Hi, Need to use *SSL_CTX_set1_curves_list()*, for ECC curves configuration using string.
SSL_CTX_set1_curves_list(ctx, "P-521:P-384:P-256") Regards, R Ashok On Tue, Nov 26, 2019 at 1:42 PM Rohit Kaushal <rohit.kaus...@gmail.com> wrote: > Hi, > > I would like to ask if anyone here has actually been able to trim the EC > Supported Groups in the Client Hello with a TLS-ECDHE cipher using the APIs > described in the OpenSSL v1.0.2 manpage for SSL_CTX_set1_curves() > <https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set1_curves.html> > > > > My shared objects are built using OpenSSL v1.0.2t with FIPS Object Module > v2.0.5 . The TLS handshake pcap has always shown myCipher ( > "ECDHE-RSA-AES128-GCM-SHA256") in the Client Hello correctly, accompanied > with 13 curves in the Supported Group Extension. However, enhancing SSL_CTX > myCtx to restrict the curves to just 3 (P-521:P384:P256) still show the > same 13 curves as in the pcap. The man page doesn't suggest nor do i see > any reason why FIPS should prevent this from working. > > > //existing working code > > if((myCtx = SSL_CTX_new(SSL_METHOD *)TLSv1_2_method()) == NULL) > > return; > > if((SSL_CTX_set_cipher_list(myCtx, myCipher) != 1)) > > return; > > > > //enhancement, not working > > if(SSL_CTX_set1_curves(myCtx, "P-521:P-384:P-256", 3)) != 1)) > > return; > > > > The API returns 0 (suggesting no error), but pcap shows no change, i.e. > still shows the std. 13 curves. > > > > Trying a code snippet involving SSL_CONF_cmd(myConfCtx, "-named-curve", > "P-256") suggested in this link > <https://superuser.com/questions/912311/how-to-force-a-server-to-use-a-specific-elliptic-curve-at-the-beginning-of-the-h> > , > available prior to SSL_CTX_set1_curves() introduction in v1.0.2, didn’t > help either. > > > Thank you for any guidance you can provide. > > Rohit >
