Hi,

Thanks to Piotr's contributions on the mailing list I picked up my earlier ECDH work again. I believe they are ready to be reviewed and find their way into master.

The following patches add support for ECDH(E) in OpenSSL builds, which in practice means that people are able to use ECDSA certificate chains without jumping through hoops, or just use ECDH(E) with their RSA certificates.

I started with the patch Jan Just Keijser posted (and reposted) to the openvpn-devel list earlier, and worked from there to make the behaviour TLS-compliant (i.e., extract the curve from the server key by default). For OpenSSL 1.0.2+, we can let OpenSSL do the heavy lifting. For older versions (which are at this moment used by almost everyone), we have to select a curve ourselves. If dynamic selection fails, we fall back to the strongest 'Suite B' curve: secp384r1.

For more details, check the commit messages from the patches, and README.ec.

A patch to add EC support for PolarSSL builds will follow soon.

Regards,
-Steffan
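
An added illustration of the curve selection described in the message above (take the curve from the server key, otherwise fall back to secp384r1), written in Python with only the standard library; it is not code from the patches, which are C changes to OpenVPN. The function names, the constructed sample keys, and the restriction to SEC1 `EC PRIVATE KEY` PEM input with three known curves are assumptions of this example.

```python
import base64
import ssl

# Named-curve OIDs (DER content bytes) mapped to OpenSSL short names.
CURVE_OIDS = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",
    bytes.fromhex("2b81040022"): "secp384r1",
    bytes.fromhex("2b81040023"): "secp521r1",
}
FALLBACK_CURVE = "secp384r1"  # the fallback named in the message above

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def curve_from_sec1_key(der):
    """Curve name from the [0] parameters of a SEC1 ECPrivateKey, else None."""
    tag, body, _ = _tlv(der, 0)
    pos = 0
    while tag == 0x30 and pos < len(body):
        inner, content, pos = _tlv(body, pos)
        if inner == 0xA0:  # [0] EXPLICIT parameters holding the namedCurve OID
            otag, oid, _ = _tlv(content, 0)
            return CURVE_OIDS.get(oid) if otag == 0x06 else None
    return None  # e.g. an RSA key: no EC parameters present

def select_ecdh_curve(pem):
    """Curve of the server key; FALLBACK_CURVE when it cannot be determined."""
    try:
        b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        return curve_from_sec1_key(base64.b64decode(b64)) or FALLBACK_CURVE
    except (ValueError, IndexError):  # bad base64 or malformed DER
        return FALLBACK_CURVE

def configure(ctx: ssl.SSLContext, pem: str) -> None:
    """Apply the selected curve to a server-side TLS context."""
    ctx.set_ecdh_curve(select_ecdh_curve(pem))

def constructed_key(oid_hex):
    """Constructed sample, not a real key: SEC1 DER with a dummy scalar."""
    oid = bytes.fromhex(oid_hex)
    params = b"\xa0" + bytes([len(oid) + 2]) + b"\x06" + bytes([len(oid)]) + oid
    body = b"\x02\x01\x01\x04\x20" + bytes(range(1, 33)) + params
    der = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN EC PRIVATE KEY-----\n{der}\n-----END EC PRIVATE KEY-----\n"
```
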