Allow non-standard EC groups with OpenSSL3
This statement just is not correct: This has not a lot to do with EC. What about "Enable setting any TLS1.3 group [provided by the underlying crypto libraries]. "?

A bit long for a commit subject. Maybe just:

Enable usage of TLS groups not identified by a NID in OpenSSL 3


OpenSSL3 no longer uses the NID to identify TLS groups, instead it uses
names. This also allows the use of groups from external providers. It also recognises secp256r1 as the same group as prime256v1.
This statement also is not quite right: OpenSSL3 still uses NIDs to identify some groups, notably those not implemented by a provider, i.e., legacy/"classic" crypto. I would agree with the statement that "OpenSSL3 prefers the use of names over NIDs for the identification of TLS1.3 groups, including EC groups." Lastly, the "it" in your statement above is unclear (at least to me as a non-native speaker): What about explicitly stating "OpenSSL3 also recognises secp256r1 as the same group as prime256v1"? This fact of course has nothing to do with this patch.

This fact has to do with the patch since you are no longer doing that dance with that curve for the new code that affects OpenSSL 3, so pointing that out in the commit message helps to understand the code change.

Maybe like this:

OpenSSL3 prefers to specify groups (including EC groups) with names instead of NID to also allow groups provided by providers. This commit also removes the mapping of secp256r1 to prime256v1 for the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.

Arne


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
