httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Tue, 07 Jan 2014 17:40:29 GMT
On 05.01.2014 15:09, Dr Stephen Henson wrote:
> On the subject of 1.0.2 would it be appropriate to set auto ecdh parameter
> selection as the default in mod_ssl where supported? As things stand one single
> curve can be set (with default P-256) and it's an all or nothing choice, with
> auto parameter selection the highest priority curve supported by both sides is used.

For ephemeral keys, you mean? So something like the below in ssl_init_server_certs?
I think that would make sense if the admin did not explicitly configure a single
curve (together with the "Curves" SSL_CONF command, this should allow "to configure
a list of curve names [...] (from which OpenSSL would then pick the first which
intersects with the elliptic_curves extension from the ClientHello)", as mentioned
in [1], right?).

Kaspar

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52369430.3050807@velox.ch%3E


--- modules/ssl/ssl_engine_init.c       (revision 1555662)
+++ modules/ssl/ssl_engine_init.c       (working copy)
@@ -1020,11 +1020,16 @@ static apr_status_t ssl_init_server_certs(server_r
                      OBJ_nid2sn(nid), vhost_id, certfile);
     }
     /*
-     * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+     * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later)
+     * or configure NIST P-256 (required to enable ECDHE for earlier versions)
      */
     else {
+#if defined(SSL_CTX_set_ecdh_auto)
+        SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
+#else
         SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
                              EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
     }
 #endif
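Review bot: the return value of `SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1)` on the added line is discarded; it expands to an SSL_CTX_ctrl() call that can fail, so check it and log an error the way the rest of ssl_init_server_certs reports setup failures, instead of silently ending up without ECDHE. Two smaller points: the `#if defined(SSL_CTX_set_ecdh_auto)` guard only works because 1.0.2 provides it as a macro rather than a function, which is worth saying in the comment block above it; and the `#else` branch this change now wraps still hands the EC_KEY from `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` straight to SSL_CTX_set_tmp_ecdh() with neither a NULL check nor a matching EC_KEY_free(), so while the branch is being touched it would be a good moment to fix that as well.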
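To make the difference between the two modes discussed in this thread concrete, here is an added example (not mod_ssl or OpenSSL code, and not from the message above) that models the negotiation in plain C without OpenSSL: the server side is either one fixed curve (the pre-1.0.2 `SSL_CTX_set_tmp_ecdh` behaviour, all or nothing) or an ordered preference list as the "Curves" SSL_CONF command would supply, and the client side is the NamedCurve id list carried in the ClientHello elliptic_curves extension. The curve ids are the IANA values from RFC 4492 (secp256r1 = 23, secp384r1 = 24, secp521r1 = 25); the extension bytes are constructed for the example, and the function names (`select_curve`, `parse_elliptic_curves_ext`, the `demo_*` helpers) are hypothetical.

```c
/* Added example, not mod_ssl or OpenSSL code: models ECDHE curve negotiation.
 * Server preference list vs. client-offered list (ClientHello elliptic_curves
 * extension, RFC 4492); the first server-preferred curve the client also
 * offers wins, CURVE_NONE means no ECDHE is possible. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA NamedCurve ids from RFC 4492. */
#define CURVE_SECP256R1 23
#define CURVE_SECP384R1 24
#define CURVE_SECP521R1 25
#define CURVE_NONE      0

/* Auto selection: walk the server's preference list in order and return the
 * first curve that appears in the client's offered list. */
static uint16_t select_curve(const uint16_t *server_pref, size_t nserver,
                             const uint16_t *client_offered, size_t nclient)
{
    for (size_t i = 0; i < nserver; i++)
        for (size_t j = 0; j < nclient; j++)
            if (server_pref[i] == client_offered[j])
                return server_pref[i];
    return CURVE_NONE;
}

/* Pre-1.0.2 style: exactly one curve configured, so the handshake either
 * uses that curve or gets no ECDHE at all. */
static uint16_t select_single_curve(uint16_t server_curve,
                                    const uint16_t *client_offered, size_t nclient)
{
    return select_curve(&server_curve, 1, client_offered, nclient);
}

/* Parse an elliptic_curves extension body: 2-byte big-endian length followed
 * by that many bytes of 2-byte NamedCurve ids. Returns the number of ids, or
 * 0 if the body is malformed (odd length, length mismatch, or too many ids). */
static size_t parse_elliptic_curves_ext(const uint8_t *ext, size_t ext_len,
                                        uint16_t *out, size_t max_out)
{
    if (ext_len < 2)
        return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len % 2 != 0 || list_len + 2 != ext_len)
        return 0;
    size_t n = list_len / 2;
    if (n > max_out)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)((ext[2 + 2 * i] << 8) | ext[3 + 2 * i]);
    return n;
}

/* Constructed ClientHello extension body: length 4, ids secp384r1, secp256r1. */
static const uint8_t k_client_ext[] = { 0x00, 0x04, 0x00, 0x18, 0x00, 0x17 };

/* Server configured with "Curves secp521r1:secp384r1:secp256r1"; the client
 * above lacks secp521r1, so auto selection should land on secp384r1. */
static uint16_t demo_auto_selection(void)
{
    const uint16_t server_pref[] = { CURVE_SECP521R1, CURVE_SECP384R1, CURVE_SECP256R1 };
    uint16_t client[8];
    size_t n = parse_elliptic_curves_ext(k_client_ext, sizeof k_client_ext, client, 8);
    return select_curve(server_pref, 3, client, n);
}

/* Single fixed curve secp521r1 against the same client: no ECDHE possible. */
static uint16_t demo_single_curve(void)
{
    uint16_t client[8];
    size_t n = parse_elliptic_curves_ext(k_client_ext, sizeof k_client_ext, client, 8);
    return select_single_curve(CURVE_SECP521R1, client, n);
}

/* Malformed body (declared length 3, odd) must be rejected, not partially read. */
static size_t demo_malformed_ext(void)
{
    const uint8_t bad[] = { 0x00, 0x03, 0x00, 0x17, 0x00 };
    uint16_t client[8];
    return parse_elliptic_curves_ext(bad, sizeof bad, client, 8);
}

int main(void)
{
    printf("auto selection picks curve id %u\n", demo_auto_selection());
    printf("single-curve config yields curve id %u (0 = no ECDHE)\n", demo_single_curve());
    printf("malformed extension parsed to %zu ids\n", demo_malformed_ext());
    return 0;
}
```

The point the model makes is the one raised in the thread: with a single configured curve the server silently loses ECDHE whenever the client does not offer exactly that curve, whereas with a preference list the admin keeps control of the order and the server still negotiates something both sides support.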
