trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Forward Secrecy ?
Date Mon, 25 Nov 2013 15:12:40 GMT
On Nov 25, 2013, at 12:22 AM, Igor Galić <i.galic@brainsware.org> wrote:

> 
> 
> ----- Original Message -----
>> Here's the commit adding ECDHE support to apache httpd:
>> 
>> 	http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%3C20091110075514.166A6238890A@eris.apache.org%3E
> 
> What this code does is more than just an initial throw; it enables the use of
> ECC /keys/. All we need to start using ECDHE is the initialization.
> 
>   http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=834378&r1=834377&r2=834378&view=diff
> 
>> and for stud:
>> 
>> 	https://github.com/bumptech/stud/pull/61/files
> 
> Wow. That's bad. That looks specifically for the *bad* NSA curve constants
> before initializing the ec code. That's not something I'd rely on, since
> not even NIST is any more.

I believe that this code originates from an OpenSSL mailing list recommendation from the OpenSSL
devs. Do you have the list of "bad" NIST curves?

J