trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan-Frode Myklebust <janfr...@tanso.net>
Subject Re: Forward Secrecy ?
Date Mon, 25 Nov 2013 09:02:11 GMT
On Mon, Nov 25, 2013 at 08:22:35AM +0000, Igor Galić wrote:
> 
> > and for stud:
> > 
> > 	https://github.com/bumptech/stud/pull/61/files
> 
> Wow. That's bad. That looks specifically for the *bad* NSA curve constants
> before initializing the ec code. That's not something I'd rely on, since
> not even NIST is any more.

Are there any other relevant curve constants that's usable? Looks to me
like everyone is using NIST P-384 or NIST P-256, and these are the only
once available as named curves in my openssl library.

$ openssl ecparam -list_curves
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

BTW: James Peach has already come up with a patch implementing the ECDHE
ciphers using NIST P-256, so now my test server is forward secret for
most clients:

	https://www.ssllabs.com/ssltest/analyze.html?d=dibs.tanso.net


  -jf

Mime
View raw message