On Thu, Oct 24, 2013 at 11:52:36PM -0700, Patrick Pelletier wrote: > >(For EC, the specified curve must also be acceptable to client(s) per > >ClientHello extension, > >which encourages using the callback or choosing a popular curve like P-256.) > > So, my understanding is that if the "tmp_ecdh" is set to a curve > which is not supported by the client, then OpenSSL ought to just > skip the elliptic curve cipher suites and pick the next acceptable > cipher suite supported by both the client and server. Is this not > the case? > > I was puzzled by this message: > > http://www.metzdowd.com/pipermail/cryptography/2013-October/018330.html
With respect to the OpenSSL server implementation I was wrong. The issue was a bug in the RedHat OpenSSL package's recently introduced EC support advertising curves it did not implement. The issue is still possible if clients both send SSLv2 compatible HELLO (thus no extensions) and include EC ciphersuites. Since SSLv2 is now disabled by default, one might say they should not do that. > The following draft also seems to suggest the same thing, that if > client and server both support an elliptic curve suite, they will > pick it, and then discover that they don't have any curves in > common, and give up, rather than picking a non-EC suite: > > http://datatracker.ietf.org/doc/draft-gutmann-tls-eccsuites/ That's a deeper set of issues, that are still relevant. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
