On 02/08/2014 05:52 PM, Edward Lee wrote:
Hi.
Racket's OpenSSL bindings do not currently enable the ECDH(E) and the
DHE ciphers, which are needed for perfect forward secrecy.
I've attached a patch that:
- Embeds reasonable defaults for DHE mode.
- Adds two functions, ssl-server-context-enable-dhe! and
ssl-server-context-enable-ecdhe! that when given
DHE/ECDHE setup arguments (for DHE, a DH parameter file path,
for ECDHE, the name of one of the built-in OpenSSL elliptic curves
[currently, only secp521r1])
- (unrelated, but also useful) Adds bindings for TLS 1.1/1.2-only
server/client contexts.
This patch is currently a work in progress (it currently only supports
one elliptic curve name) that works well enough for what I am using it
for, but I'm interested in getting this patch upstream.
Here are a few comments:
What is SSL_CTRL_SET_ECDH_AUTO? I couldn't find it in the openssl
headers, and I searched a few recent versions. It seems unused here, anyway.
I think it would be better to read the DH params file into memory using
Racket file operations and then use a memory BIO for
PEM_read_bio_DHparams. Two reasons: the file access will then
automatically go through Racket's security-guard checks, and the file
read will go through Racket's IO system, so if the read blocks it won't
block all Racket threads.
In ...enable-ecdhe!, the 'case' form doesn't need 'quote'. It should be
this instead:
(case name
[(secp521r1) NID_secp521r1]
[else ___])
As it is, the function will accept 'quote as the name of a curve.
What's the exact process for this?
If you have a github account, you can fork the repo there and submit a
pull request. But we can certainly handle patches like this too.
Ryan
_________________________
Racket Developers list:
http://lists.racket-lang.org/dev
