On Mon, Feb 10, 2014 at 06:37:56PM -0500, Ryan Culpepper wrote: > On 02/08/2014 05:52 PM, Edward Lee wrote: > >Hi. > > > >Racket's OpenSSL bindings do not currently enable the ECDH(E) and the > >DHE ciphers, which are needed for perfect forward secrecy. > > > >I've attached a patch that: > > - Embeds reasonable defaults for DHE mode. > > - Adds two functions, ssl-server-context-enable-dhe! and > > ssl-server-context-enable-ecdhe! that when given > > DHE/ECDHE setup arguments (for DHE, a DH parameter file path, > > for ECDHE, the name of one of the built-in OpenSSL elliptic curves > > [currently, only secp521r1]) > > - (unrelated, but also useful) Adds bindings for TLS 1.1/1.2-only > > server/client contexts. > > > >This patch is currently a work in progress (it currently only supports > >one elliptic curve name) that works well enough for what I am using it > >for, but I'm interested in getting this patch upstream. > > Here are a few comments: > > What is SSL_CTRL_SET_ECDH_AUTO? I couldn't find it in the openssl > headers, and I searched a few recent versions. It seems unused here, > anyway. It's not defined in OpenSSL 1.0.1, I think. It can be used for enabling ECDH(E) in OpenSSL >= 1.0.2, with OpenSSL automatically selecting the curve - <https://www.openssl.org/news/changelog.html>, "Support for automatic EC temporary key parameter selection..." > > I think it would be better to read the DH params file into memory > using Racket file operations and then use a memory BIO for > PEM_read_bio_DHparams. Two reasons: the file access will then > automatically go through Racket's security-guard checks, and the > file read will go through Racket's IO system, so if the read blocks > it won't block all Racket threads. I will investigate this, and time permitting, will change my patch to use Racket's IO system for loading the parameters. > > In ...enable-ecdhe!, the 'case' form doesn't need 'quote'. It should > be this instead: > > (case name > [(secp521r1) NID_secp521r1] > [else ___]) > > As it is, the function will accept 'quote as the name of a curve. Thanks for pointing this out. > > >What's the exact process for this? > > If you have a github account, you can fork the repo there and submit > a pull request. But we can certainly handle patches like this too. > > Ryan Great, thanks.
--Edward _________________________ Racket Developers list: http://lists.racket-lang.org/dev
