I have taken the patch provided by Wolfgang and changed it slightly. I moved the default setting from tls-openssl.c into globals.c. Now the if tls_eccurve==NULL does something slightly different, but the rest of Wolfgang's code is unchanged. (It checks to see if errant code left it NULL, which in my understanding can never happen, but this checks for errors every way possible.)
The commit is available for viewing at http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_ecdhe . Please look it over and see if there is anything that you feel should be done differently.

I'm aware of Phil's reservation with setting a default cipher. Personally I would rather set it to secp384r1 (default to higher, but standard encryption...the alternative is only trying to use it when tls_eccurve is actually set). prime256v1 and secp384r1 are both FIPS compliant so it is in at least every RH/CentOS openssl package 1.0.0+. Suse must be the same since they have incorporated the patch into their more recent OS version. Debian/Ubuntu has a recent version of openssl, so it's worth checking to see if this would work on that too.

...Todd

On Tue, Sep 30, 2014 at 5:32 AM, Todd Lyons <[email protected]> wrote:
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1397
>
> Todd Lyons <[email protected]> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |[email protected]
>
> --- Comment #7 from Todd Lyons <[email protected]> 2014-09-30 13:32:47 ---
> I see that Suse incorporates the ECDHE patch in their official release. I'm
> willing to merge this now. Has anybody uncovered more evidence or spoken with a
> knowledgeable crypto person to know whether one curve is better than the other
> to use?
>
> --
> Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

--
The total budget at all receivers for solving senders' problems is $0. If you want them to accept your mail and manage it the way you want, send it the way the spec says to. --John Levine
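The curve-selection behaviour discussed in the message above (fall back to a default curve when tls_eccurve is unset, otherwise use the configured name, and reject a name the linked OpenSSL does not know), mirrored in Python as an added example. This is not Todd's, Wolfgang's or Exim's code: the option name tls_eccurve and the candidate defaults prime256v1 and secp384r1 come from the thread, while the function names and the use of the Python ssl module (which resolves the curve name through OpenSSL's own name table) are assumptions of this example.

```python
"""Added example, not Exim's code: the tls_eccurve default/fallback logic
from the thread, checked against the OpenSSL that this interpreter links.

Assumed: the option name tls_eccurve and the candidate defaults come from
the thread; the function names below are this example's own.
"""
import ssl

# The default the patch installs, per the thread; secp384r1 is the
# alternative Todd says he would personally prefer.
DEFAULT_CURVE = "prime256v1"


def _check_curve(name):
    """Ask the linked OpenSSL whether it knows this curve short name.

    CPython's set_ecdh_curve() resolves the name with OpenSSL's OBJ_sn2nid()
    and raises ValueError when that lookup fails, so an unknown or misspelt
    curve is caught at configuration time rather than silently disabling
    ECDHE (and with it forward secrecy) at connection time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ecdh_curve(name)  # raises ValueError: unknown elliptic curve name


def resolve_ecdh_curve(tls_eccurve, default=DEFAULT_CURVE):
    """Return the curve name that would be handed to OpenSSL.

    None or a blank setting is the "errant code left it NULL" case the
    message guards against: it falls back to `default`. An explicitly
    configured but unknown curve is an error, not a silent fallback.
    """
    name = (tls_eccurve or "").strip()
    if not name:
        name = default
    _check_curve(name)
    return name


def curve_is_available(name):
    """True if the linked OpenSSL (RH/CentOS 1.0.0+, Debian, ...) knows `name`.

    Useful for the cross-distribution check the message asks for.
    """
    try:
        _check_curve(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample settings: unset, blank, explicit, and misspelt.
    for setting in (None, "", "secp384r1", "no-such-curve"):
        try:
            print(repr(setting), "->", resolve_ecdh_curve(setting))
        except ValueError as exc:
            print(repr(setting), "-> rejected:", exc)
```

Run stand-alone it prints the resolved curve for each sample setting; the misspelt one is rejected instead of quietly falling back, which is the failure mode the NULL check in the patch is meant to make impossible for the unset case.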
