On 30/09/14 19:16, Todd Lyons wrote:
> I have taken the patch provided by Wolfgang and changed it slightly.
> I moved the default setting from tls-openssl.c into globals.c. Now
> the if tls_eccurve==NULL does something slightly different, but the
> rest of Wolfgang's code is unchanged. (It checks to see if errant code
> left it NULL, which in my understanding can never happen, but this
> checks for errors every way possible.)
>
> The commit is available for viewing at
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_ecdhe
> . Please look it over and see if there is anything that you feel
> should be done differently.
>
> I'm aware of Phil's reservation with setting a default cipher.
> Personally I would rather set it to secp384r1 (default to higher, but
> standard encryption...the alternative is only trying to use it when
> tls_eccurve is actually set). prime256v1 and secp384r1 are both FIPS
> compliant so it is in at least every RH/CentOS openssl package 1.0.0+.
> Suse must be the same since they have incorporated the patch into
> their more recent OS version. Debian/Ubuntu has a recent version of
> openssl, so it's worth checking to see if this would work on that too.
Add this info to the change log? Also http://safecurves.cr.yp.to ?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
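An added illustration, not code from the patch or from Exim itself: it models the "unset option falls back to a default, then the name must be one the linked OpenSSL knows" logic discussed above, using Python's ssl module to probe the local OpenSSL for each curve name. The default name prime256v1 is assumed from the thread (Todd says he would prefer secp384r1); the function and variable names are hypothetical.

```python
import ssl

# Assumed default, as the thread implies the patch currently uses prime256v1.
DEFAULT_ECCURVE = "prime256v1"


def curve_supported(name):
    """Return True if the OpenSSL linked into this Python knows the named curve.

    ssl.SSLContext.set_ecdh_curve() raises ValueError for a name OpenSSL cannot
    resolve, which is exactly the distro-by-distro check the thread asks for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ecdh_curve(name)
    except ValueError:
        return False
    return True


def resolve_eccurve(tls_eccurve):
    """Mirror the option handling: an unset (None/empty) value takes the default,
    and any resulting name that OpenSSL does not support is rejected loudly
    rather than silently falling back to a non-ECDHE key exchange."""
    name = tls_eccurve if tls_eccurve else DEFAULT_ECCURVE
    if not curve_supported(name):
        raise ValueError("tls_eccurve %r is not supported by this OpenSSL" % name)
    return name


def curve_report(candidates=("prime256v1", "secp384r1", "secp521r1")):
    """Map each candidate curve name to whether the local OpenSSL supports it."""
    return {name: curve_supported(name) for name in candidates}


if __name__ == "__main__":
    for curve, ok in curve_report().items():
        print("%-12s %s" % (curve, "supported" if ok else "MISSING"))
    print("effective default:", resolve_eccurve(None))
```

On a distro package you can cross-check the same names with `openssl ecparam -list_curves`.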
