> On Aug 10, 2018, at 4:24 AM, admin--- via Exim-dev <exim-dev@exim.org> wrote:
> 
> Most uses should leave tls_eccurve at the default "auto".  With a modern
> version of OpenSSL this will support the full set of curves known to the
> library.
> 
> The use of accepting a list for tls_eccurve would be restricted to cases of
> "more than one, but not the full set".  I'm not sure how common that need is.

If you do decide to support multiple specific curves, the appropriate
interface is SSL_CTX_set1_curves_list(3):

    https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set1_curves_list.html

    int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);

    SSL_CTX_set1_curves_list() sets the supported curves for ctx to
    string list.  The string is a colon separated list of curve NIDs
    or names, for example "P-521:P-384:P-256".

Note that there's no mention of support for spaces around the ":"
separators.  Exim could, if this was considered sufficiently useful,
look for a colon in the parameter value, and if one were found,
call SSL_CTX_set1_curves_list(3) instead of:

    int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff);

Not saying this is necessary, but it is an option with OpenSSL >= 1.0.2.

-- 
        Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##