On 04/18/2016 11:23 PM, David Martin wrote:
> On Mon, Apr 18, 2016 at 3:02 PM, Janusz Dziemidowicz
> <[email protected]> wrote:
>> 2016-04-15 16:50 GMT+02:00 David Martin <[email protected]>:
>>> I have tested the current patch with the HAProxy default, a list of curves,
>>> a single curve and also an incorrect curve. All seem to behave correctly.
>>> The conditional should only skip calling ecdh_auto() if curves_list()
>>> returns 0 in which case HAProxy exits anyway.
>>>
>>> Maybe I'm missing something obvious, this has been a learning experience for
>>> me.
>>
>> You are correct. I guess I shouldn't have been looking at patches
>> during a break at a day work;)
>> Seems ok for me now. Apart from the missing documentation changes;)
>>
>> --
>> Janusz Dziemidowicz
>
> Added doc changes :)
>
Hi All,

I don't know how the curve negotiation works, but I have some questions.

What is the behavior if SSL_CTX_set_ecdh_auto is used on the server side and the client doesn't support the negotiation?

In other words: is it useful to set both SSL_CTX_set_ecdh_auto and SSL_CTX_set_tmp_ecdh (with the first one of the list, for instance), to ensure the first wanted curve is used if the client doesn't support the negotiation?

R,
Emeric

