Neal Horman wrote:
> I've been looking at Dan Luke's revised SSL options patch.
> It includes support for ECDH and flexible support for sourcing
> the DH params from disk.
> Dan, have you done more testing?

No, I just deployed it on a production server instead ;-)
But the changes are rather small and simple, thus I expect no hidden bug
affecting security.

Note that ECDH support has been just a prerequisite for another change
(although ECDH has value even with no further changes). I'm going to
implement support for ECC certificates because mainstream commercial CAs
have included ECC in their portfolio already.

The initial change is simple (SSL_CTX_use_RSAPrivateKey_file needs
to be changed to SSL_CTX_use_PrivateKey_file) and I have verified it working
already (e.g. the client connects with ECDHE-ECDSA-AES256-GCM-SHA384 instead
of ECDHE-RSA-AES256-GCM-SHA384). True production deployment requires dual
mode (e.g. both RSA and ECC certificates available at the same time).
Thus two keys and certificates need to be loaded instead of just one. I
haven't completed that change yet.

I will announce here once it is done and a new version of the patch becomes available.

It's up to the particular source tree owner's decision to include those
changes in the tree or not. I'm a UW user, thus changes in panda's code
don't affect me.

Dan