On 31/12/14 11:29, Joel Sing wrote:
Well I've already made it working last night by adding a check
for SSL_CTX_need_tmp_RSA before calling SSL_CTX_set_tmp_rsa
Excellent. You might want to see if you can get that upstream.
Yes i've subscribed to their list and send it already.
So if I get it right, since I'm using HIGH ciphersuite I will never need
an ephemeral RSA key correct?
Correct - LibreSSL no longer has any export ciphersuites and no longer
supports ephemeral RSA keys.
I'm a bit confused with LibreSSL. Has it already replaced OpenSSL in
OpenBSD?
radiusd is linked with libssl and libcrypto. Are these from OpenSSL or
LibreSSL?
I thought LibreSSL is libtls/libressl
(http://www.openbsd.org/faq/current.html#20141031)
Is there a case were that SSL_CTX_need_tmp_RSA() will be true?
Not if you are using LibreSSL (or BoringSSL) - from s3_lib.c:
case SSL_CTRL_NEED_TMP_RSA:
ret = 0;
break;
case SSL_CTRL_SET_TMP_RSA:
case SSL_CTRL_SET_TMP_RSA_CB:
SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
break;
SSL_OP_EPHEMERAL_RSA is not defined anywhere.
So presumably it was added so that they could support export cipher suites...
the commit message that added the code appears to be useless though:
http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff;h=12b7f6efb1bbf6c70061d590a5ddfb1f71b0fefd