It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports
ECC ciphers - only not with a configurable curve. So probably
OpenSSL made it available by default without needing application support.
Geert
On Tue, Jul 16, 2019 at 16:27:18 +0200, Geert Hendrickx wrote:
> Hi Quanah
>
> I tested the RE24 branch specifically for the ECC support, but the default
> behaviour seems to depend on the OpenSSL version.
>
> With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use
> ECC until I explicitly set a curve in oclTLSECName. There is no default
> value? This is contrary to expectation, most TLS enabled software enable
> ECC by default, based on the configured cipher string.
>
> However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and
> appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
>
> But, I can only override it with a single curve, since oclTLSECName is
> single-valued. And colon, comma or otherwise separated is not accepted
> (TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
>
> OpenSSL supports multiple curves in configuration starting with 1.0.2, so
> I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1.
> So I'm confused, as the code seems to do nothing OpenSSL version specific.
>
>
> Geert
>
--
geert.hendrickx.be :: [email protected] :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
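The observations above (ECDHE only negotiated when the server allows a curve the client offers, and oclTLSECName restricting the server to one value) can be checked from the outside with the openssl CLI alone. The following is an added example, not code from the thread or from OpenLDAP: it starts a local `openssl s_server` as a stand-in for slapd, restricted to prime256v1 and secp384r1 the way a TLSECName setting would restrict slapd, and probes it once per curve to see which one the server actually uses for the ephemeral key. The port, the certificate CN and the curve list are constructed for the test; to check a real server, point `HOST`/`PORT` at its ldaps port and skip `start_server`. It assumes openssl 1.1.x or 3.x in PATH (the `-curves` option and the `Server Temp Key:` line exist from 1.0.2 on).

```shell
#!/bin/sh
# Added example: which EC curve does a TLS server pick for ECDHE, per offered curve?
# Assumes the openssl CLI (1.1.x or 3.x). Server, port and CN below are constructed.
set -eu

HOST=127.0.0.1
PORT=14636                      # constructed; a real ldaps server would be :636
WORK=$(mktemp -d)
SRV_PID=""
trap 'rm -rf "$WORK"' EXIT

# Stand-in for slapd: self-signed P-256 cert (constructed test identity) and a
# curve list limited to prime256v1:secp384r1, as a restrictive TLSECName would do.
start_server() {
    if [ ! -f "$WORK/cert.pem" ]; then
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
            -subj "/CN=ldap.example.test" -days 1 >/dev/null 2>&1 || return 1
    fi
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -curves prime256v1:secp384r1 -www >/dev/null 2>&1 &
    SRV_PID=$!
    # wait (up to ~10 s) until the port completes a handshake
    i=0
    while [ "$i" -lt 10 ]; do
        if openssl s_client -connect "$HOST:$PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_server() {
    if [ -n "$SRV_PID" ]; then
        kill "$SRV_PID" 2>/dev/null || true
        wait "$SRV_PID" 2>/dev/null || true
        SRV_PID=""
    fi
}

# Offer exactly one curve and report the curve of the server's ephemeral key.
# Prints "none" when the server refuses the handshake (no shared curve).
# openssl 1.1.x prints NIST names (P-256); 1.0.2 and 3.x print prime256v1 etc.,
# so both spellings are normalised to the names used in TLSECName.
negotiated_curve() {
    out=$(openssl s_client -connect "$HOST:$PORT" -curves "$1" </dev/null 2>/dev/null) || true
    name=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: ECDH, *\([^,]*\),.*/\1/p' | head -n 1)
    case "$name" in
        P-256) name=prime256v1 ;;
        P-384) name=secp384r1 ;;
        P-521) name=secp521r1 ;;
        "")    name=none ;;
    esac
    printf '%s\n' "$name"
}

main() {
    start_server || { echo "server did not start" >&2; return 1; }
    for c in prime256v1 secp384r1 secp521r1; do
        printf 'offered %-11s -> server used %s\n' "$c" "$(negotiated_curve "$c")"
    done
    stop_server
}

main "$@"
```

With the stand-in server, the first two probes report the offered curve and the third reports `none`, which is exactly what a client limited to secp521r1 would see against a slapd whose single oclTLSECName value is a different curve. Against a slapd on OpenSSL 1.0.1 with no oclTLSECName set, every probe reports `none` (or a non-ECDHE cipher if the certificate allows one), matching the "no ECC until a curve is set" behaviour described in the thread.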