On Tue, Jul 16, 2019 at 09:49:36 -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx
> <[email protected]> wrote:
>
> > With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not
> > use ECC until I explicitly set a curve in olcTLSECName. There is no
> > default value? This is contrary to expectation, most TLS enabled
> > software enable ECC by default, based on the configured cipher string.
>
> Hi Geert,
>
> The OpenSSL API does not support more than 1 EC to be enabled per context.

Hmm, at least nginx and postfix support specifying multiple curves:

https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_ecdh_curve
http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves

Both specifically refer to OpenSSL >= 1.0.2

Geert

-- 
geert.hendrickx.be :: [email protected] :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
