Geert Hendrickx wrote:
> On Tue, Jul 16, 2019 at 09:49:36 -0700, Quanah Gibson-Mount wrote:
>> --On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx
>> <[email protected]> wrote:
>>
>>> With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not
>>> use ECC until I explicitly set a curve in olcTLSECName. There is no
>>> default value? This is contrary to expectation, most TLS enabled
>>> software enable ECC by default, based on the configured cipher string.
>>
>> Hi Geert,
>>
>> The OpenSSL API does not support more than 1 EC to be enabled per context.
>
>
> Hmm, at least nginx and postfix support specifying multiple curves:
> https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_ecdh_curve
> http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
>
> Both specifically refer to OpenSSL >= 1.0.2

Feel free to submit a patch. But it won't be in time for 2.4.48.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
