I looked around and found RFC 5430 - Suite B Profile for Transport Layer 
Security (TLS), which states:

   RFC 4492 defines a variety of elliptic curves.  For cipher suites
   defined in this specification, only secp256r1(23) or secp384r1(24)
   may be used.  …

   Clients desiring to negotiate only a Suite B compliant connection
   MUST generate a "Supported Elliptic Curves Extension" containing only
   the allowed curves.

So does this mean that OpenSSL will not support RFC 5430 / Suite B in 1.0.1?

  Thanks,
  Erik


From: Bodo Moeller <bmoel...@acm.org>
Reply-To: openssl-dev@openssl.org
Date: Wed, 29 Feb 2012 18:52:11 -0500
To: openssl-dev@openssl.org
Subject: Re: Limiting EC curves in ClientHello


It appears there is no way to specify that only a subset should be used?

Yes, this is a known deficiency in the current code. I'm more familiar with the 
server side, but I think it's similar: if you set up *one* curve, then 
negotiation should happen accordingly; if you use a callback to provide curves, 
it will be expected to be able to handle any curve, which is fundamentally 
broken (a peer could be using a named curve that's not even defined yet).

So technically, there is a way to specify that only a subset should be used -- 
it's just that the subset needs to be of size 0 or 1, which isn't utterly 
flexible. We should get around to fixing that at some point.

Bodo

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
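The thread turns on what a client puts in the "Supported Elliptic Curves" extension (RFC 4492 extension type 10) and whether that list is restricted to the two Suite B curves. As an added example, not code from the thread or from OpenSSL, here is a small parser for that extension as it appears in a ClientHello extensions block, with a check that reports any curve RFC 5430 does not allow. The sample extension bodies are constructed with the helper below (they are not captures from a real OpenSSL 1.0.1 client), and the wire layout follows RFC 4492: a 2-byte list length followed by 2-byte NamedCurve values.

```python
"""Parse the RFC 4492 elliptic_curves extension of a TLS ClientHello and
check whether the advertised curve list is Suite B (RFC 5430) compliant.
Added example; not from the mailing-list thread or the OpenSSL code base."""
import struct

EXT_ELLIPTIC_CURVES = 10                            # extension type, RFC 4492
SUITE_B_CURVES = {23: "secp256r1", 24: "secp384r1"}  # the only curves RFC 5430 allows


def build_elliptic_curves_extension(curves):
    """Encode one elliptic_curves extension (type, length, body) listing the
    given NamedCurve ids, as a Suite B client following RFC 5430 would."""
    body = struct.pack("!H", 2 * len(curves))
    body += b"".join(struct.pack("!H", c) for c in curves)
    return struct.pack("!HH", EXT_ELLIPTIC_CURVES, len(body)) + body


def wrap_extensions(*exts):
    """Prefix concatenated extensions with the 2-byte total length that
    precedes the extensions block in a ClientHello."""
    data = b"".join(exts)
    return struct.pack("!H", len(data)) + data


def parse_extensions(block):
    """Split a ClientHello extensions block into a {type: data} dict,
    rejecting length fields that do not match the bytes actually present."""
    if len(block) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", block[:2])
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    exts, off = {}, 2
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[off:off + 4])
        off += 4
        if off + ext_len > len(block):
            raise ValueError("extension overruns block")
        exts[ext_type] = block[off:off + ext_len]
        off += ext_len
    return exts


def parse_named_curves(body):
    """Decode the elliptic_curves body: 2-byte list length, then 2-byte ids."""
    if len(body) < 2:
        raise ValueError("elliptic_curves body too short")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len == 0 or list_len % 2 or 2 + list_len != len(body):
        raise ValueError("malformed NamedCurve list")
    return list(struct.unpack("!%dH" % (list_len // 2), body[2:]))


def suite_b_violations(curves):
    """Return the NamedCurve ids in the list that RFC 5430 does not permit."""
    return [c for c in curves if c not in SUITE_B_CURVES]


def is_suite_b_client_hello(block):
    """True only if the extension is present and lists Suite B curves only.
    A missing extension fails the check: RFC 5430 requires the client to
    send it with only the allowed curves."""
    exts = parse_extensions(block)
    if EXT_ELLIPTIC_CURVES not in exts:
        return False
    return not suite_b_violations(parse_named_curves(exts[EXT_ELLIPTIC_CURVES]))


# Constructed samples (assumed lists, not real client captures).
SUITE_B_HELLO = wrap_extensions(build_elliptic_curves_extension([23, 24]))
# A client advertising everything it implements, e.g. secp521r1(25) and
# secp160r1(8) alongside the two Suite B curves.
PERMISSIVE_HELLO = wrap_extensions(build_elliptic_curves_extension([25, 24, 23, 8]))

if __name__ == "__main__":
    for name, block in (("suite-b", SUITE_B_HELLO), ("permissive", PERMISSIVE_HELLO)):
        curves = parse_named_curves(parse_extensions(block)[EXT_ELLIPTIC_CURVES])
        print(name, curves, "violations:", suite_b_violations(curves))
```

Running the module prints the decoded curve list for each constructed sample and which ids would make a Suite B server reject the hello; pointing the parser at the extensions block of a real ClientHello shows directly whether a given client build restricts its list or, as the thread describes for 1.0.1, advertises its whole curve set.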