On Tue, May 08, 2012, Jan Just Keijser wrote:

> hello list,
> 
> we're trying to add ECDH/ECDSA support to OpenVPN and we have run
> into a question we cannot easily answer ourselves:
> 
> we're using SSL_CTX_set_tmp_ecdh to add an ECDH curve to your
> server-side SSL CTX object; this is very similar to the DH
> parameters which are added using SSL_CTX_set_tmp_dh. We do *not* add
> a 'set_tmp_dh_callback' to the server SSL CTX, as the DH parameter
> file is static.
> The question is: does the same apply to the
> SSL_CTX_set_tmp_ecdh/SSL_CTX_set_tmp_ecdh_callback function?
> Or do we need to add callbacks, similar to the way RSA callbacks
> are added, as done in the s_server.c code?
> 
> A more general question is where we can read up on all this :) ?
> 
> many thanks in advance,
> 

ECDH parameters aren't exactly the same as DH.

For DH, generating parameters is a time-consuming process, and so servers allow
an external file to load DH parameters from.

With ECDH the parameters are normally from a set of hard-coded named curves, so
"parameter generation" just involves looking them up. It is practical for a
server to just load and use them as required, but that isn't supported in
OpenSSL before 1.0.2.

So what you could do is provide an option to set ECDH parameters from a file
and have a fallback for a common set, P-256 is a good choice for example. That
can be done very simply with something like this:

#include <openssl/ssl.h>   /* pulls in EC_KEY_new_by_curve_name and the NID_* names */

EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == NULL) {
    /* error: curve lookup failed, report it and do not continue */
}
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh); /* SSL_CTX_set_tmp_ecdh keeps its own copy of the key */

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
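An added example, not part of Steve's reply or of OpenSSL's or OpenVPN's own code: the same "configured curve, P-256 fallback" logic written against Python's ssl module, which binds the OpenSSL calls discussed above (SSLContext.set_ecdh_curve does EC_KEY_new_by_curve_name plus SSL_CTX_set_tmp_ecdh, or the groups API on newer OpenSSL; load_dh_params does SSL_CTX_set_tmp_dh). Python does not expose loading EC parameters from a file, so the configurable part here is a list of curve names; the function names, the curve list and the "no-such-curve" value are constructed for the example.

```python
import ssl

# Fallback when nothing usable is configured: P-256, whose OpenSSL short
# name is "prime256v1" (NID_X9_62_prime256v1 in the C snippet above).
DEFAULT_ECDH_CURVE = "prime256v1"


def new_server_context():
    """A fresh server-side context, the Python counterpart of an SSL_CTX."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def configure_ecdh(ctx, preferred_curves=(), fallback=DEFAULT_ECDH_CURVE):
    """Install an ECDH curve on ctx, trying the configured names in order.

    An unknown name makes set_ecdh_curve raise ValueError, which is the
    'ecdh == NULL' case of EC_KEY_new_by_curve_name in C.  The curve is set
    once on the context; no per-handshake callback is involved, just as with
    static DH parameters.  Returns the name that was actually installed.
    """
    for name in preferred_curves:
        try:
            ctx.set_ecdh_curve(name)
            return name
        except ValueError:
            continue  # not a curve this OpenSSL build knows; try the next one
    ctx.set_ecdh_curve(fallback)
    return fallback


def configure_dh(ctx, dh_params_path=None):
    """Load static DH parameters from a PEM file (SSL_CTX_set_tmp_dh).

    Returns True when a file was loaded, False when DH is left unconfigured.
    The parameters never change at run time, so no callback is needed.
    """
    if dh_params_path is None:
        return False
    ctx.load_dh_params(dh_params_path)  # raises ssl.SSLError on a bad file
    return True


def build_server_context(ecdh_curves=(), dh_params_path=None):
    """Build a server context with ECDH always available and DH optional.

    Returns (ctx, ecdh_curve_used, dh_loaded) so callers can log what was
    actually configured.
    """
    ctx = new_server_context()
    curve = configure_ecdh(ctx, ecdh_curves)
    dh_loaded = configure_dh(ctx, dh_params_path)
    return ctx, curve, dh_loaded


if __name__ == "__main__":
    # Constructed configuration: the first name is deliberately not a curve,
    # so the second one is used; with no usable names P-256 is installed.
    _, used, _ = build_server_context(ecdh_curves=["no-such-curve", "secp384r1"])
    print("ECDH curve in use:", used)
    _, used, _ = build_server_context(ecdh_curves=["no-such-curve"])
    print("ECDH curve in use:", used)
```

The context a caller actually serves with still needs a certificate and key (load_cert_chain); the example stops at the parameter set-up the mail is about.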