On Wed, May 09, 2012, Jan Just Keijser wrote:
> thank you for the quick reply. The code we currently use is very similar:
> nid = OBJ_sn2nid(curve_name);
>
> if (nid == 0)
>   msg(M_SSLERR, "unknown curve name (%s)", curve_name);
> else
>   {
>     ecdh = EC_KEY_new_by_curve_name(nid);
>     if (ecdh == NULL)
>       msg (M_SSLERR, "Unable to create curve (%s)", curve_name);
>     else
>       {
>         const char *sname;
>
>         if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh))
>           msg (M_SSLERR, "SSL_CTX_set_tmp_ecdh: cannot add curve");
>
>
> this is for the OpenVPN server (listening) process; what we are not
> sure about is whether this is sufficient for a client-server
> architecture: would it be necessary to add different 'ecdh' objects
> for each client (e.g. using the set_tmp_ecdh_callback function)? Or
> is a single 'ecdh' object for the server sufficient?
>
No code is needed on the client: it uses the parameters the server
specifies.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org