Hi Steve,

Dr. Stephen Henson wrote:
> On Wed, May 09, 2012, Jan Just Keijser wrote:
>> thank you for the quick reply. The code we currently use is very similar:
>>
>>     /* Resolve the configured curve's short name (e.g. "secp384r1") to an OpenSSL NID */
>>     nid = OBJ_sn2nid(curve_name);
>>
>>     if (nid == 0)
>>       msg(M_SSLERR, "unknown curve name (%s)", curve_name);
>>     else
>>       {
>>         /* Create an EC_KEY that carries only the curve parameters (no key pair yet) */
>>         ecdh = EC_KEY_new_by_curve_name(nid);
>>         if (ecdh == NULL)
>>           msg(M_SSLERR, "Unable to create curve (%s)", curve_name);
>>         else
>>           {
>>             const char *sname; /* used further down; that part is not quoted here */
>>
>>             /* Install the curve as the ephemeral ECDH parameters of the server's SSL_CTX */
>>             if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh))
>>               msg(M_SSLERR, "SSL_CTX_set_tmp_ecdh: cannot add curve");
>>             /* ... remainder of the block not quoted ... */
>>           }
>>       }
>>
>> this is for the OpenVPN server (listening) process; what we are not
>> sure about is whether this is sufficient for a client-server
>> architecture: would it be necessary to add different 'ecdh' objects
>> for each client (e.g. using the set_tmp_ecdh_callback function)? Or
>> is a single 'ecdh' object for the server sufficient?
>
> No code is needed on the client: it uses the parameters the server
> specifies.

Yes I realize that the client does not need any code change.
My bad again, for not correctly phrasing the comment/question: if
multiple clients connect to the same server, would I then need to use
multiple 'ecdh' parameters/objects on the server? For old-style 'dh'
parameters this is usually not the case, but I'm not sure about 'ecdh'
parameters.
many thanks,
JJK / Jan Just Keijser
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]