On Fri, Nov 01, 2013, Rob Stradling wrote:

> Hi. When I build the latest development version of httpd or nginx
> against the OpenSSL_1_0_2-stable branch, the ECDHE-RSA and
> ECDHE-ECDSA ciphers don't work. With both webservers, I can get
> these ciphers to work by either...
> 1. Deleting: SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
> or
> 2. Adding: SSL_CTX_set_ecdh_auto(ctx, 1);
>
> Should it still be possible to manually configure ECDH keys using
> SSL_CTX_set_tmp_ecdh() in 1_0_2?
> If so, any ideas why it isn't working? Is there a bug in
> OpenSSL_1_0_2-stable? Or are both httpd and nginx doing something
> wrong?
>

I think it's a bug in OpenSSL 1.0.2. It shouldn't break anything that works
in previous versions, at least not without a very good reason. I'll look
into it.

> Or, is "SSL_CTX_set_ecdh_auto(ctx, 1);" the only supported way of
> doing it in 1_0_2?
>

It's the preferred way as it just does the right thing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
