hey folks-- I'm working on a set of patches that will hopefully normalize the terminology for PFS key exchange within OpenSSL to the terms that the rest of the world uses. (Keeping backward compatibility is one of my goals too, of course).
In particular, I'm concerned that when the rest of the world (including the TLS RFCs) talks about DHE and ECDHE, OpenSSL sometimes (but not always!) talks about EDH and EECDH. PFS is confusing enough without this. I note that ssl/tls1.h says:

    561 /* XXX
    562  * Inconsistency alert:
    563  * The OpenSSL names of ciphers with ephemeral DH here include the string
    564  * "DHE", while elsewhere it has always been "EDH".
    565  * (The alias for the list of all such ciphers also is "EDH".)
    566  * The specifications speak of "EDH"; maybe we should allow both forms
    567  * for everything. */

I'm unclear particularly about line 566. Which specifications speak of "EDH"? RFC 2246 (TLS 1.0), RFC 4346 (TLS 1.1), and RFC 5246 (TLS 1.2) all say only DHE, and never mention EDH. The retrospective RFC 6101 (SSL 3.0) also mentions DHE but not EDH. So which specifications does line 566 refer to?

--dkg