This set of patches normalizes the terminology for Perfect Forward
Secrecy key exchange within OpenSSL to the terms used by standards
bodies and other implementations, while keeping backward compatibility
for existing configurations and other inputs.

The relevant RFCs and other implementations refer to Diffie-Hellman
ephemeral key exchange as "DHE" (and its elliptic curve variant as
"ECDHE").  OpenSSL uses this terminology in some places, but it also
uses "EDH" and "EECDH" in others.  This confusion makes it harder for
administrators to understand how to select these key exchange mechanisms.

For example, there is a ciphersuite that OpenSSL calls
EDH-RSA-DES-CBC3-SHA, and another one called DHE-RSA-AES128-SHA, whose
only difference is the choice of the cipher.

Another example is that "openssl ciphers -v EECDH" emits no
ciphersuites named with "EECDH" in them, but rather produces all
"ECDHE" strings.  And "openssl ciphers -v ECDHE" fails with "Error in
cipher list".

This series of changesets standardizes OpenSSL's input, API, and
output on the standard names (DHE and ECDHE) while retaining backward
compatibility for string input and API for the older EDH and EECDH
terminology.

OpenSSL's textual output is changed only in two places:

 * packet traces will emit "ECDHE" for key exchange where it used to
   emit "EECDH", and "DHE" where it used to emit "EDH".

 * the six full ciphersuite strings that used to print "EDH-" in their
   titles now print "DHE-" instead.

All test suites should pass, and there should be no ABI changes.  The
only API addition is the introduction of new "DHE" #defines that match
exactly the existing "EDH" #defines (the "EDH" #defines remain, of
course, aliased to the same values as the "DHE" #defines), and the
introduction of new text strings to match.

With this series applied, "openssl ciphers -v DHE:ECDHE" should produce
the same output as "openssl ciphers -v EDH:EECDH", and all DHE ciphersuites
should have the string "DHE" in their name.


 doc/apps/ciphers.pod                     |  26 ++---
 doc/ssl/SSL_CIPHER_get_name.pod          |   4 +-
 doc/ssl/SSL_CTX_set_cipher_list.pod      |   2 +-
 doc/ssl/SSL_CTX_set_options.pod          |   2 +-
 doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod |   2 +-
 doc/ssleay.txt                           |  14 +--
 ssl/d1_srvr.c                            |   4 +-
 ssl/s3_clnt.c                            |  12 +--
 ssl/s3_lib.c                             | 162 +++++++++++++++----------------
 ssl/s3_srvr.c                            |  18 ++--
 ssl/ssl.h                                |  12 ++-
 ssl/ssl3.h                               |  29 ++++--
 ssl/ssl_ciph.c                           |  55 +++++++----
 ssl/ssl_lib.c                            |  14 +--
 ssl/ssl_locl.h                           |   8 +-
 ssl/t1_lib.c                             |   6 +-
 ssl/t1_trce.c                            |  20 ++--
 ssl/tls1.h                               |  12 +--
 18 files changed, 222 insertions(+), 180 deletions(-)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

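As an added illustration (not part of the e-mail above and not code from OpenSSL or from the patch series), the following Python models the behaviour the cover letter describes: a cipher string is resolved against a suite table in which both the standard and the legacy key-exchange alias select the same suites, and a renamed suite keeps its old spelling as an accepted input. The suite table is a constructed subset, and the field names (kx, au, enc, mac) and the helpers `resolve`, `describe` and `dhe_names_consistent` are this model's own, not OpenSSL's API.

```python
"""Toy model of OpenSSL-style cipher-string resolution with key-exchange
aliases.  Added for this page; not code from OpenSSL or from the patch
series.  The suite table is a constructed subset and the field names
(kx, au, enc, mac) and helper names are this model's own.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Suite:
    name: str                            # name printed after the rename
    kx: str                              # key exchange: "RSA", "DHE" or "ECDHE"
    au: str                              # authentication
    enc: str                             # bulk cipher
    mac: str                             # MAC
    legacy_names: Tuple[str, ...] = ()   # older spellings still accepted as input


# Constructed subset of a 1.0.x-era table.  Only the two names quoted in the
# cover letter are taken from it; the other entries are illustrative.
SUITES = (
    Suite("DHE-RSA-DES-CBC3-SHA", "DHE", "RSA", "3DES(168)", "SHA1",
          legacy_names=("EDH-RSA-DES-CBC3-SHA",)),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES(128)", "SHA1"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDHE", "RSA", "AES(128)", "SHA1"),
    Suite("AES128-SHA", "RSA", "RSA", "AES(128)", "SHA1"),
)

# Standard and legacy aliases for the same key exchange resolve to one kx
# value, which is what keeps "EDH:EECDH" equivalent to "DHE:ECDHE".
KX_ALIASES = {"DHE": "DHE", "EDH": "DHE", "ECDHE": "ECDHE", "EECDH": "ECDHE"}


def _match(word: str) -> List[Suite]:
    """Suites selected by one cipher-string word; [] if the word is unknown."""
    if word in KX_ALIASES:
        kx = KX_ALIASES[word]
        return [s for s in SUITES if s.kx == kx]
    return [s for s in SUITES if word == s.name or word in s.legacy_names]


def resolve(cipher_string: str) -> List[str]:
    """Return the suite names a cipher string selects, in order.

    Supports plain words (add) and '!word' (delete permanently), enough to
    show the alias behaviour; OpenSSL's real grammar has more operators.
    Unknown words are skipped.  An empty result raises ValueError, which is
    the situation where 'openssl ciphers' reports "Error in cipher list".
    """
    selected: List[Suite] = []
    killed = set()
    for word in cipher_string.split(":"):
        if not word:
            continue
        kill = word.startswith("!")
        for s in _match(word.lstrip("!")):
            if kill:
                killed.add(s.name)
            elif s not in selected:
                selected.append(s)
    names = [s.name for s in selected if s.name not in killed]
    if not names:
        raise ValueError("Error in cipher list")
    return names


def describe(cipher_string: str) -> List[str]:
    """One line per selected suite in the style of 'openssl ciphers -v'."""
    by_name = {s.name: s for s in SUITES}
    return [f"{n} Kx={by_name[n].kx} Au={by_name[n].au} "
            f"Enc={by_name[n].enc} Mac={by_name[n].mac}"
            for n in resolve(cipher_string)]


def dhe_names_consistent(suites=SUITES) -> bool:
    """True if every suite whose key exchange is DHE carries 'DHE' in its name."""
    return all("DHE" in s.name for s in suites if s.kx == "DHE")


if __name__ == "__main__":
    for line in describe("DHE:ECDHE"):
        print(line)
```

The check a reviewer of such a rename would want is the last function: after the rename, the set of suites selected by the DHE alias and the set of suites whose printed name contains "DHE" coincide, while the old EDH spelling of both the alias and the individual suite name still resolves to the same entries.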