This set of patches normalizes the terminology for Perfect Forward
Secrecy key exchange within OpenSSL to the terms used by standards
bodies and other implementations, while keeping backward compatibility
for existing configurations and other inputs.

The relevant RFCs and other implementations refer to Diffie-Hellman
ephemeral key exchange as "DHE" (and its elliptic curve variant as
"ECDHE").  OpenSSL uses this terminology in some places, but it also
uses "EDH" and "EECDH" in others.  This confusion makes selecting
these key exchange mechanisms harder for administrators to understand.

For example, there is a ciphersuite that openssl calls
EDH-RSA-DES-CBC3-SHA, and another one called DHE-RSA-AES128-SHA, whose
only difference is the choice of the cipher.

Another example is that "openssl ciphers -v EECDH" emits no
ciphersuites named with "EECDH" in them, but rather produces all
"ECDHE" strings.  And "openssl ciphers -v ECDHE" fails with "Error in
cipher list".

This series of changesets standardizes OpenSSL's input, API, and
output on the standard names (DHE and ECDHE) while retaining backward
compatibility for string input and API for the older EDH and EECDH

OpenSSL's textual output is changed only in two places:

 * packet traces will emit "ECDHE" for key exchange where it used to
   emit "EECDH", and "DHE" where it used to emit "EDH".

 * the six full ciphersuite strings that used to print "EDH-" in their
   titles now print "DHE-" instead.

All test suites should pass, and there should be no ABI changes.  The
only API addition is the introduction of new "DHE" #defines that match
exactly the existing "EDH" #defines (the "EDH" #defines remain, of
course, aliased to the same values as the "DHE" #defines), and the
introduction of new text strings to match.

With this series applied, "openssl cipher -v DHE:ECDHE" should produce
the same output as "openssl -v EDH:EECDH", and all DHE ciphersuites
should have the string "DHE" in their name.

 doc/apps/ciphers.pod                     |  26 ++---
 doc/ssl/SSL_CIPHER_get_name.pod          |   4 +-
 doc/ssl/SSL_CTX_set_cipher_list.pod      |   2 +-
 doc/ssl/SSL_CTX_set_options.pod          |   2 +-
 doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod |   2 +-
 doc/ssleay.txt                           |  14 +--
 ssl/d1_srvr.c                            |   4 +-
 ssl/s3_clnt.c                            |  12 +--
 ssl/s3_lib.c                             | 162 +++++++++++++++----------------
 ssl/s3_srvr.c                            |  18 ++--
 ssl/ssl.h                                |  12 ++-
 ssl/ssl3.h                               |  29 ++++--
 ssl/ssl_ciph.c                           |  55 +++++++----
 ssl/ssl_lib.c                            |  14 +--
 ssl/ssl_locl.h                           |   8 +-
 ssl/t1_lib.c                             |   6 +-
 ssl/t1_trce.c                            |  20 ++--
 ssl/tls1.h                               |  12 +--
 18 files changed, 222 insertions(+), 180 deletions(-)

OpenSSL Project                       
Development Mailing List             
Automated List Manager                 

Reply via email to