On 2009.10.28 at 11:05:22 -0400, Victor Duchovni wrote:

> On Wed, Oct 28, 2009 at 04:06:07PM +0300, Victor B. Wagner wrote:
> 
> > But for some setups, especially in OpenSSL 1.0, which supports EC
> > ciphersuites, dh parameters are not necessary.
> 
> This is not entirely accurate, one still needs to designate an ECDH
> curve for ECDHE ciphers. Postfix code for this:

A curve is not DH parameters. It is a quite different dataset
(and often expressed as just an OID, not actual curve data).


> > file, add ':!DH' to the end of ciphersuite list, thus restricting
> > application to the ciphersuites which do not need tmp DH parameters.
> > (which may result in empty cipher list and failure to start).
> 
> More precise is "!kEDH", and IIRC OpenSSL does not offer kEDH ciphers
> on the wire, when no parameters are provided by the application.

The question is: should we make the user immediately aware of this
restriction while parsing the configuration?

If the user specifies a DSA key only, it is fatal.
If the user specifies an RSA key only, half of the otherwise available
suites are left.


> DTRT! When no parameters are provided, don't include kEDH ciphers in
> the list of available ciphers, regardless of the user-specified cipherlist.

I think that it is not a very good idea to SILENTLY cut off a lot of good
ciphersuites.

And obviously a fatal configuration error if some of these ciphersuites
were explicitly specified by the user in the cipher list.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org