On Tue, Jul 01, 2014, Jeffrey Walton wrote: > Ah, my bad. If keylength is greater than 512, then I translate it from > DH/RSA to EC sizes. Then I drop into that code. > > 512 is an edge case: is it DH/RSA 512; or is it effectively P-521? > > Right now, I think I have that all defined out with `#define 0` and > simply use P-256 to maximize interop. >
The ecdh callback code is a bit of a mess. It followed the symantics of DH which don't fit well with ECDH. It has the form: EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize); where is_export indicates whether it is an export length cipher suite and keysize is the algorithm strength of the selected ciphersuite. That parameter isn't any help as what you really need to know if the set of curves supported by the peer. If you return a curve the peer doesn't support the handshake will typically be aborted. For that reason it's usual to avoid the ecdh callback altogether and just specify a commonly supported curve such as P-256 and pass it to SSL_CTX_set_tmp_ecdh. Then if the peer doesn't support that curve ECDH is disabled and a ciphersuite not using ECDH will be used instead. OpenSSL 1.0.2 fixes this ugliness: you just call SSL_CTX_set_ecdh_auto(ctx, 1) and the highest preference common curve is automatically used. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org