Hi, I re-send this patch as it proved to be somewhat helpful.
It would be great to reach a level where it can actually be used. I guess a configuration option should be added to make it optional and remove the hard-coded curve? Regards, Alon Bar-Lev. On Tue, Nov 12, 2013 at 12:27 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote: > From: Jan Just Keijser <janj...@nikhef.nl> > > Discussion: https://forums.openvpn.net/topic8404-30.html > Tested-By: Sanaullah <sanaulla...@gmail.com> > --- > src/openvpn/ssl_openssl.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index f64177a..665bb5c 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -309,6 +309,7 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const > char *dh_file, > { > DH *dh; > BIO *bio; > + EC_KEY *ecdh=NULL; > > ASSERT(NULL != ctx); > > @@ -336,6 +337,16 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const > char *dh_file, > 8 * DH_size (dh)); > > DH_free (dh); > + > + ecdh = EC_KEY_new_by_curve_name(NID_secp224r1); > + > + if (ecdh == NULL) > + msg (M_SSLERR, "Unable to create curve (NID_secp224r1)"); > + > + if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh)) > + msg (M_SSLERR, "SSL_CTX_set_tmp_ecdh"); > + > + EC_KEY_free(ecdh); > } > > int > -- > 1.8.3.2 >
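Review bot: in the first hunk (the `@@ -309,6 +309,7 @@` block), the new declaration `EC_KEY *ecdh=NULL;` drops the spaces around `=` that the surrounding code uses (compare `ASSERT(NULL != ctx);` and `DH_free (dh);` a few lines on); suggest `EC_KEY *ecdh = NULL;` so the declaration matches the file's style. The `NULL` initialiser is harmless but not needed, since `ecdh` is assigned by `EC_KEY_new_by_curve_name` before its first use in the second hunk.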
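Review bot: in the second hunk (the `@@ -336,6 +337,16 @@` block) the curve is hard-coded to `NID_secp224r1` with no way to pick a different curve or to disable the ECDH setup, which the cover message itself flags as the blocker for merging; suggest reading the curve name from a new configuration option and resolving it with `OBJ_sn2nid()` (falling back to an error message that names the unknown curve), and skipping the whole block when the option is unset. Two further points on placement and messages: because the code runs at the end of `tls_ctx_load_dh_params`, the ephemeral ECDH key is only installed when a DH parameter file (`dh_file`) is being loaded, so an ECDHE-capable configuration still depends on `--dh` being present; that coupling should at least be documented in the commit message, or the block moved into its own `tls_ctx_load_ecdh_params`-style helper called from the same place as the DH loader. The second error string, `"SSL_CTX_set_tmp_ecdh"`, is just the function name; `"Unable to set ECDH parameters (NID_secp224r1)"` would match the first message and tell an operator what actually failed. Freeing `ecdh` immediately after `SSL_CTX_set_tmp_ecdh` succeeds is correct, since the SSL context keeps its own copy of the key.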