[openssl-users] SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

Viktor Dukhovni openssl-users at dukhovni.org
Sun May 14 20:16:56 UTC 2017


> On May 13, 2017, at 11:48 AM, Massimo G. <sberla81 at hotmail.com> wrote:
> 
> Hi all,
> my 'openssl version' is "1.0.2k-fips".
> The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).
> 
> 1) Shouldn't I use that function?

You may, but SSL_CTX_set_ecdh_auto() is a better choice, since it picks the
curve based on the client's list of supported curves.  You can set the list
of curves supported on your end via SSL_CTX_set1_curves() which takes a list
of "nids".  IIRC you should first check that all the "nids" are supported,
before configuring the final list.

Postfix setups the nid array, from a list of names as follows:

    while ((curve = mystrtok(&curves, CHARS_COMMA_SP)) != 0) {
        int     nid = EC_curve_nist2nid(curve);

        if (nid == NID_undef)
            nid = OBJ_sn2nid(curve);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(curve);
        if (nid == NID_undef) {
            msg_warn("ignoring unknown \"auto\" ECDHE curve \"%s\"",
                     curve);
            continue;
        }

        /*
         * Validate the NID by trying it as the sole EC curve for a
         * throw-away SSL context.  Silently skip unsupported code points.
         * This way, we can list X25519 and X448 as soon as the nids are
         * assigned, and before the supporting code is implemented.  They'll
         * be silently skipped when not yet supported.
         */
        if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
            ++unknown;
            continue;
        }
        if (++n > space) {
            space *= 2;
            nids = myrealloc(nids, space * sizeof(int));
        }   
        nids[n - 1] = nid;
    }

> 2) Why isn't it listed in the manpages?

Someone has to contribute the manpage.

> 
> 3) Should I refer to a different Manpages version? If so, why?

The documentation is in better shape in 1.1.0 and continues to
improve.

-- 
	Viktor.



More information about the openssl-users mailing list