[openssl-users] Authentication over ECDHE

Viktor Dukhovni openssl-users at dukhovni.org
Sat Dec 29 20:32:09 UTC 2018


> On Dec 29, 2018, at 8:19 AM, C.Wehrmeyer <c.wehrmeyer at gmx.de> wrote:
> 
> OK, so I've been reading the mails before going to sleep and spent some time thinking and researching about this, and I've come to a conclusion: OpenSSL is a goddamn mess, SSL_clear() is pretty much superfluous, and as such shouldn't exist.
> 
> Why? Well, to quote Viktor here:
> 
> > DO NOT reuse the same SSL handle for multiple connections,

I said it, neither because it can't be done, nor because it is
incompatible with session caching, or has anything to do with
ephemeral key agreement (which works just fine even with
session resumption), but simply because it is easier for a
beginner to get the code working without SSL handle re-use.

Once you have everything else working, and have become
more adept with use of the library, you can add connection
handle re-use and measure the performance impact.  If it
makes a significant difference, then invest in maintaining
slightly more complex code to get the advantage.

That's all I can offer in light of the bellicose rant, ... :-(
Good luck.

-- 
	Viktor.


