[openssl-users] OpenSSL 1.0.1 branch : setting Diffie Hellman Elliptic curve name via SSL_set_tmp_ecdh and EC_KEY_new_by_curve_name
Sreekanth Sukumaran
sreeees at gmail.com
Thu Nov 3 11:30:51 UTC 2016
Hi All,
In our project, we are currently supporting two branches of OpenSSL (1.0.1
and 1.0.2).
Recently we had a requirement to enable elliptic curve Diffie-Hellman; we
see that in the OpenSSL 1.0.2 branch, we can use the function below to enable ECDH:
/* Set automatic curve selection for server ssl to onoff. If onoff is 1 then
   the highest preference curve is automatically used for ECDH temporary keys
   used during key exchange. */
(void)SSL_set_ecdh_auto(ssl, 1);
However, in OpenSSL 1.0.1 the ECDH curve name has to be explicitly set by
the calling function. We researched this, and in one of the examples
in the OpenSSL wiki at
https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman
we found that "NID_X9_62_prime256v1" is used.
Hence for OpenSSL 1.0.1, we have the implementation below:
EC_KEY *sECDH = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); /* secp256r1 curve, referred to as prime256v1 */
if (sECDH == NULL) { /* handle the error: curve not available in this build */ }
(void)SSL_set_tmp_ecdh(ssl, sECDH);
EC_KEY_free(sECDH); /* SSL_set_tmp_ecdh duplicates the key, so the caller frees its own copy */
However, we are wondering whether there is any recommendation for the
choice of the named elliptic curve. Is any particular curve recommended? Any
suggestions in this regard are much appreciated.
--
Regards,
Sreekanth
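As an added example, not taken from the post above or from OpenSSL's own sources, the same decision of pinning a named curve for ephemeral ECDH on a TLS server context is shown here using Python's standard-library ssl module, which drives OpenSSL underneath. It goes slightly beyond the post: it also shows the failure mode (an unknown curve short name is rejected rather than silently ignored) and a preference-ordered fallback across candidate curves. The helper names, the candidate list and the bogus curve name are constructed for this example.

```python
import ssl

# Constructed preference list for this example: the curve the post picks
# (prime256v1 / secp256r1) first, then a second widely supported NIST curve.
PREFERRED_CURVES = ("prime256v1", "secp384r1")


def make_server_context():
    """Build a TLS server context; the ECDH curve is configured separately below."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def configure_ecdh_curve(ctx, curve_name):
    """Pin the named curve used for ephemeral ECDH on this context.

    Returns True when the underlying OpenSSL build knows the curve and the
    setting took effect, False when the short name is not recognised.
    This mirrors the explicit-curve path of the 1.0.1 code in the post,
    where the caller chooses the curve instead of relying on automatic
    selection.
    """
    if not ssl.HAS_ECDH:
        # OpenSSL built without EC support: nothing can be configured.
        return False
    try:
        ctx.set_ecdh_curve(curve_name)
    except ValueError:
        # Unknown short name: rejected by the OpenSSL curve lookup.
        return False
    return True


def configure_first_supported(ctx, candidates=PREFERRED_CURVES):
    """Try candidate curves in preference order.

    Returns the first curve name the context accepted, or None when none of
    the candidates is available, so the caller can fail closed instead of
    running with an unintended default.
    """
    for name in candidates:
        if configure_ecdh_curve(ctx, name):
            return name
    return None


if __name__ == "__main__":
    ctx = make_server_context()
    chosen = configure_first_supported(ctx)
    print("ECDH curve configured:", chosen)
    print("bogus name accepted:", configure_ecdh_curve(ctx, "not-a-real-curve"))
```

The context-level call replaces the per-connection SSL_set_tmp_ecdh used in the post; the choice itself (a single named curve, checked for availability) is the same.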