[openssl-users] SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k
Viktor Dukhovni
openssl-users at dukhovni.org
Sun May 14 20:16:56 UTC 2017
> On May 13, 2017, at 11:48 AM, Massimo G. <sberla81 at hotmail.com> wrote:
>
> Hi all,
> my 'openssl version' is "1.0.2k-fips".
> The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).
>
> 1) Shouldn't I use that function?
You may, but SSL_CTX_set_ecdh_auto() is a better choice, since it picks the
curve based on the client's list of supported curves. You can set the list
of curves supported on your end via SSL_CTX_set1_curves() which takes a list
of "nids". IIRC you should first check that all the "nids" are supported,
before configuring the final list.
Postfix setups the nid array, from a list of names as follows:
while ((curve = mystrtok(&curves, CHARS_COMMA_SP)) != 0) {
int nid = EC_curve_nist2nid(curve);
if (nid == NID_undef)
nid = OBJ_sn2nid(curve);
if (nid == NID_undef)
nid = OBJ_ln2nid(curve);
if (nid == NID_undef) {
msg_warn("ignoring unknown \"auto\" ECDHE curve \"%s\"",
curve);
continue;
}
/*
* Validate the NID by trying it as the sole EC curve for a
* throw-away SSL context. Silently skip unsupported code points.
* This way, we can list X25519 and X448 as soon as the nids are
* assigned, and before the supporting code is implemented. They'll
* be silently skipped when not yet supported.
*/
if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
++unknown;
continue;
}
if (++n > space) {
space *= 2;
nids = myrealloc(nids, space * sizeof(int));
}
nids[n - 1] = nid;
}
> 2) Why isn't it listed in the manpages?
Someone has to contribute the manpage.
>
> 3) Should I refer to a different Manpages version? If so, why?
The documentation is in better shape in 1.1.0 and continues to
improve.
--
Viktor.
More information about the openssl-users
mailing list