Hi David,

On Wed, Apr 13, 2016 at 03:19:45PM -0500, David Martin wrote:
> This is my first attempt at a patch, I'd love to get some feedback on this.
>
> Adds support for SSL_CTX_set_ecdh_auto which is available in OpenSSL 1.0.2.

> From 05bee3e95e5969294998fb9e2794ef65ce5a6c1f Mon Sep 17 00:00:00 2001
> From: David Martin <dmart...@gmail.com>
> Date: Wed, 13 Apr 2016 15:09:35 -0500
> Subject: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection
>
> Use SSL_CTX_set_ecdh_auto if the OpenSSL version supports it, this
> allows the server to negotiate ECDH curves much like it does ciphers.
> Preferred curves can be specified using the existing ecdhe bind options
> (ecdhe secp384r1:prime256v1)

Could it have a performance impact? I mean, may this allow a client to
force the server to use curves that imply harder computations for example?
I'm asking because some people got seriously hit by the move from dhparm
1024 to 2048, so if this can come with a performance impact we possibly
want to let the user configure it.

Thanks,
Willy