On 11/21/11 3:16 PM, Dr. Stephen Henson wrote:
> On Mon, Nov 21, 2011, Charles Owens wrote:
>
>> I'm trying to make sure I completely understand the situation with
>> respect to the "TLS ephemeral ECDH crash" issue (from
>> http://openssl.org/news/secadv_20110906.txt).
>>
>> Is it true that with 0.9.8r by default the related ciphersuites
>> (ECCdraft) are disabled?  If they were enabled, would they show up
>> as ECDH in the output of "openssl ciphers"?
>
> They aren't disabled at compile time but they need to be explicitly enabled
> with a custom ciphersuites string including the ECCdraft option.
>
>> My interpretation is that our build of 0.9.8r doesn't have the
>> issue, assuming that ECC isn't compiled in.  I'd appreciate any info
>> I might need to be 100% certain about this.
>>
>> Also, in case you're wondering, moving to 1.0.0.e isn't currently an
>> option (we're using 0.9.8r + FIPS).
>
> If you are actually enabling FIPS mode then ECC ciphersuites will always be
> disabled in 0.9.8 because the algorithm is not part of the 1.2.x validation
> and unapproved ciphersuites are disabled in FIPS mode.
>
> That happens in FIPS mode even if you do include ECCdraft in the cipherstring.
>
> Steve.


Thanks!   -- Charles

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
