Thanks Steve for the response. That was very useful information.

Thanks
Varma

On Thu, Aug 23, 2012 at 6:05 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Wed, Aug 22, 2012, Varma Dantuluri wrote:
>
> > Hi
> >
> > We are in the process of adding support for ECDSA-ECDHE cipher suites and
> > hence ECDSA certificates to our server.
> >
> > Right now, the server does the following:
> >
> > 1) Assign the ECDSA certificate to the SSL_CTX.
> > 2) Set the callback for ECDH parameter generation using
> > SSL_CTX_set_tmp_ecdh_callback.
> >
> > In ssl3_send_server_key_exchange, when this callback is called, the value
> > of 'keylength' parameter is always either 512 or 1024. Shouldn't 'keylength'
> > have the curve name or id in the case of ECDH? Are we doing something wrong
> > here?
> >
>
> No, it's a limitation in some versions of OpenSSL. You basically have to pick
> a curve you think the peer will support, P-256 is usually a safe choice. If
> the peer doesn't support it then ECDHE will be disabled. You might as well
> set the curve using SSL_CTX_set_tmp_ecdh instead of the callback.
>
> This is fixed in the development version of OpenSSL: for that you can just set
> it to automatically use the right curve based on client and server
> preferences.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
