On Sat, Feb 21, 2015 at 11:02 PM, Andrew Z wrote:
> I hope someone had a chance to create an rpm for openssl that has all curves
> and doesn't mind sharing the srpm.
You just conjured an amazing image involving, well, "all curves".
> Or maybe help me out by explaining what I need to enable in the config of
> openssl to get them (curves) included. Currently I use this:
>
> + ./Configure --prefix=/usr --openssldir=/etc/pki/tls
> --system-ciphers-file=/etc/crypto-policies/back-ends/openssl.config zlib
> enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2
> no-mdc2 no-rc5 no-gost no-srp --with-krb5-flavor=MIT
> --enginesdir=/usr/lib64/openssl/engines --with-krb5-dir=/usr shared linux-x86_64
> fips
> Configuring for linux-x86_64
> no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
> no-gmp [default] OPENSSL_NO_GMP (skip dir)
> no-gost [option] OPENSSL_NO_GOST (skip dir)
> no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
> no-mdc2 [option] OPENSSL_NO_MDC2 (skip dir)
> no-rc5 [option] OPENSSL_NO_RC5 (skip dir)
> no-rsax [forced] OPENSSL_NO_RSAX (skip dir)
> no-sctp [default] OPENSSL_NO_SCTP (skip dir)
> no-srp [option] OPENSSL_NO_SRP (skip dir)
> no-store [experimental] OPENSSL_NO_STORE (skip dir)
> no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
> no-zlib-dynamic [default]
> IsMK1MF=0
> CC=gcc
>
>
> Crypto is completely out of my league and I'm 99.9% sure I do _not_ know
> what I'm talking about ...
And this looks like a really, really bad idea. Not in the sense of
enabling all the curves you want, but in the sense of breaking every
SSL-based system tool that might generally be willing to use other
types of cryptography. This will mean that your SSL-based *clients*
will not be able to interoperate with public applications and sites
that use non-curve cryptography. Why would you want this?