Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-20 Thread Willy Tarreau
On Tue, Apr 19, 2016 at 06:30:05PM +0200, Janusz Dziemidowicz wrote: > 2016-04-19 18:13 GMT+02:00 Emeric Brun : > > I don't know how the curve negotiation works, but i have some questions. > > > > What is the behavior if the SSL_CTX_set_ecdh_auto is used on server side > > and if > > the client do

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-19 Thread Janusz Dziemidowicz
2016-04-19 18:13 GMT+02:00 Emeric Brun : > I don't know how the curve negotiation works, but i have some questions. > > What is the behavior if the SSL_CTX_set_ecdh_auto is used on server side and > if > the client doesn't support the neg. > > In other words: > > Is it useful to set both SSL_CTX_s

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-19 Thread Emeric Brun
On 04/18/2016 11:23 PM, David Martin wrote: > On Mon, Apr 18, 2016 at 3:02 PM, Janusz Dziemidowicz > wrote: >> 2016-04-15 16:50 GMT+02:00 David Martin : >>> I have tested the current patch with the HAProxy default, a list of curves, >>> a single curve and also an incorrect curve. All seem to beha

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-18 Thread David Martin
atches > during a break at a day work;) > Seems ok for me now. Apart from the missing documentation changes;) > > -- > Janusz Dziemidowicz Added doc changes :) From f54632ab99e526ddb6d6acc26f6c1cb74b3c647d Mon Sep 17 00:00:00 2001 From: David Martin Date: Mon, 18 Apr 2016 16:10:13

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-18 Thread Janusz Dziemidowicz
2016-04-15 16:50 GMT+02:00 David Martin : > I have tested the current patch with the HAProxy default, a list of curves, > a single curve and also an incorrect curve. All seem to behave correctly. > The conditional should only skip calling ecdh_auto() if curves_list() > returns 0 in which case HAPr

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread David Martin
On Apr 15, 2016 4:24 AM, "Janusz Dziemidowicz" wrote: > > 2016-04-14 17:39 GMT+02:00 David Martin : > > Here's a revised patch, it throws a fatal config error if > > SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so > > current configurations should not be impacted. > > > > So

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-15 11:16 GMT+02:00 Pavlos Parissis : > But on server side you need openssl 1.1.0[1] which is not ready yet and > I think it requires changes on haproxy. Nginx has already some level of > support[2] for openssl 1.1.0. Sure, I didn't mean that it will work right now, but someday, somewhere i

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-14 17:39 GMT+02:00 David Martin : > Here's a revised patch, it throws a fatal config error if > SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so > current configurations should not be impacted. > > Sorry Janusz, forgot the list on my reply. I believe that now it is wr

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Pavlos Parissis
On 15/04/2016 10:58 πμ, Janusz Dziemidowicz wrote: > 2016-04-15 6:55 GMT+02:00 Willy Tarreau : >>> Switching ECDHE curves can have performance impact, for example result >>> of openssl speed on my laptop: >>> 256 bit ecdh (nistp256) 0.0003s 2935.3 >>> 384 bit ecdh (nistp384) 0.0027s36

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-15 6:55 GMT+02:00 Willy Tarreau : >> Switching ECDHE curves can have performance impact, for example result >> of openssl speed on my laptop: >> 256 bit ecdh (nistp256) 0.0003s 2935.3 >> 384 bit ecdh (nistp384) 0.0027s 364.9 >> 521 bit ecdh (nistp521) 0.0016s 623.2 >> The d

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-14 Thread Willy Tarreau
me feedback on this. > >> > >> Adds support for SSL_CTX_set_ecdh_auto which is available in OpenSSL 1.0.2. > > > >> From 05bee3e95e5969294998fb9e2794ef65ce5a6c1f Mon Sep 17 00:00:00 2001 > >> From: David Martin > >> Date: Wed, 13 Apr 2016 15:

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-14 Thread David Martin
available in OpenSSL 1.0.2. >>> >>>> From 05bee3e95e5969294998fb9e2794ef65ce5a6c1f Mon Sep 17 00:00:00 2001 >>>> From: David Martin >>>> Date: Wed, 13 Apr 2016 15:09:35 -0500 >>>> Subject: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve s

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-14 Thread Janusz Dziemidowicz
able in OpenSSL 1.0.2. > >> From 05bee3e95e5969294998fb9e2794ef65ce5a6c1f Mon Sep 17 00:00:00 2001 >> From: David Martin >> Date: Wed, 13 Apr 2016 15:09:35 -0500 >> Subject: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection >> >> Use SSL_CTX_set_ecd

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-14 Thread Willy Tarreau
Mon Sep 17 00:00:00 2001 > From: David Martin > Date: Wed, 13 Apr 2016 15:09:35 -0500 > Subject: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection > > Use SSL_CTX_set_ecdh_auto if the OpenSSL version supports it, this > allows the server to negotiate ECDH curves mu

[PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-13 Thread David Martin
PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection Use SSL_CTX_set_ecdh_auto if the OpenSSL version supports it, this allows the server to negotiate ECDH curves much like it does ciphers. Preferred curves can be specified using the existing ecdhe bind options (ecdhe secp384r1:prime256v1) ---