[Openvpn-devel] [PATCH 1/2] Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

2014-02-25 Thread Steffan Karger
This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2 or newer is used, it lets OpenSSL do the heavy lifting. Otherwise, it tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from
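The curve-selection order the commit message lists (a user-supplied curve first, then a curve taken from an existing key) as an added example; this is not OpenVPN's code and not the patch author's. It assumes, because the preview is cut off before saying so, that the curve is read from the EC SubjectPublicKeyInfo (SPKI) of the server certificate; curve names follow OpenSSL's. The remaining fallback steps are not on the page and are not reproduced, so the selector returns None when neither source yields a curve. The SPKI blobs are constructed here with real OIDs and all-zero placeholder points, enough to exercise the parser but not valid keys.

```python
"""Pick an ECDH curve: user setting first, else the server cert's EC key.
Added example, not OpenVPN code.  Sample SPKI blobs are constructed."""

# Named-curve OIDs (dotted) -> OpenSSL curve names (assumed subset).
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Short and long-form lengths only (DER forbids indefinite length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode OID content octets into dotted-decimal text."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 digit of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def curve_from_spki(spki_der):
    """Return the curve name from an EC SubjectPublicKeyInfo, or None
    if the key is not EC or its parameters are not a known namedCurve."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, _ = _read_tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return None                            # RSA or other key type
    tag, params, _ = _read_tlv(alg, pos)
    if tag != 0x06:
        return None                            # explicit params, not namedCurve
    return CURVE_OIDS.get(_decode_oid(params))


def select_ecdh_curve(user_curve, spki_der):
    """Order of preference from the patch description: a configured
    curve wins; otherwise use the curve of the server's EC key."""
    if user_curve:
        return user_curve, "configured"
    curve = curve_from_spki(spki_der)
    if curve:
        return curve, "certificate"
    return None, "none"                        # later fallbacks not on the page


# --- constructed sample data (placeholder points, real OIDs) -------------
def _tlv(tag, value):
    """DER-encode one TLV; lengths below 256 are enough for the samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x81, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_ec_spki(curve_oid, point_len):
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(ID_EC_PUBLIC_KEY))
               + _tlv(0x06, _encode_oid(curve_oid)))
    point = b"\x00\x04" + b"\x00" * (point_len - 1)   # unused-bits byte + fake point
    return _tlv(0x30, alg + _tlv(0x03, point))


def make_rsa_spki():
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(ID_RSA_ENCRYPTION)) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00\x30\x00"))


SAMPLE_P384 = make_ec_spki("1.3.132.0.34", 97)    # short-form lengths
SAMPLE_P521 = make_ec_spki("1.3.132.0.35", 133)   # exercises long-form length
SAMPLE_RSA = make_rsa_spki()

if __name__ == "__main__":
    print(select_ecdh_curve(None, SAMPLE_P384))          # ('secp384r1', 'certificate')
    print(select_ecdh_curve("prime256v1", SAMPLE_P384))  # ('prime256v1', 'configured')
    print(select_ecdh_curve(None, SAMPLE_RSA))           # (None, 'none')
```

The parser deliberately stops at the namedCurve OID: it does not validate the point, and an EC key with explicit (non-named) parameters yields None rather than a guess, which is the safe answer when the result is about to be handed to OpenSSL as a curve name.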

[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-02-25 Thread Steffan Karger
Signed-off-by: Steffan Karger
---
 sample/sample-keys/README        |  6 ++--
 sample/sample-keys/ec-ca.crt     | 13 +
 sample/sample-keys/ec-ca.key     |  6
 sample/sample-keys/ec-client.crt | 61

[Openvpn-devel] [PATCH] Add ECDH support for OpenSSL builds of OpenVPN

2014-02-25 Thread Steffan Karger
Hi, Thanks to Piotr's contributions on the mailing list I picked up my earlier ECDH work again. I believe they are ready to be reviewed and find their way into master. The following patches add support for ECDH(E) in OpenSSL builds, which in practice means that people are able to use ECDSA

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi,
On 25-02-14 22:49, Jan Just Keijser wrote:
> read up on the original ticket too:
> https://forums.openvpn.net/topic8404-30.html
>
> there's some useful commands/description in there on how to generate
> ECDSA certificates.
Thanks. I've added support for ECDSA to EasyRSA 3 a little while

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Jan Just Keijser
Hi Steffan,
On 25/02/14 09:48, Steffan Karger wrote:
Hi,
On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote:
> Although there is apparently more work to do to get more cipher suites
> working, this does give us a start on

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi,
On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote:
> > Although there is apparently more work to do to get more cipher suites
> > working, this does give us a start on working with EC-crypto. Maybe this
> > part can go in (once ACK'ed) as 'the start of EC-support', so

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Gert Doering
Hi,
On Tue, Feb 25, 2014 at 01:39:11AM +0100, Steffan Karger wrote:
> > I added warning if DH isn't specified - old client may not support ECDH.
> > Autodetecting ecdh is a good idea - I made option ecdh=auto.
>
> On the long run I agree that a warning should suffice, but for now I
> would

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi Piotr,
On 24-02-14 01:28, pietrek -- wrote:
> Hi Steffan,
> I modified my patch again. And thanks for your code - it helped me.
Good to hear it helped you. But your new patch basically is my code now, except that it accepts a configuration without a DH-file.
> 1) In such case server will set