Hello,
after reading the LibreSSL announcement from today, I assumed that
specifying ecdhe "auto" in /etc/httpd.conf would enable X25519, P-256
and P-384 on current.
I've noticed that "auto" enables only curves x25519 and P-256 (which is
what I'd want to use - but somehow unexpected with regard to the
announcement). Diff is attached which clarifies the meaning of "auto" in
httpd.conf.5.
There currently seems to be no way to explicitly specify x25519, or to
specify multiple colon separated curves with the ecdhe statement. Would
it make sense to change semantics and make the ecdhe statement in
httpd.conf consistent with the recent changes to openssl s_client
-groups (e.g., to also allow more common names like P-256 instead of
prime256v1)?
Best Regards
Andreas
Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.78
diff -u -p -u -r1.78 httpd.conf.5
--- httpd.conf.5 24 Jan 2017 13:28:47 -0000 1.78
+++ httpd.conf.5 1 Feb 2017 14:18:45 -0000
@@ -527,7 +527,7 @@ The default is none, which disables DHE
.It Ic ecdhe Ar curve
Specify the ECDHE curve to use for ECDHE cipher suites.
Valid parameter values are none, auto and the short name of any known curve.
-The default is auto.
+The default is auto which enables curves X25519 and P-256.
.It Ic key Ar file
Specify the private key to use for this server.
The
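Review bot: the added line "+The default is auto which enables curves X25519 and P-256." needs a comma before the non-restrictive "which" and reads more naturally as "The default is auto, which enables the X25519 and P-256 curves." Note also that the unchanged line just above still states that "the short name of any known curve" is a valid value, while the cover letter says X25519 cannot be named explicitly; if that is the case, the manual page is still misleading on that point and the paragraph should say which curve names are actually accepted.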