On Tue, Jul 16, 2019 at 09:49:36 -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx geert@hendrickx.be wrote:
> > With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in olcTLSECName. There is no default value? This is contrary to expectation: most TLS-enabled software enables ECC by default, based on the configured cipher string.
>
> Hi Geert,
>
> The OpenSSL API does not support more than 1 EC to be enabled per context.
Hmm, at least nginx and postfix support specifying multiple curves: https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_ecdh_curve http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
Both specifically refer to OpenSSL >= 1.0.2
Geert