It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports ECC ciphers - only not with a configurable curve. So probably OpenSSL made it available by default without needing application support.
Geert
On Tue, Jul 16, 2019 at 16:27:18 +0200, Geert Hendrickx wrote:
Hi Quanah
I tested the RE24 branch specifically for the ECC support, but the default behaviour seems to depend on the OpenSSL version.
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in oclTLSECName. There is no default value? This is contrary to expectation; most TLS-enabled software enables ECC by default, based on the configured cipher string.
However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
But, I can only override it with a single curve, since oclTLSECName is single-valued. And colon, comma or otherwise separated is not accepted (TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
OpenSSL supports multiple curves in configuration starting with 1.0.2, so I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1. So I'm confused, as the code seems to do nothing OpenSSL version specific.
Geert
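One way to check from the client side which curve a slapd listener actually negotiates on a given OpenSSL build, added here as an example and not code from the thread or from OpenLDAP; the host, port and the curve list are assumptions, and it relies on `openssl s_client` 1.0.2 or newer.

```shell
#!/usr/bin/env bash
# Probe which EC curves a TLS listener (for example the ldaps:// port of slapd)
# will negotiate, one curve per handshake, and report the ephemeral key that
# OpenSSL prints. Assumptions: `openssl s_client` is on PATH and is 1.0.2 or
# newer (older builds have no -curves option and never print "Server Temp Key");
# HOST and PORT below are placeholders.

# Pull the negotiated ephemeral key out of s_client output read from stdin.
# Prints e.g. "ECDH, P-256, 256 bits", or "none" when no such line was seen
# (RSA key exchange, a failed handshake, or an OpenSSL too old to print it).
parse_temp_key() {
  awk -F': ' '/^Server Temp Key:/ { print $2; found = 1 }
              END { if (!found) print "none" }'
}

# Map a handshake outcome to a one-word verdict for the report.
# $1 = exit status of s_client, $2 = parsed temp key.
verdict() {
  local status=$1 key=$2
  if [ "$status" -ne 0 ]; then
    echo "rejected"           # server had no usable curve/cipher for this request
  elif [ "$key" = "none" ]; then
    echo "no-ecdhe"           # handshake ok, but no ECDHE ephemeral key reported
  else
    echo "ok"
  fi
}

# One handshake with the client restricted to a single curve name, mirroring the
# single-curve restriction a server-side olcTLSECName imposes.
# Prints: curve<TAB>verdict<TAB>key
probe_curve() {
  local host=$1 port=$2 curve=$3 out key
  local status=0
  out=$(openssl s_client -connect "$host:$port" -curves "$curve" </dev/null 2>/dev/null) || status=$?
  key=$(printf '%s\n' "$out" | parse_temp_key)
  printf '%s\t%s\t%s\n' "$curve" "$(verdict "$status" "$key")" "$key"
}

# Walk the three curves the thread observed OpenSSL 1.1.1 enabling by default,
# plus X25519 as a control for newer defaults (constructed list, not from slapd).
probe_all() {
  local host=$1 port=$2 curve
  for curve in prime256v1 secp384r1 secp521r1 X25519; do
    probe_curve "$host" "$port" "$curve"
  done
}

# Usage (placeholders): probe_all ldap.example.com 636
```

A row reading `rejected` for every curve but the one set in the server's EC name is the single-curve limitation described above; `no-ecdhe` on every row means the server never offered an ECDHE suite at all.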