It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports
ECC ciphers - only not with a configurable curve. So probably OpenSSL made
it available by default without needing application support.
On Tue, Jul 16, 2019 at 16:27:18 +0200, Geert Hendrickx wrote:
I tested the RE24 branch specifically for the ECC support, but the default
behaviour seems to depend on the OpenSSL version.
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use
ECC until I explicitly set a curve in olcTLSECName. There is no default
value? This is contrary to expectation; most TLS-enabled software enables
ECC by default, based on the configured cipher string.
However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and
appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
But, I can only override it with a single curve, since olcTLSECName is
single-valued. And colon-, comma- or otherwise-separated values are not accepted
(TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
OpenSSL supports multiple curves in configuration starting with 1.0.2, so
I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1.
So I'm confused, as the code seems to do nothing OpenSSL version specific.
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
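As an added example (not part of the mails above and not OpenLDAP's own code), the check below settles the question the thread raises, namely whether an LDAPS server actually negotiates an ECDHE cipher out of the box, by looking at what the server picks in a real handshake rather than at the configuration. It assumes `openssl s_client` from OpenSSL 1.0.2 or newer on PATH (the `-curves` option first appeared in 1.0.2); the host name, port and the two captured s_client transcripts are constructed placeholders used only to exercise the parser offline.

```sh
#!/bin/sh
# Added example: verify the key exchange an LDAPS server negotiates.
# Host/port are placeholders; the s_client transcripts below are constructed.

# Constructed sample: server that negotiated ECDHE over P-256 (OpenSSL 1.0.2+ format).
SAMPLE_ECDHE='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample: server that fell back to static RSA key exchange
# (no forward secrecy, no "Server Temp Key" line at all).
SAMPLE_RSA='CONNECTED(00000003)
New, TLSv1.2, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Reduce an s_client transcript to "cipher=<name> kx=<ephemeral key or none>".
summarize_handshake() {
    out="$1"
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n1)
    tempkey=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: *//p' | head -n1)
    printf 'cipher=%s kx=%s\n' "${cipher:-unknown}" "${tempkey:-none}"
}

# Exit 0 when the transcript shows an ECDHE cipher suite, 1 otherwise.
uses_ecdhe() {
    case "$(summarize_handshake "$1")" in
        cipher=ECDHE-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect to host:port (LDAPS is normally 636). If a curve is given, the
# client offers only that curve, so a failed handshake means the server
# cannot use it; with no curve the server's default choice is reported.
probe_server() {
    host="$1"; port="$2"; curve="$3"
    if [ -n "$curve" ]; then
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -curves "$curve" 2>/dev/null) || return 1
    else
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" 2>/dev/null) || return 1
    fi
    summarize_handshake "$out"
}

# Usage: sh check_ldaps_ecdhe.sh ldap.example.invalid 636
# First line is the server's own default, then one line per forced curve.
if [ $# -ge 2 ]; then
    printf 'default: '; probe_server "$1" "$2" "" || echo 'handshake failed'
    for c in prime256v1 secp384r1 secp521r1; do
        printf '%s: ' "$c"; probe_server "$1" "$2" "$c" || echo 'handshake failed'
    done
fi
```

The first line of output answers the thread's question for a given server (an `ECDHE-*` cipher there means ECC key exchange works without any olcTLSECName setting); the per-curve lines show whether a single configured curve silently narrows what clients can negotiate.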