Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client). (de57d237) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Commit de57d237 authored May 20, 2015 by

Emilia Kasper

Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).



Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.

The result:

$ openssl s_server -named_curves "auto"

This command will negotiate an ECDHE ciphersuite with P-256:

$ openssl s_client

This command will negotiate P-384:

$ openssl s_client -curves "P-384"

This command will not negotiate ECDHE because P-224 is disabled with "auto":

$ openssl s_client -curves "P-224"

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

parent 1554d553

Hide whitespace changes

Inline Side-by-side

Please register or to comment