
Re: RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)



It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports
ECC ciphers - only not with a configurable curve.  So probably
OpenSSL made it available by default without needing application support.


	Geert


On Tue, Jul 16, 2019 at 16:27:18 +0200, Geert Hendrickx wrote:
> Hi Quanah
> 
> I tested the RE24 branch specifically for the ECC support, but the default
> behaviour seems to depend on the OpenSSL version.
> 
> With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use
> ECC until I explicitly set a curve in olcTLSECName.  There is no default
> value?  This is contrary to expectation, most TLS-enabled software enables
> ECC by default, based on the configured cipher string.
> 
> However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and
> appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
> 
> But, I can only override it with a single curve, since olcTLSECName is
> single-valued.  And colon, comma or otherwise separated is not accepted
> (TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
> 
> OpenSSL supports multiple curves in configuration starting with 1.0.2, so
> I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1.
> So I'm confused, as the code seems to do nothing OpenSSL version specific.
> 
> 
> 	Geert
> 
 

-- 
geert.hendrickx.be :: geert@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
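To verify what a running LDAPS server actually negotiates after setting the olcTLSECName attribute discussed in the thread, here is an added shell check; it is not code from the thread or from the OpenLDAP project. It assumes openssl(1) whose s_client accepts -curves (OpenSSL 1.0.2 or later); ldap.example.com:636 is a placeholder host.

```shell
#!/bin/sh
# Added example: report which EC curves an LDAPS server negotiates, so the
# effect of olcTLSECName (or the OpenSSL default) can be checked from outside.
# Assumes openssl(1) with s_client supporting -curves (OpenSSL >= 1.0.2).

# Read an s_client transcript on stdin and print the negotiated ephemeral
# key, e.g. "ECDH, P-256, 256 bits", or "none" if no temp key line exists.
negotiated_temp_key() {
    key=$(sed -n 's/^Server Temp Key: //p' | head -n 1)
    if [ -n "$key" ]; then printf '%s\n' "$key"; else printf 'none\n'; fi
}

# Map OpenSSL's "Server Temp Key" wording to the curve name as it would be
# written in olcTLSECName.
temp_key_to_curve() {
    case "$1" in
        *P-256*)  echo prime256v1 ;;
        *P-384*)  echo secp384r1 ;;
        *P-521*)  echo secp521r1 ;;
        *X25519*) echo x25519 ;;
        *ECDH*)   echo other-ecdh ;;
        *)        echo non-ecdh ;;
    esac
}

# Live probe: offer the server exactly one curve per handshake and report
# whether it was accepted and which temp key the server chose.
probe_curves() {
    host=$1; port=${2:-636}
    for curve in prime256v1 secp384r1 secp521r1; do
        out=$(openssl s_client -connect "$host:$port" -curves "$curve" \
              </dev/null 2>/dev/null) || true
        key=$(printf '%s\n' "$out" | negotiated_temp_key)
        printf '%-12s -> %s (%s)\n' "$curve" "$key" "$(temp_key_to_curve "$key")"
    done
}

# Constructed sample transcript (not real server output) for an offline check.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Usage against a real server (placeholder host):
#   probe_curves ldap.example.com 636
```

A curve that the server rejects shows up as "none", which is the symptom described for OpenSSL 1.0.x when no olcTLSECName is set.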