[Date Prev][Date Next]
Re: RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)
- To: Quanah Gibson-Mount <email@example.com>
- Subject: Re: RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)
- From: Geert Hendrickx <firstname.lastname@example.org>
- Date: Tue, 16 Jul 2019 16:43:45 +0200
- Cc: email@example.com
- Content-disposition: inline
- Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=hendrickx.be; s=geert; t=1563288225; bh=TSKgLZU8hUeSbXMvaDyBAkjOJeNV4hsPZY6mcQkoYCM=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=SjAkAmywgiFuKs2gj52xlMQpM/20ZZrNmqQ5nvCsXdRXnVcQWGdO8TlKydZ46V4xh /MyIPkf+PfhpePgB+lSyknSg3iq28xZvklr1D2WcnnC8tjNr/DBs9LxzEmaEB3Bb7S lWDY8OqbpNvWcja+I5Pb9tu3fbbQ1/yypRle254YQnSVCHlejQahlpuoLSy+ymb36y IYbFwb9Z59giB8nkugrZiRGv2lI8tIN4a1fQYZOtHNNt6NZoomsDkz8yiQ8XyEM2La lSXMNe8vTbiA4PByl81iq3G+xeSKd2nf4P1Ux1n7p6ekgRZvaTswdQHQ4a5SztCPim gqP5r/3gjF/zw==
- In-reply-to: <20190716142718.GA2445@vera.ghen.be>
- References: <DE273198FC0A963A5F733B11@[192.168.1.39]> <20190716142718.GA2445@vera.ghen.be>
- User-agent: Mutt/1.12.1 (2019-06-15)
It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports
ECC ciphers - only not with a configurable curve. So probably probably
OpenSSL made it available by default without needing application support.
On Tue, Jul 16, 2019 at 16:27:18 +0200, Geert Hendrickx wrote:
> Hi Quanah
> I tested the RE24 branch specifically for the ECC support, but the default
> behaviour seems to depend on the OpenSSL version.
> With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use
> ECC until I explicitly set a curve in oclTLSECName. There is no default
> value? This is contrary to expectation, most TLS enabled software enable
> ECC by default, based on the configured cipher string.
> However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and
> appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
> But, I can only override it with a single curve, since oclTLSECName is
> single-valued. And colon, comma or otherwise separated is not accepted
> (TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
> OpenSSL supports multiple curves in configuration starting with 1.0.2, so
> I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1.
> So I'm confused, as the code seems to do nothing OpenSSL version specific.
geert.hendrickx.be :: firstname.lastname@example.org :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!