SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

Massimo G.

Hi all,
my 'openssl version' is "1.0.2k-fips".
The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).

1) Shouldn't I use that function?

2) Why isn't it listed in the manpages?

3) Should I refer to a different Manpages version? If so, why?



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

OpenSSL - User mailing list
> 2) Why isn't it listed in the manpages?

Many functions aren't documented. We're all working on it.

Re: SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

Viktor Dukhovni
In reply to this post by Massimo G.

> On May 13, 2017, at 11:48 AM, Massimo G. <[hidden email]> wrote:
>
> Hi all,
> my 'openssl version' is "1.0.2k-fips".
> The SSL_CTX_set_tmp_ecdh_callback() function is not included in the API list (Documentation - Manpages for 1.0.2).
>
> 1) Shouldn't I use that function?

You may, but SSL_CTX_set_ecdh_auto() is a better choice, since it picks the
curve based on the client's list of supported curves.  You can set the list
of curves supported on your end via SSL_CTX_set1_curves() which takes a list
of "nids".  IIRC you should first check that all the "nids" are supported,
before configuring the final list.

Postfix sets up the nid array from a list of names as follows:

    /*
     * Excerpt from Postfix's TLS library.  mystrtok(), msg_warn(),
     * myrealloc() and CHARS_COMMA_SP are Postfix utility routines; tmpctx
     * (a throw-away SSL_CTX), nids, space, n and unknown are set up by the
     * surrounding function, which is not shown here.
     */
    while ((curve = mystrtok(&curves, CHARS_COMMA_SP)) != 0) {
        /* NIST alias (P-256) first, then short name, then long name. */
        int     nid = EC_curve_nist2nid(curve);

        if (nid == NID_undef)
            nid = OBJ_sn2nid(curve);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(curve);
        if (nid == NID_undef) {
            msg_warn("ignoring unknown \"auto\" ECDHE curve \"%s\"",
                     curve);
            continue;
        }

        /*
         * Validate the NID by trying it as the sole EC curve for a
         * throw-away SSL context.  Silently skip unsupported code points.
         * This way, we can list X25519 and X448 as soon as the nids are
         * assigned, and before the supporting code is implemented.  They'll
         * be silently skipped when not yet supported.
         */
        if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
            ++unknown;
            continue;
        }
        /* Grow the nid array as needed; the validated list is applied later. */
        if (++n > space) {
            space *= 2;
            nids = myrealloc(nids, space * sizeof(int));
        }
        nids[n - 1] = nid;
    }

> 2) Why isn't it listed in the manpages?

Someone has to contribute the manpage.

>
> 3) Should I refer to a different Manpages version? If so, why?

The documentation is in better shape in 1.1.0 and continues to
improve.

--
        Viktor.
