author | Emilia Kasper <emilia@openssl.org> | 2015-05-20 15:47:51 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-05-20 15:47:51 +0200 |
commit | de57d2372985d2640ae82f7954bf9dc07caf2f09 (patch) | |
tree | 62ce809bf90d041fe75baaae1361ef37a7b6dd8d /CHANGES | |
parent | 1554d55318a7bb3347f4ccfadf78cca56e51ee79 (diff) |
Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.
The result:
$ openssl s_server -named_curves "auto"
This command will negotiate an ECDHE ciphersuite with P-256:
$ openssl s_client
This command will negotiate P-384:
$ openssl s_client -curves "P-384"
This command will not negotiate ECDHE because P-224 is disabled with "auto":
$ openssl s_client -curves "P-224"
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -396,7 +396,14 @@ whose return value is often ignored. [Steve Henson] - Changes between 1.0.2 and 1.0.2a [xx XXX xxxx] + Changes between 1.0.2a and 1.0.2b [xx XXX xxxx] + + *) Only support 256-bit or stronger elliptic curves with the + 'ecdh_auto' setting (server) or by default (client). Of supported + curves, prefer P-256 (both). + [Emilia Kasper] + + Changes between 1.0.2 and 1.0.2a [19 Mar 2015] *) ClientHello sigalgs DoS fix |
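Review bot: The new entry under "Changes between 1.0.2a and 1.0.2b" documents only part of the behaviour change. It says "Of supported curves, prefer P-256 (both)" but omits the reordering that prefers prime curves to binary curves, which the commit message lists as part of this change. It also leaves out the compatibility consequence the commit message demonstrates: a client offering only a curve below 256 bits, such as P-224, will no longer negotiate ECDHE against a server using 'ecdh_auto'. Suggest adding one sentence for each, since people upgrading read CHANGES rather than the commit log and would otherwise see an unexplained change in the negotiated ciphersuite.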