author: Steffan Karger <steffan@karger.me> 2014-04-24 00:31:08 +0200
committer: Gert Doering <gert@greenie.muc.de> 2014-04-25 19:36:52 +0200
commit: 609e8131427686adca9b4ed2db44db4aaa920a01 (patch)
tree: 4193d4fb98b7017ba2e66c0d330fac6514bf7124 /doc/openvpn.8
parent: 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce (diff)
Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference):

* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve.

Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means that no EC-crypto can be used.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/openvpn.8')
 doc/openvpn.8 | 14 ++++++++++++++
 1 file changed, 14 insertions, 0 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a58317..b7d6a3d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4246,6 +4246,13 @@ included with the OpenVPN distribution. Diffie Hellman parameters
may be considered public.
.\"*********************************************************
.TP
+.B \-\-ecdh-curve name
+Specify the curve to use for elliptic curve Diffie Hellman. Available
+curves can be listed with
+.B \-\-show-curves
+. The specified curve will only be used for ECDH TLS-ciphers.
+.\"*********************************************************
+.TP
.B \-\-cert file
Local peer's signed certificate in .pem format \-\- must be signed
by a certificate authority whose certificate is in
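Review bot: the line `. The specified curve will only be used for ECDH TLS-ciphers.` in the \-\-ecdh-curve entry starts with a period, which troff treats as a control line, so the sentence (and the full stop after \-\-show-curves) will most likely be swallowed rather than rendered; use the man-page idiom `.BR \-\-show-curves .` to attach the period and start the next sentence on a plain text line. The entry also says nothing about the behaviour when no curve is given: the commit message describes automatic selection by the library, with a fallback for older OpenSSL to the private key's curve and then secp384r1, and notes that OpenSSL 1.0.0 and older cannot use EC ciphers at all; documenting that default and caveat here would save users from expecting ECDH on builds that cannot provide it.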
@@ -5027,6 +5034,13 @@ lowest.
Show currently available hardware-based crypto acceleration
engines supported by the OpenSSL library.
.\"*********************************************************
+.TP
+.B \-\-show-curves
+(Standalone)
+Show all available elliptic curves to use with the
+.B \-\-ecdh-curve
+option.
+.\"*********************************************************
.SS Generate a random key:
Used only for non-TLS static key encryption mode.
.\"*********************************************************
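Review bot: the \-\-show-curves description should state that the list depends on the crypto library OpenVPN was built against (OpenSSL or PolarSSL, per the commit message), since the curves shown are the library's and not a fixed OpenVPN set, and that a curve appearing in the list does not guarantee it is usable for the TLS handshake (the commit message notes OpenSSL 1.0.0 and older lack TLSv1.1/TLSv1.2). Minor style point: "Show all available elliptic curves to use with the" reads better as "Show all elliptic curves available for use with the".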