diff options
author | Steffan Karger <steffan@karger.me> | 2014-04-24 00:31:08 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-04-25 19:36:52 +0200 |
commit | 609e8131427686adca9b4ed2db44db4aaa920a01 (patch) | |
tree | 4193d4fb98b7017ba2e66c0d330fac6514bf7124 /src/openvpn/ssl.c | |
parent | 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce (diff) | |
download | openvpn-609e8131427686adca9b4ed2db44db4aaa920a01.tar.gz openvpn-609e8131427686adca9b4ed2db44db4aaa920a01.tar.xz openvpn-609e8131427686adca9b4ed2db44db4aaa920a01.zip |
Add support for elliptic curve diffie-hellmann key exchange (ECDH)
This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the
heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.
For older OpenSSL, tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve.
Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do
*not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be
used.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b09e52b..9bcb2ac 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -555,6 +555,10 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline); } + /* Once keys and cert are loaded, load ECDH parameters */ + if (options->tls_server) + tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve); + /* Allowable ciphers */ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); |