Ignored by GnuTLS and Mozilla NSS.
.TP
.B LDAP_OPT_X_TLS_ECNAME
-Gets/sets the name of the curve used for
+Gets/sets the name of the curve(s) used for
elliptic curve key exchanges.
.BR invalue
must be
certutil \-d /path/to/certdbdir \-L
.fi
.TP
+.B TLS_ECNAME <name>
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification.
+.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
so this directive is ignored.
.TP
.B olcTLSECName: <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange. This is required to enable ECDHE algorithms in
-OpenSSL. This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
.TP
so this directive is ignored.
.TP
.B TLSECName <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange. This is required to enable ECDHE algorithms in
-OpenSSL. This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
.TP
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
+ {0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME},
#ifdef HAVE_OPENSSL_CRL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
case LDAP_OPT_X_TLS_RANDOM_FILE:
case LDAP_OPT_X_TLS_CIPHER_SUITE:
case LDAP_OPT_X_TLS_DHFILE:
+ case LDAP_OPT_X_TLS_ECNAME:
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
return ldap_pvt_tls_set_option( ld, option, (void *) arg );
DH_free( dh );
}
- if ( is_server && lo->ldo_tls_ecname ) {
+ if ( lo->ldo_tls_ecname ) {
#ifdef OPENSSL_NO_EC
Debug( LDAP_DEBUG_ANY,
"TLS: Elliptic Curves not supported.\n", 0,0,0 );
return -1;
#else
- EC_KEY *ecdh;
-
- int nid = OBJ_sn2nid( lt->lt_ecname );
- if ( nid == NID_undef ) {
+ if ( SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {
Debug( LDAP_DEBUG_ANY,
- "TLS: could not use EC name `%s'.\n",
+ "TLS: could not set EC name `%s'.\n",
lo->ldo_tls_ecname,0,0);
tlso_report_error();
return -1;
}
- ecdh = EC_KEY_new_by_curve_name( nid );
- if ( ecdh == NULL ) {
+ /*
+ * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
+ * auto-negotiated.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+ if ( SSL_CTX_set_ecdh_auto( ctx, 1 ) <= 0 ) {
Debug( LDAP_DEBUG_ANY,
- "TLS: could not generate key for EC name `%s'.\n",
- lo->ldo_tls_ecname,0,0);
- tlso_report_error();
- return -1;
+ "TLS: could not enable automatic EC negotiation.\n", 0, 0, 0 );
}
- SSL_CTX_set_tmp_ecdh( ctx, ecdh );
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
- EC_KEY_free( ecdh );
#endif
+#endif /* OPENSSL_NO_EC */
}
if ( tlso_opt_trace ) {
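Review bot: The success test on the new `SSL_CTX_set1_curves_list()` call is inverted: OpenSSL returns 1 on success and 0 on failure, so as written a valid curve list logs "could not set EC name", calls tlso_report_error() and returns -1, while an unparseable list is silently accepted and the context is initialised without the intended curve restriction. The condition should read `if ( !SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {`. Note also that the `OPENSSL_VERSION_NUMBER < 0x10100000UL` guard only covers the `SSL_CTX_set_ecdh_auto()` call; `SSL_CTX_set1_curves_list()` itself appears to have been introduced in the same OpenSSL release as ecdh_auto, so builds against anything older than that would presumably fail to compile rather than fall back — worth confirming against the minimum OpenSSL version the project supports. The enclosing function starts before this hunk and continues after it.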