From: Aram Sargsyan Date: Fri, 7 Jan 2022 20:37:46 +0000 (+0000) Subject: Use uncompressed point conversion form for 'tls ephemeral' ECC keys X-Git-Tag: v9.18.0~23^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a19b5cd621a4cda588f7bc80705a898548859ce;p=thirdparty%2Fbind9.git Use uncompressed point conversion form for 'tls ephemeral' ECC keys GnuTLS, NSS, and possibly other TLS libraries currently fail to work with compressed point conversion form supported by OpenSSL. Use uncompressed point conversion form for better compatibility.
---
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 2d24481882b..cb8d41beb7b 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -317,16 +317,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 goto ssl_error;
 }
 
-/* We use a named curve and compressed point conversion form. */
+/* Use a named curve and uncompressed point conversion form. */
 #if HAVE_EVP_PKEY_GET0_EC_KEY
 EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
 OPENSSL_EC_NAMED_CURVE);
 EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
-POINT_CONVERSION_COMPRESSED);
+POINT_CONVERSION_UNCOMPRESSED);
 #else
 EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
 EC_KEY_set_conv_form(pkey->pkey.ec,
-POINT_CONVERSION_COMPRESSED);
+POINT_CONVERSION_UNCOMPRESSED);
 #endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
 
 #if defined(SSL_CTX_set_ecdh_auto)
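Review bot: The rewritten comment above the `#if HAVE_EVP_PKEY_GET0_EC_KEY` block still says only what the code does, while the reason for the change lives solely in the commit message; since someone may later "optimise" the public-key encoding back to compressed form, the code should carry the interoperability rationale, e.g. `/* Use a named curve and the uncompressed point conversion form: peers built on GnuTLS or NSS do not handle compressed points in the ephemeral certificate. */`. Both branches also pass the EC key to `EC_KEY_set_asn1_flag()`/`EC_KEY_set_conv_form()` without checking it; this is presumably safe because the key is generated as EC just above the hunk, but a NULL `EVP_PKEY_get0_EC_KEY(pkey)` here would dereference NULL, so a short `INSIST`-style check (or a comment stating why the key is guaranteed to be EC) would make the assumption explicit. Note that the `EC_KEY_*` setters used here are deprecated in OpenSSL 3.0, where `EVP_PKEY_get0_EC_KEY()` hands back a const view of the key; if the project builds against 3.0 the equivalent setting is `EVP_PKEY_set_utf8_string_param(pkey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, "uncompressed")` — worth confirming against the configured OpenSSL versions. The body of `isc_tlsctx_createserver()` begins and ends outside this hunk.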