Does this need an SSL_CTX_set_options(c->ctx, SSL_OP_SINGLE_ECDH_USE) as well? The API docs are pretty sparse, but it looks like mod_ssl does this (as well as nginx etc.)
The description in ssl.h is “If set, always create a new key when using tmp_ecdh parameters”. Reading the docs for the equivalent DH option [1], it seems like this switches behaviour between single key generation on startup (which persists for the life of the process) and each session getting a new key generated from the parameters. A quick source dive seems to confirm this behaviour (for DH and ECDH).

ECDH key gen should be pretty quick, and even though both behaviours are technically ephemeral, the SINGLE_ECDH_USE approach seems more conservative (and consistent with how we handle DHE now).

cheers
tim

[1] https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#NOTES

On 9/04/2014, at 7:36 pm, bugzi...@apache.org wrote:

> https://issues.apache.org/bugzilla/show_bug.cgi?id=55915
>
> Mladen Turk <mt...@apache.org> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Status|NEW |RESOLVED
> Resolution|--- |FIXED
>
> --- Comment #4 from Mladen Turk <mt...@apache.org> ---
> Patch applied.
> Resolving, but will need to verify the functionality.
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> ---------------------------------------------------------------------
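An added check for the behaviour discussed above (this is example code written for this page, not code from the thread, from Tomcat or from tcnative): take TLS 1.2 ServerKeyExchange records captured from several connections to the same server and compare the ECDHE public point the server sends in each one. A server whose tmp ECDH key is generated once at startup presents the same point in every session; with per-session generation (the SINGLE_ECDH_USE behaviour) the points differ. The handshake records below are constructed inline for the example, and the "public points" are placeholder bytes of the right shape for uncompressed P-256, not real curve points; the signature field is zero filler.

```python
import struct
from collections import Counter
from typing import List

HANDSHAKE = 0x16
SERVER_KEY_EXCHANGE = 12
NAMED_CURVE = 3
# IANA named-curve ids (RFC 4492 / RFC 8422)
CURVE_NAMES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}


def parse_ecdhe_server_key_exchange(record: bytes) -> dict:
    """Extract the ECDHE parameters from one TLS 1.2 record carrying a
    ServerKeyExchange. Layout (RFC 5246 + RFC 4492 section 5.4):
      record:      type(1) version(2) length(2)
      handshake:   msg_type(1) length(3)
      ECParameters: curve_type(1)=3 named_curve(2)
      ECPoint:     length(1) point(length)
      then SignatureAndHashAlgorithm + signature, which is not needed here."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 4 or hs[0] != NAMED_CURVE:
        raise ValueError("only named_curve ECDHE params are handled")
    curve_id = struct.unpack(">H", hs[1:3])[0]
    point_len = hs[3]
    point = hs[4:4 + point_len]
    if len(point) != point_len:
        raise ValueError("truncated ECPoint")
    return {"curve": CURVE_NAMES.get(curve_id, f"unknown({curve_id})"),
            "point": point}


def ephemeral_key_reuse(records: List[bytes]) -> dict:
    """Compare the server's ECDHE public point across captured sessions.
    A server that generates its tmp ECDH key once per process shows the
    same point in every session; per-session generation shows distinct points."""
    points = [parse_ecdhe_server_key_exchange(r)["point"] for r in records]
    counts = Counter(points)
    return {"sessions": len(points),
            "distinct_points": len(counts),
            "max_reuse": max(counts.values()) if counts else 0,
            "reused": len(points) > 1 and len(counts) < len(points)}


def build_server_key_exchange(curve_id: int, point: bytes) -> bytes:
    """Assemble a ServerKeyExchange record around a given public point.
    Constructed for this example: sha256/ecdsa algorithm ids, dummy signature."""
    sig = b"\x04\x03" + struct.pack(">H", 4) + b"\x00" * 4
    params = bytes([NAMED_CURVE]) + struct.pack(">H", curve_id) + bytes([len(point)]) + point
    hs = params + sig
    body = bytes([SERVER_KEY_EXCHANGE]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(body)) + body


# Constructed placeholder points: 0x04 + 64 filler bytes (uncompressed P-256 shape,
# not real curve points). POINT_A repeated across sessions models a per-process key.
POINT_A = b"\x04" + bytes(range(1, 65))
POINT_B = b"\x04" + bytes(range(65, 129))

PER_PROCESS_KEY = [build_server_key_exchange(23, POINT_A) for _ in range(3)]
PER_SESSION_KEY = [build_server_key_exchange(23, POINT_A),
                   build_server_key_exchange(23, POINT_B)]

if __name__ == "__main__":
    for label, caps in (("per-process key", PER_PROCESS_KEY),
                        ("per-session key", PER_SESSION_KEY)):
        print(label, ephemeral_key_reuse(caps))
```

To run this against a real server, feed it the ServerKeyExchange records from a packet capture of a few fresh connections (the records must include the 5-byte record header). Two caveats: a TLS 1.3 server sends its key share in a ServerHello extension rather than a ServerKeyExchange, so this parser does not apply there; and in OpenSSL 1.1.0 and later SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE are no-ops because per-session key generation is always on, so the distinction in the thread only matters for the 1.0.x builds it was written against.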