On Wednesday 01 February 2017 15:41:29 Andreas Bartelt wrote: > Hello, > > after reading the LibreSSL accouncement from today, I assumed that > specifying ecdhe "auto" in /etc/httpd.conf would enable X25519, P-256 > and P-384 on current.
This is correct. > I've noticed that "auto" enables only curves x25519 and P-256 (which is > what I'd want to use - but somehow unexpected with regard to the > announcement). Why do you believe this is the case? > Diff is attached which clarifies the meaning of "auto" in httpd.conf.5. There are some documentation improvements that could be used here, however the meaning of auto for httpd.conf.5 needs to refer to the meaning of "auto" for libtls (currently tls_config_set_ecdhecurve()). Otherwise libtls changes and httpd becomes out of date. > There currently seems to be no way to explicitly specify x25519, or to > specify multiple colon separated curves with the ecdhe statement. Would > it make sense to change semantics and make the ecdhe statement in > httpd.conf consistent with the recent changes to openssl s_client > -groups (e.g., to also allow more common names like P-256 instead of > prime256v1)? Yes - tls_config_set_ecdhecurve() needs to change to accept the same colon separate list of priority ordered curve names, that SSL_set1_curves_list() accepts.
