s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
- exclude it using the list of supported ciphers.
+ exclude it using the list of supported ciphers. This also means that the
+ "-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]
*) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
[Kurt Roeckx]
*) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
void print_ssl_summary(SSL *s);
#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
void print_ssl_summary(SSL *s);
#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
- SSL_CTX *ctx, int no_ecdhe, int no_jpake);
+ SSL_CTX *ctx, int no_jpake);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
}
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
}
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
- SSL_CTX *ctx, int no_ecdhe, int no_jpake)
+ SSL_CTX *ctx, int no_jpake)
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *flag = sk_OPENSSL_STRING_value(str, i);
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *flag = sk_OPENSSL_STRING_value(str, i);
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
- /* If no_ecdhe or named curve already specified don't need a default. */
- if (!no_ecdhe && strcmp(flag, "-named_curve") == 0)
- no_ecdhe = 1;
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
- /*
- * This is a special case to keep existing s_server functionality: if we
- * don't have any curve specified *and* we haven't disabled ECDHE then
- * use P-256.
- */
- if (!no_ecdhe) {
- if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
- BIO_puts(bio_err, "Error setting EC curve\n");
- ERR_print_errors(bio_err);
- return 0;
- }
- }
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake) {
if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake) {
if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
- if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL))
+ if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
- OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_ECDHE,
+ OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
OPT_SSL3,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
OPT_SSL3,
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
#endif
-#ifndef OPENSSL_NO_EC
- {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
-#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Set the advertised protocols for the NPN extension (comma-separated list)"},
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Set the advertised protocols for the NPN extension (comma-separated list)"},
#ifndef OPENSSL_NO_DH
int no_dhe = 0;
#endif
#ifndef OPENSSL_NO_DH
int no_dhe = 0;
#endif
- int no_ecdhe = 0, nocert = 0, ret = 1;
+ int nocert = 0, ret = 1;
int noCApath = 0, noCAfile = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
int noCApath = 0, noCAfile = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
no_dhe = 1;
#endif
break;
no_dhe = 1;
#endif
break;
- case OPT_NO_ECDHE:
- no_ecdhe = 1;
- break;
case OPT_NO_RESUME_EPHEMERAL:
no_resume_ephemeral = 1;
break;
case OPT_NO_RESUME_EPHEMERAL:
no_resume_ephemeral = 1;
break;
}
ssl_ctx_add_crls(ctx, crls, 0);
}
ssl_ctx_add_crls(ctx, crls, 0);
- if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL))
+ if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
}
ssl_ctx_add_crls(ctx2, crls, 0);
}
ssl_ctx_add_crls(ctx2, crls, 0);
- if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL))
+ if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL))
goto end;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
goto end;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
[B<-bugs>]
[B<-brief>]
[B<-www>]
[B<-bugs>]
[B<-brief>]
[B<-www>]
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
-=item B<-no_ecdhe>
-
-if this option is set then no ECDH parameters will be loaded effectively
-disabling the ephemeral ECDH cipher suites.
-
=item B<-crl_check>, B<-crl_check_all>
Check the peer certificate has not been revoked by its CA.
=item B<-crl_check>, B<-crl_check_all>
Check the peer certificate has not been revoked by its CA.
projects / openssl.git / commitdiff