
tlscontext: apply ecdh-curve-list for client, too #3356

Merged
merged 2 commits into from Jul 15, 2020

Conversation

alltilla
Collaborator

@alltilla alltilla commented Jul 14, 2020

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_curves_list.html

> SSL_CTX_set1_groups() sets the supported groups for ctx to glistlen
> groups in the array glist. The array consist of all NIDs of groups in
> preference order. For a TLS client the groups are used directly in the
> supported groups extension. For a TLS server the groups are used to
> determine the set of shared groups.
> ...
> The curve functions are synonyms for the equivalently named group
> functions and are identical in every respect.

Signed-off-by: Attila Szakacs attila.szakacs@oneidentity.com

@alltilla alltilla force-pushed the ecdh_curve_list_client_side branch from 792f6c6 to 76eaa46 Compare July 14, 2020 07:16
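The man page quoted in the description gives the same list two jobs: on a client it is sent verbatim in the supported_groups extension, on a server it is intersected with what the client offered. The Python model below is an added example, not syslog-ng or OpenSSL code. It parses an OpenSSL-style colon-separated curve list (the format SSL_CTX_set1_curves_list accepts) and runs both halves of that negotiation; the group-name table, the `server_preference` flag (standing in for OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE handling) and the sample lists are assumptions made for the example. It also covers the case MrAnno raises later in the thread: a client whose list lacks a curve cannot negotiate it, so the option is as much about extending the list as restricting it.

```python
"""Model of TLS supported-groups negotiation driven by an OpenSSL-style
colon-separated curve list (the SSL_CTX_set1_curves_list format).

Added example, not syslog-ng or OpenSSL code. It models the behaviour the
quoted man page describes: the client's list goes straight into the
supported_groups extension, the server's list is intersected with what
the client offered.
"""
from __future__ import annotations

# Constructed subset of the names OpenSSL accepts, mapped to one canonical
# name per group so that aliases such as P-256 / prime256v1 / secp256r1
# are treated as the same curve.
GROUP_ALIASES = {
    "secp256r1": "secp256r1",
    "prime256v1": "secp256r1",
    "P-256": "secp256r1",
    "secp384r1": "secp384r1",
    "P-384": "secp384r1",
    "secp521r1": "secp521r1",
    "P-521": "secp521r1",
    "X25519": "x25519",
    "X448": "x448",
}


def parse_curve_list(curve_list: str) -> list[str]:
    """Turn "X25519:P-256" into a preference-ordered list of canonical
    group names. Unknown names are rejected instead of silently dropped,
    mirroring SSL_CTX_set1_curves_list returning 0 on a bad name."""
    groups: list[str] = []
    for name in curve_list.split(":"):
        name = name.strip()
        if not name:
            continue
        if name not in GROUP_ALIASES:
            raise ValueError(f"unknown group name: {name!r}")
        canonical = GROUP_ALIASES[name]
        if canonical not in groups:  # keep first occurrence, preserve order
            groups.append(canonical)
    if not groups:
        raise ValueError("curve list must name at least one group")
    return groups


def client_supported_groups(client_curve_list: str) -> list[str]:
    """What a client configured with this list advertises: the list itself,
    in preference order (the supported_groups extension payload)."""
    return parse_curve_list(client_curve_list)


def server_select_group(server_curve_list: str, offered: list[str],
                        server_preference: bool = False) -> str | None:
    """Pick the shared group. Client order wins by default; with
    server_preference=True the server's order wins (assumed flag modelling
    OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE behaviour)."""
    allowed = parse_curve_list(server_curve_list)
    first, second = (allowed, offered) if server_preference else (offered, allowed)
    for group in first:
        if group in second:
            return group
    return None


def negotiate(client_curve_list: str, server_curve_list: str,
              server_preference: bool = False) -> str | None:
    """Run both halves: client advertises, server chooses. None means the
    handshake would fail with no shared group."""
    offered = client_supported_groups(client_curve_list)
    return server_select_group(server_curve_list, offered, server_preference)


if __name__ == "__main__":
    # A client left at a narrow list cannot reach a P-384-only server:
    # the list has to be extended on the client side for this to work.
    print(negotiate("X25519:P-256", "P-384"))
    # Both sides overlap; which group wins depends on preference handling.
    print(negotiate("X25519:P-256:P-384", "P-384:P-256"))
    print(negotiate("X25519:P-256:P-384", "P-384:P-256", server_preference=True))
```

Before this change the client side of syslog-ng used its default list regardless of `ecdh-curve-list()`, which corresponds to the first call above: a peer that only accepts a curve outside the defaults gets no shared group and the handshake fails. Applying the same list on the client is what lets an operator both narrow and widen what is offered.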
@kira-syslogng
Contributor

Build SUCCESS

@MrAnno
Collaborator

MrAnno commented Jul 14, 2020

I just saw this is a bugfix. In my understanding, this patch makes it possible to restrict curves on the client-side too.
Does it fix anything else I missed?

@MrAnno MrAnno merged commit 02632b6 into syslog-ng:master Jul 15, 2020
@MrAnno
Collaborator

MrAnno commented Jul 15, 2020

It turned out that not all curves are available by default, so this option can also be used to extend the allowed list.
