ClientHello sends ECC ciphers without extensions #366
I've noticed to send ECC extensions requires not only
RFC 4492 in section 4 says "A client that proposes ECC cipher suites may choose not to include these extensions. In this case, the server is free to choose any one of the elliptic curves or point formats listed in Section 5." I've proposed a change in the Go server to address that; however, I think you may want to consider enabling ECC extensions when ECC ciphers are sent, otherwise the server could pick a curve that, though allowed by the RFC, is not supported by wolfSSL, and there could still be an error. Also, I think the burden of setting some default supported curves should be on the library.
I think a way to accomplish this would be if
Thanks for the ideas and suggestions. For portability reasons, enabling TLS extensions by default on all platforms may not be the best choice, but it may make sense on standard desktop environments. We'll put this on our list to think over.
If supported curves has been enabled, having wolfSSL send a default list of curves sounds like a good idea (unless explicitly set with wolfSSL_CTX_UseSupportedCurve()). We'll add this to our desired feature list.
To remedy this as much as possible for us I've added support for the ECC curves extension,
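The condition reported in this issue, a ClientHello that offers RFC 4492 ECC cipher suites but carries no elliptic_curves extension, can be checked on a captured handshake body. This is an added example, not code from wolfSSL or the Go server; the function names and sample bytes are constructed for illustration, and only the RFC 4492 suite range 0xC001 to 0xC019 is treated as ECC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* b: ClientHello body (after the 4-byte handshake header), n: its length.
 * Returns 1 if an RFC 4492 ECC suite (0xC001..0xC019) is offered without the
 * elliptic_curves extension (type 10), 0 if not, -1 if the body is malformed. */
int ecc_without_curves(const uint8_t *b, size_t n)
{
    size_t off = 2 + 32, len, end;          /* skip client_version + random */
    int ecc = 0;
    if (off + 1 > n) return -1;
    off += 1 + (size_t)b[off];              /* session_id */
    if (off + 2 > n) return -1;
    len = rd16(b + off); off += 2;          /* cipher_suites */
    if (len % 2 || off + len > n) return -1;
    for (end = off + len; off < end; off += 2)
        if (rd16(b + off) >= 0xC001 && rd16(b + off) <= 0xC019) ecc = 1;
    if (off + 1 > n) return -1;
    off += 1 + (size_t)b[off];              /* compression_methods */
    if (off > n) return -1;
    if (off == n) return ecc;               /* no extensions block at all */
    if (off + 2 > n || off + 2 + rd16(b + off) != n) return -1;
    for (off += 2; off + 4 <= n; off += 4 + len) {
        len = rd16(b + off + 2);
        if (off + 4 + len > n) return -1;
        if (rd16(b + off) == 10) return 0;  /* client listed its curves */
    }
    return off == n ? ecc : -1;
}

/* Constructed sample body: TLS 1.2, zero random, one suite, optional curves. */
size_t make_hello(uint8_t *out, unsigned suite, int with_curves)
{
    static const uint8_t ext[] = {0,8, 0,10, 0,4, 0,2, 0,23}; /* secp256r1 */
    size_t n = 35;                          /* version, random, empty session_id */
    memset(out, 0, 64);
    out[0] = 3; out[1] = 3;
    out[n++] = 0; out[n++] = 2;             /* cipher_suites length */
    out[n++] = (uint8_t)(suite >> 8); out[n++] = (uint8_t)suite;
    out[n++] = 1; out[n++] = 0;             /* null compression */
    if (with_curves) { memcpy(out + n, ext, sizeof ext); n += sizeof ext; }
    return n;
}

/* Build a constructed hello with the given suite and run the check on it. */
int check_sample(unsigned suite, int with_curves) { uint8_t h[64]; return ecc_without_curves(h, make_hello(h, suite, with_curves)); }
int main(void) { printf("%d\n", check_sample(0xC013, 0)); return 0; }
```

A result of 1 marks a hello where, per RFC 4492 section 4, the server is free to choose any curve, which is the interoperability failure described in the report.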