On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'll probably write my bachelor thesis about some aspects. I'll definitely share results, if they concern the server side.
Thanks.
I don't know if that's true. As far as I know OpenSSL itself is perfectly capable of supporting multiple curves.
I've tested that with my private HTTPS servers and openssl s_client: `openssl s_client -groups "X25519" -connect <host>` `openssl s_client -groups "prime256v1" -connect <host>`
That's the client side... the question is what happens on the server side? i.e. what API calls are necessary? I think that the curves supplied to OpenSSL are defaults, and it can negotiate more. See the "cipher_list" configuration, which allows you to specify multiple ciphers.
I've also observed at least one server in the eduroam federation which support multiple named curves. (Based on my data from analyzing TLS Handshakes in EAP-TLS)
I haven't had the the time to try to modify freeradius locally to ignore the ecdh_curve completely. Unfortunately I'm just beginning to get into the openssl API.
Good luck. It's enormously more complex than it needs to be. :( Alan DeKok.