On Feb 3, 2020, at 11:00 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I've tried one ugly patch now to try to mitigate the "problem":
*What* problem? You've asked how to change curves, and you can do that via the configuration file. What is the problem you're solving?
Since the ecdh_curve parameter is set with a default value of prime256v1, leaving out the configuration parameter results in the choice of prime256v1.
You can set the curve to nothing: ecdh_curve = "" See the set_ecdh_curve() function.
I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2 It seems this OpenSSL version enables all curves if no specific curve is set. My suggested fix would be to at least introduce a configuration item to disable the choice of one specific named curve.
You can pretty much do that already. Alan DeKok.