Single ECDH Curve for forward secrecy
Alan DeKok
aland at deployingradius.com
Mon Feb 3 17:21:50 CET 2020
On Feb 3, 2020, at 11:00 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel at uni-bremen.de> wrote:
> I've tried one ugly patch now to try to mitigate the "problem":
*What* problem? You've asked how to change curves, and you can do that via the configuration file. What is the problem you're solving?
> Since the ecdh_curve parameter is set with a default value of
> prime256v1, leaving out the configuration parameter results in the
> choice of prime256v1.
You can set the curve to nothing:
ecdh_curve = ""
See the set_ecdh_curve() function.
> I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2
> It seems this OpenSSL version enables all curves if no specific curve is
> set.
> My suggested fix would be to at least introduce a configuration item to
> disable the choice of one specific named curve.
You can pretty much do that already.
Alan DeKok.