Single ECDH Curve for forward secrecy

Jan-Frederik Rieckers rieckers+freeradius-devel at uni-bremen.de
Mon Feb 3 17:39:33 CET 2020



On 03.02.20 17:21, Alan DeKok wrote:
>> Since the ecdh_curve parameter is set with a default value of
>> prime256v1, leaving out the configuration parameter results in the
>> choice of prime256v1.
> 
>   You can set the curve to nothing:
> 
> 	ecdh_curve = ""
> 
>   See the set_ecdh_curve() function.

I'm sorry, I didn't notice this.

In my opinion, it seems a little bit odd that leaving out the option
defaults to "prime256v1", but setting it to an empty string enables all curves.
There's also no documentation for this behavior in the configuration
file. Maybe this could be added?

Greetings
Jan-Frederik Rieckers.
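
The three cases discussed in this thread (option omitted, set to the empty string, set to a curve name), as an added example that is not part of the original message or of FreeRADIUS: a small Python audit that reports which case each `tls-config` section falls into. The sample config, the section names and the state labels are constructed for illustration; the semantics are those stated in the messages above.

```python
import re

DEFAULT_CURVE = "prime256v1"  # default named in the thread

# Constructed sample in the style of a FreeRADIUS EAP config (not from the thread).
SAMPLE = """
eap {
    tls-config tls-default {
        # ecdh_curve = "secp384r1"
    }
    tls-config tls-any {
        ecdh_curve = ""   # set to nothing
    }
    tls-config tls-pinned {
        ecdh_curve = secp384r1
    }
}
"""

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line

def effective_curves(text):
    """Return {tls-config name: (state, curve)} using the thread's semantics."""
    results, stack = {}, []
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        opened = re.match(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$", line)
        if opened:
            stack.append(opened.groups())
            if opened.group(1) == "tls-config":
                # Option not seen yet in this section: the default applies.
                results[opened.group(2)] = ("default", DEFAULT_CURVE)
        elif line == "}" and stack:
            stack.pop()
        elif stack and stack[-1][0] == "tls-config":
            m = re.match(r"^ecdh_curve\s*=\s*(.*)$", line)
            if m:
                value = m.group(1).strip().strip('"')
                # Empty string: no single curve is pinned.
                state = ("pinned", value) if value else ("all-curves", None)
                results[stack[-1][1]] = state
    return results
```

Calling `effective_curves(SAMPLE)` shows that a commented-out `ecdh_curve` line still counts as "omitted", which is the case that silently falls back to the default.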
