Elliptic Curve Cryptography (ECC) is a next generation public key cryptosystem which is more resource efficient than RSA and is being endorsed by the NSA (e.g., see http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm and http://www.nsa.gov/ia/industry/crypto_suite_b.cfm). The IETF has recently published RFC 4492 (http://www.ietf.org/rfc/rfc4492.txt) which describes new ECC-based cipher suites for TLS. These cipher suites are being implemented by major vendors including Microsoft, Red Hat and Sun. A more extensive list of vendors and products supporting these cipher suites is available at http://dev.experimentalstuff.com:8082/; e.g., Firefox (starting with 2.0), Internet Explorer (starting with Vista) and OpenSSL all support these cipher suites. We'd like to see these cipher suites exposed to Apache users and administrators.
Created attachment 18657: Patch for exposing ECC cipher suites in OpenSSL to mod_ssl/Apache
This patch has been successfully tested with Apache 2.2.2 and a development release of OpenSSL 0.9.9 (in particular, openssl-SNAP-20060724).
Created attachment 18658: Instructions for building and testing an ECC enabled version of Apache
README.html contains the instructions I used for building and testing an ECC enabled version of Apache 2.2.2 with openssl-SNAP-20060724. vipul
Created attachment 18859: Instructions for building and testing an ECC enabled version of Apache
The URL for the patch was broken in the previous version.
I would like to apply this, but could you wrap the ECC specific functionality in an #ifndef OPENSSL_NO_EC, OPENSSL_NO_ECDH or OPENSSL_NO_ECDSA instead of the library version: you may have a more recent library that was not compiled with ECC support. Also, do you have any thoughts about perl-framework tests for this feature?
Hi Sander, Very good point. When you say that you'd like to apply this patch, are you talking about the Apache trunk, or do you mean for your own experimentation with ECC? I'm no longer actively working on this but would be happy to put in the additional work required if it would benefit the larger Apache user community. Please let me know. As for your other question, sorry, I'm not a perl user and don't know what a perl-framework test for this would entail. thanks, vipul
Created attachment 23614: Patch for exposing ECC cipher suites in openssl-1.0.0-beta2 to Apache 2.2.11
I've cleaned up the patch and successfully used it to enable ECC ciphers in Apache 2.2.11 using openssl-1.0.0-beta2. In the process, I've also addressed comment #4 by wrapping ECC-specific functionality in
#if (SSL_LIBRARY_VERSION >= 0x00908000) && !defined(OPENSSL_NO_EC)
This way, if you have a recent version of OpenSSL compiled with OPENSSL_NO_EC, you can pass the same flag when compiling Apache to leave out ECC support even after the patch has been committed.
NOTE: Be sure to apply the patch posted at https://issues.apache.org/bugzilla/show_bug.cgi?id=45521 to httpd-2.2.11 before applying the ECC patch. Otherwise, you'll see compile-time errors about "STACK undeclared". I wasted a few hours because of this. The patch for Bug 45521 was checked into the Apache trunk after 2.2.11 was released. Let me know if you encounter any issues. vipul
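The guard above decides at compile time whether any ECC code is built at all. The following is an added illustration, not part of the patch or of mod_ssl: it reuses the same #if condition to derive a MODSSL_HAVE_ECC flag and shows one consequence an administrator sees, namely that RFC 4492 suites listed in SSLCipherSuite are simply unusable when the toolkit was built with OPENSSL_NO_EC. SSL_LIBRARY_VERSION is given an assumed stand-in value here because the OpenSSL headers are not included; the function names and the sample cipher list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the macro mod_ssl gets from ssl_toolkit_compat.h; the value is
 * assumed for this example (packed OpenSSL 1.0.0 version number). */
#ifndef SSL_LIBRARY_VERSION
#define SSL_LIBRARY_VERSION 0x1000000fL
#endif

/* Same condition as the patch: ECC only with a 0.9.8+ toolkit not built with OPENSSL_NO_EC.
 * Building this file with -DOPENSSL_NO_EC flips the flag to 0. */
#if (SSL_LIBRARY_VERSION >= 0x00908000) && !defined(OPENSSL_NO_EC)
#define MODSSL_HAVE_ECC 1
#else
#define MODSSL_HAVE_ECC 0
#endif

int ecc_compiled_in(void) { return MODSSL_HAVE_ECC; }

/* RFC 4492 suites in OpenSSL naming use ECDH/ECDHE key exchange or ECDSA authentication. */
static int is_ecc_suite(const char *tok) {
    return strstr(tok, "ECDH") != NULL || strstr(tok, "ECDSA") != NULL;
}

/* Copy a colon-separated SSLCipherSuite list into out, dropping ECC suites when
 * have_ecc is 0 (what an EC-less build effectively does). Returns suites kept. */
int filter_cipher_list(const char *in, int have_ecc, char *out, size_t outlen) {
    char buf[512];
    int kept = 0;
    size_t used = 0;
    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    out[0] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (!have_ecc && is_ecc_suite(tok))
            continue;
        size_t n = strlen(tok);
        if (used + n + 2 > outlen) break;          /* no room: stop rather than truncate a name */
        if (kept) out[used++] = ':';
        memcpy(out + used, tok, n + 1);
        used += n;
        kept++;
    }
    return kept;
}

int main(void) {
    char out[256];   /* constructed sample SSLCipherSuite value */
    int n = filter_cipher_list("ECDHE-RSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:AES128-SHA",
                               ecc_compiled_in(), out, sizeof out);
    printf("ECC compiled in: %d, %d usable suite(s): %s\n", ecc_compiled_in(), n, out);
    return 0;
}
```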
Created attachment 23615: Updated instructions for building and testing an ECC enabled version of Apache
This attachment contains updated instructions for building and testing an ECC-enabled version of Apache 2.2.11 with openssl-1.0.0-beta2.
Created attachment 24502: ECC patch against trunk
Applied the patch to trunk and tested manually.
Hi Sander, Thank you for seeing this through! The two NSA web pages mentioned in comment #0 have moved and their new URLs are as follows:
The Case for Elliptic Curve Cryptography: http://www.nsa.gov/business/programs/elliptic_curve.shtml
NSA Suite B Cryptography: http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
vipul
Implemented in r834378 and r835046.