| Summary: | Expose ECC cipher suites (IETF RFC 4492) in OpenSSL to Apache | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Vipul Gupta <vipul.gupta> |
| Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | sander, vipul.gupta |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.5-HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | other | | |

Attachments:
Patch for exposing ECC cipher suites in OpenSSL to mod_ssl/Apache
Instructions for building and testing an ECC enabled version of Apache
Instructions for building and testing an ECC enabled version of Apache
Patch for exposing ECC cipher suites in openssl-1.0.0-beta2 to Apache 2.2.11
Updated instructions for building and testing an ECC enabled version of Apache
ECC patch against trunk

Description
Vipul Gupta
2006-07-27 23:51:41 UTC
Created attachment 18657 [details]
Patch for exposing ECC cipher suites in OpenSSL to mod_ssl/Apache
This patch has been successfully tested with Apache 2.2.2
and a development release of OpenSSL 0.9.9 (in particular,
openssl-SNAP-20060724).
Created attachment 18658 [details]
Instructions for building and testing an ECC enabled version of Apache
README.html contains the instructions I used for building and
testing an ECC enabled version of Apache 2.2.2 with openssl-SNAP-20060724.
vipul
Created attachment 18859 [details]
Instructions for building and testing an ECC enabled version of Apache
The URL for the patch was broken in the previous version.

I would like to apply this, but could you wrap the ECC specific functionality in an #ifndef OPENSSL_NO_EC, OPENSSL_NO_ECDH or OPENSSL_NO_ECDSA instead of the library version: you may have a more recent library that was not compiled with ECC support.
Also, do you have any thoughts about perl-framework tests for this feature?

Hi Sander,
Very good point. When you say that you'd like to apply this patch, are you talking about the Apache trunk or do you mean for your own experimentation with ECC? I'm no longer actively working on this but would be happy to put in the additional work required if it would benefit the larger Apache user community. Please let me know.
As for your other question, sorry, I'm not a perl user and don't know what a perl-framework test for this would entail.
thanks,
vipul

Created attachment 23614 [details]
Patch for exposing ECC cipher suites in openssl-1.0.0-beta2 to Apache 2.2.11
I've cleaned up the patch and successfully used it to enable ECC ciphers in Apache 2.2.11 using openssl-1.0.0-beta2. In the process, I've also addressed comment #4 by wrapping ECC-specific functionality in
#if (SSL_LIBRARY_VERSION >= 0x00908000) && !defined(OPENSSL_NO_EC)
This way, if you have a recent version of OpenSSL compiled with OPENSSL_NO_EC, you can pass the same flag when compiling Apache to leave out ECC support even after the patch has been committed.
NOTE: Be sure to apply the patch posted at https://issues.apache.org/bugzilla/show_bug.cgi?id=45521 to httpd-2.2.11 before applying the ECC patch. Otherwise, you'll see compile-time errors about "STACK undeclared". I wasted a few hours because of this. The patch for Bug 45521 was checked into the Apache trunk after 2.2.11 was released.
Let me know if you encounter any issues.
vipul

Created attachment 23615 [details]
Updated instructions for building and testing an ECC enabled version of Apache
This attachment contains updated instructions for building and testing an ECC-enabled version of Apache 2.2.11 with openssl-1.0.0-beta2.
Created attachment 24502 [details]
ECC patch against trunk
Applied the patch to trunk and tested manually.

Hi Sander,
Thank you for seeing this through! The two NSA web pages mentioned in comment #0 have moved and their new URLs are as follows:
The Case for Elliptic Curve Cryptography: http://www.nsa.gov/business/programs/elliptic_curve.shtml
NSA Suite B Cryptography: http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
vipul