diff --git a/CHANGES b/CHANGES index a7833dbd1b63fceb781e5e1d82d614a03a66ecea..39585dc825b4507109ad293704b587d4d135afea 100644 --- a/CHANGES +++ b/CHANGES @@ -54,7 +54,8 @@ *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is always enabled now. If you want to disable the support you should - exclude it using the list of supported ciphers. + exclude it using the list of supported ciphers. This also means that the + "-no_ecdhe" option has been removed from s_server. [Kurt Roeckx] *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls diff --git a/apps/s_apps.h b/apps/s_apps.h index 55dc9f1ffcbc34ea09176b5d935ad510201e7c84..91faf4fe12c44c091b0f8519847f7b6683bb4494 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -207,7 +207,7 @@ int load_excert(SSL_EXCERT **pexc); void print_ssl_summary(SSL *s); #ifdef HEADER_SSL_H int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_ecdhe, int no_jpake); + SSL_CTX *ctx, int no_jpake); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, diff --git a/apps/s_cb.c b/apps/s_cb.c index 7a4bf297cc6ca7ccdbc33f3c43f6bca0907457fb..0a9616655ff6ee4b51079dabd78e3a7d97adc300 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1195,7 +1195,7 @@ void print_ssl_summary(SSL *s) } int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_ecdhe, int no_jpake) + SSL_CTX *ctx, int no_jpake) { int i; @@ -1203,9 +1203,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); - /* If no_ecdhe or named curve already specified don't need a default. */ - if (!no_ecdhe && strcmp(flag, "-named_curve") == 0) - no_ecdhe = 1; #ifndef OPENSSL_NO_JPAKE if (!no_jpake && (strcmp(flag, "-cipher") == 0)) { BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); @@ -1222,18 +1219,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, return 0; } } - /* - * This is a special case to keep existing s_server functionality: if we - * don't have any curve specified *and* we haven't disabled ECDHE then - * use P-256. - */ - if (!no_ecdhe) { - if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) { - BIO_puts(bio_err, "Error setting EC curve\n"); - ERR_print_errors(bio_err); - return 0; - } - } #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { diff --git a/apps/s_client.c b/apps/s_client.c index 5aa1adc51ec88a6fd68b08805cdd5ab13ad00210..dbeb770f59a6762da62abae7fe00669dcd4bdb3a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1211,7 +1211,7 @@ int s_client_main(int argc, char **argv) ASYNC_init(1, 0, 0); } - if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, diff --git a/apps/s_server.c b/apps/s_server.c index ba88bd702a817177d530d6c52e597891e998c94c..698dd1c73bc48297da974abfab8cd490a798d2ba 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -804,7 +804,7 @@ typedef enum OPTION_choice { OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, - OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_ECDHE, + OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL3, @@ -949,9 +949,6 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif -#ifndef OPENSSL_NO_EC - {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"}, -#endif #ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, @@ -1000,7 +997,7 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH int no_dhe = 0; #endif - int no_ecdhe = 0, nocert = 0, ret = 1; + int nocert = 0, ret = 1; int noCApath = 0, noCAfile = 0; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; @@ -1297,9 +1294,6 @@ int s_server_main(int argc, char *argv[]) no_dhe = 1; #endif break; - case OPT_NO_ECDHE: - no_ecdhe = 1; - break; case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; break; @@ -1670,7 +1664,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1733,7 +1727,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx2, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL)) goto end; } #ifndef OPENSSL_NO_NEXTPROTONEG diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index c1a1d1a02217881fa8c32d61116593d3f5d53b10..59d600d99c7e69eb3d768609e2b4934c8b6a7c02 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -76,7 +76,6 @@ B B [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] -[B<-no_ecdhe>] [B<-bugs>] [B<-brief>] [B<-www>] @@ -180,11 +179,6 @@ a static set of parameters hard coded into the s_server program will be used. if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. -=item B<-no_ecdhe> - -if this option is set then no ECDH parameters will be loaded effectively -disabling the ephemeral ECDH cipher suites. - =item B<-crl_check>, B<-crl_check_all> Check the peer certificate has not been revoked by its CA.