interfasys
Verified User
For advanced users only, the ones who know why it's important not to use prime256v1.
This is the patch you need to improve your EC key exchange when using Apache. On top of that you need to be on 2.4 or you will have other KX issues.
Code:
--- a/modules/ssl/ssl_engine_init.c.orig
+++ b/modules/ssl/ssl_engine_init.c
@@ -1116,7 +1116,7 @@
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
- EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ EC_KEY_new_by_curve_name(NID_secp384r1));
#endif
}
#endif
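Review bot: the `EC_KEY` returned by `EC_KEY_new_by_curve_name(NID_secp384r1)` on the `+` line is handed straight to `SSL_CTX_set_tmp_ecdh` with no NULL check and is never freed; the prime256v1 line it replaces had the same two defects, so the curve swap carries them forward. `SSL_CTX_set_tmp_ecdh` duplicates the key into the context, so the caller's copy leaks once per `ssl_ctx`, and when the NID is not available in the linked OpenSSL the function returns NULL, the ctrl fails and no ECDHE parameters are installed at all, which the ignored return value hides. Suggest capturing the key and checking both results, along the lines of `EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);` / `if (ecdh == NULL || !SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, ecdh)) { /* log and abort init */ }` / `EC_KEY_free(ecdh);`. The curve also remains a compile-time constant in this `#else` branch, so every change of preference means another patched build; exposing it through configuration would avoid that.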
*Notes*
- This will be obsolete as soon as OpenSSL 1.0.2 is released.
- Don't use secp521r1 if you need to support IE.
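The following is an added example and is not part of interfasys's post or of Apache's source. It shows what a pinned server curve means at the TLS 1.2 wire level: the client lists the curves it accepts in the elliptic_curves (supported_groups) extension of its ClientHello, the server names one curve in its ServerKeyExchange, and a server pinned to a single curve (as the patched `#else` branch is to secp384r1) can only succeed if that curve is in the client's list. The ClientHello extension bytes are constructed here, not captured; the "legacy" client offering only P-256 and P-384 is an assumption modelled on the post's note about IE and secp521r1, and the server preference lists are illustrative, not Apache's.

```python
import struct

# IANA NamedCurve ids from RFC 4492 / RFC 8422; NID_secp384r1 in the patch is id 24 on the wire.
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
EXT_ELLIPTIC_CURVES = 0x000A  # "elliptic_curves" in RFC 4492, "supported_groups" today
CURVE_TYPE_NAMED = 3          # ECCurveType.named_curve in an ECDHE ServerKeyExchange


def build_elliptic_curves_ext(curve_ids):
    """Encode an elliptic_curves extension: type, length, 2-byte list length, 2-byte curve ids."""
    ids = struct.pack("!%dH" % len(curve_ids), *curve_ids)
    body = struct.pack("!H", len(ids)) + ids
    return struct.pack("!HH", EXT_ELLIPTIC_CURVES, len(body)) + body


def parse_client_curves(extensions):
    """Walk a ClientHello extensions block and return the curve ids the client offers, in its order.
    A client that sends no elliptic_curves extension offers nothing, so [] is returned."""
    curves = []
    off = 0
    while off < len(extensions):
        if off + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, off)
        off += 4
        body = extensions[off:off + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        off += ext_len
        if ext_type != EXT_ELLIPTIC_CURVES:
            continue  # server_name, signature_algorithms, ... are skipped
        if len(body) < 2:
            raise ValueError("elliptic_curves extension too short")
        (list_len,) = struct.unpack_from("!H", body, 0)
        if list_len % 2 or 2 + list_len != len(body):
            raise ValueError("malformed elliptic_curves list")
        curves = list(struct.unpack("!%dH" % (list_len // 2), body[2:]))
    return curves


def parse_server_curve(ske_params):
    """Return the NamedCurve id from the ECParameters that open an ECDHE ServerKeyExchange."""
    if len(ske_params) < 3:
        raise ValueError("ServerKeyExchange params too short")
    if ske_params[0] != CURVE_TYPE_NAMED:
        raise ValueError("only named_curve parameters are handled")
    return struct.unpack_from("!H", ske_params, 1)[0]


def pick_curve(server_curves, client_curves):
    """Server-preference selection: first curve in the server's list that the client also offers,
    else None (handshake failure).  A server pinned to one curve, like the patched Apache, has a
    one-element list."""
    for cid in server_curves:
        if cid in client_curves:
            return cid
    return None


def handshake_outcome(server_curves, client_ext_bytes):
    """Return the name of the curve that would be negotiated, or None when ECDHE cannot proceed."""
    cid = pick_curve(server_curves, parse_client_curves(client_ext_bytes))
    return None if cid is None else NAMED_CURVES.get(cid, "unknown-%d" % cid)


# Constructed sample data (assumption, not captured traffic): a server_name extension for
# "example" followed by the curve list.  The legacy client offers only P-256 and P-384; the
# modern client offers x25519, P-256, P-384 and P-521.
SNI_EXT = struct.pack("!HH", 0x0000, 12) + b"\x00\x0a\x00\x00\x07example"
LEGACY_CLIENT = SNI_EXT + build_elliptic_curves_ext([23, 24])
MODERN_CLIENT = SNI_EXT + build_elliptic_curves_ext([29, 23, 24, 25])

# Illustrative server configurations: the unpatched prime256v1 default, the patched secp384r1 pin,
# a secp521r1 pin, and a preference list of the kind an automatic selection could honour.
SERVER_DEFAULT = [23]
SERVER_PATCHED = [24]
SERVER_P521_ONLY = [25]
SERVER_AUTO = [25, 24, 23]

if __name__ == "__main__":
    for label, srv in [("prime256v1", SERVER_DEFAULT), ("secp384r1", SERVER_PATCHED),
                       ("secp521r1", SERVER_P521_ONLY), ("auto list", SERVER_AUTO)]:
        print("%-10s legacy=%-10s modern=%s" % (
            label, handshake_outcome(srv, LEGACY_CLIENT), handshake_outcome(srv, MODERN_CLIENT)))
```

Running it prints one row per server configuration; the secp521r1 row shows `legacy=None`, which is the failure mode the post's last note warns about, while the secp384r1 pin negotiates with both constructed clients. The same parser can be pointed at the extension bytes of a real ClientHello from a packet capture to check what a given client actually offers before pinning a curve.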