Using Supported Elliptic Curves Extension with CyaSSL
We are back to talk about TLS extensions again. Today we present the addition of Supported Elliptic Curves on CyaSSL!
RFC 4492 introduces five new ECC-based key
exchange algorithms for TLS: ECDH_ECDSA, ECDHE_ECDSA, ECDH_RSA,
ECDHE_RSA and ECDH_anon. However, it may be desirable in constrained
environments to only support a limited number of curves. When a client
uses this extension, servers that understands it MUST NOT negotiate the
use of an ECC cipher suite unless they can complete the handshake while
respecting the choice of curves specified by the client. This eliminates
the possibility that a negotiated ECC handshake will be subsequently
aborted due to a client’s inability to deal with the server’s ECC key.
To enable the usage of Supported Elliptic Curves in CyaSSL you can simply do:
./configure --enable-supportedcurves
Using Supported Elliptic Curves on the
client side requires additional function calls, which should be one of
the following functions:
CyaSSL_CTX_UseSupportedCurve();
CyaSSL_UseSupportedCurve();
CyaSSL_CTX_UseSupportedCurve() is most
recommended when the client would like to enable Supported Curves for
all sessions. Setting the Supported Elliptic Curves extension at context
level will enable it in all SSL objects created from that same context
from the moment of the call forward.
CyaSSL_UseSupportedCurve() will enable it
for one SSL object only, so it's recommended to use this function when
there is no need for Supported Elliptic Curves on all sessions.
These functions can be called more than once to indicate the support of multiple curves.
On the server side no call is required. The
server will automatically attend to the client's request selecting ECC
cipher suites only if the supported curves are allowed.
All TLS extensions can also be enabled with:
./configure --enable-tlsx
No comments:
Post a Comment