Gentoo Forums
[SOLVED] OpenSSL elliptic curves
litan
n00b
Joined: 13 Aug 2012
Posts: 51

Posted: Tue Sep 02, 2014 12:25 pm    Post subject: [SOLVED] OpenSSL elliptic curves

Hello,

I currently have the bindist USE flag set for my OpenSSL installation.
This flag disables elliptic curve cryptography because of patents, so I disabled
the flag and tried to re-emerge, but emerge wants to pull in a new slot instead:

Code:
# emerge openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  NS    ] dev-libs/openssl-0.9.8z_p2:0.9.8 [1.0.1i:0] USE="(sse2) zlib -bindist -gmp -kerberos {-test}" ABI_X86="(64) (-32) (-x32)" 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB


Now, even if I knew how to use this other version, the show-stopper is that elliptic curve key exchange was added in OpenSSL 1.x.

What are my options?


Last edited by litan on Wed Sep 03, 2014 8:30 am; edited 1 time in total
chithanh
Developer
Joined: 05 Aug 2006
Posts: 2158
Location: Berlin, Germany

Posted: Wed Sep 03, 2014 1:28 am    Post subject:

bindist flags on openssl in slot 0 and openssh must match.
Code:
# emerge -pv openssl:0 openssh
litan
n00b
Joined: 13 Aug 2012
Posts: 51

Posted: Wed Sep 03, 2014 8:29 am    Post subject:

Thanks chithanh, that works.

I removed the bindist flag from openssh in /etc/portage/package.use:
Code:
dev-libs/openssl -tls-heartbeat -bindist
net-misc/openssh -bindist


Code:
# emerge -pv openssl:0 openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] dev-libs/openssl-1.0.1i  USE="(sse2) zlib -bindist* -gmp -kerberos -rfc3779 -static-libs {-test} -tls-heartbeat -vanilla" ABI_X86="(64) (-32) (-x32)" 0 kB
[ebuild   R    ] net-misc/openssh-6.6_p1-r1  USE="hpn pam tcpd -X -X509 -bindist* -kerberos -ldap -ldns -libedit (-selinux) -skey -static" 1,273 kB

Total: 2 packages (2 reinstalls), Size of downloads: 1,273 kB


Before:
Code:
$ openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384'
Error in cipher list
139909532599952:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:


After:
Code:
$ openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD


After recompiling apache, it also supports the new suites.
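Added example, not part of the original posts: the before/after check in the last post tests a single suite, so this sketch classifies a whole `openssl ciphers -v` listing by its Kx= field to confirm that a rebuilt OpenSSL offers ephemeral ECDH. The function names and the sample listing are constructed for illustration; only the ECDHE line is taken from the post.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `openssl ciphers -v`.
sample_listing() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
EOF
}

# Names of suites with ephemeral ECDH key exchange. The field must be exactly
# "Kx=ECDH"; static ECDH suites are listed as "Kx=ECDH/RSA" or "Kx=ECDH/ECDSA".
ecdhe_suites() {
    awk '{ for (i = 3; i <= NF; i++) if ($i == "Kx=ECDH") print $1 }'
}

# Names of suites without forward secrecy: RSA key transport or static (EC)DH.
non_fs_suites() {
    awk '{ for (i = 3; i <= NF; i++) if ($i ~ /^Kx=(RSA|ECDH\/|DH\/)/) print $1 }'
}

# Succeeds if the listing on stdin contains at least one ECDHE suite.
has_ecdhe() {
    [ -n "$(ecdhe_suites)" ]
}

# Demo on the constructed sample. Against a real build, pipe in the live list:
#   openssl ciphers -v 'ALL' | ecdhe_suites
echo "ECDHE suites:"
sample_listing | ecdhe_suites
echo "Suites without forward secrecy:"
sample_listing | non_fs_suites
if sample_listing | has_ecdhe; then
    echo "result: ephemeral ECDH available"
else
    echo "result: no ephemeral ECDH suites in this listing"
fi
```
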