Open BenBE opened 8 years ago
This would be nice to be able to configure on a more granular level, so that I can specify multiple curves at least. Different servers unfortunately use different curves, like prime256v1 or secp521r1. Having different curves prohibits s2s interoperability.
With OpenSSL 1.1.0 you could even configure a list of curves to support: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set1_curves_list.html
In recent versions ejabberd allows for the DH parameters to be set in its configuration. But a similar setting for the ECDH parameters is missing. In a quick shot, of which the results are included below, I tried to add this feature in p1_tls, so it can be used in ejabberd.
The intention is to allow the used named curve for ECC to be specified in the ejabberd config by providing its name in a setting like "ecdh_curvename" or "s2s_ecdh_curvename" (for s2s).
I know this is by far not perfect, but should provide a good starting point for further developments.
Thanks to emias (IRC) for reviewing and commenting on this initial PoC.
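As an added illustration of the configuration idea discussed in this thread (not code from p1_tls, ejabberd or any commenter), the Python snippet below shows how a server could read a per-listener ECDH curve setting, validate the name against what the linked OpenSSL build actually supports before the first handshake, and check whether two peers' curve lists leave any group to negotiate on s2s. The option names `ecdh_curvename` and `s2s_ecdh_curvename` are taken from the thread's "a setting like ..." suggestion and are assumed here, not real ejabberd options; `curve_is_usable`, `context_for_listener` and `negotiable_curves` are helper names chosen for this example. It uses only the standard `ssl` module, whose `set_ecdh_curve` accepts a single named curve.

```python
import ssl

# Hypothetical ejabberd-style option names, assumed for this example only;
# the issue proposes names "like" these but does not define them.
DEFAULT_CURVE_OPTION = "ecdh_curvename"
S2S_CURVE_OPTION = "s2s_ecdh_curvename"


def curve_is_usable(curve_name: str) -> bool:
    """Return True if the linked OpenSSL build accepts curve_name for ECDH.

    Probes by applying the curve to a throwaway server context: an unknown
    or non-EC name makes CPython's ssl module raise ValueError or SSLError.
    """
    if not ssl.HAS_ECDH:
        return False
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        probe.set_ecdh_curve(curve_name)
    except (ValueError, ssl.SSLError):
        return False
    return True


def context_for_listener(config: dict, listener: str) -> ssl.SSLContext:
    """Build a server SSLContext honouring a per-listener curve setting.

    listener is "c2s" or "s2s". The s2s-specific option wins when present,
    otherwise the global option applies. A curve name the local OpenSSL
    does not know is rejected at configuration time, not at first handshake.
    """
    option = S2S_CURVE_OPTION if listener == "s2s" else DEFAULT_CURVE_OPTION
    curve = config.get(option) or config.get(DEFAULT_CURVE_OPTION)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if curve is not None:
        if not curve_is_usable(curve):
            raise ValueError(f"{option}: unknown or unsupported curve {curve!r}")
        ctx.set_ecdh_curve(curve)
    return ctx


def negotiable_curves(local_curves, remote_curves):
    """Curves both ends offer, in local preference order.

    An empty result means the s2s handshake cannot agree on a group, which is
    the interoperability failure described in the issue (for example one
    server pinned to prime256v1 and the other to secp521r1).
    """
    remote = set(remote_curves)
    return [c for c in local_curves if c in remote]


if __name__ == "__main__":
    # Constructed sample configuration for a quick local check.
    sample = {"ecdh_curvename": "prime256v1", "s2s_ecdh_curvename": "secp521r1"}
    context_for_listener(sample, "s2s")
    print("prime256v1 usable:", curve_is_usable("prime256v1"))
    print("common curves:", negotiable_curves(["prime256v1"], ["secp521r1"]))
```

Validating the name up front matters operationally: a typo in the curve option otherwise surfaces only as handshake failures against every peer, which is hard to tell apart from the genuine curve mismatch the thread is about.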