On Fri, Jan 11, 2008 at 08:41:23AM -0800, Rodney Thayer wrote:

> That's great. I wonder what they tested it with. Probably
> the OpenSSL s_server tool ;-)
> I wonder if apache-ssl supports ECC...

If it uses OpenSSL, and is linked against 0.9.9 (i.e. not yet), then
ECDSA support requires no new application code provided you are willing
to *switch* from RSA to ECDSA. If the application already supports both
RSA and DSA certs (2 certificate slots), then it can be switched from
RSA+DSA to RSA+ECDSA or DSA+ECDSA again with no code changes, just point
it at the right cert(s).

What does require new code (the ~10 lines I posted) is enabling EECDH by
selecting a suitable curve. So ECDSA without forward secrecy is already
supported by existing OpenSSL apps once they re-compile/re-link against
a library with ECDSA support. Enabling forward-secrecy (EECDH) requires
code to select the appropriate curve.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
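
The split described in the message above, between configuration (which certificate) and code (which curve), shown as an added example that is not part of the original message or the ~10 lines it refers to. It uses Python's `ssl` module as a stand-in for an OpenSSL-linked application; `build_server_context`, `is_forward_secret` and `audit` are hypothetical helper names, and `prime256v1` is an assumed curve choice.

```python
import ssl

# Key-exchange labels (as reported by SSLContext.get_ciphers()) that use
# ephemeral Diffie-Hellman and therefore give forward secrecy.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def build_server_context(curve="prime256v1", certfile=None, keyfile=None,
                         ciphers=None):
    """Server context for an OpenSSL-backed application (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Configuration step: whether an RSA, DSA or ECDSA certificate is served
    # depends only on the files named here, not on application code.
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    # Code step: select the curve used for ephemeral ECDH (EECDH).
    # An unknown curve name raises ValueError. (OpenSSL 1.1.0 and later fall
    # back to a default curve list when this is never called.)
    ctx.set_ecdh_curve(curve)
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def is_forward_secret(cipher):
    """True when the suite's key exchange is ephemeral (EECDH or EDH)."""
    return cipher["kea"] in EPHEMERAL_KX


def audit(ctx):
    """Map each enabled suite name to (authentication, forward_secret).

    TLS 1.3 suites report 'kx-any' because the suite name does not encode
    the key exchange, so they are left out of the report.
    """
    return {c["name"]: (c["auth"], is_forward_secret(c))
            for c in ctx.get_ciphers() if c["kea"] != "kx-any"}


if __name__ == "__main__":
    # One ECDSA suite with EECDH next to one RSA key-transport suite.
    ctx = build_server_context(
        ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256")
    for name, (auth, fs) in sorted(audit(ctx).items()):
        print(f"{name:32} {auth:12} forward-secret={fs}")
```
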