method

ecdh_curves=

v2_6_3 - Show latest stable - Class: OpenSSL::SSL::SSLContext

ecdh_curves=(p1)

public

Sets the list of “supported elliptic curves” for this context.

For a TLS client, the list is directly used in the Supported Elliptic Curves Extension. For a server, the list is used by OpenSSL to determine the set of shared curves. OpenSSL will pick the most appropriate one from it.

Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve can be set, and this has no effect for TLS clients.

Example

ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ecdh_curves = "X25519:P-256:P-224"
svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx1)
Thread.new { svr.accept }

ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ecdh_curves = "P-256"
cli = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx2)
cli.connect

p cli.tmp_key.group.curve_name
# => "prime256v1" (is an alias for NIST P-256)

static VALUE
ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
{
    SSL_CTX *ctx;

    rb_check_frozen(self);
    GetSSLCTX(self, ctx);
    StringValueCStr(arg);

#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
    if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
        ossl_raise(eSSLError, NULL);
#else
    /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
     * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
    {
        VALUE curve, splitted;
        EC_KEY *ec;
        int nid;

        splitted = rb_str_split(arg, ":");
        if (!RARRAY_LEN(splitted))
            ossl_raise(eSSLError, "invalid input format");
        curve = RARRAY_AREF(splitted, 0);
        StringValueCStr(curve);

        /* SSL_CTX_set1_curves_list() accepts NIST names */
        nid = EC_curve_nist2nid(RSTRING_PTR(curve));
        if (nid == NID_undef)
            nid = OBJ_txt2nid(RSTRING_PTR(curve));
        if (nid == NID_undef)
            ossl_raise(eSSLError, "unknown curve name");

        ec = EC_KEY_new_by_curve_name(nid);
        if (!ec)
            ossl_raise(eSSLError, NULL);
        EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
        if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
            EC_KEY_free(ec);
            ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
        }
        EC_KEY_free(ec);
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
        /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
         * is enabled. So disable ecdh_auto. */
        if (!SSL_CTX_set_ecdh_auto(ctx, 0))
            ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
# endif
    }
#endif

    return arg;
}

ecdh_curves=

Example

Related methods