-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix #86: ECDHE with ASIO (w/ pull request #117) #90
base: 4.7
Are you sure you want to change the base?
Conversation
- this is just a stop-gap change until this is implemented in Boost::ASIO - enables passing EDCH temporary parameters needed for Ephemeral Diffie- Hellman, which enables Perfect Forward Secrecy in the HTTPS server
- implemented ECDHE support in restbed to work with the patched ASIO implementation from chriskohlhoff/asio#117 - if the patch is pulled into Corusoft's repository, ASIO will work with the current version of ASIO; remove #ifdef ECDHE_SUPPORT if that happens.
How will the upgrade to the latest OpenSSL 102 effect this PR, if at all? |
@ben-crowhurst: will have to investigate the API for OpenSSL 1.0.2 and let you know. But you need to check to see if FIPS140.2 support is necessary for your project because I don't think the OpenSSL v1.0.2 has achieved certification yet. In a nutshell, newest isn't always best depending on requirements. |
Can migrate to OpenSSL-fips-2_0-stable under your recommendation? |
OpenSSL recommends the 2.0.9 branch https://github.com/openssl/openssl/releases/tag/OpenSSL-fips-2_0_9 - found it here: https://www.openssl.org/docs/fips.html. According the OpenSSL, there is a very specific set of steps required to compile the library for FIPS140-2 support. Need to make sure your project does it exactly as specified for it to be valid; if you deviate from the process at all, it will require re-validation. |
Implements ECDHE support in RestBed, but requires the version of ASIO that incorporates: chriskohlhoff/asio#117
Might be a bit until that happens; but the change is here none the less.
In the mean time, you may be able to cherry-pick 0903c62, which implements a proof-of-concept version hardcoded to work with secp256r1 (P-256 curve).
Fixes #86.