Fix #86: ECDHE with ASIO (w/ pull request #117) #90
Conversation
- this is just a stop-gap change until this is implemented in Boost::ASIO - enables passing EDCH temporary parameters needed for Ephemeral Diffie- Hellman, which enables Perfect Forward Secrecy in the HTTPS server
- implemented ECDHE support in restbed to work with the patched ASIO implementation from chriskohlhoff/asio#117 - if the patch is pulled into Corusoft's repository, ASIO will work with the current version of ASIO; remove #ifdef ECDHE_SUPPORT if that happens.
conz27
changed the title
conz27
changed the title
|
How will the upgrade to the latest OpenSSL 102 effect this PR, if at all? |
|
@ben-crowhurst: will have to investigate the API for OpenSSL 1.0.2 and let you know. But you need to check to see if FIPS140.2 support is necessary for your project because I don't think the OpenSSL v1.0.2 has achieved certification yet. In a nutshell, newest isn't always best depending on requirements. |
|
Can migrate to OpenSSL-fips-2_0-stable under your recommendation? |
|
OpenSSL recommends the 2.0.9 branch https://github.com/openssl/openssl/releases/tag/OpenSSL-fips-2_0_9 - found it here: https://www.openssl.org/docs/fips.html. According the OpenSSL, there is a very specific set of steps required to compile the library for FIPS140-2 support. Need to make sure your project does it exactly as specified for it to be valid; if you deviate from the process at all, it will require re-validation. |
Implements ECDHE support in RestBed, but requires the version of ASIO that incorporates: chriskohlhoff/asio#117
Might be a bit until that happens; but the change is here none the less.
In the mean time, you may be able to cherry-pick 0903c62, which implements a proof-of-concept version hardcoded to work with secp256r1 (P-256 curve).
Fixes #86.