#16140 closed enhancement (implemented)

Drop support for OpenSSL without ECC.

Reported by: yawning
Priority: Medium
Milestone: Tor: 0.2.7.x-final
Component: Core Tor/Tor
Keywords: tor-client tor-relay tls


Offshoot of #16034.

tor should error out at build time (and possibly runtime if we can easily detect it) if elliptic curve cryptography is not available (or the ECDHE suites we want to use are not available).

OPENSSL_NO_EC is the define for the former, and ECC support is available in any version of OpenSSL that we want to support (>= 1.0.0). I think the only people that ship OpenSSL without all the curves available are RedHat (but at least they have some curves now, as opposed to none). I'm personally ok with breaking builds on such systems if they don't give us all the curves we want.
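A model of the two checks the ticket asks for, added here as an example and not Tor's own C code: the "is ECC compiled in at all" test that `#ifdef OPENSSL_NO_EC` answers at build time, and the runtime test that a specific ECDHE group can actually be instantiated. It uses Python's `ssl` bindings to the same OpenSSL library; the list of wanted curves is an assumption for the example.

```python
"""Model of Tor's ECC availability checks (added example, not Tor code)."""
import ssl

# Assumed list of ECDHE groups we insist on; constructed for this example.
WANTED_CURVES = ("prime256v1", "secp224r1")


def openssl_has_ecc() -> bool:
    """Runtime analogue of the build-time '#ifdef OPENSSL_NO_EC' check:
    does the OpenSSL this interpreter links against have EC/ECDH at all?"""
    return bool(getattr(ssl, "HAS_ECDH", False)) and hasattr(
        ssl.SSLContext, "set_ecdh_curve"
    )


def curve_available(name: str) -> bool:
    """Can this OpenSSL instantiate the named curve for ECDHE?

    CPython's set_ecdh_curve() resolves the short name with OBJ_sn2nid() and
    then asks OpenSSL to create the group.  An unknown name raises ValueError;
    a known NID whose curve was compiled out raises ssl.SSLError.  That second
    case is exactly the RedHat situation the ticket describes: the NID define
    exists, so the build succeeds, but the curve itself is missing at runtime.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ecdh_curve(name)
    except (ValueError, ssl.SSLError):
        return False
    return True


def missing_curves(wanted=WANTED_CURVES):
    """Return the wanted curves this OpenSSL cannot provide (all, if no ECC)."""
    if not openssl_has_ecc():
        return list(wanted)
    return [c for c in wanted if not curve_available(c)]


def check_ecc_or_die(wanted=WANTED_CURVES) -> bool:
    """Bail out rather than silently degrade the TLS key exchange."""
    missing = missing_curves(wanted)
    if missing:
        raise RuntimeError(
            "OpenSSL lacks required ECDHE group(s): " + ", ".join(missing)
        )
    return True


if __name__ == "__main__":
    check_ecc_or_die()
    print("OpenSSL provides all wanted ECDHE groups:", ", ".join(WANTED_CURVES))
```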

Change History (2)

comment:1 Changed 5 years ago by yawning

Status: new → needs_review

This mandates OpenSSL with ECC support, and will bail out at runtime if the requested group isn't available. Looking at how RedHat screws up OpenSSL, this should compile since they don't go as far as to remove the NID definitions.

I for one welcome our new NIST overlords (Though this is less bad than the alternatives).

comment:2 Changed 5 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merged, thanks!
