[cl-plus-ssl-devel] [CL-PLUS-SSL-DEVEL][PATCH] call SSL_CTX_set_tmp_rsa_callback to support ephemeral ciphers

Kari Lentz kari.k.lentz at gmail.com
Fri Jan 31 15:18:07 UTC 2014


Please find attached a patch supports enables CL+SSL to support ciphers
that require a temporary/ephemeral RSA key.  To quote the OpenSSL
documentation:

"When using a cipher with RSA authentication, an ephemeral RSA key exchange
can take place. In this case the session data are negotiated using the
ephemeral/temporary RSA key and the RSA key supplied and certified by the
certificate chain is only used for signing.

Under previous export restrictions, ciphers with RSA keys shorter (512
bits) than the usual key length of 1024 bits were created. To use these
ciphers with RSA keys of usual length, an ephemeral key exchange must be
performed, as the normal (certified) key cannot be directly used."
Basically, it accomplishes this by calling the Open SSL library function,
"SSL_CTX_set_tmp_rsa_callback", upon initialization with a callback
function whose purpose is to generate the ephemeral RSA key key.

Best Regards,

Kari Lentz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.common-lisp.net/pipermail/cl-plus-ssl-devel/attachments/20140131/dc3891d0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-use-SSL_CTX_set_tmp_rsa_callback-to-support-ephemera.patch
Type: application/octet-stream
Size: 2808 bytes
Desc: not available
URL: <https://mailman.common-lisp.net/pipermail/cl-plus-ssl-devel/attachments/20140131/dc3891d0/attachment.obj>


More information about the cl-plus-ssl-devel mailing list