Bug 1022478

Summary: [RFE]Add support for -named_curve in s_client utility
Product: Red Hat Enterprise Linux 6 Reporter: Alicja Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 6.5Keywords: FutureFeature
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1080127 (view as bug list) Environment:
Last Closed: 2014-06-06 12:05:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1080127    
Bug Blocks:    

Description Alicja Kario 2013-10-23 11:26:54 UTC 
Description of problem:
Because different TLS servers and clients may support different curves for ECDHE cipher suites, we need to be able to test situations in which the client and server support different curves. Or if the default server curve is unsupported by the client.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-15.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start openssl s_server
2. Grab all packets comming to s_server
3. Try to connect using s_client -named_curve secp256r1
4. Decode packet capture, check curves advertised in ClientHello

Actual results:
All curves supported are listed

Expected results:
Only secp256r1 listed

Additional info:
Needed for automatic verification of bug 1022468
Comment 1 Tomas Mraz 2013-10-24 09:40:06 UTC 
This would have to be consulted with upstream - we in general do not want to add new functionality to openssl that is not accepted upstream.
Comment 2 Alicja Kario 2013-10-30 11:31:51 UTC 
(In reply to Tomas Mraz from comment #1)
> This would have to be consulted with upstream - we in general do not want to
> add new functionality to openssl that is not accepted upstream.

AFAIK that's the case for all functionality we provide in RHEL packages.
We still need a tracking bug to backport it.
Comment 3 Tomas Mraz 2014-06-06 11:58:23 UTC 
Backporting the functionality from upstream master branch is not possible as it would require backporting also completely new SSL_CONF API calls. Writing a patch from scratch would be possible but not trivial and the priority is not high enough to warrant spending time on it.
Comment 4 RHEL Program Management 2014-06-06 12:05:47 UTC 
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.