Bug 1080127

Summary: [RFE]Add support for -named_curve in s_client utility
Product: Red Hat Enterprise Linux 7 Reporter: Hubert Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: mfrodl
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1022478 Environment:
Last Closed: 2015-08-27 11:15:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1022478, 1080128    

Description Hubert Kario 2014-03-24 17:55:27 UTC 
+++ This bug was initially created as a clone of Bug #1022478 +++

Description of problem:
Because different TLS servers and clients may support different curves for ECDHE cipher suites, we need to be able to test situations in which the client and server support different curves. Or if the default server curve is unsupported by the client.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-15.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start openssl s_server
2. Grab all packets comming to s_server
3. Try to connect using s_client -named_curve secp256r1
4. Decode packet capture, check curves advertised in ClientHello

Actual results:
All curves supported are listed

Expected results:
Only secp256r1 listed

Additional info:
Needed for automatic verification of bug 1022468

--- Additional comment from Tomas Mraz on 2013-10-24 05:40:06 EDT ---

This would have to be consulted with upstream - we in general do not want to add new functionality to openssl that is not accepted upstream.

--- Additional comment from Hubert Kario on 2013-10-30 07:31:51 EDT ---

(In reply to Tomas Mraz from comment #1)
> This would have to be consulted with upstream - we in general do not want to
> add new functionality to openssl that is not accepted upstream.

AFAIK that's the case for all functionality we provide in RHEL packages.
We still need a tracking bug to backport it.
Comment 1 Hubert Kario 2014-09-08 14:54:52 UTC 
This functionality is implemented in upstream OpenSSL 1.0.2 (current beta), the option is named "-curves" and accepts curve names separated by colons. It is documented in master branch in SSL_CONF_cmd man page.

Unfortunately, it was implemented using mechanisms not present in 1.0.1, so it would require non-insignificant effort to backport.
Comment 3 RHEL Program Management 2015-08-27 11:15:38 UTC 
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.