Red Hat Bugzilla – Bug 1019449
ECDHE now supported in Fedora openssl, please add to openvpn
Last modified: 2013-10-22 06:35:39 EDT
Per bug 319901, elliptic curve crypto is now available in Fedora's openssl libs. openvpn needs to be rebuilt with EC* options enabled for TLS cipher suites.
A lot more than a rebuild of OpenVPN is needed. To properly support EC, OpenVPN needs to be enhanced with ECDH (now only DH is available). This requires upstream OpenVPN to get patches written and applied. There are some people looking into this from time to time, but until OpenVPN has the needed patches, EC isn't really functional at all.
Closing this Fedora bug, as this needs to be taken upstream with the OpenVPN community directly.
yep, here's the upstream ticket and forum thread:
I'd love to have ECDH on my OpenVPN connections, and it looks like patches exist but they haven't been properly asked for, implemented, or tested (yet).
Please, don't unblock parent ticket when child ticket is resolved. We'd better leave it blocked (for reference, for statistical purposes, etc).
(In reply to Peter Lemenkov from comment #3)
> Please, don't unblock parent ticket when child ticket is resolved. We'd
> better leave it blocked (for reference, for statistical purposes, etc).
Fair enough, I just felt the OpenVPN bug isn't really related to Fedora enabling elliptic curves.
For OpenVPN's part, that needs to be resolved upstream (which it isn't yet). IMO, this bug is completely irrelevant to Fedora as this issue should only be tracked upstream with OpenVPN.
And to my knowledge, there's no ETA for when OpenVPN will enable EC.