@@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
{
if (NULL != curve_name)
{
- msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH "
- "curve, using default curves.");
+ msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify curves.");
}
}
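Review bot: The new mbed TLS warning ends with "to specify curves" while the matching OpenSSL 3.0+ warning in the ssl_openssl.c hunk ends with "to specify groups"; since the option is named --tls-groups, the two messages should use the same term, e.g. `"--tls-groups to specify groups.");` here. The three string fragments are concatenated at compile time, so the change is text only and does not affect the msg() call.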
@@ -709,10 +709,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
}
void
-tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- )
+tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
{
-#ifndef OPENSSL_NO_EC
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (curve_name != NULL)
+ {
+ msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify groups.");
+ }
+#elif !defined(OPENSSL_NO_EC)
int nid = NID_undef;
EC_KEY *ecdh = NULL;
const char *sname = NULL;
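Review bot: In the new `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` branch the `ctx` parameter is never referenced, so if the project compiles with -Wunused-parameter (or -Wextra) this function will now warn on OpenSSL 3.0+ builds; a `(void)ctx;` line inside that branch, before the `if`, would silence it without changing behaviour. The warning text also says "using default curves", which presumably is only accurate when --tls-groups was not also given — consider wording it as "ignoring --ecdh-curve" so it stays correct in both cases. The rest of tls_ctx_load_ecdh_params, including the `#endif`, is outside this hunk.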
OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support SSL_CTX_set1_groups via --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ignored and --tls-groups should be used. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl_mbedtls.c | 5 +++-- src/openvpn/ssl_openssl.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-)