Old 07-21-2015, 10:38 PM   #1
ihavenousername
LQ Newbie
 
Registered: Jul 2015
Posts: 2

Fedora 22 OpenSSL with elliptic curve cryptography (ECC) support


To whom it may concern:

Problem: OpenSSL as shipped in Fedora 22 is maimed by lawyers.

The issue is documented in this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1021898

openssl ecparam -list_curves
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

In order to enable EC curve support within Fedora 22, do the following.

1. Install a development environment. Preferably in a Fedora 22 VM but not required. Instructions can be found here: https://fedoraproject.org/wiki/How_t...an_RPM_package

2. Download OpenSSL version openssl-1.0.1k from here: ftp://ftp.openssl.org/source/openssl-1.0.1k.tar.gz Verify it with the md5 file that you can find in the source directory.

3. Read this if you need more detail: https://github.com/ptudor/centos6-openssl/issues/8

4. Download the patch files from: https://github.com/tittof/centos6-openssl Most of these files match what Fedora ships. Unzip the package (there's a download zip button on the right).

5. Place all the patch files (yes, everything) in the ~/rpmbuild/SOURCES/ directory

6. Place the openssl-1.0k.tar.gz file in ~/rpmbuild/SOURCES/

7. Copy the openssl.spec file from ~/rpmbuild/SOURCES/ to ~/rpmbuild/SPECS

8. For some reason openssl-1.0.1i-fix_secure_gentenv.patch file tries to fix something that isn't broken. Unfortunately I was unsuccessful in just commenting out the patch in the spec file. Probably because all the patches build on one another and must be run in sequence. I tricked the patch file by re-replacing the original content: sed -i -e "s/__secure_getenv/secure_getenv/g" openssl-1.0.1i-fix_secure_gentenv.patch Someone more knowledgeable could probably do better.

10. The problem that will happen if you don't do the above is documented here: http://sourceware.org/glibc/wiki/Tip.../secure_getenv

11. Edit openssl.spec file in the SPECS directory and change the existing release information to this: Release: 11%{?dist}.local

12. cd to the SPEC directory and run: QA_RPATHS=$[ 0x0001|0x0010 ] rpmbuild -ba openssl.spec

13. I altered the above command a little but the source information for it is documented here: https://www.bfccomputing.com/bitcoin...6k1-on-fedora/

14. As root go to the ~/rpmbuild/RPMS directory after the build completes and run dnf install ./openssl-libs-1.0.1k-11.fc22.local.x86_64.rpm ./openssl-1.0.1k-11.fc22.local.x86_64.rpm ./openssl-devel-1.0.1k-11.fc22.local.x86_64.rpm

15. Don't try to do the above one file at a time. It will fail with dependency problems.

16. Verify the result: openssl ecparam -list_curves

openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field



Additional Notes:

– If you want Fedora's src RPM for comparison, then about midway down the page are the details for getting the src rpm.
a. use the instructions to download the src https://www.bfccomputing.com/bitcoin...6k1-on-fedora/

then rpm2cpio openssl-1.0.1k-11.fc22.src.rpm | cpio -idmv
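
Added example, not part of the original post: a shell check for step 16 that parses `openssl ecparam -list_curves` output, reports whether a given curve such as secp256k1 is present, and lists the curves below a size cutoff that the rebuilt package also enables. The function names and the 224-bit cutoff are assumptions; the sample listings are excerpts of the two listings quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the curve list from step 16.
# Function names and the 224-bit cutoff are assumptions chosen for illustration.

# Emit "name bits" for each curve line of `openssl ecparam -list_curves` on stdin.
parse_curves() {
    awk '{
        name = $1
        if (name ~ /:$/) sub(/:$/, "", name)   # "prime256v1: ..." form
        else if ($2 != ":") next                # not a "name : ..." line
        for (i = 2; i < NF; i++)
            if ($(i + 1) == "bit" && $i ~ /^[0-9]+$/) { print name, $i; next }
    }'
}

# Succeed if the named curve is present in the listing on stdin.
has_curve() {
    parse_curves | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Print the names of curves whose field is smaller than $1 bits.
curves_below() {
    parse_curves | awk -v min="$1" '$2 + 0 < min + 0 { print $1 }'
}

# Excerpts of the two listings quoted in the post (stock vs. rebuilt package).
STOCK='secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field'

REBUILT='secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field'

# On a live system, pipe `openssl ecparam -list_curves` into the same functions.
for label in STOCK REBUILT; do
    eval "listing=\$$label"
    if printf '%s\n' "$listing" | has_curve secp256k1; then state=present; else state=absent; fi
    short=$(printf '%s\n' "$listing" | curves_below 224 | tr '\n' ' ')
    echo "$label: secp256k1 $state; curves under 224 bits: ${short:-none}"
done
```

Entries whose description wraps onto a second line in the real output are skipped by this parser, since the size is not on the same line as the name.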
 
Old 07-21-2015, 11:01 PM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Welcome to LQ!

I am not a Fedora user, but you are recommending use of a very old and unpatched version of openssl which has been very much in the CVE news lately - not good!

You are recommending they build openssl-1.0.1k, whereas the current patch level is openssl-1.0.1p as far as I am aware - that is a lot of known vulnerability!

Users would be better advised to use the latest patch level package from the Fedora repos I would think.
 
Old 07-24-2015, 09:06 PM   #3
ihavenousername
LQ Newbie
 
Registered: Jul 2015
Posts: 2

Original Poster
You Are not wrong but Fedora is not right either

You are correct, P is the latest revision. Fedora ships K in their RPMs in Fedora 22 and patches the crap out of it to bring it up to whatever _they_ think is sufficient. I'm not a cryptographer or a lawyer. Wish Fedora would not cripple their operating system. I'd switch but I like Fedora otherwise...
 
Old 07-25-2015, 05:27 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ihavenousername View Post
Wish Fedora would not cripple their operating system.
Fedora doesn't ship ECC since Fedora 6 apparently (see this) and instead of making such statements maybe read this.
 
Old 07-25-2015, 05:34 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by unSpawn View Post
Fedora doesn't ship ECC since Fedora 6 apparently (see this) and instead of making such statements maybe read this.
//I also renamed this thread and moved it.
 
  

