[openssl-users] The default cipher of executable 'openssl'
Dave Thompson
dthompson at prinpay.com
Sat Jun 20 03:29:34 UTC 2015
> From: openssl-users On Behalf Of Viktor Dukhovni
> Sent: Friday, June 12, 2015 02:47
> > 1) 1.0.1l
> > ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
> > certdb/cafile.pem
> > Using default temp DH parameters
> > Using default temp ECDH parameters
> > ACCEPT
>
> With SSL 3.0, no extension support, thus no supported curves
> extension, thus ideally no ECDHE support. If ECDHE happened anyway
> with earlier releases, that was a bug that is perhaps now fixed.
>
That is it.
I'm not sure it's a bug, but I'd agree it's not ideal. 4492 says the client SHOULD
send the curves and pointformats extensions, but if it doesn't, the server
"is free to choose any one of [4492 named curves]" (no BCP14 verb).
OpenSSL's old behavior of using a particular curve is permitted.
I'm not sure it was an intentional change. <=1.0.1 had all the logic
in ssl3_choose_cipher, with (large, clumsy) code blocks of the form
"if ECC suite is in intersection of client and server lists and we have
ECC key&cert, but client specified curves and our curve isn't among
them, don't use ECC suite", and similarly for pointformats. If the client
didn't send the extensions, the "don't use" branch wasn't taken.
1.0.2 has new APIs for both client and server apps to restrict curves,
and ssl3_choose_cipher is rearranged into several new routines,
using I think some new data, with the result that if the client doesn't
send extensions ECC is NOT selected (and in the OP's case DHE is).
> > 2) 1.0.2
> > ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
> > certdb/cafile.pem
> > Using default temp DH parameters
> > ACCEPT
> >
> > Note that, in 1.0.2, openssl doesn't print out 'Using default temp ECDH
> > parameters'.
>
That's a red herring. That code was also refactored; s_server still
defaults to P256, it just doesn't say so. If I run 1.0.2* s_server -ssl3
then s_client allowing at least 1.0, it sends clienthello containing
ECC suites in cipherlist (by default), with applicable extensions
including two for ECC; receiving this, server negotiates version=3.0,
but DOES select ECDHE-RSA (given RSA cert&key) and client agrees.
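The selection logic Dave describes (old "don't use ECC only if the client sent curves/pointformats and ours isn't listed" versus 1.0.2 "no extensions means no ECC suite") can be modelled in a few lines. This is an added illustration, not OpenSSL source or anything from the thread: the suite names, curve names, field names and the `pre_102` switch are assumptions chosen to make the two behaviours visible side by side for an SSL 3.0 ClientHello (no extensions) and for TLS ClientHellos with and without the server's curve.

```python
"""
Toy model of the server-side cipher-suite choice discussed in the post.

Added example, not OpenSSL code. It models the two behaviours contrasted
above for a ClientHello without the supported_curves / ec_point_formats
extensions (as with SSL 3.0): <=1.0.1 ("no extension: any named curve is
fine") versus 1.0.2 ("no extension: ECC suites are not selected").
Suite names, curve names and function/field names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

UNCOMPRESSED = "uncompressed"


@dataclass
class ClientHello:
    ciphers: List[str]                         # offered suites, client order
    curves: Optional[List[str]] = None         # supported_curves ext; None = absent
    point_formats: Optional[List[str]] = None  # ec_point_formats ext; None = absent


@dataclass
class ServerConfig:
    ciphers: List[str]           # enabled suites, server preference order
    have_rsa_cert: bool = True   # *-RSA-* suites need an RSA cert/key
    ecdh_curve: str = "P-256"    # temp ECDH curve the server would use
                                 # (s_server's default, per the post)


def is_ecc_suite(suite: str) -> bool:
    return suite.startswith("ECDHE-")


def ecc_allowed(hello: ClientHello, server: ServerConfig, pre_102: bool) -> bool:
    """Mirror the post's 'don't use ECC suite' conditions.

    pre_102=True : <=1.0.1 logic; the 'don't use' branch is taken only
                   when the client DID send the extension and our curve
                   (or the uncompressed point format) is missing from it.
    pre_102=False: 1.0.2 logic as described; an absent extension also
                   rules ECC suites out.
    """
    if hello.curves is None:
        curve_ok = pre_102
    else:
        curve_ok = server.ecdh_curve in hello.curves
    if hello.point_formats is None:
        fmt_ok = pre_102
    else:
        fmt_ok = UNCOMPRESSED in hello.point_formats
    return curve_ok and fmt_ok


def choose_cipher(hello: ClientHello, server: ServerConfig, pre_102: bool) -> Optional[str]:
    """Walk the intersection of server and client lists in server order and
    return the first suite whose key-exchange prerequisites hold."""
    for suite in server.ciphers:
        if suite not in hello.ciphers:
            continue
        if "-RSA-" in suite and not server.have_rsa_cert:
            continue
        if is_ecc_suite(suite) and not ecc_allowed(hello, server, pre_102):
            continue
        return suite
    return None


# Constructed sample data: the server prefers ECDHE-RSA, then DHE-RSA.
SERVER = ServerConfig(ciphers=["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"])
# SSL 3.0 ClientHello: ECC suites offered, but no extensions at all.
SSL3_HELLO = ClientHello(ciphers=["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"])
# TLS 1.0+ ClientHello carrying both ECC extensions, with P-256 listed.
TLS_HELLO = ClientHello(ciphers=SSL3_HELLO.ciphers,
                        curves=["P-256", "P-384"], point_formats=[UNCOMPRESSED])
# TLS ClientHello whose curve list does not contain the server's curve.
TLS_HELLO_NO_P256 = ClientHello(ciphers=SSL3_HELLO.ciphers,
                                curves=["P-384"], point_formats=[UNCOMPRESSED])

if __name__ == "__main__":
    for label, hello in [("ssl3, no ext", SSL3_HELLO),
                         ("tls, P-256", TLS_HELLO),
                         ("tls, no P-256", TLS_HELLO_NO_P256)]:
        old = choose_cipher(hello, SERVER, True)
        new = choose_cipher(hello, SERVER, False)
        print(f"{label:14} <=1.0.1: {old:22} 1.0.2: {new}")
```

Running it prints ECDHE-RSA for the extension-less hello under the old rule and DHE-RSA under the 1.0.2 rule, matching the two s_server transcripts quoted above; a TLS hello that lists P-256 gets ECDHE-RSA under both, and one that omits it falls back to DHE-RSA under both, which is the part of the logic that did not change.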