[openssl-users] (no subject)

Matt Caswell matt at openssl.org
Tue Jun 27 07:56:13 UTC 2017



On 27/06/17 01:05, Neetish Pathak wrote:
> Hi ,
> 
> 1) I am working with a client and server program and want to use
> ECDHE-ECDSA type ciphers.
> I see that default Elliptic curve group supported is X25519. (when I
> check client  and server logs on wireshark)
> I wish to generate a self-signed certificate for X25519 curve. But I am
> unable to do that the way I do for other curves like secp256r1,
> secp521r1 etc.
> 
> I generate a private key for secp521r1 using ecparam command and  then I
> generate the self-signed certificate.
> 
> openssl ecparam -name secp521r1 -genkey -param_enc named_curve -out
> server_key.pem
> 
> openssl req -new -x509 -key server_key.pem -out server_cert.pem -days 730
> 
> 
> On man page for X25519,
> 
> I found the command to generate private key
> 
> openssl genpkey -algorithm X25519 -out xkey.pem
> 
> But as I try to generate a self signed certificate, I am getting the
> following error
> 
> EVP_PKEY_sign_init:operation not supported for this keytype

It is not possible to "self-sign" an X25519 certificate because X25519
is a key-exchange algorithm only, not a digital signature algorithm. You
would not typically create an X25519 certificate at all but an Ed25519
one (only supported in the master branch).


> 
> 
> Could you please clarify where am I going wrong. Also, why is X25519 not
> mentioned
> 
> in ec curve list
> 
> using openssl ecparam -list_curves

X25519 is different. "Standard" EC keys can be used for ECDH or ECDSA.
X25519 keys are for X25519 only (similar to ECDH). Internally X25519 is
treated as a standalone algorithm and not integrated into the rest of
the EC logic.

> 
> 
> Any references to clarify my understanding will be appreciated.
> 
> 2) Also, can you direct me towards what hack is needed in Openssl to
> support pre-generated PSK in TLS 1.3 and false start in TLS 1.2 (for my
> study purpose).

For external PSKs in TLS1.3 (again only supported in master), you need
to use the new
SSL_CTX_set_psk_use_session_callback()/SSL_CTX_set_psk_find_session_callback()
APIs. See the man pages in master for this (for some reason I notice
that the documentation for this has not been updated on the website -
but it *is* in the doc/man3 folder in git).

> 
> Are you planning to integrate false start in OpenSSL any time. Thanks

I am not aware of anyone working on this.

Matt


> 
> Thanks
> 
> 
> Best Regards,
> Neetish
> 
> On Wed, Jun 21, 2017 at 3:17 PM, Neetish Pathak <npathak2 at ncsu.edu
> <mailto:npathak2 at ncsu.edu>> wrote:
> 
> 
> 
>     On Wed, Jun 21, 2017 at 3:11 AM, Matt Caswell <matt at openssl.org
>     <mailto:matt at openssl.org>> wrote:
> 
> 
> 
>         On 21/06/17 00:38, Neetish Pathak wrote:
>         > I wanted to understand the replay attack vulnerability in case of enable
>         > early data of TLS 1.3 while false start is secure in that respect as I
>         > have read from https://github.com/openssl/openssl/issues/1541
>         <https://github.com/openssl/openssl/issues/1541>
>         > So, with false start, the application data is sent from client after the
>         > first leg of the handshake i.e. one round trip is complete, so the data
>         > goes encrypted even though the handshake is not completed. In enable
>         > early data mode in TLS 1.3 for 0-RTT for session resumption, the
>         > application data is sent from the client along with the client hello
>         > message. Does the application data in early data mode go as clear text ?
> 
>         No, it is encrypted using a traffic key derived from the PSK.
> 
>         > I assume this is also encrypted using the PSK because 0-RTT is only
>         > applicable when PSK is available on the client side. How is it
>         > vulnerable to replay attack. Please help me understand.
> 
>         The same PSK can be used multiple times. Because the traffic key
>         for the
>         early data is derived from the PSK, if you later re-use the PSK
>         and send
>         early data again then the same traffic key will be derived. This
>         can be
>         exploited by an attacker who can record the early data from an
>         earlier
>         session and replay it later. The server will think that the replayed
>         data is a new connection and process the early data accordingly.
> 
>         Early data (aka 0-RTT data) can be dangerous if not used
>         properly. For
>         this reason the current TLSv1.3 draft makes this note:
> 
>            Protocols MUST NOT use 0-RTT data without a profile that
>         defines its
>            use.  That profile needs to identify which messages or
>         interactions
>            are safe to use with 0-RTT.  In addition, to avoid accidental
>         misuse,
>            implementations SHOULD NOT enable 0-RTT unless specifically
>            requested.  Implementations SHOULD provide special functions for
>            0-RTT data to ensure that an application is always aware that
>         it is
>            sending or receiving data that might be replayed.
> 
> 
>         >
>         > Is there any API available in OpenSSL for false start ?
> 
>         No, OpenSSL does not support false start. As an aside please
>         note that
>         false start only applies to <= TLSv1.2.
> 
> 
>     Thanks for your comments.
> 
>     I need some direction on the doing server and client side
>     authentication during the handshake. 
> 
>     *1) For certificate sent from the server side, I am using* 
> 
>     SSL_CTX_load_verify_locations(ssl_ctx, CAFILE, NULL))   for loading
>     verification file *on the client side*
> 
>     Where do I get a CAFILE in the above API. If the server is sending a
>     self signed certificate, what will be the CA file on the client side
>     for verification. 
> 
> 
>     *2) For Client side authentication*
>     *
>     *
>     I am using SSL_CTX_use_PrivateKey_file and SSL_CTX_use_certificate
>     file on the client side to load the private key and the certificate. 
>     I read that client side authentication will not kick off unless the
>     server sends CertificateRequest. I can use
>     SSL_CTX_set_client_cert_cb() that sets the client_cert_cb()callback
>     to be called on CertificateRequest.
> 
>     I am not sure how I can enable the server side to send
>     CertificateRequest. What is the API for that.
>     Should SSL_CTX_set_verify((ssl_ctx,SSL_VERIFY_PEER, NULL)) be used
>     on server side for sending the certificateRequest message. Please
>     correct me ?
> 
>     *3) Certificate request Message*
>     Also, what is the use of CertificateVerify message. Why does client
>     need to prove the ownership of private key for the public key sent
>     previously in the client certificate. I assume this is not happening
>     when the server sends the certificate. It doesn't prove the
>     ownership of private key.Please comment
> 
> 
> 
>     Also, some guidance on a reference for understanding the
>     authentication of certificates will be appreciated 
> 
> 
>     Thanks
>     Neetish
>      
> 
> 
> 
>         Matt
> 
>         >
>         > Thanks
>         > Best regards,
>         > Neetish
>         >
>         > On Tue, Jun 20, 2017 at 11:52 AM, Neetish Pathak <npathak2 at ncsu.edu <mailto:npathak2 at ncsu.edu>
>         > <mailto:npathak2 at ncsu.edu <mailto:npathak2 at ncsu.edu>>> wrote:
>         >
>         >     I Appreciate your response
>         >
>         >     On Tue, Jun 20, 2017 at 2:09 AM, Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>
>         >     <mailto:matt at openssl.org <mailto:matt at openssl.org>>> wrote:
>         >
>         >
>         >
>         >         On 19/06/17 19:11, Neetish Pathak wrote:
>         >         > 2) Can you suggest some places to put a time stamp in OpenSSL code.
>         >
>         >         I agree with Ben's responses to all your other questions. For this
>         >         question, I'm not sure what you are trying to achieve? Starting
>         >         before
>         >         SSL_accept/SSL_connect and finishing after they return should be
>         >         fine.
>         >         Or are you looking for a breakdown of where the time is going?
>         >
>         >         Thanks Matt. I was asking for a breakdown since I was not sure
>         >         if the SSL_accept and SSL_connect just do the handshake or if
>         >         they are doing some other things that may impact latency and CPU
>         >         usage. Just wanted to be clear that calling SSL_connect  starts
>         >         ClientHello , SSL_accept unblocks on receiving ClientHello and
>         >         sends ServerHello, and both functions return after sending
>         >         Finished message from their sides (i.e. client and server).
>         >
>         >
>         >
>         >
>         >
>         >         Matt
>         >
>         >         >
>         >         > Thanks
>         >         > Best Regards,
>         >         > Neetish
>         >         >
>         >         > On Mon, Jun 19, 2017 at 5:49 AM, Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>
>         <mailto:matt at openssl.org <mailto:matt at openssl.org>>
>         >         > <mailto:matt at openssl.org <mailto:matt at openssl.org>
>         <mailto:matt at openssl.org <mailto:matt at openssl.org>>>> wrote:
>         >         >
>         >         >
>         >         >
>         >         >     On 16/06/17 23:51, Neetish Pathak wrote:
>         >         >     > Thanks Matt, Appreciate ur response and tips
>         >         >     >
>         >         >     > On Fri, Jun 16, 2017 at 3:36 PM, Matt Caswell
>         <matt at openssl.org <mailto:matt at openssl.org>
>         <mailto:matt at openssl.org <mailto:matt at openssl.org>>
>         >         <mailto:matt at openssl.org <mailto:matt at openssl.org>
>         <mailto:matt at openssl.org <mailto:matt at openssl.org>>>
>         >         >     > <mailto:matt at openssl.org
>         <mailto:matt at openssl.org> <mailto:matt at openssl.org
>         <mailto:matt at openssl.org>>
>         >         <mailto:matt at openssl.org <mailto:matt at openssl.org>
>         <mailto:matt at openssl.org <mailto:matt at openssl.org>>>>> wrote:
>         >         >     >
>         >         >     >
>         >         >     >
>         >         >     >     On 16/06/17 20:08, Benjamin Kaduk via
>         openssl-users
>         >         wrote:
>         >         >     >     > On 06/16/2017 01:58 PM, Neetish Pathak
>         wrote:
>         >         >     >     >> Hello
>         >         >     >     >> Thanks
>         >         >     >     >> I tried reading  some content from the
>         server
>         >         side and I
>         >         >     observed the
>         >         >     >     >> new_session_cb getting invoked in that
>         case on
>         >         the client
>         >         >     side. I
>         >         >     >     >> understand that may be due to delayed
>         NewSession info
>         >         >     transfer from
>         >         >     >     >> server side to client side. But it is
>         helpful for
>         >         saving
>         >         >     the session
>         >         >     >     >> info on the client side. (Thanks Matt
>         for your input)
>         >         >     >     >>
>         >         >     >     >> However, now I have two concerns
>         >         >     >     >>
>         >         >     >     >> 1) I see that latency for handshake
>         with session
>         >         resumption in
>         >         >     >     TLS 1.3
>         >         >     >     >> has not improved as much as it improves
>         for TLS 1.2
>         >         >     >     >> With TLS 1.3, I observed that
>         resumption brings
>         >         down the
>         >         >     connection
>         >         >     >     >> time from 2.5 ms to 1.2-1.3 ms
>         >         >     >     >> while with TLS 1.2 (using either
>         session IDs or
>         >         tickets), the
>         >         >     >     >> connection time reduces from 2.5 ms to
>         0.5-0.6 ms.
>         >         >     >     >>
>         >         >     >     >> The whole code is similar for running
>         the two
>         >         experiments
>         >         >     with only
>         >         >     >     >> max TLS version changed. Can someone
>         comment on
>         >         the latency
>         >         >     >     >> measurements for the two cases.
>         >         >     >     >> TLS 1.3 is supposed to be better than
>         TLS 1.2 in my
>         >         >     opinion. Please
>         >         >     >     >> comment.
>         >         >     >     >>
>         >         >     >     >
>         >         >     >     > Are you seeing a HelloRetryRequest in the
>         >         resumption flow?
>         >         >     That would
>         >         >     >     > add an additional round trip.  (Your
>         numbers in
>         >         milliseconds
>         >         >     are of
>         >         >     >     > course not transferrable to other systems;
>         >         round-trips is an
>         >         >     easier to
>         >         >     >     > understand number.)  RFC 5246 and
>         >         draft-ietf-tls-tls13-20
>         >         >     both have
>         >         >     >     > message-flow diagrams that show the
>         number of
>         >         round trips in
>         >         >     various
>         >         >     >     > handshake flows.
>         >         >     >
>         >         >     >     Care should also be taken about when you are
>         >         starting your
>         >         >     "timer" and
>         >         >     >     when you stop it, e.g. if you stop your
>         timer after the
>         >         >     session ticket
>         >         >     >     data has been received by the client then
>         this is
>         >         not a "fair"
>         >         >     test (the
>         >         >     >     connection is ready for data transfer
>         earlier than
>         >         the arrival
>         >         >     of the
>         >         >     >     session ticket).
>         >         >     >
>         >         >     >     I would expect to see the TLS1.3 latency
>         for a full
>         >         handshake
>         >         >     to be
>         >         >     >     around the same as for a TLS1.2 resumption
>         >         handshake. With a
>         >         >     TLS1.3
>         >         >     >     resumption only marginally different.
>         There are the same
>         >         >     number of round
>         >         >     >     trips for a TLS1.3 full handshake as that
>         there are
>         >         for a
>         >         >     resumption
>         >         >     >     one. The primary difference is that the
>         Certificate
>         >         message is
>         >         >     not sent
>         >         >     >     (which can be quite a large message).
>         >         >     >
>         >         >     >     Your timings suggest you are testing this
>         over a LAN
>         >         where the
>         >         >     effects
>         >         >     >     of network latency are going to be
>         relatively low.
>         >         The real
>         >         >     benefits
>         >         >     >     from fewer round trips will really be seen
>         when network
>         >         >     latency is more
>         >         >     >     significant.
>         >         >     >
>         >         >     >
>         >         >     >
>         >         >     > In my application program, I put start and
>         stop timer
>         >         before and after
>         >         >     > SSL_accept on server side and before and after
>         >         SSL_connect on the
>         >         >     client
>         >         >     > side.
>         >         >
>         >         >     That should be fine (my worry was that you might
>         also be
>         >         including the
>         >         >     subsequent session ticket transfer).
>         >         >
>         >         >     > I am not sure how I can put timers at
>         individual steps
>         >         of Handshake
>         >         >     > using my client applications. I was assuming
>         SSL and
>         >         SSL_accept take
>         >         >     > care of the entire handshake process.
>         >         >     >
>         >         >     > Yes, I am testing on local machine. I will
>         migrate my
>         >         test to remote
>         >         >     > machines. But I am not really able to
>         understand why TLS
>         >         1.3 is slower
>         >         >     > on my machine.
>         >         >
>         >         >     If you are on a local machine I would not expect a
>         >         significant speed up
>         >         >     in TLSv1.3 vs TLSv1.2. TLSv1.3 has been designed
>         to reduce
>         >         the number of
>         >         >     round-trips required in order to avoid
>         unnecessary network
>         >         latency. If
>         >         >     you are on a local machine then there isn't any
>         >         significant network
>         >         >     latency anyway - so timings are presumably
>         dominated by
>         >         the CPU
>         >         >     intensive tasks. You should make sure that you are
>         >         comparing like with
>         >         >     like, i.e. the same ciphers, key lengths, key
>         exchange
>         >         algorithms,
>         >         >     curves etc between TLSv1.2 and TLSv1.3.
>         Differences in any
>         >         one of these
>         >         >     could obviously have significant performance
>         impacts.
>         >         >
>         >         >     Matt
>         >         >
>         >         >     --
>         >         >     openssl-users mailing list
>         >         >     To unsubscribe:
>         >         >   
>          https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>
>         >       
>          <https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>>
>         >         >   
>          <https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>
>         >       
>          <https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>>>
>         >         >
>         >         >
>         >         >
>         >         >
>         >         --
>         >         openssl-users mailing list
>         >         To unsubscribe:
>         >         https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>
>         >       
>          <https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>>
>         >
>         >
>         >
>         --
>         openssl-users mailing list
>         To unsubscribe:
>         https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>
> 
> 
> 
> 
> 


More information about the openssl-users mailing list