SSL Server setup DH/ECDH

Chitrang Srivastava chitrang.srivastava at gmail.com
Wed Aug 7 11:19:38 UTC 2019


Hi Matt,

I tried the following code, but it is crashing at *SSL_CTX_set_ciphersuites*:
s_ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
                           SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
SSL_CTX_set_ciphersuites(s_ctx,
    "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");

In the debugger I noticed:

s_ctx :: cipher_list & cipher_list_by_id are both NULL.
However, tls13_ciphersuites is populated.
Further, update_cipher_list, which is called by SSL_CTX_set_ciphersuites,
tries to delete this cipher_list, and hence the crash?

Any pointers on what I am missing?

-Thanks



On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <matt at openssl.org> wrote:

>
>
> On 06/08/2019 14:58, Chitrang Srivastava wrote:
> > Yeah, I mean the TLS 1.3 cipher, sorry I haven't pasted the exact names.
> > So after SSL_OP_CIPHER_SERVER_PREFERENCE, the server uses
> > TLS_1_3_AES_256_SHA_384.
> > While without that it uses TLS_1_3_AES_128_SHA_256, which is better in
> > terms of performance.
>
> Ah! Right - now I understand.
>
> So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers
> the server's ordering of ciphersuites compared to the client's. With that
> option set it will use the first ciphersuite that is in the server's list
> that is also in the client's list. Without the option set it will use the
> first ciphersuite that is in the client's list that is also in the server's
> list. Server operators often prefer this because it gives more control over
> which ciphersuite ultimately gets used. But that's only really useful if you
> also look at this list of configured ciphersuites and make sure they are in
> your preferred order! Otherwise the option is fairly pointless!
>
> For TLSv1.3 the default list is:
>
> #   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
>                                     "TLS_CHACHA20_POLY1305_SHA256:" \
>                                     "TLS_AES_128_GCM_SHA256"
>
> If you want a different order you can use the functions
> SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
>
> Matt
>
> >
> > Thanks very much,
> > Chitrang
> >
> > Tuesday, August 6, 2019, Matt Caswell <matt at openssl.org> wrote:
> >
> >
> >
> >     On 06/08/2019 12:20, Chitrang Srivastava wrote:
> >     > Noticed that if I set SSL_OP_CIPHER_SERVER_PREFERENCE,
> >     > TLS_1_3_AES_256_SHA_384 is being used, while without that
> >     > AES_128_SHA256 is being used, and I see the client (Chrome) send this
> >     > as first preference.
> >     > Is there any way I can always prefer the AES-128-SHA256 cipher suite
> >     > of TLS 1.3?
> >
> >     Hmmm...are you sure?
> >
> >     Those names don't look like OpenSSL names for those ciphersuites. I
> >     guess you mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is
> >     a TLSv1.3 ciphersuite and the latter is for TLSv1.2 and below. They are
> >     mutually exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2
> >     ciphersuites and vice versa.
> >
> >     SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
> >     negotiated. OpenSSL negotiates the version *first* before deciding what
> >     ciphersuite to use. So it should not be the case that
> >     SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite
> >     to be used when a TLSv1.2 ciphersuite was used without it.
> >
> >     Matt
> >
> >
> >     >
> >     > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <matt at openssl.org> wrote:
> >     >
> >     >
> >     >
> >     >     On 06/08/2019 11:21, Chitrang Srivastava wrote:
> >     >     > Yes, since in my case mostly a browser will be used to access the
> >     >     > webserver running on an embedded platform.
> >     >     > Another question: since my webserver is running on an embedded
> >     >     > platform and it has limited memory, I have disabled ARIA/CAMELLIA
> >     >     > and a few others. Is that OK? Because I don't see any cipher
> >     >     > suites which are used in practice.
> >     >
> >     >     Yes, that should be fine.
> >     >
> >     >     Matt
> >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt at openssl.org> wrote:
> >     >     >
> >     >     >
> >     >     >
> >     >     >     On 06/08/2019 11:07, Chitrang Srivastava wrote:
> >     >     >     > Thanks Matt,
> >     >     >     >
> >     >     >     > So now I have this, which I believe is enough?
> >     >     >     >
> >     >     >     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> >     >     >     > SSL_OP_CIPHER_SERVER_PREFERENCE);
> >     >     >     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
> >     >     >
> >     >     >     This is fine although it obviously prevents connections from
> >     >     >     very old clients that don't support TLSv1.2. This might not be
> >     >     >     a problem for you depending on your situation.
> >     >     >
> >     >     >     Matt
> >     >     >
> >     >     >     >
> >     >     >     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt at openssl.org> wrote:
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
> >     >     >     >     > Hi,
> >     >     >     >     >
> >     >     >     >     > I am implementing an HTTPS server using openssl 1.1.1b.
> >     >     >     >     > Is it mandatory to set up these APIs while creating the
> >     >     >     >     > ssl context?
> >     >     >     >     >
> >     >     >     >     > SSL_CTX_set_tmp_ecdh
> >     >     >     >     >
> >     >     >     >     > SSL_CTX_set_tmp_dh
> >     >     >     >
> >     >     >     >     By default OpenSSL will automatically use ECDH if appropriate
> >     >     >     >     and choose a suitable group so there is no need to call
> >     >     >     >     SSL_CTX_set_tmp_ecdh() unless you want more control over
> >     >     >     >     which specific group is used.
> >     >     >     >
> >     >     >     >     OpenSSL will not use DH unless you specifically configure it.
> >     >     >     >     If you want to make use of DH based ciphersuites then you
> >     >     >     >     must either call SSL_CTX_set_tmp_dh() or
> >     >     >     >     SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the
> >     >     >     >     former enables you to configure any arbitrary DH group that
> >     >     >     >     you choose. Calling the latter will enable the built-in DH
> >     >     >     >     groups.
> >     >     >     >
> >     >     >     >     It is not mandatory to call any of the above.
> >     >     >     >
> >     >     >     >     >
> >     >     >     >     > Also, any suggestion what options one should set while
> >     >     >     >     > setting up the server, like SSL_CTX_set_options with
> >     >     >     >     > options like SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3?
> >     >     >     >
> >     >     >     >     Don't use the protocol version specific options at all. Use
> >     >     >     >     SSL_CTX_set_min_proto_version() if you want to specify a
> >     >     >     >     minimum protocol version. SSLv2 is no longer supported at
> >     >     >     >     all. SSLv3 is compiled out by default.
> >     >     >     >
> >     >     >     >     Other options that are worth considering are
> >     >     >     >     SSL_OP_NO_RENEGOTIATION and (possibly)
> >     >     >     >     SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the
> >     >     >     >     others unless there is a specific problem you are trying to
> >     >     >     >     solve.
> >     >     >     >
> >     >     >     >     Matt
> >     >     >     >
> >     >     >
> >     >
> >
>
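
The selection rule described in the quoted reply for SSL_OP_CIPHER_SERVER_PREFERENCE, as an added example that is not part of the original thread and is not OpenSSL's code: a stand-alone C model that walks the preferred side's list and takes the first ciphersuite the other side also offers. The client offer is constructed (AES-128 first, as reported for Chrome), and choose_suite() and in_list() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Default TLSv1.3 list quoted in the thread. */
#define SERVER_DEFAULT "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
/* Order passed to SSL_CTX_set_ciphersuites() in the thread. */
#define SERVER_REORDERED "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
/* Constructed client offer: AES-128 first, as reported for Chrome. */
#define CLIENT_OFFER "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

/* Return 1 if name[0..len) is an entry of the colon-separated list. */
static int in_list(const char *list, const char *name, size_t len)
{
    for (const char *p = list; *p; ) {
        size_t n = strcspn(p, ":");
        if (n == len && memcmp(p, name, len) == 0)
            return 1;
        p += n + (p[n] == ':');
    }
    return 0;
}

/* Hypothetical model, not OpenSSL's code: walk the preferred side's list and
 * copy the first entry the other side also has to out. Returns 0 if none. */
int choose_suite(const char *server, const char *client, int server_pref,
                 char *out, size_t outlen)
{
    const char *walk = server_pref ? server : client;
    const char *other = server_pref ? client : server;
    for (const char *p = walk; *p; ) {
        size_t n = strcspn(p, ":");
        if (n > 0 && n < outlen && in_list(other, p, n)) {
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += n + (p[n] == ':');
    }
    return 0;
}

int main(void)
{
    char s[64];
    const char *srv[] = { SERVER_DEFAULT, SERVER_DEFAULT, SERVER_REORDERED };
    for (int i = 0; i < 3; i++)   /* server preference on, off, on */
        if (choose_suite(srv[i], CLIENT_OFFER, i != 1, s, sizeof s))
            printf("case %d: %s\n", i, s);
    return 0;
}
```

With the default list, server preference selects the AES-256 suite; with the reordered list it selects AES-128, the same suite the client's own ordering yields when the option is off.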