SSL Server setup DH/ECDH
Matt Caswell
matt at openssl.org
Wed Aug 7 12:35:39 UTC 2019
On 07/08/2019 12:19, Chitrang Srivastava wrote:
> Hi Matt,
>
> I tried following code but it is crashing @ *SSL_CTX_set_ciphersuites*
> s_ctx = SSL_CTX_new(TLS_method());
> SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
> SSL_CTX_set_ciphersuites(s_ctx,
> "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");
>
> In the debugger I noticed
>
> s_ctx :: cipher_list & cipher_list_by_id are both NULL
Well, that is very strange. I just tried the code above and it works just fine
for me.
s_ctx->cipher_list, and s_ctx->cipher_list_by_id should be populated in the
SSL_CTX_new call:
https://github.com/openssl/openssl/blob/c50fd0f959de5b256d8eefb8ad2a82fcdcb899c3/ssl/ssl_lib.c#L3091-L3101
So you should never have an SSL_CTX object without those things being set.
Matt
> However tls13_ciphersuites is populated.
> Further in update_cipher_list which is called by SSL_CTX_set_ciphersuites tries
> to delete this cipher_list and hence crash ?
>
> Any pointer what I am missing?
>
> -Thanks
>
>
>
> On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <matt at openssl.org> wrote:
>
>
>
> On 06/08/2019 14:58, Chitrang Srivastava wrote:
> > Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.
> > So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses
> > TLS_1_3_AES_256_SHA_384.
> > While without that it uses TLS_1_3_AES_128_SHA_256, which is better in
> > terms of performance.
>
> Ah! Right - now I understand.
>
> So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the
> server's ordering of ciphersuites compared to the client's. With that option set
> it will use the first ciphersuite that is in the server's list that is also in
> the client's list. Without it set it will use the first ciphersuite that is in
> the client's list that is also in the server's list. Server operators often
> prefer this because it gives more control over which ciphersuite ultimately gets
> used. But that's only really useful if you also look at this list of configured
> ciphersuites and make sure they are in your preferred order! Otherwise the
> option is fairly pointless!
>
> For TLSv1.3 the default list is:
>
> # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> "TLS_CHACHA20_POLY1305_SHA256:" \
> "TLS_AES_128_GCM_SHA256"
>
> If you want a different order you can use the functions
> SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
>
> Matt
>
> >
> > Thanks very much,
> > Chitrang
> >
> > Tuesday, August 6, 2019, Matt Caswell <matt at openssl.org> wrote:
> >
> >
> >
> > On 06/08/2019 12:20, Chitrang Srivastava wrote:
> > > Noticed that if I set SSL_OP_CIPHER_SERVER_PREFERENCE, TLS_1_3_AES_256_SHA_384
> > > is being used while without that
> > > AES_128_SHA256 is being used and I see client(Chrome) send this as first preference.
> > > Is there anyway where I can always prefer AES-128-SHA256 cipher suite of TLS 1.3?
> >
> > Hmmm...are you sure?
> >
> > Those names don't look like OpenSSL names for those ciphersuites. I guess you
> > mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3
> > ciphersuite and the latter is for TLSv1.2 and below. They are mutually
> > exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2 ciphersuites and
> > vice versa.
> >
> > SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
> > negotiated. OpenSSL negotiates the version *first* before deciding what
> > ciphersuite to use. So it should not be the case that
> > SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite to be used
> > when a TLSv1.2 ciphersuite was used without it.
> >
> > Matt
> >
> >
> > >
> > > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <matt at openssl.org> wrote:
> > >
> > >
> > >
> > > On 06/08/2019 11:21, Chitrang Srivastava wrote:
> > > > Yes, since in my case mostly browser will be used to access webserver running
> > > > on embedded platform.
> > > > Another question, since my webserver is running on embedded platform and it has
> > > > limited memory, I have disabled
> > > > ARIA/CAMELLIA and few others, is that OK? because I don't see any ciphers
> > > > suites which is used in practice.
> > >
> > > Yes, that should be fine.
> > >
> > > Matt
> > >
> > > >
> > > >
> > > >
> > > > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt at openssl.org> wrote:
> > > >
> > > >
> > > >
> > > > On 06/08/2019 11:07, Chitrang Srivastava wrote:
> > > > > Thanks Matt,
> > > > >
> > > > > So now I have, which i believe is enough ?
> > > > >
> > > > > SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION |
> > > > > SSL_OP_CIPHER_SERVER_PREFERENCE);
> > > > > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
> > > >
> > > > This is fine although it obviously prevents connections from very old clients
> > > > that don't support TLSv1.2. This might not be a problem for you depending on
> > > > your situation.
> > > >
> > > > Matt
> > > >
> > > > >
> > > > > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt at openssl.org> wrote:
> > > > >
> > > > >
> > > > >
> > > > > On 06/08/2019 09:42, Chitrang Srivastava wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I am implementing HTTPs server using openssl 1.1.1b.
> > > > > > Is it mandatory to setup these API's while creating ssl context ?
> > > > > >
> > > > > > SSL_CTX_set_tmp_ecdh
> > > > > >
> > > > > > SSL_CTX_set_tmp_dh
> > > > >
> > > > > By default OpenSSL will automatically use ECDH if appropriate and choose a
> > > > > suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
> > > > > want more control over which specific group is used.
> > > > >
> > > > > OpenSSL will not use DH unless you specifically configure it. If you want to
> > > > > make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
> > > > > or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
> > > > > you to configure any arbitrary DH group that you choose. Calling the latter will
> > > > > enable the built-in DH groups.
> > > > >
> > > > > It is not mandatory to call any of the above.
> > > > >
> > > > > >
> > > > > > Also any suggestion what all options one should set while setting up server like
> > > > > > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
> > > > >
> > > > > Don't use the protocol version specific options at all. Use
> > > > > SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
> > > > > version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
> > > > >
> > > > > Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
> > > > > (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
> > > > > unless there is a specific problem you are trying to solve.
> > > > >
> > > > > Matt
> > > > >
> > > >
> > >
> >
>
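
Added example (not part of the original message and not OpenSSL's code): a simplified C model of the ciphersuite selection rule described in the thread, showing why SSL_OP_CIPHER_SERVER_PREFERENCE with the default TLSv1.3 list yields TLS_AES_256_GCM_SHA384 and why reordering the server list changes the outcome. The names choose_suite and in_list and the client offer are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lists quoted in the thread; CLIENT_OFFER is constructed (AES-128 first). */
#define DEFAULT_TLS13   "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
#define REORDERED_TLS13 "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
#define CLIENT_OFFER    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

/* Return 1 if name[0..n) is an element of the colon-separated list. */
static int in_list(const char *list, const char *name, size_t n)
{
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len == n && memcmp(list, name, n) == 0)
            return 1;
        list += len + (list[len] == ':');
    }
    return 0;
}

/*
 * Hypothetical model of the rule from the thread: walk the preferred side's
 * list in order and return the first entry the other side also lists, or
 * NULL if nothing is shared. Result is in a static buffer; names of 64 or
 * more bytes are skipped.
 */
const char *choose_suite(const char *server, const char *client, int server_pref)
{
    static char out[64];
    const char *walk = server_pref ? server : client;
    const char *other = server_pref ? client : server;
    while (*walk) {
        size_t len = strcspn(walk, ":");
        if (len > 0 && len < sizeof(out) && in_list(other, walk, len)) {
            memcpy(out, walk, len);
            out[len] = '\0';
            return out;
        }
        walk += len + (walk[len] == ':');
    }
    return NULL;
}

int main(void)
{
    printf("client order:           %s\n", choose_suite(DEFAULT_TLS13, CLIENT_OFFER, 0));
    printf("server pref, default:   %s\n", choose_suite(DEFAULT_TLS13, CLIENT_OFFER, 1));
    printf("server pref, reordered: %s\n", choose_suite(REORDERED_TLS13, CLIENT_OFFER, 1));
    return 0;
}
```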