Is ED25519 on DTLS supported?

Matt Caswell matt at openssl.org
Mon Nov 18 16:50:27 UTC 2019



On 18/11/2019 16:42, Matt Caswell wrote:
> 
> 
> On 17/11/2019 01:43, Rafael Ferrer wrote:
>> It's DTLS-OK according to IANA.
>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16
>>
>>
>> I tested ED25519 certificates on TLS 1.2 and it worked fine.
>>
>> openssl s_server -port 4321 -cert server-cert.pem -key server-key.pem
>> -CAfile client-cert.pem -tls1_2 -sigalgs ed25519
>> openssl s_client -bind localhost:1234 -connect localhost:4321 -cert
>> client-cert.pem -key client-key.pem -CAfile server-cert.pem -tls1_2
>> -sigalgs ed25519
>>
>> But I get a "no shared cipher" error (on the server) if I just replace
>> -tls1_2 with -dtls1_2 on those two commands.
>>
>>
>> The certs and keys are self-signed for both the server and client and
>> where generated by this command.
>>
>> openssl req -x509 -newkey ed25519 -subj "/CN=localhost" -nodes -addext
>> keyUsage=digitalSignature -keyout key.pem -out cert.pem
>>
> 
> 
> This is a really good question. Currently Ed25519 certificates are not
> supported in DTLS. The function ssl_set_masks() in ssl_lib.c has this code:
> 
>     /* Allow Ed25519 for TLS 1.2 if peer supports it */
>     if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
>             && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
>             && TLS1_get_version(s) == TLS1_2_VERSION)
>             mask_a |= SSL_aECDSA;
> 
> Note, this explicitly checks for TLSv1.2 and only allows ED25519 if it
> is true. There is no equivalent code for DTLSv1.2.
> 
> Technically getting it to support DTLSv1.2 is easy. We just amend the
> above line to additionally check for DTLSv1.2 and it should work. The
> question is, is that correct? EdDSA support for TLSv1.2 was specified in
> RFC8422. That RFC only has one mention of DTLS here:
> 
> "IANA has assigned one value from the "TLS HashAlgorithm" registry for
> Intrinsic (8) with DTLS-OK set to true (Y) and this document as
> reference.  This keeps compatibility with TLS 1.3."
> 
> That's in reference to IANA TLS HashAlgorithm registry. But for the TLS
> SignatureAlgorithm registry it says this:
> 
> "IANA has assigned two values in the "TLS SignatureAlgorithm" registry
> for ed25519 (7) and ed448 (8) with this document as reference.  This
> keeps compatibility with TLS 1.3."
> 
> This is in the paragraph before the other one, and there is no reference
> to ed25519/ed448 being "ok" for DTLS, and in fact there is no mention of
> DTLS anywhere else in this RFC.
> 
> So, I'm slightly perplexed as to why the IANA registry says something
> different to this (i.e. DTLS is "ok" for ed25519/ed448). Is this an
> error in the IANA registry? Or is this an error in the RFC? Or is there
> some other RFC somewhere that specifies ed25519/ed448 usage in DTLS?
> 
> I looked to see if there were any errata for RFC8422, but nothing looked
> relevant.

Note, I just asked about this on the TLS WG list.

Matt



More information about the openssl-users mailing list