Enforcing group / key_share order in TLS1.3
Matt Caswell
matt at openssl.org
Mon Jan 13 11:23:35 UTC 2020
On 10/01/2020 22:41, Sebastian Andrzej Siewior wrote:
> gnutls-cli sends by default (in the supported groups extension)
> `secp256r1' first and later `x25519'. The key_share extension contains a
> key for both types. The server has both types configured both groups and
> `x25519' comes first.
> The handshake however ends up with `secp256r1'. Is there a way to tell
> openssl to prefer `x25519' over `secp256r1'?
The current behaviour is that the first key share we see that also
exists in our supported groups list is the one that we use. There isn't
a way at the moment to configure things in order to specify a preference
order.
https://github.com/openssl/openssl/blob/bbe486cf6154df3d3aaedbae6c5b82d4ed31a5f8/ssl/statem/extensions_srvr.c#L662-L720
It wouldn't be too difficult to amend the above logic to select the key
share that is highest in the server's supported group list. But that
would be a new feature and wouldn't be backported to 1.1.1.
PRs to make that change welcome.
Matt
More information about the openssl-users
mailing list