[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

[Hubert Kario]

I've been running tests on the openssl 1.1.0 release recently and I've noticed 
that if the client doesn't include the supported_groups extension, OpenSSL 
will pick curve with id 0x001d, that is ecdh_x25519, as the curve to do ECDHE 
over.

While this is not incorrect behaviour according to the standard (it is quite 
explicit that if client doesn't provide this extension, server can pick any 
curve it wants), I'm afraid that this will cause interoperability problems.

The majority of servers (71%) support *only* prime256v1 curve and of the ones 
that default to ECDHE key exchange nearly 83% will also default to this curve. 
OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised 
by client.

So it is very likely that any client that doesn't advertise curves will expect 
the server to select prime256v1. At the same time it is very unlikely that it 
will support x25519 (given how new it is).
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160916/95c20775/attachment.sig>