[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0
hkario at redhat.com
Fri Sep 16 15:26:03 UTC 2016
I've been running tests on the openssl 1.1.0 release recently and I've noticed
that if the client doesn't include the supported_groups extension, OpenSSL
will pick curve with id 0x001d, that is ecdh_x25519, as the curve to do ECDHE
While this is not incorrect behaviour according to the standard (it is quite
explicit that if client doesn't provide this extension, server can pick any
curve it wants), I'm afraid that this will cause interoperability problems.
The majority of servers (71%) support *only* prime256v1 curve and of the ones
that default to ECDHE key exchange nearly 83% will also default to this curve.
OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised
So it is very likely that any client that doesn't advertise curves will expect
the server to select prime256v1. At the same time it is very unlikely that it
will support x25519 (given how new it is).
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part.
More information about the openssl-dev