[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0
David Benjamin
davidben at google.com
Sat Sep 17 01:31:32 UTC 2016
When we added X25519 to BoringSSL, we at the same time started made the
server require clients supply a curve list (and otherwise we'd just pick a
non-ECDHE cipher), because of this issue. That went in back in December
2015 and it's been running just fine. I'd recommend OpenSSL do the same.
Another option is to have separate notions of "most preferred" and
"default" curve, but just requiring the curve list is cleaner. That turns
out to be practical and aligns well with TLS 1.3. I think if we had to
implement the "default" version, we'd probably have treated missing curve
list as an advertisement of P-256, so if you prefer the other option, that
seems a reasonable implementation strategy.
(I don't have any data on how prevalent such clients are. The issue was
noticed during implementation, so we never actually saw the breakage.)
David
On Fri, Sep 16, 2016 at 11:58 AM Michael Sierchio <kudzu at tenebras.com>
wrote:
>
> On Fri, Sep 16, 2016 at 8:52 AM, Salz, Rich <rsalz at akamai.com> wrote:
>
> ...
>
> That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not
> joking, I think that's a major reason.
>
>
> Well, you've provided them with a reason. ;-) Srsly, thanks for not making
> the NIST curves the default.
>
> - M
>
> --
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
>
> - The Mahābhārata
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160917/3e239b37/attachment.html>
More information about the openssl-dev
mailing list