[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

[Hubert Kario]

On Friday, 16 September 2016 17:26:03 CET Hubert Kario wrote:
> I've been running tests on the openssl 1.1.0 release recently and I've
> noticed that if the client doesn't include the supported_groups extension,
> OpenSSL will pick curve with id 0x001d, that is ecdh_x25519, as the curve
> to do ECDHE over.
> 
> While this is not incorrect behaviour according to the standard (it is quite
> explicit that if client doesn't provide this extension, server can pick any
> curve it wants), I'm afraid that this will cause interoperability problems.
> 
> The majority of servers (71%) support *only* prime256v1 curve and of the
> ones that default to ECDHE key exchange nearly 83% will also default to
> this curve. OpenSSL 1.0.2h also defaults to this curve if there are no
> curves advertised by client.
> 
> So it is very likely that any client that doesn't advertise curves will
> expect the server to select prime256v1. At the same time it is very
> unlikely that it will support x25519 (given how new it is).

I've filed a bug on github so that it doesn't fall off the radar...
https://github.com/openssl/openssl/issues/2219

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170112/7b24ee05/attachment.sig>