[openssl-dev] rejecting elliptic_curves/supported_groups in ServerHello (new behavior in master/1.1.1 vs 1.1.0)
Dr. Stephen Henson
steve at openssl.org
Wed Oct 4 15:02:26 UTC 2017
On Wed, Oct 04, 2017, Mahesh Bhoothapuri wrote:
> if (SSL_CTX_set1_groups_list(ctx, "P-521:P-384:P-256") == 0) {
> //error
> }
>
If you have the above line you're telling the client to advertise support for
P-521:P-384:P-256 in that order and the server to only use them.

> The client and server both use SSL_CTX_set1_groups_list to set the
> supported group list. Right now, the server always
> has P-256 in the supported groups extension.
> When the groups list is changed to add X25519, the server responds
> with P-256. Is there a way to have the server support
> multiple specified groups?
>
> Section 9.1 of the rfc states:
> "
>
> A TLS-compliant application MUST support digital signatures with
> rsa_pkcs1_sha256 (for certificates), rsa_pss_sha256 (for
> CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A
> TLS-compliant application MUST support key exchange with secp256r1
> (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748
> <https://tools.ietf.org/html/rfc7748>].
> "
>
Yes, and OpenSSL does support those, but there is nothing stopping a server or
client being configured to support a different set of groups.

> So, having the server support P-256 satisfies the MUST part. How
> can we support X25519 on the server, or
>
Use X25519 in the supported group list.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org