[openssl-dev] rejecting elliptic_curves/supported_groups in ServerHello (new behavior in master/1.1.1 vs 1.1.0)
Mahesh Bhoothapuri
maheshbhooth at gmail.com
Wed Oct 4 17:46:42 UTC 2017
I am attaching a pcap where I set the supported list to contain X25519.
The client extension contains X25519. However, the server still responds
with keyshare extension secp256r1 in a hello retry request.
This is the case for all the 5 TLS 1.3 ciphers. Is there another setting
for the server to enable the supported groups?
Thanks,
Mahesh
On Wed, Oct 4, 2017 at 8:02 AM, Dr. Stephen Henson <steve at openssl.org> wrote:
> On Wed, Oct 04, 2017, Mahesh Bhoothapuri wrote:
>
> > if (SSL_CTX_set1_groups_list(ctx, "P-521:P-384:P-256") == 0) {
> > //error
> > }
> >
>
> If you have the above line you're telling the client to advertise support for
> P-521:P-384:P-256 in that order and the server to only use them.
>
> > The client and server both use SSL_CTX_set1_groups_list to set the
> > supported group list. Right now, the server always
> > has P-256 in the supported groups extension.
> > When the groups list is changed to add X25519, the server responds
> > with P-256. Is there a way to have the server support
> > multiple specified groups?
> >
> > Section 9.1 of the rfc states:
> > "
> >
> > A TLS-compliant application MUST support digital signatures with
> > rsa_pkcs1_sha256 (for certificates), rsa_pss_sha256 (for
> > CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A
> > TLS-compliant application MUST support key exchange with secp256r1
> > (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748
> > <https://tools.ietf.org/html/rfc7748>].
> > "
> >
>
> Yes and OpenSSL does support those but there is nothing stopping a server or
> client being configured to support a different set of groups.
>
> > So, having the server support P-256 satisfies the MUST part. How
> > can we support X25519 on the server, or
> >
>
> Use X25519 in the supported group list.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
A non-text attachment was scrubbed...
Name: x25519_trace0.pcap
Type: application/octet-stream
Size: 3120 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20171004/1dfaf625/attachment.obj>
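The behaviour discussed in the thread, as an added example that is not part of the original messages: a simplified model of TLS 1.3 group negotiation (RFC 8446 sections 4.2.7 and 4.2.8) showing why a server whose group list lacks X25519 answers a ClientHello carrying an X25519 key share with a HelloRetryRequest selecting secp256r1, and why adding X25519 to the server's list (Steve's advice) yields a direct ServerHello. The `negotiate` function, the sample extension bytes and the group lists are assumptions constructed for illustration; the NamedGroup codepoints are the IANA values.

```python
"""Simplified model of TLS 1.3 group negotiation (RFC 8446 sections 4.2.7
and 4.2.8): how a server's configured group list decides between a
ServerHello, a HelloRetryRequest and a failed handshake."""
import struct

# IANA NamedGroup codepoints from RFC 8446 section 4.2.7.
NAMED_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
                0x001D: "x25519", 0x001E: "x448"}


def parse_supported_groups(ext_body: bytes) -> list:
    """Parse a supported_groups extension body: a 2-byte length followed by
    2-byte NamedGroup ids in the client's preference order."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    ids = ext_body[2:]
    if len(ids) != length or length % 2:
        raise ValueError("malformed supported_groups extension")
    return [NAMED_GROUPS.get(g, "unknown(0x%04x)" % g)
            for (g,) in struct.iter_unpack("!H", ids)]


def negotiate(client_supported, client_key_shares, server_groups):
    """Decide the server's response to a ClientHello (constructed model).

    client_supported  - groups from the client's supported_groups extension
    client_key_shares - groups for which the client sent a key_share entry
    server_groups     - the server's configured list in preference order,
                        i.e. what SSL_CTX_set1_groups_list() sets server-side
    Returns ("ServerHello", g), ("HelloRetryRequest", g) or ("alert", None).
    """
    # A server may only use groups that both sides list.
    mutual = [g for g in server_groups if g in client_supported]
    if not mutual:
        return ("alert", None)  # handshake_failure: no common group
    # If the client already sent a key share for an acceptable group the
    # handshake completes in one round trip.
    for g in client_key_shares:
        if g in mutual:
            return ("ServerHello", g)
    # Otherwise the server asks for a key share in a group it does accept.
    return ("HelloRetryRequest", mutual[0])


if __name__ == "__main__":
    # Constructed extension body: X25519, P-256, P-384 (6 bytes of ids).
    print(parse_supported_groups(bytes.fromhex("0006001d00170018")))
    # Server still configured as "P-521:P-384:P-256" as in the thread.
    print(negotiate(["x25519", "secp256r1"], ["x25519"],
                    ["secp521r1", "secp384r1", "secp256r1"]))
```

Swapping the server list for one that contains "x25519" makes the second call return a ServerHello instead of a HelloRetryRequest.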