[openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

Matt Caswell matt at openssl.org
Sun Dec 2 22:48:33 UTC 2018



On 02/12/2018 22:13, Viktor Dukhovni wrote:
> 
> [ While I could ask off-list, or RTFS, someone else might have the
>   same question later, so might as well ask on-list. ]
> 
> Postfix added support for ECDHE ciphers long ago, back when OpenSSL
> 1.0.0 was shiny and new, and the server-side ECDHE support was
> enabled by specifying a single preferred "temp" ECDH curve.  At the
> time we allowed users to configure:
> 
>     smtpd_tls_eecdh_grade = none | strong | ultra
> 
> which was later expanded to:
> 
>     smtpd_tls_eecdh_grade = none | strong | ultra | auto
> 
> as documented at:
> 
>     http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
>     http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve
>     http://www.postfix.org/postconf.5.html#tls_eecdh_ultra_curve
>     http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
> 
> The "none" setting is documented to disable ECDHE, and did that by
> simply doing nothing, that is by not setting a specific ECDH temp
> curve and also not calling SSL_CTX_set_ecdh_auto().  But doing
> nothing no longer has the same effect in OpenSSL 1.1.0 and later,
> where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto()
> is basically a NOOP (that returns "failure" if the requested behaviour
> is ECDHE "off").
> 
> I thought I might get the same effect by configuring an empty curve
> list, but OpenSSL 1.1.x does not accept an empty list, and in any
> case that might also affect DHE support, since IIRC there's now a
> unified list of curves and FFDHE groups, and there may not be an interface
> for configuring just the curves?
> 
> Is there still a way to support the "none" setting other than to
> modify the cipherlist (ciphers = "!kECDHE:...")?  The Postfix
> code that deals with DH settings is separate from the code
> that deals with ciphers, and I'd prefer to get these mixed up.

AFAIK this can't be done. If you don't want ECDHE then you should not configure
ECDHE ciphersuites.

WRT a unified list of curves, that's not quite the case. TLSv1.3 has a single
"supported_groups" list for both FFDHE and ECDHE - but OpenSSL does not support
FFDHE in TLSv1.3 so in an OpenSSL context this still only relates to ECDHE groups.

Matt

> 
> I should say that I understand that turning off ECDHE is increasingly
> unwise, interoperability can and will suffer.  So I may well decide
> to drop support for "none" and pretend the user meant "auto", but
> I'd like to understand the available options first.
> 
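A check for the approach both messages arrive at (dropping ECDHE by excluding its ciphersuites with "!kECDHE" rather than via curve configuration), written as an added example that is neither Postfix nor OpenSSL code; the cipher strings and the TLS 1.2 cap are assumptions for illustration.

```python
import ssl

# Cipher strings constructed for this example. "kECDHE" is the OpenSSL alias
# for suites using ephemeral ECDH key agreement, so "!kECDHE" removes them.
CIPHERS_WITH_ECDHE = "DEFAULT"
CIPHERS_NO_ECDHE = "DEFAULT:!kECDHE"


def make_server_context(cipher_string, allow_tls13=True):
    """Build a server-side context the way an MTA might, applying a cipher
    string in the style of smtpd_tls_ciphers (assumed names, not Postfix code)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    if not allow_tls13:
        # TLS 1.3 suites carry no key-exchange field, so no cipher string can
        # remove ECDHE from TLS 1.3; capping the protocol version is the only lever.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def key_exchange_methods(ctx):
    """Map each key-exchange method to the suites using it, taken from OpenSSL's
    own 'Kx=' description field (TLS 1.3 suites report 'any', ECDHE-PSK hybrids
    report 'ECDHEPSK' and are only reachable when a PSK callback is installed)."""
    methods = {}
    for cipher in ctx.get_ciphers():
        kx = next((tok.split("=", 1)[1] for tok in cipher["description"].split()
                   if tok.startswith("Kx=")), "unknown")
        methods.setdefault(kx, []).append(cipher["name"])
    return methods


def offers_ecdhe(ctx):
    """True if any TLS <= 1.2 suite in the context still uses ephemeral ECDH."""
    return "ECDH" in key_exchange_methods(ctx)


if __name__ == "__main__":
    for label, cs in (("default", CIPHERS_WITH_ECDHE), ("no-ecdhe", CIPHERS_NO_ECDHE)):
        ctx = make_server_context(cs, allow_tls13=False)
        print(label, "offers ECDHE:", offers_ecdhe(ctx))
        for kx, names in sorted(key_exchange_methods(ctx).items()):
            print(f"  Kx={kx}: {len(names)} suite(s)")
```

Run against a TLS 1.3-capable OpenSSL, the "any" bucket stays populated whatever the cipher string says, which is why an "off" setting has to cap the version as well.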

