Is ED25519 on DTLS supported?

Matt Caswell matt at openssl.org
Mon Nov 18 16:42:56 UTC 2019 


On 17/11/2019 01:43, Rafael Ferrer wrote:
> It's DTLS-OK according to IANA.
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16
> 
> 
> I tested ED25519 certificates on TLS 1.2 and it worked fine.
> 
> openssl s_server -port 4321 -cert server-cert.pem -key server-key.pem
> -CAfile client-cert.pem -tls1_2 -sigalgs ed25519
> openssl s_client -bind localhost:1234 -connect localhost:4321 -cert
> client-cert.pem -key client-key.pem -CAfile server-cert.pem -tls1_2
> -sigalgs ed25519
> 
> But I get a "no shared cipher" error (on the server) if I just replace
> -tls1_2 with -dtls1_2 on those two commands.
> 
> 
> The certs and keys are self-signed for both the server and client and
> where generated by this command.
> 
> openssl req -x509 -newkey ed25519 -subj "/CN=localhost" -nodes -addext
> keyUsage=digitalSignature -keyout key.pem -out cert.pem
> 


This is a really good question. Currently Ed25519 certificates are not
supported in DTLS. The function ssl_set_masks() in ssl_lib.c has this code:

    /* Allow Ed25519 for TLS 1.2 if peer supports it */
    if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
            && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
            && TLS1_get_version(s) == TLS1_2_VERSION)
            mask_a |= SSL_aECDSA;

Note, this explicitly checks for TLSv1.2 and only allows ED25519 if it
is true. There is no equivalent code for DTLSv1.2.

Technically getting it to support DTLSv1.2 is easy. We just amend the
above line to additionally check for DTLSv1.2 and it should work. The
question is, is that correct? EdDSA support for TLSv1.2 was specified in
RFC8422. That RFC only has one mention of DTLS here:

"IANA has assigned one value from the "TLS HashAlgorithm" registry for
Intrinsic (8) with DTLS-OK set to true (Y) and this document as
reference.  This keeps compatibility with TLS 1.3."

That's in reference to IANA TLS HashAlgorithm registry. But for the TLS
SignatureAlgorithm registry it says this:

"IANA has assigned two values in the "TLS SignatureAlgorithm" registry
for ed25519 (7) and ed448 (8) with this document as reference.  This
keeps compatibility with TLS 1.3."

This is in the paragraph before the other one, and there is no reference
to ed25519/ed448 being "ok" for DTLS, and in fact there is no mention of
DTLS anywhere else in this RFC.

So, I'm slightly perplexed as to why the IANA registry says something
different to this (i.e. DTLS is "ok" for ed25519/ed448). Is this an
error in the IANA registry? Or is this an error in the RFC? Or is there
some other RFC somewhere that specifies ed25519/ed448 usage in DTLS?

I looked to see if there were any errata for RFC8422, but nothing looked
relevant.

Matt

More information about the openssl-users mailing list