Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.
Matt Caswell
matt at openssl.org
Fri Jul 2 14:53:39 UTC 2021
On 02/07/2021 14:02, vinod mg wrote:
> --> Is there a way I can compile openssl itself to exclude 'secp521r1'
> and install? The reason I ask is because application I am testing is
> squid(squid-cache.org <http://squid-cache.org>) for ssl bumping purposes
> and it has limited configurability.
Only by disabling *all* ec groups (via the "no-ec" configure option) but
that is no solution at all really. I would not recommend that!
You might try starting squid with the OPENSSL_CONF environment variable
pointing to a custom OpenSSL config file. Assuming squid doesn't
suppress loading the config file then you can do the same thing as
SSL_CTX_set1_groups_list via the "Groups" SSL_CONF setting. See the info
here on configuring OpenSSL SSL/TLS settings via config file (see the
section "SSL Configuration Module"):
https://www.openssl.org/docs/man1.1.1/man5/config.html
And see the documentation on "Groups" on this page:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
Matt
>
> Thanks,
> Vinod
>
>
> On Fri, Jul 2, 2021 at 4:32 PM Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>
>
>
> On 01/07/2021 07:21, vinod mg wrote:
> > 1) Suppress or a way to remove secp521r1 from the currently installed
> > openssl.
>
> You can specify the list of groups by calling SSL_CTX_set1_groups_list
> (or SSL_set1_groups_list) from your application. See:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
> <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html>
>
> > 2) Add the cipher - "0xbaba TLS_GREASE_BA GREASE" like we see in
> > chrome.
>
> This is not a real cipher. It does nothing and is always ignored.
> OpenSSL does not support sending this value.
>
> Matt
>
>
> >
> > I am ok with custom install as well, if above cannot be done with
> > already installed openssl package. Please share any wiki I can
> > follow to implement the same.
> >
> > ~]# openssl ecparam -list_curves
> >
> > secp224r1 : NIST/SECG curve over a 224 bit prime field
> >
> > secp256k1 : SECG curve over a 256 bit prime field
> >
> > secp384r1 : NIST/SECG curve over a 384 bit prime field
> >
> > /secp521r1 : NIST/SECG curve over a 521 bit prime field/
> >
> > prime256v1: X9.62/SECG curve over a 256 bit prime field
> >
> >
> > I am using below OS and version-
> >
> > # cat /etc/redhat-release
> >
> > Red Hat Enterprise Linux release 8.3 (Ootpa)
> >
> >
> > # openssl version -a
> >
> > OpenSSL 1.1.1g FIPS  21 Apr 2020
> >
> > built on: Thu Mar 25 16:46:53 2021 UTC
> >
> > platform: linux-x86_64
> >
> > options:bn(64,64) md2(char) rc4(16x,int) des(int) idea(int)
> > blowfish(ptr)
> >
> > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3
> -O2 -g
> > -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> > -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
> > -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> > -fasynchronous-unwind-tables -fstack-clash-protection
> > -fcf-protection -Wa,--noexecstack
> > -Wa,--generate-missing-build-notes=yes
> > -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
> -DOPENSSL_USE_NODELETE
> > -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
> > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m
> > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM
> > -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> > -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY
> > -DDEVRANDOM="\"/dev/urandom\""
> >
> -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
> >
> > OPENSSLDIR: "/etc/pki/tls"
> >
> > ENGINESDIR: "/usr/lib64/engines-1.1"
> >
> > Seeding source: os-specific
> >
> > engines:rdrand dynamic
> >
> >
> > Really appreciate your time and help, thanks in advance.
> >
> > Thanks,
> > Vinod
> >
>
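As an added illustration of the OPENSSL_CONF approach Matt describes (not code from the thread or from the OpenSSL project), this is a minimal OpenSSL 1.1.1 configuration file whose SSL configuration module applies the "Groups" command to every SSL_CTX the process creates. The file path, the section names and the chosen group list are assumptions; the list is OpenSSL 1.1.1's default order with secp521r1 left out.

```ini
# Added example config, not part of the original mailing-list thread.
# Assumed path: /etc/squid/openssl-no-p521.cnf
# Start the application with the library pointed at it, for example:
#   OPENSSL_CONF=/etc/squid/openssl-no-p521.cnf squid -N
# The variable is read by libcrypto when it initialises, so no change to
# the application's source is needed. It is ignored for set-uid/set-gid
# executables, and it only works if the application does not disable
# config-file loading itself.

# Entry point: the section the library reads on initialisation.
openssl_conf = default_conf

[default_conf]
# Load the SSL configuration module and point it at its own section.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is applied to each SSL_CTX when it is created, before
# the application makes any of its own settings.
system_default = system_default_sect

[system_default_sect]
# Equivalent to SSL_CTX_set1_groups_list(ctx, "X25519:secp256r1:X448:secp384r1").
# Names are those accepted by SSL_CONF_cmd(3); P-256 and P-384 are
# accepted aliases for secp256r1 and secp384r1. secp521r1 (P-521) is simply
# omitted, so it is no longer offered in the supported_groups extension.
Groups = X25519:secp256r1:X448:secp384r1
```

Setting OPENSSL_CONF replaces the default configuration file under OPENSSLDIR (/etc/pki/tls/openssl.cnf on the system shown above), so anything that file used to apply, such as the RHEL 8 crypto-policies SSL settings, no longer reaches this process unless you `.include` it here. A quick sanity check that the file parses is to run any `openssl` subcommand with the same OPENSSL_CONF value and confirm it reports no configuration error.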