Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.

Mark Hack markhack at markhack.com
Wed Jul 7 07:01:16 UTC 2021 

The docs are not the easiest to follow so here is what I did to order
curves from strongest to weakest.The file is /etc/pki/tls/openssl.conf
and should be close to your settings. Set the curves to what you want
as I did in the Curve line

openssl_conf = default_modules

[ default_modules ]

ssl_conf = ssl_module

[ ssl_module ]

system_default = crypto_policy

[ crypto_policy ]
Curves = P-521:P-384:P-256



On Fri, 2021-07-02 at 15:53 +0100, Matt Caswell wrote:
> 
> On 02/07/2021 14:02, vinod mg wrote:
> > --> Is there a way I can compile openssl itself to exclude
> > 'secp521r1' 
> > and install? The reason I ask is because application I am testing
> > is 
> > squid(squid-cache.org <http://squid-cache.org>) for ssl bumping
> > purposes 
> > and it has limited configurability.
> 
> Only by disabling *all* ec groups (via the "no-ec" configure option)
> but 
> that is no solution at all really. I would not recommend that!
> 
> You might try starting squid with the OPENSSL_CONF environment
> variable 
> pointing to a custom OpenSSL config file. Assuming squid doesn't 
> suppress loading the config file then you can do the same thing as 
> SSL_CTX_set1_groups_list via the "Groups" SSL_CONF setting. See the
> info 
> here on configuring OpenSSL SSL/TLS settings via config file (see
> the 
> section "SSL Configuration Module"):
> 
> https://www.openssl.org/docs/man1.1.1/man5/config.html
> 
> And see the documentation on "Groups" on this page:
> 
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
> 
> Matt
> 
> > 
> > Thanks,
> > Vinod
> > 
> > 
> > On Fri, Jul 2, 2021 at 4:32 PM Matt Caswell <matt at openssl.org 
> > <mailto:matt at openssl.org>> wrote:
> > 
> > 
> > 
> >     On 01/07/2021 07:21, vinod mg wrote:
> >      >     1) Supress or a way to remove secp521r1 from the
> > currenlty
> >     installed
> >      >     openssl.
> > 
> >     You can specify the list of groups by calling
> > SSL_CTX_set1_groups_list
> >     (or SSL_set1_groups_list) from your application. See:
> > 
> >     
> > https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
> >     <
> > https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
> > >
> > 
> >      >     2) Add the cipher - "0xbaba   TLS_GREASE_BA   GREASE"
> > like we
> >     see in
> >      >     chrome.
> > 
> >     This is not a real cipher. It does nothing and is always
> > ignored.
> >     OpenSSL does not support sending this value.
> > 
> >     Matt
> > 
> > 
> >      >
> >      >     I am ok with custom install as well, if above cannot be
> > done with
> >      >     already installed openssl package. Please share any wiki
> > I can
> >      >     follow to impliment the same.
> >      >
> >      >     ~]# openssl ecparam -list_curves
> >      >
> >      >     secp224r1 : NIST/SECG curve over a 224 bit prime field
> >      >
> >      >     secp256k1 : SECG curve over a 256 bit prime field
> >      >
> >      >     secp384r1 : NIST/SECG curve over a 384 bit prime field
> >      >
> >      >     /secp521r1 : NIST/SECG curve over a 521 bit prime field/
> >      >
> >      >     prime256v1: X9.62/SECG curve over a 256 bit prime field
> >      >
> >      >
> >      >     I am using below OS and version-
> >      >
> >      >     # cat /etc/redhat-release
> >      >
> >      >     Red Hat Enterprise Linux release 8.3 (Ootpa)
> >      >
> >      >
> >      >     # opensslversion -a
> >      >
> >      >     OpenSSL 1.1.1g FIPS21 Apr 2020
> >      >
> >      >     built on: Thu Mar 25 16:46:53 2021 UTC
> >      >
> >      >     platform: linux-x86_64
> >      >
> >      >     options:bn(64,64) md2(char) rc4(16x,int) des(int)
> > idea(int)
> >      >     blowfish(ptr)
> >      >
> >      >     compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack
> > -Wall -O3
> >     -O2 -g
> >      >     -pipe -Wall -Werror=format-security -Wp,-
> > D_FORTIFY_SOURCE=2
> >      >     -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-
> > protector-strong
> >      >     -grecord-gcc-switches
> >     -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> >      >     -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64
> > -mtune=generic
> >      >     -fasynchronous-unwind-tables -fstack-clash-protection
> >      >     -fcf-protection -Wa,--noexecstack
> >      >     -Wa,--generate-missing-build-notes=yes
> >      >     -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
> >     -DOPENSSL_USE_NODELETE
> >      >     -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> > -DOPENSSL_IA32_SSE2
> >      >     -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> >     -DOPENSSL_BN_ASM_GF2m
> >      >     -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM
> > -DRC4_ASM
> >      >     -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM
> > -DECP_NISTZ256_ASM
> >      >     -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY
> >      >     -DDEVRANDOM="\"/dev/urandom\""
> >      >   
> >       -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-
> > ends/openssl.config"
> >      >
> >      >     OPENSSLDIR: "/etc/pki/tls"
> >      >
> >      >     ENGINESDIR: "/usr/lib64/engines-1.1"
> >      >
> >      >     Seeding source: os-specific
> >      >
> >      >     engines:rdrand dynamic
> >      >
> >      >
> >      >     Really appriciate your time and help, thanks in advance.
> >      >
> >      >     Thanks,
> >      >     Vinod
> >      >
> >

More information about the openssl-users mailing list