On Thu, 2 May 2024 at 19:50, Lukas Tribus <lu...@ltri.eu> wrote:
>
> On Thu, 2 May 2024 at 17:14, Froehlich, Dominik
> <dominik.froehl...@sap.com> wrote:
> > The closest I’ve gotten is the “curves” property:
> > https://docs.haproxy.org/2.8/configuration.html#5.1-curves
> >
> > However, I think it only restricts the available elliptic curves in an ECDHE
> > handshake, but it does not prevent a TLS 1.3 client from selecting a
> > non-ECDHE prime group, for example “ffdhe8192”.
>
> If I understand the code correctly, both nginx and haproxy call
> SSL_CTX_set1_curves_list(), what exactly makes you think that haproxy
> does something different?
More to the point: curve and group are the same exact thing in openssl:

https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html

> -curves groups
> This is a synonym for the -groups command.

https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set1_curves.html

> The curve functions are synonyms for the equivalently named group functions
> and are identical in every respect. They exist because, prior to TLS1.3,
> there was only the concept of supported curves. In TLS1.3 this was renamed to
> supported groups, and extended to include Diffie Hellman groups. The group
> functions should be used in preference.

https://github.com/openssl/openssl/issues/18089#issuecomment-1096748557

> In TLSv1.3 the old "supported_curves" extension was renamed to
> "supported_groups". This renaming has been followed through to the OpenSSL
> API so that SSL_CTX_set1_curves_list is synonymous with
> SSL_CTX_set1_groups_list, and the -curves command line argument is
> synonymous with -groups. So in the above issue you are not just constraining
> the EC curves - you are constraining all the groups available for use in
> TLSv1.3. This includes FFDH groups - so the above configuration prevents
> either ECDH or FFDH being used in TLSv1.3.

Setting openssl curves (groups) via SSL_CTX_set1_curves_list just like
nginx does is supported since Haproxy 1.8:

https://github.com/haproxy/haproxy/commit/e7f2b7301c0a6625654056356cca56853a14cd68

Lukas
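Added example, not part of the thread and not HAProxy or OpenSSL code: a small Python audit that reads a haproxy.cfg and reports, for every TLS-enabled bind line, the effective group list and whether it still permits an FFDHE group. It encodes the point made above, that `curves` is passed straight to SSL_CTX_set1_curves_list() and therefore constrains all TLS 1.3 groups, FFDHE included. It assumes the bind-level `curves` option from the linked docs and a global `ssl-default-bind-curves` default that applies to bind lines without their own `curves`; the OpenSSL default group list used when neither is set is a model of the library default (assumption, verify against your OpenSSL build). The sample config is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample haproxy.cfg for this example (not a real deployment).
# Assumption: ssl-default-bind-curves supplies the default for bind lines
# that carry no "curves" option of their own.
SAMPLE_CFG = """
global
    ssl-default-bind-curves X25519:P-256:ffdhe2048

frontend fe_default
    bind :443 ssl crt /etc/haproxy/site.pem

frontend fe_strict
    bind :8443 ssl crt /etc/haproxy/site.pem curves X25519:P-256

frontend fe_plain
    bind :80
"""

# Assumption: model of the OpenSSL 3.x built-in default group list, which
# includes the RFC 7919 FFDHE groups. Verify against the OpenSSL you link.
OPENSSL_DEFAULT_GROUPS = (
    "X25519:secp256r1:X448:secp521r1:secp384r1:"
    "ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192"
)

FFDHE_RE = re.compile(r"^ffdhe\d+$", re.IGNORECASE)
SECTION_KEYWORDS = ("global", "defaults", "frontend", "listen", "backend")


@dataclass
class BindFinding:
    section: str            # e.g. "frontend fe_default"
    address: str            # the bind address token
    curves: Optional[str]   # effective group list; None = library default
    explicit: bool          # True when set on the bind line itself
    ffdhe_allowed: bool     # does the effective list still permit FFDHE?


def allows_ffdhe(curves: Optional[str]) -> bool:
    """True if the effective group list (or the library default) contains
    any ffdheNNNN group. Because curves == groups in OpenSSL, an explicit
    list without ffdhe* entries disables FFDHE for TLS 1.3 entirely."""
    groups = (curves or OPENSSL_DEFAULT_GROUPS).split(":")
    return any(FFDHE_RE.match(g.strip()) for g in groups)


def _tokenize(cfg_text: str) -> List[List[str]]:
    """Strip comments and split each config line into tokens."""
    return [line.split("#", 1)[0].split() for line in cfg_text.splitlines()]


def audit(cfg_text: str) -> List[BindFinding]:
    """Return one finding per TLS-enabled bind line."""
    lines = _tokenize(cfg_text)

    # Pass 1: pick up the global default (global may not be the first section).
    default_curves = None
    section = None
    for tok in lines:
        if not tok:
            continue
        if tok[0] in SECTION_KEYWORDS:
            section = " ".join(tok[:2])
        elif section == "global" and tok[0] == "ssl-default-bind-curves" and len(tok) > 1:
            default_curves = tok[1]

    # Pass 2: evaluate every bind line that enables TLS.
    findings: List[BindFinding] = []
    section = None
    for tok in lines:
        if not tok:
            continue
        if tok[0] in SECTION_KEYWORDS:
            section = " ".join(tok[:2])
            continue
        if tok[0] != "bind" or len(tok) < 2 or "ssl" not in tok[2:]:
            continue  # plaintext bind: TLS group negotiation does not apply
        explicit = None
        if "curves" in tok[2:]:
            i = tok.index("curves", 2)
            if i + 1 < len(tok):
                explicit = tok[i + 1]
        effective = explicit if explicit is not None else default_curves
        findings.append(BindFinding(section or "?", tok[1], effective,
                                    explicit is not None, allows_ffdhe(effective)))
    return findings


def report(findings: List[BindFinding]) -> List[str]:
    """Human-readable one-liners, FFDHE-permitting binds flagged first."""
    out = []
    for f in sorted(findings, key=lambda x: not x.ffdhe_allowed):
        src = "bind" if f.explicit else ("default" if f.curves else "openssl")
        flag = "FFDHE ALLOWED" if f.ffdhe_allowed else "ok"
        out.append(f"{flag:13} {f.section} bind {f.address} groups={f.curves or '(library default)'} [{src}]")
    return out


if __name__ == "__main__":
    for line in report(audit(SAMPLE_CFG)):
        print(line)
```

Run it against a real config by replacing SAMPLE_CFG with the file contents; a bind reported with the library default or with an ffdhe* entry in its list is one where a TLS 1.3 client can still negotiate a finite-field group, and the fix is exactly the `curves` option from the docs link above, with only the groups you intend to offer.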