I've been running tests on the openssl 1.1.0 release recently and I've noticed 
that if the client doesn't include the supported_groups extension, OpenSSL 
will pick the curve with id 0x001d, that is ecdh_x25519, as the curve to do 
ECDHE over.

While this is not incorrect behaviour according to the standard (it is quite 
explicit that if the client doesn't provide this extension, the server can pick 
any curve it wants), I'm afraid that this will cause interoperability problems.

The majority of servers (71%) support *only* the prime256v1 curve, and of the 
ones that default to ECDHE key exchange nearly 83% will also default to this 
curve. OpenSSL 1.0.2h also defaults to this curve if there are no curves 
advertised by the client.

So it is very likely that any client that doesn't advertise curves will expect 
the server to select prime256v1. At the same time it is very unlikely that it 
will support x25519 (given how new it is).
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
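To make the negotiation the post is talking about concrete, here is an added 
example (my own illustration, not code from the post, from OpenSSL, or from the 
test suite Hubert mentions). It builds a minimal TLS 1.2 ClientHello with or 
without a supported_groups extension, parses that extension back out, and shows 
the server-side choice: with the extension present the server intersects its own 
preference list with the client's; with the extension absent the server falls 
back to whatever default it is configured with. The ClientHello bytes are 
constructed inline, the cipher suite and group ids are the IANA values, and the 
`select_curve` fallback parameter is an assumption of this example, used only to 
contrast the prime256v1 default the post argues for with an x25519 default.

```python
"""Parse supported_groups from a TLS 1.2 ClientHello and emulate the server's curve choice.

Added example, not OpenSSL code. The ClientHello is a constructed sample, not a capture.
"""
import struct

# IANA NamedGroup ids (TLS "Supported Groups" registry)
X25519 = 0x001D     # ecdh_x25519, the default the post observed in OpenSSL 1.1.0
SECP256R1 = 0x0017  # prime256v1 / NIST P-256, the default in OpenSSL 1.0.2h
SECP384R1 = 0x0018

EXT_SUPPORTED_GROUPS = 0x000A  # extension type "supported_groups" (formerly elliptic_curves)
GROUP_NAMES = {X25519: "x25519", SECP256R1: "prime256v1", SECP384R1: "secp384r1"}


def build_client_hello(groups=None):
    """Return a minimal TLS 1.2 ClientHello handshake message (constructed sample).

    groups=None omits the extensions block entirely, which is exactly the
    "client doesn't advertise curves" case discussed in the post.
    """
    body = b"\x03\x03" + bytes(32)       # client_version 3.3 + 32 zero bytes of random
    body += b"\x00"                       # empty session id
    body += b"\x00\x02\xc0\x2b"           # one cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                   # compression_methods: null only
    exts = b""
    if groups is not None:
        glist = b"".join(struct.pack("!H", g) for g in groups)
        ext_data = struct.pack("!H", len(glist)) + glist
        exts += struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    # HandshakeType client_hello (1) + 24-bit length + body
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_supported_groups(client_hello):
    """Return the list of NamedGroup ids the client advertised, or None if the
    supported_groups extension (or the whole extensions block) is absent."""
    if not client_hello or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                  # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                                   # skip cipher suites
    cm_len = body[pos]
    pos += 1 + cm_len                                   # skip compression methods
    if pos == len(body):
        return None                                     # no extensions at all (legal in TLS 1.2)
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_GROUPS:
            (glen,) = struct.unpack("!H", edata[:2])
            return [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, glen, 2)]
    return None


def select_curve(client_groups, server_prefs, fallback=SECP256R1):
    """Emulate the server's ECDHE group choice.

    With a supported_groups list present: first server-preferred group the client
    also listed, or None if there is no overlap (ECDHE cannot be negotiated).
    Without the extension: the configured fallback. 'fallback' is this example's
    own knob; prime256v1 models the 1.0.2h default, x25519 the 1.1.0 behaviour.
    """
    if client_groups is None:
        return fallback
    for g in server_prefs:
        if g in client_groups:
            return g
    return None


if __name__ == "__main__":
    prefs = [X25519, SECP256R1]
    for label, hello in (("no extension", build_client_hello()),
                         ("x25519+p256", build_client_hello([X25519, SECP256R1])),
                         ("p256 only", build_client_hello([SECP256R1]))):
        groups = parse_supported_groups(hello)
        chosen = select_curve(groups, prefs)
        print(f"{label:13s} advertised={groups} -> server picks {GROUP_NAMES.get(chosen, chosen)}")
```

Running it shows the interoperability point: a client that sends no 
supported_groups gets whatever the server's fallback is, so a server-side 
default of x25519 only works if that silent client happens to implement x25519, 
whereas a prime256v1 fallback matches what such clients have historically been 
built against.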