I've been running tests on the OpenSSL 1.1.0 release recently and I've noticed that if the client doesn't include the supported_groups extension, OpenSSL will pick the curve with id 0x001d, that is ecdh_x25519, as the curve to do ECDHE over.

While this is not incorrect behaviour according to the standard (it is quite explicit that if the client doesn't provide this extension, the server can pick any curve it wants), I'm afraid that this will cause interoperability problems. The majority of servers (71%) support *only* the prime256v1 curve, and of the ones that default to ECDHE key exchange nearly 83% will also default to this curve. OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised by the client. So it is very likely that any client that doesn't advertise curves will expect the server to select prime256v1. At the same time it is very unlikely that it will support x25519 (given how new it is).

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
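The following is an added example, not code from the message or from OpenSSL: it parses the supported_groups extension (type 0x000a) out of a TLS 1.2 ClientHello body and models the server-side choice the message describes, where an absent extension falls through to a configured default (0x001d in 1.1.0, 0x0017 in 1.0.2h). The ClientHello bytes, the server preference list and the `select_group` policy are constructed here for illustration.

```python
import struct

SUPPORTED_GROUPS_EXT = 0x000A
# IANA named group ids mentioned in the thread (0x0017 = prime256v1, 0x001d = x25519)
NAMED_GROUPS = {0x0017: "secp256r1 (prime256v1)", 0x0018: "secp384r1", 0x001D: "x25519"}


def parse_client_hello_groups(hello):
    """Return the group ids listed in supported_groups, or None if the
    ClientHello body (handshake header already stripped) carries no such extension."""
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        body, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", body[:2])[0]
            return [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return None


def select_group(client_groups, server_prefs, fallback):
    """Constructed server policy: first server-preferred group the client lists;
    with no extension at all, the configured fallback decides interoperability."""
    if client_groups is None:
        return fallback
    return next((g for g in server_prefs if g in client_groups), None)


def build_client_hello(groups=None):
    """Constructed minimal TLS 1.2 ClientHello body; groups=None omits the extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00"       # version, zero random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # null compression only
    if groups is not None:
        ext_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    return body
```

Feeding a ClientHello without the extension to `select_group` with each fallback shows the concrete difference between the two defaults the message compares.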