On Friday, 16 September 2016 17:26:03 CET Hubert Kario wrote:
> I've been running tests on the openssl 1.1.0 release recently and I've
> noticed that if the client doesn't include the supported_groups extension,
> OpenSSL will pick curve with id 0x001d, that is ecdh_x25519, as the curve
> to do ECDHE over.
>
> While this is not incorrect behaviour according to the standard (it is quite
> explicit that if client doesn't provide this extension, server can pick any
> curve it wants), I'm afraid that this will cause interoperability problems.
>
> The majority of servers (71%) support *only* prime256v1 curve and of the
> ones that default to ECDHE key exchange nearly 83% will also default to
> this curve. OpenSSL 1.0.2h also defaults to this curve if there are no
> curves advertised by client.
>
> So it is very likely that any client that doesn't advertise curves will
> expect the server to select prime256v1. At the same time it is very
> unlikely that it will support x25519 (given how new it is).

I've filed a bug on github so that it doesn't fall off the radar...

https://github.com/openssl/openssl/issues/2219

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
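The case reported above, as an added example that is not part of the original message and is not OpenSSL's code: a minimal ClientHello parser that detects a missing supported_groups extension, with a simplified server choice that takes the fallback curve as a parameter. The function names and the sample ClientHello are constructed for illustration; 0x0017 is the IANA id for secp256r1 (prime256v1), and the fallback policy is an assumption standing in for the two server defaults the message compares.

```python
import struct

X25519, SECP256R1 = 0x001D, 0x0017   # IANA ids; prime256v1 is secp256r1
EXT_SUPPORTED_GROUPS = 10

def build_client_hello(groups=None):
    """Constructed sample ClientHello body (no record/handshake header)."""
    body = b"\x03\x03" + bytes(32)            # legacy_version, random
    body += b"\x00"                           # empty session_id
    body += struct.pack("!HH", 2, 0xC02F)     # one ECDHE cipher suite
    body += b"\x01\x00"                       # null compression
    exts = b""
    if groups is not None:
        glist = b"".join(struct.pack("!H", g) for g in groups)
        data = struct.pack("!H", len(glist)) + glist
        exts += struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(data)) + data
    return body + struct.pack("!H", len(exts)) + exts

def offered_groups(hello):
    """Return the client's group ids, or None if the extension is absent."""
    pos = 2 + 32
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]     # cipher_suites
    pos += 1 + hello[pos]                                  # compression
    if pos >= len(hello):
        return None                                        # no extensions block
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack_from("!H", hello, pos)[0]
            return [g for (g,) in struct.iter_unpack("!H", hello[pos + 2:pos + 2 + n])]
        pos += elen
    return None

def select_group(hello, server_prefs, fallback):
    """Server choice: first mutually supported group, or `fallback` when the
    client sent no supported_groups (the case the report is about)."""
    offered = offered_groups(hello)
    if offered is None:
        return fallback
    return next((g for g in server_prefs if g in offered), None)
```

Running `select_group` on the extension-less hello with `fallback=X25519` versus `fallback=SECP256R1` shows the only point at which the two server defaults diverge; once the client advertises groups, the fallback is never consulted.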