I am attaching a pcap where I set the supported list to contain X25519.
The client extension contains X25519.  However, the server still responds
with keyshare extension secp256r1 in a hello retry request.

This is the case for all the 5 TLS 1.3 ciphers.  Is there another setting
for the server to enable the supported groups?


Thanks,
Mahesh

On Wed, Oct 4, 2017 at 8:02 AM, Dr. Stephen Henson <st...@openssl.org>
wrote:

> On Wed, Oct 04, 2017, Mahesh Bhoothapuri wrote:
>
> >     if (SSL_CTX_set1_groups_list(ctx, "P-521:P-384:P-256") == 0) {
> >            //error
> >     }
> >
>
> If you have the above line you're telling the client to advertise support
> for P-521:P-384:P-256 in that order and the server to only use them.
>
> >     The client and server both use SSL_CTX_set1_groups_list to set the
> > supported group list.  Right now,  the server always
> >     has P-256 in the supported groups extension.
> >     When the groups list is changed to add X25519,  the server responds
> > with P-256.   Is there a way to have the server support
> >     multiple specified groups?
> >
> >     Section 9.1 of the rfc states:
> >     "
> >
> > A TLS-compliant application MUST support digital signatures with
> >    rsa_pkcs1_sha256 (for certificates), rsa_pss_sha256 (for
> >    CertificateVerify and certificates), and ecdsa_secp256r1_sha256.  A
> >    TLS-compliant application MUST support key exchange with secp256r1
> >    (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748
> > <https://tools.ietf.org/html/rfc7748>].
> >   "
> >
>
> Yes and OpenSSL does support those but there is nothing stopping a server
> or client being configured to support a different set of groups.
>
> >   So, having the server support P-256 satisfies the MUST part.  How
> > can we support X25519 on the server, or
> >
>
> Use X25519 in the supported group list.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>

Attachment: x25519_trace0.pcap
Description: Binary data
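
An added example (not part of the thread and not OpenSSL code): a simplified Python model of TLS 1.3 group selection, showing how the server's configured list, the client's advertised list and the client's key shares decide between a ServerHello and a HelloRetryRequest. The function names, the tie-break order and the sample configurations are assumptions constructed for illustration; they are not taken from the attached pcap.

```python
# Simplified model of TLS 1.3 group negotiation (RFC 8446, sections 4.1.4,
# 4.2.7 and 4.2.8). Group names follow the strings accepted by
# SSL_CTX_set1_groups_list; P-256 is the same curve as secp256r1.


def parse_groups(groups_list):
    """Split a colon-separated list such as "X25519:P-256" into ordered names."""
    names = [g.strip() for g in groups_list.split(":") if g.strip()]
    if not names:
        raise ValueError("empty groups list")
    return names


def negotiate(server_list, client_list, client_key_shares):
    """Return (message, group) that the modelled server answers with.

    server_list, client_list: colon-separated groups each side is configured with.
    client_key_shares: groups for which the ClientHello carries a key share.
    """
    server = parse_groups(server_list)
    client = parse_groups(client_list)
    # A key share only counts if it is for a group the client also advertised.
    shares = [g for g in client_key_shares if g in client]
    # 1. The client sent a share for a group the server allows: continue.
    for group in shares:
        if group in server:
            return ("ServerHello", group)
    # 2. A common group exists but no share was sent for it: request a retry.
    #    Assumption of this model: take the first common group in client order.
    for group in client:
        if group in server:
            return ("HelloRetryRequest", group)
    # 3. No common group at all: the handshake cannot proceed.
    return ("handshake_failure", None)


if __name__ == "__main__":
    # Constructed scenarios: (server list, client list, client key shares).
    scenarios = [
        ("P-521:P-384:P-256", "X25519:P-256", ["X25519"]),
        ("X25519:P-256", "X25519:P-256", ["X25519"]),
        ("P-521", "X25519", ["X25519"]),
    ]
    for server_list, client_list, shares in scenarios:
        result = negotiate(server_list, client_list, shares)
        print(f"server={server_list} client={client_list} shares={shares} -> {result}")
```

In the first scenario the server's list lacks X25519, so the client's X25519 share is unusable and the model answers with a HelloRetryRequest for P-256; once the server's list includes X25519 the same ClientHello gets a ServerHello.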
