On Wed, Oct 28, 2009 at 04:06:07PM +0300, Victor B. Wagner wrote:

> But for some setups, especially in OpenSSL 1.0, which supports EC
> ciphersuites, dh parameters are not necessary.

This is not entirely accurate, one still needs to designate an ECDH
curve for ECDHE ciphers. Postfix code for this:

    ... set "curve" to the administrator designated value ...

    /*
     * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
     * from RFC 4492 section 5.1.1, or explicitly described curves over
     * binary fields. OpenSSL only supports the "named curves", which provide
     * maximum interoperability. The recommended curve for 128-bit
     * work-factor key exchange is "prime256v1" a.k.a. "secp256r1" from
     * Section 2.7 of http://www.secg.org/download/aid-386/sec2_final.pdf
     */
    if ((nid = OBJ_sn2nid(curve)) == NID_undef) {
        msg_warn("unknown curve \"%s\": disabling EECDH support", curve);
        return (0);
    }
    ERR_clear_error();
    if ((ecdh = EC_KEY_new_by_curve_name(nid)) == 0
        || SSL_CTX_set_tmp_ecdh(server_ctx, ecdh) == 0) {
        msg_warn("unable to use curve \"%s\": disabling EECDH support", curve);
        tls_print_errors();
        return (0);
    }

> So it would be nice to let users live without completely unnecessary
> temporary DH parameters.
>
> I see two ways of doing so:
>
> 1. If dh parameters are not specified in the application configuration
> file, add ':!DH' to the end of ciphersuite list, thus restricting
> application to the ciphersuites which do not need tmp DH parameters.
> (which may result in empty cipher list and failure to start).

More precise is "!kEDH", and IIRC OpenSSL does not offer kEDH ciphers
on the wire, when no parameters are provided by the application.

> 2. Check cipher list for any ciphersuite which need DH parameters
> and complain loudly (giving fatal configuration error)
> if such ciphersuite is enabled, but DH parameters
> are not provided.
>
> For my typical case (using GOST only) both ways would do the job.
>
> But which one is generally better and would be more acceptable for
> application authors?

DTRT! When no parameters are provided, don't include kEDH ciphers in
the list of available ciphers, regardless of the user-specified
cipherlist.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
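An added example, not code from the thread or from Postfix: the two decisions discussed above (select the EECDH curve and disable EECDH on an unknown name; never offer kEDH suites when no DH parameters are configured, whatever the administrator's cipherlist says) done through Python's ssl module, which wraps the same OpenSSL calls. The function names and the DH parameter file path are assumptions.

```python
import re
import ssl
from typing import List, Optional

# Mirror of the Postfix curve check: an unknown curve name is reported and
# EECDH support is simply disabled. set_ecdh_curve() wraps OBJ_sn2nid() and
# SSL_CTX_set_tmp_ecdh() and raises ValueError when the name is unknown.
def set_eecdh_curve(ctx: ssl.SSLContext, curve: str) -> bool:
    if not ssl.HAS_ECDH:
        return False
    try:
        ctx.set_ecdh_curve(curve)
    except ValueError:
        print('warning: unknown curve "%s": disabling EECDH support' % curve)
        return False
    return True

# The "DTRT" rule: with no DH parameters configured, drop every ephemeral-DH
# suite using the precise "!kEDH" (not "!DH"), regardless of the cipherlist.
def effective_cipherlist(configured: str, dh_param_file: Optional[str]) -> str:
    return configured if dh_param_file else configured + ":!kEDH"

# OpenSSL's one-line cipher description shows "Kx=DH" for suites that need
# temporary DH parameters; ECDHE suites show "Kx=ECDH" instead.
def needs_tmp_dh(cipher: dict) -> bool:
    return re.search(r"\bKx=DH\b", cipher["description"]) is not None

def dhe_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    return [c["name"] for c in ctx.get_ciphers() if needs_tmp_dh(c)]

def build_server_context(cipherlist: str, dh_param_file: Optional[str],
                         curve: str = "prime256v1") -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(effective_cipherlist(cipherlist, dh_param_file))
    except ssl.SSLError:
        # Wagner's caveat: excluding kEDH can leave an empty list (a DHE-only
        # cipherlist with no parameters), which is a fatal configuration error.
        raise ValueError("no usable ciphers without DH parameters: %r" % cipherlist)
    if dh_param_file:
        ctx.load_dh_params(dh_param_file)   # hypothetical path, e.g. dh2048.pem
    set_eecdh_curve(ctx, curve)
    return ctx

if __name__ == "__main__":
    ctx = build_server_context("DEFAULT", None)
    print("DHE suites offered without DH params:", dhe_cipher_names(ctx))
```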