Request for comment on Anonymous, Encrypted SSL approach
Greetings, I've been searching for a way to set up an encrypted SSL connection that doesn't require the use of certificates. Ideally, I'd like to use SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly available, I'd like to fall back to setting up an anonymous but encrypted SSL connection over which I'll manually use SRP for authentication. The SRP portion I have a pretty good handle on but I'm not quite sure about the anonymous SSL portion. I found an anonymous diffie-hellman example by Josue Gomes a while back (http://www.josuegomes.com/dhsample.php) that seems to do exactly what I'd like. However, being anything but a security guru I'd appreciate it if someone in the know could clarify a few things for me and let me know if I'm on the right track. The following few lines are the relevant anonymous diffie-hellman calls distilled from Josue's client/server example. Server: DH* dh = DH_new(); DH_generate_parameters_ex(dh, 2, DH_GENERATOR_2, 0); DH_check(dh, codes); DH_generate_key(dh); SSL_CTX_set_tmp_dh(ctx, dh); SSL_CTX_set_cipher_list(ctx, ADH-AES256-SHA); Client: SSL_CTX_set_cipher_list(ctx, ADH-AES256-SHA); For the most part, this looks pretty straight-forward. I was wondering though if the manual DH generation is actually necessary. I was under the (mistaken?) impression that the DH keys were automatically generated by OpenSSL. Assuming that I do, in fact, need to generate them manually, are the generation parameters used here considered sufficient for general-purpose use or would an alternative set be preferable? Also, the DH_check seems odd. Is it possible for the DH_generate_parameters_ex to fail in such a way that it doesn't return an error code but that DH_check will catch? I've successfully implemented an OpenSSL client/server pair using the key lines mentioned above. However, the first rule in security is if you don't know what you're doing, get input from someone who does. I most certainly don't know what I'm doing here and would greatly appreciate a critique of this approach. Regards, Tom Cocagne __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Request for comment on Anonymous, Encrypted SSL approach
On 09/17/2010 04:40 PM, Tom Cocagne wrote: Greetings, I've been searching for a way to set up an encrypted SSL connection that doesn't require the use of certificates. Ideally, I'd like to use SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly available, I'd like to fall back to setting up an anonymous but encrypted SSL connection over which I'll manually use SRP for authentication. you may want to look at the openssl request tracker entry 1794 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Request for comment on Anonymous, Encrypted SSL approach
On Fri, Sep 17, 2010 at 10:40:45AM -0400, Tom Cocagne wrote: I've been searching for a way to set up an encrypted SSL connection that doesn't require the use of certificates. Ideally, I'd like to use SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly available, I'd like to fall back to setting up an anonymous but encrypted SSL connection over which I'll manually use SRP for authentication. The SRP portion I have a pretty good handle on but I'm not quite sure about the anonymous SSL portion. I found an anonymous diffie-hellman example by Josue Gomes a while back (http://www.josuegomes.com/dhsample.php) that seems to do exactly what I'd like. However, being anything but a security guru I'd appreciate it if someone in the know could clarify a few things for me and let me know if I'm on the right track. On the server-side don't configure any certificates, set the cipherlist to: aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH and configure DH parameters (generated once-only and stored in the file-system). On the client side, set the same cipherlist. The following few lines are the relevant anonymous diffie-hellman calls distilled from Josue's client/server example. Server: DH* dh = DH_new(); DH_generate_parameters_ex(dh, 2, DH_GENERATOR_2, 0); DH_check(dh, codes); DH_generate_key(dh); SSL_CTX_set_tmp_dh(ctx, dh); SSL_CTX_set_cipher_list(ctx, ADH-AES256-SHA); This is too expensive to do each time. For the most part, this looks pretty straight-forward. I was wondering though if the manual DH generation is actually necessary. I was under the (mistaken?) impression that the DH keys were automatically generated by OpenSSL. The keys are negotiated, but the prime-group needs to be set by the server in advance. Examples, for Postfix in: http://www.postfix.org/TLS_README.html#server_cipher If you want do enable EECDH support (OpenSSL 1.0.0 or later), the server should choose a suitable curve: http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve The underlying C code looks like: int nid; EC_KEY *ecdh; const char *curve; if ((nid = OBJ_sn2nid(curve)) == NID_undef) { msg_warn(unknown curve \%s\: disabling EECDH support, curve); return (0); } ERR_clear_error(); if ((ecdh = EC_KEY_new_by_curve_name(nid)) == 0 || SSL_CTX_set_tmp_ecdh(server_ctx, ecdh) == 0) { msg_warn(unable to use curve \%s\: disabling EECDH support, curve); tls_print_errors(); return (0); } -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org