Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2017-01-12 Thread Hubert Kario
On Friday, 16 September 2016 17:26:03 CET Hubert Kario wrote:
> I've been running tests on the openssl 1.1.0 release recently and I've
> noticed that if the client doesn't include the supported_groups extension,
> OpenSSL will pick curve with id 0x001d, that is ecdh_x25519, as the curve
> to do

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-19 Thread Hubert Kario
On Saturday, 17 September 2016 16:14:02 CEST David Benjamin wrote:
> On Sat, Sep 17, 2016 at 12:06 PM Viktor Dukhovni
> > wrote:
> > On Sat, Sep 17, 2016 at 03:46:53PM +, Salz, Rich wrote:
> > > > If a client offers ECDHE ciphers with no curve list, one might
> >

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-19 Thread Hubert Kario
On Friday, 16 September 2016 15:52:30 CEST Salz, Rich wrote:
> > The majority of servers (71%) support *only* prime256v1 curve and of the
> > ones that default to ECDHE key exchange nearly 83% will also default to
> > this curve.
>
> That's because most people have not moved to OpenSSL 1.1.0 yet.

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-17 Thread David Benjamin
On Sat, Sep 17, 2016 at 12:06 PM Viktor Dukhovni wrote:
> On Sat, Sep 17, 2016 at 03:46:53PM +, Salz, Rich wrote:
> > > > If a client offers ECDHE ciphers with no curve list, one might
> alternatively just
> > > use P-256. It is likely better than the other

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-17 Thread Viktor Dukhovni
On Sat, Sep 17, 2016 at 03:46:53PM +, Salz, Rich wrote:
> > If a client offers ECDHE ciphers with no curve list, one might
> > alternatively just
> > use P-256. It is likely better than the other choices. Most clients will
> > send a
> > curve list.
> > Most will, and I'd rather get

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-17 Thread Salz, Rich
> > In other words: only use ECDHE if client specifies a curve list. WFM.
> > If a client offers ECDHE ciphers with no curve list, one might alternatively
> just
> use P-256. It is likely better than the other choices. Most clients will
> send a
> curve list.

Most will, and I'd rather get

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-17 Thread Viktor Dukhovni
On Sat, Sep 17, 2016 at 02:35:20PM +, Salz, Rich wrote:
> > When we added X25519 to BoringSSL, we at the same time started made the
> > server require clients supply a curve list (and otherwise we'd just pick
> > a non-ECDHE cipher), because of this issue. That went in back in December
> >

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-17 Thread Salz, Rich
> When we added X25519 to BoringSSL, we at the same time started made the
> server require clients supply a curve list (and otherwise we'd just pick a
> non-ECDHE cipher), because of this issue. That went in back in December 2015
> and it's been running just fine. I'd recommend OpenSSL do the

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-16 Thread Blumenthal, Uri - 0553 - MITLL
On 9/16/16, 11:52, "openssl-dev on behalf of Salz, Rich" wrote:
>>OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised
>> by client.
>
>When I made X25519 the default, I didn't think about it. That was

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-16 Thread Michael Sierchio
On Fri, Sep 16, 2016 at 8:52 AM, Salz, Rich wrote:
...
That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not
> joking, I think that's a major reason.

Well, you've provided them with a reason. ;-) Srsly, thanks for not making the NIST curves the default.
-

Re: [openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-16 Thread Salz, Rich
> The majority of servers (71%) support *only* prime256v1 curve and of the
> ones that default to ECDHE key exchange nearly 83% will also default to this
> curve.

That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not joking, I think that's a major reason.

> OpenSSL 1.0.2h

[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

2016-09-16 Thread Hubert Kario
I've been running tests on the openssl 1.1.0 release recently and I've noticed that if the client doesn't include the supported_groups extension, OpenSSL will pick curve with id 0x001d, that is ecdh_x25519, as the curve to do ECDHE over. While this is not incorrect behaviour according to the