-
Notifications
You must be signed in to change notification settings - Fork 10.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support ECC curve other than 256-bit curve in gRPC SSL transport security #23083
Comments
This issue/PR has been automatically marked as stale because it has not had any update (including commits, comments, labels, milestones, etc) for 30 days. It will be closed automatically if no further update occurs in 7 day. Thank you for your contributions! |
Jiangtao and Mark, any update on this? |
Daniel, do you have a use case? |
@ZhenLian FYI |
We do have a potential use case. An ETA will be much appreciated. Thank you! |
use case of ed25519 |
Foremost, the link in the original issue seems out of date. This should point to
in ssl_transport_security.cc. It has been discussed more frequently about the key algorithms used in gRPC these days, so I spent some time to read the code/articles talking about this. Let me quickly summarize what I have found so far:
|
When the code was originally OpenSSL didn't have any support for automatically using one or a list of elliptic curves for the TLS ephemeral ECDH key, and instead required specifying one manually and P-256 was a reasonable choice. However, now next-generation cryptography guidance, such as CNSA Suite, recommends using ECC P-384 instead of P-256, so to provide interoperability with peers that only support ECC P-384, or more secure, then make OpenSSL use automatic curve selection out of a pre-defined list of appropriate curves. For OpenSSL 1.0.2 this is done by calling SSL_CTX_set_ecdh_auto, but for OpenSSL 1.1.0 and newer this is done just by not calling SSL_CTX_set_tmp_ecdh to force a particular curve. The default groups in OpenSSL and BoringSSL are all curves of equal or greater in bits of security than P-256, so using the extended set of groups doesn't open up an opportunity for a less secure curve to be used.
When the code was originally OpenSSL didn't have any support for automatically using one or a list of elliptic curves for the TLS ephemeral ECDH key, and instead required specifying one manually and P-256 was a reasonable choice. However, now next-generation cryptography guidance, such as CNSA Suite, recommends using ECC P-384 instead of P-256, so to provide interoperability with peers that only support ECC P-384, or more secure, then make OpenSSL use automatic curve selection out of a pre-defined list of appropriate curves. For OpenSSL 1.0.2 this is done by calling SSL_CTX_set_ecdh_auto, but for OpenSSL 1.1.0 and newer this is done just by not calling SSL_CTX_set_tmp_ecdh to force a particular curve. The default groups in OpenSSL and BoringSSL are all curves of equal or greater in bits of security than P-256, so using the extended set of groups doesn't open up an opportunity for a less secure curve to be used.
Right now, SSL transport security in gRPC only support 256-bit curve (hardcoded). See code. We shall revise to support more curves.
The text was updated successfully, but these errors were encountered: