v2.5.3: missing bits #302

Closed
hdatma opened this issue Apr 13, 2017 · 5 comments

hdatma commented Apr 13, 2017

Ref. https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt

  • Curve25519 Key Exchange support.

>openssl ecparam -list_curves | grep 25519
[empty]

  • libtls now handles 4 cipher suite groups:
    "secure" (TLSv1.2+AEAD+PFS)
    "compat" (HIGH:!aNULL)
    "legacy" (HIGH:MEDIUM:!aNULL)
    "insecure" (ALL:!aNULL:!eNULL)
    This allows for flexibility and finer grained control, rather than having
    two extremes (an issue raised by Marko Kreen some time ago).

>openssl ciphers TLSv1.2+AEAD+PFS
140736644547592:error:14FFF0B9:SSL routines:(UNKNOWN)SSL_internal:no cipher match:ssl_lib.c:1300:

@leonklingele

> openssl ecparam -list_curves | grep 25519
> [empty]

X25519 does not work the same as the other elliptical curves, so it is expected that it
will not show up under ecparam's list. Try the same openssl ecparam -list_curves
operation with OpenSSL 1.1.0, which also has X25519, and you will see the same result.

#114 (comment)


hdatma commented Apr 14, 2017

The fact that the specific EC does not work as other ECs does not justify the absence of the same from the listing of available ECs.

Concerning the second part of the OP, namely the listing of a cipher suite group, the error shows that something is wrong again in the same part of the code.

@4a6f656c
Contributor

X25519 is a function that uses Curve25519 to perform a Diffie-Hellman Key Exchange - it is not a generic Elliptic Curve and hence it does not fit into openssl(1)/libcrypto as one. If you believe otherwise, I'll review a diff that changes this behaviour.

Re the second part, libtls != libssl - if you use libtls and specify "secure" ciphers you will get TLSv1.2 ciphers with AEAD and PFS (the equivalent OpenSSL specification is "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE").

Can we close this now?

4a6f656c reopened this Apr 14, 2017

hdatma commented Apr 14, 2017

The OP is about the existence of a supported curve that does not appear in the actual list of curves.
Curve25519 is not a "generic" EC? So what? List it with the other curves anyway. Each listed curve has a comment that qualifies it. Just add a comment saying whatever it is that you want to say.

Re the second part. I did not use libtls. I just used the default command to list a cipher suite group, using the group specification from the official LibreSSL release note. The OpenBSD community is rather careful when writing documentation.

> Can we close this now?

Fuck yeah.

hdatma closed this as completed Apr 14, 2017

@leonklingele

@hdatma Curve25519 is a generic curve, but X25519 isn't. X25519 uses Curve25519 as its underlying elliptic curve to perform a DH key exchange. X25519 only uses the X-coordinate, hence its name.
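
The distinction drawn in the comment above, as an added example that is not part of the thread or of LibreSSL's code: X25519 as specified in RFC 7748, written in plain Python, takes and returns bare 32-byte strings and only ever decodes the x (u) coordinate. The names `x25519`, `BASE_POINT` and `_clamp` are chosen here, and the private keys in the demo are constructed.

```python
# Added illustration of RFC 7748 X25519. Not constant-time: do not use for real keys.
P = 2**255 - 19      # field prime of Curve25519
A24 = 121665         # (486662 - 2) / 4, derived from the Montgomery coefficient A
BASE_POINT = (9).to_bytes(32, "little")  # u-coordinate of the standard base point

def _clamp(k: bytes) -> int:
    # RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Map (32-byte scalar, 32-byte u-coordinate) to a 32-byte u-coordinate."""
    if len(k) != 32 or len(u) != 32:
        raise ValueError("X25519 inputs are exactly 32 bytes")
    scalar = _clamp(k)
    # Only u (the x-coordinate) is decoded; there is no y and no point object.
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):          # Montgomery ladder, one step per bit
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

if __name__ == "__main__":
    # Constructed private keys, for demonstration only.
    a_sk, b_sk = bytes(range(32)), bytes(range(32, 64))
    a_pk, b_pk = x25519(a_sk, BASE_POINT), x25519(b_sk, BASE_POINT)
    assert x25519(a_sk, b_pk) == x25519(b_sk, a_pk)
    print("shared secret:", x25519(a_sk, b_pk).hex())
```

The interface has no curve parameters, point encoding choice or y-coordinate to expose, which is the property the maintainers refer to when they say it does not fit the generic EC listing.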
