improve SSL_CTX_set_tlsext_ticket_key_cb ref impl #12063
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit 05df5c2
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
CLA: trivial
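To make the key-size implication of the change concrete, here is an added example (not code from this PR or from the OpenSSL man page) that models the structure of the man page's reference callback in Go with the standard library, using the sizes the change implies: a 16-byte key name, a 32-byte AES key for AES-256-CBC where EVP_aes_128_cbc() needed 16, and a 32-byte HMAC-SHA256 key. The ticket layout (name||iv||ciphertext||tag), the TicketKey and Ring types, NewTicketKey/Seal/Open and the sample state are assumptions made for this example; only the three status values follow the meaning OpenSSL gives the callback's return value when decrypting (0 unknown key name, 1 accepted, 2 accepted but re-issue the ticket).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// EVP_aes_256_cbc() consumes a 32-byte key where EVP_aes_128_cbc() consumed 16; the
// HMAC-SHA256 key stays 32 bytes. Status values follow OpenSSL's decrypt-side return
// codes: 0 unknown key name (full handshake), 1 accepted, 2 accepted but re-issue.
const (
	nameLen, aesKeyLen, hmacKeyLen      = 16, 32, 32
	StatusReject, StatusOK, StatusRenew = 0, 1, 2
)

// TicketKey is the per-key record a callback keeps; Ring adds the previous key,
// still accepted for decryption after rotation (both layouts are assumed here).
type TicketKey struct {
	Name    [nameLen]byte
	AESKey  [aesKeyLen]byte
	HMACKey [hmacKeyLen]byte
}
type Ring struct {
	Current  TicketKey
	Previous *TicketKey
}

// NewTicketKey fills the fixed-size record (name and both keys) from the CSPRNG.
func NewTicketKey() (k TicketKey, err error) {
	err = binary.Read(rand.Reader, binary.BigEndian, &k)
	return
}

// PKCS#7 padding; pkcs7Unpad expects a non-empty block-aligned input, which Open guarantees.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}
func pkcs7Unpad(b []byte) ([]byte, error) {
	n, p := len(b), int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(b[n-p:], bytes.Repeat(b[n-1:], p)) {
		return nil, errors.New("bad padding")
	}
	return b[:n-p], nil
}

// Seal models the enc == 1 branch: fresh IV, AES-256-CBC under the current key,
// HMAC-SHA256 over everything before the tag. Ticket layout: name||iv||ct||tag.
func Seal(r *Ring, state []byte) ([]byte, error) {
	k := &r.Current
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(k.AESKey[:]) // cannot fail: a 32-byte key selects AES-256
	padded := pkcs7Pad(append([]byte(nil), state...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(append(append([]byte{}, k.Name[:]...), iv...), ct...)
	mac := hmac.New(sha256.New, k.HMACKey[:])
	mac.Write(body)
	return mac.Sum(body), nil
}

// Open models the enc == 0 branch: match the key name, verify the MAC before
// touching the ciphertext, then decrypt. Returns the state and the status code.
func Open(r *Ring, ticket []byte) ([]byte, int, error) {
	ctLen := len(ticket) - nameLen - aes.BlockSize - sha256.Size
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return nil, StatusReject, errors.New("malformed ticket")
	}
	k, status := &r.Current, StatusOK
	if !bytes.Equal(ticket[:nameLen], k.Name[:]) {
		k, status = r.Previous, StatusRenew // older key: accept, but re-issue the ticket
	}
	if k == nil || !bytes.Equal(ticket[:nameLen], k.Name[:]) {
		return nil, StatusReject, nil // unknown name: not an error, the client gets a full handshake
	}
	body, tag := ticket[:len(ticket)-sha256.Size], ticket[len(ticket)-sha256.Size:]
	mac := hmac.New(sha256.New, k.HMACKey[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, StatusReject, errors.New("ticket MAC mismatch")
	}
	block, _ := aes.NewCipher(k.AESKey[:])
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, body[nameLen:nameLen+aes.BlockSize]).CryptBlocks(pt, body[nameLen+aes.BlockSize:])
	pt, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, StatusReject, err
	}
	return pt, status, nil
}
```

Seal and Open are plain functions, so the flow can be exercised from a test or a main of your own: seal under one key, move that key to Previous and install a new Current, and Open returns status 2 for the old ticket. In the C callback the same point shows up as buffer sizes: EVP_EncryptInit_ex() reads EVP_CIPHER_key_length() bytes from the key pointer, so a key buffer sized for EVP_aes_128_cbc() (16 bytes) is too short once the cipher becomes EVP_aes_256_cbc(), which is what "requiring longer keys" in the commit message refers to. Go's aes.NewCipher rejects a mismatched length; in C the caller has to guarantee it.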
Should a similar patch be prepared for OpenSSL_1_1_1-stable?
It's probably best to wait to prepare the 1.1.1 version until the version for master is done/approved, in case anything ends up changing in it. Also, it's interesting that the commit you linked only changed from AES128 to AES256, but left SHA256 instead of going up to SHA384 or SHA512 as is typically paired with AES256.
This matches the algorithms used in
Yes, they should be reviewed. @mattcaswell please take a look. I'm inclined to swap out sha256 for sha384, though to be honest I'm not entirely convinced we need to be using AES256 here. If we were all TLS 1.3 I'd be more solidly in the "go back to AES128" camp, but given how stateless tickets are used in earlier versions we may want the extra protection, to prevent future computing advances from allowing for decryption of previously captured encrypted traffic.
Also, thank you for noticing the discrepancy and submitting the patch! It is good that we are revisiting what we are actually using in
That is my inclination too. Let's go with that.
If we are talking about HMAC here, we are talking about preimage or second preimage attacks and there is absolutely no point in using anything stronger than SHA256 as that has 256 bit security against preimage and second preimage attacks.
Is there a consensus on next steps? Would you like me to extend this patch to update
Regardless of the discussion above this looks like an improvement to me, so I think we should approve as is. However I do think this goes beyond our definition of "CLA: trivial", so we will need a CLA. Needs second review.
Sorry for making this more complicated of a process than it needed to be!
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
CLA emailed to legal@opensslfoundation. Please let me know if you would like me to update the commit message in this pull request to remove the CLA: trivial tag. Thank you.
Close/reopen to kick CLA bot.
Close/reopen to kick CLA bot.
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit 05df5c2
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #12063)
Pushed to master. Thanks! @gstrauss - if you'd like to prepare a version for 1.1.1 then that would be helpful.
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit 05df5c2
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
(backport from openssl#12063)
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit 05df5c2
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
(backport from #12063)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #12391)