Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 #17763
Conversation
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common.
romen
added
branch: master
| @@ -567,7 +567,7 @@ sub testssl { | |||
|
|
|||
| ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), | |||
| 'test tls1 with PSK via BIO pair'); | |||
| } | |||
| } | |||
There was a problem hiding this comment.
The indentation of the SKIP: { blocks and related closing braces is a bit wonky throughout the file.
A pass could be done to improve the indentation, but I am likely not the right person because I don't fully grasp the convention used for our Perl test recipes.
I can do such a pass in this file if requested, but I would need guidance from @mattcaswell
…EL >= 3 Align option explanations
paulidale
added
approval: review pending
beldmit
added
approval: done
…r SECLEVEL >= 3 Add CHANGES entry: credits to Dmitry Belyavskiy for reporting the issue and proposing the resolution, myself for the final implementation and work on tests.
I pushed a fixup commit with a CHANGES entry. @beldmit @paulidale can you rereview? |
| to the list of ciphersuites providing Perfect Forward Secrecy as | ||
| required by SECLEVEL >= 3. | ||
|
|
||
| *Dmitry Belyavskiy, Nicola Tuveri* |
There was a problem hiding this comment.
Not sure about the order because you did almost all work.
There was a problem hiding this comment.
I stand by it: you reported the issue, proposed its resolution to the OTC, and the work we did independently to implement the actual change is virtually identical.
|
The origin branch on my github fork is reporting failures in the compiler-zoo and windows work flows, but they seem to be due to GitHub timeouts rather than build errors under our control. |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
|
@paulidale please reconfirm |
paulidale
added
approval: ready to merge
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17763)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17763)
|
Merged to
Merged to
Backport to |
|
Thanks everyone for all the feedback! |
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17763) (cherry picked from commit 66914fc)
This is an alternative to #17759 to fix #17743.
It comprises 3 commits:
SSL_kE(EC)?DHwithSSL_k(EC)?DHE, as it the latter spelling is more common and familiar to internal and external developers. Each pair is already reported as aliases in our headers:openssl/ssl/ssl_local.h
Lines 165 to 172 in a044af4
SSL_kDHEPSKandSSL_kECDHEPSKflags to the PFS check for SECLEVEL >= 3The test commit further revises the test binary to improve the
-helpdocumentation, syncing it with the actual behavior (e.g., the default is-dhe2048not-dhe1024;-tls1_2is a supported option, but was not documented as such), and also adds support (and documentation) for-tls1_1and for well-known 4096-bit DH parameters.-dhe4096is added because 2048-bit parameters fail to meet the requirement for >=128 security bitsChecklist