httpd and Curve25519 (X25519)


httpd and Curve25519 (X25519)

Bryan
OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
when `tls ecdhe "auto"` is used in the server configuration.

Is it possible to configure httpd to use only x25519?

Trying various ways of specifying this curve, "x25519", "X25519",
"curve25519", and "Curve25519" have been unsuccessful. This curve is
also not returned with `$ openssl ecparam -list_curves`. I believe I
read somewhere that Curve25519 is implemented differently than the
other elliptic curves and this is why it does not display with the
above command. However, somehow it is being utilized by httpd, and so I
wonder if there is a way to enforce the use of only this curve.


Re: httpd and Curve25519 (X25519)

Jacqueline Jolicoeur
On May 14 14:30, Bryan wrote:

> OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> when `tls ecdhe "auto"` is used in the server configuration.
>
> Is it possible to configure httpd to use only x25519?
>
> Trying various ways of specifying this curve, "x25519", "X25519",
> "curve25519", and "Curve25519" have been unsuccessful. This curve is
> also not returned with `$ openssl ecparam -list_curves`. I believe I
> read somewhere that Curve25519 is implemented differently than the
> other elliptic curves and this is why it does not display with the
> above command. However, somehow it is being utilized by httpd, and so I
> wonder if there is a way to enforce the use of only this curve.
>

Do the other short names in /usr/include/openssl/obj_mac.h work?


Re: httpd and Curve25519 (X25519)

Bryan
> Do the other short names in /usr/include/openssl/obj_mac.h work?

`tls ecdhe "X25519"` gives the OK to the configuration, but the site then fails to load in Chromium 58.0.3029.96 or Firefox 53.0.2, which should both have X25519 support.

`tls ecdhe "secp384r1"` gives the OK to the configuration, and the site loads fine in the above browsers, showing at least in Chromium curve "P-384" as the curve. I don't know if you can view the curve in use in Firefox.

`tls ecdhe "auto"` gives the OK to the configuration, and the site loads fine in the above browsers, showing in Chromium curve "X25519" as the curve. Again, I don't know if Firefox shows the curve in use.

`tls ecdhe "secp521r1"` gives the OK to the configuration, and the site loads fine in Firefox, but not Chromium (which does not support this curve).

So, secp384r1 and secp521r1 seem to work as expected.


Re: httpd and Curve25519 (X25519)

Bryan
> `tls ecdhe "X25519"` gives the OK to the configuration, but the site then fails to load in Chromium 58.0.3029.96 or Firefox 53.0.2, which should both have X25519 support.

A little more context.

`$ doas httpd -n` and `$ doas rcctl reload httpd` give the OK with either `tls ecdhe "x25519"` or `tls ecdhe "X25519"`

In /var/log/daemon and /var/log/messages it gives:

For `tls ecdhe "x25519"`:
httpd[99096]: server_tls_init: failed to set tls ecdhe curve: invalid ecdhe curve 'x25519'

For `tls ecdhe "X25519"`:
httpd[99096]: server_tls_init: failed to configure tls - failed to set ECDHE curve
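The point of the post above is that `httpd -n` and `rcctl reload` accept the curve name while the real failure only shows up in the daemon log. As an added example (not code from the thread or from OpenBSD), here is a small checker that flags `tls ecdhe` values which this thread reports as failing at runtime, and extracts `server_tls_init` failures from daemon log lines; the configuration text and log lines are constructed to match the formats quoted in the thread.

```python
import re

# Curve names the thread reports as both accepted by `httpd -n` and working
# at runtime on OpenBSD 6.1 ("auto" negotiates X25519 when the client offers it).
TESTED_OK = {"auto", "secp384r1", "secp521r1"}

# `tls ecdhe "name"` as written in httpd.conf (also matches `tls { ecdhe "name" }`).
ECDHE_RE = re.compile(r'\becdhe\s+"([^"]+)"')
# Daemon log entry emitted when server_tls_init cannot apply the TLS config.
FAIL_RE = re.compile(r'httpd\[(\d+)\]: server_tls_init: (failed to .*)$')


def check_ecdhe(conf_text):
    """Return (value, verdict) for every `tls ecdhe` directive in the config."""
    verdicts = []
    for value in ECDHE_RE.findall(conf_text):
        if value.lower() == "x25519":
            # Passes the parser but fails in server_tls_init on 6.1 (see log lines).
            verdict = "accepted by httpd -n, fails at server_tls_init"
        elif value in TESTED_OK:
            verdict = "ok"
        else:
            verdict = "untested"
        verdicts.append((value, verdict))
    return verdicts


def tls_init_failures(log_lines):
    """Return (pid, message) for each server_tls_init failure found in the log."""
    failures = []
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            failures.append((int(m.group(1)), m.group(2)))
    return failures


# Constructed sample input: two server blocks and two daemon log lines.
SAMPLE_CONF = '''
server "a.example" { listen on * tls port 443 tls ecdhe "auto" }
server "b.example" { listen on * tls port 443 tls ecdhe "X25519" }
'''
SAMPLE_LOG = [
    "May 14 15:01:02 host httpd[99096]: server_tls_init: failed to set tls ecdhe curve: invalid ecdhe curve 'x25519'",
    "May 14 15:03:10 host httpd[99096]: server_tls_init: failed to configure tls - failed to set ECDHE curve",
    "May 14 15:03:11 host httpd[99096]: startup",
]

if __name__ == "__main__":
    for value, verdict in check_ecdhe(SAMPLE_CONF):
        print(f'tls ecdhe "{value}": {verdict}')
    for pid, msg in tls_init_failures(SAMPLE_LOG):
        print(f"httpd[{pid}]: {msg}")
```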


Re: httpd and Curve25519 (X25519)

Joel Sing-3
In reply to this post by Bryan
On Sunday 14 May 2017 14:30:55 Bryan wrote:
> OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> when `tls ecdhe "auto"` is used in the server configuration.
>
> Is it possible to configure httpd to use only x25519?

Not currently.
 
> Trying various ways of specifying this curve, "x25519", "X25519",
> "curve25519", and "Curve25519" have been unsuccessful. This curve is
> also not returned with `$ openssl ecparam -list_curves`. I believe I
> read somewhere that Curve25519 is implemented differently than the
> other elliptic curves and this is why it does not display with the
> above command. However, somehow it is being utilized by httpd, and so I
> wonder if there is a way to enforce the use of only this curve.

It is on the TODO list - there is a change needed to libtls, which will then
allow httpd to specify which EC curves are to be enabled for TLS key exchange
(including X25519).


Re: httpd and Curve25519 (X25519)

Bryan
> > OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> > Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> > when `tls ecdhe "auto"` is used in the server configuration.
> >
> > Is it possible to configure httpd to use only x25519?

> Not currently.

> > Trying various ways of specifying this curve, "x25519", "X25519",
> > "curve25519", and "Curve25519" have been unsuccessful. This curve is
> > also not returned with `$ openssl ecparam -list_curves`. I believe I
> > read somewhere that Curve25519 is implemented differently than the
> > other elliptic curves and this is why it does not display with the
> > above command. However, somehow it is being utilized by httpd, and so I
> > wonder if there is a way to enforce the use of only this curve.

> It is on the TODO list - there is a change needed to libtls, which will then
> allow httpd to specify which EC curves are to be enabled for TLS key exchange
> (including X25519).

Thanks for the information. The "auto" setting is using a nice
selection of curves and prioritizing X25519, but it will be nice to
have the ability to specify only X25519 (or another).


Re: httpd and Curve25519 (X25519)

Kevin Chadwick-4
It would be nice, but thought that I would add that the criticism of
secp256r1 in the eyes of some major cryptographers has moved from far-fetched
but being unable to disprove the criticism to making no practical
sense of being true.

On 17 May 2017 19:05, "Bryan" <[hidden email]> wrote:

> > > OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> > > Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> > > when `tls ecdhe "auto"` is used in the server configuration.
> > >
> > > Is it possible to configure httpd to use only x25519?
>
> > Not currently.
>
> > > Trying various ways of specifying this curve, "x25519", "X25519",
> > > "curve25519", and "Curve25519" have been unsuccessful. This curve is
> > > also not returned with `$ openssl ecparam -list_curves`. I believe I
> > > read somewhere that Curve25519 is implemented differently than the
> > > other elliptic curves and this is why it does not display with the
> > > above command. However, somehow it is being utilized by httpd, and so I
> > > wonder if there is a way to enforce the use of only this curve.
>
> > It is on the TODO list - there is a change needed to libtls, which will then
> > allow httpd to specify which EC curves are to be enabled for TLS key exchange
> > (including X25519).
>
> Thanks for the information. The "auto" setting is using a nice
> selection of curves and prioritizing X25519, but it will be nice to
> have the ability to specify only X25519 (or another).