Re: SSL Server setup DH/ECDH

Hi Matt,

I tried the following code but it is crashing at SSL_CTX_set_ciphersuites:
#include <openssl/ssl.h>

s_ctx = SSL_CTX_new(TLS_method());
if (s_ctx == NULL)          /* SSL_CTX_new() can fail; a NULL context must not be used */
    return -1;
SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
if (SSL_CTX_set_ciphersuites(s_ctx, "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384") != 1)
    return -1;              /* returns 1 on success, 0 if the list could not be set */

In the debugger I noticed:

s_ctx->cipher_list and cipher_list_by_id are both NULL.
However, tls13_ciphersuites is populated.
Further, update_cipher_list, which is called by SSL_CTX_set_ciphersuites, tries to delete this cipher_list and hence crashes?

Any pointers on what I am missing?

-Thanks



On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:


On 06/08/2019 14:58, Chitrang Srivastava wrote:
> Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.
> So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses 
> TLS_1_3_AES_256_SHA_384.
> While without that it uses TLS_1_3_AES_128_SHA_256, which is better in terms of
> performance.

Ah! Right - now I understand.

So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the
server's ordering of ciphersuites over the client's. With that option set
it will use the first ciphersuite that is in the server's list that is also in
the client's list. Without the option set it will use the first ciphersuite that is in
the client's list that is also in the server's list. Server operators often
prefer this because it gives more control over which ciphersuite ultimately gets
used. But that's only really useful if you also look at the list of configured
ciphersuites and make sure they are in your preferred order! Otherwise the
option is fairly pointless!

For TLSv1.3 the default list is:

#   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                    "TLS_CHACHA20_POLY1305_SHA256:" \
                                    "TLS_AES_128_GCM_SHA256"

If you want a different order you can use the functions
SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html

Matt

>
> Thanks very much,
> Chitrang
>
> Tuesday, August 6, 2019, Matt Caswell <matt@xxxxxxxxxxx> wrote:
>
>
>
>     On 06/08/2019 12:20, Chitrang Srivastava wrote:
>     > Noticed that if I set SSL_OP_CIPHER_SERVER_PREFERENCE, TLS_1_3_AES_256_SHA_384
>     > is being used, while without that AES_128_SHA256 is being used, and I see the
>     > client (Chrome) send this as first preference.
>     > Is there any way I can always prefer the AES-128-SHA256 cipher suite of TLS 1.3?
>
>     Hmmm...are you sure?
>
>     Those names don't look like OpenSSL names for those ciphersuites. I guess you
>     mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3
>     ciphersuite and the latter is for TLSv1.2 and below. They are mutually
>     exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2 ciphersuites and
>     vice versa.
>
>     SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
>     negotiated. OpenSSL negotiates the version *first* before deciding what
>     ciphersuite to use. So it should not be the case that
>     SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite to be used
>     when a TLSv1.2 ciphersuite was used without it.
>
>     Matt
>
>
>     >
>     > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
>     >
>     >
>     >
>     >     On 06/08/2019 11:21, Chitrang Srivastava wrote:
>     >     > Yes, since in my case mostly a browser will be used to access the
>     >     > webserver running on an embedded platform.
>     >     > Another question: since my webserver is running on an embedded platform and
>     >     > it has limited memory, I have disabled ARIA/CAMELLIA and a few others. Is
>     >     > that OK? Because I don't see any cipher suites which are used in practice.
>     >
>     >     Yes, that should be fine.
>     >
>     >     Matt
>     >
>     >     >
>     >     >
>     >     >
>     >     > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
>     >     >
>     >     >
>     >     >
>     >     >     On 06/08/2019 11:07, Chitrang Srivastava wrote:
>     >     >     > Thanks Matt,
>     >     >     >
>     >     >     > So now I have, which i believe is enough ?
>     >     >     >
>     >     >     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
>     >     >     > SSL_OP_CIPHER_SERVER_PREFERENCE);
>     >     >     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>     >     >
>     >     >     This is fine although it obviously prevents connections from very old
>     >     >     clients that don't support TLSv1.2. This might not be a problem for you
>     >     >     depending on your situation.
>     >     >
>     >     >     Matt
>     >     >
>     >     >     >
>     >     >     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     >     >     >     > Hi,
>     >     >     >     >
>     >     >     >     > I am implementing an HTTPS server using OpenSSL 1.1.1b.
>     >     >     >     > Is it mandatory to set up these APIs while creating the SSL context?
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_tmp_ecdh
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_tmp_dh
>     >     >     >
>     >     >     >     By default OpenSSL will automatically use ECDH if appropriate and
>     >     >     >     choose a suitable group so there is no need to call
>     >     >     >     SSL_CTX_set_tmp_ecdh() unless you want more control over which
>     >     >     >     specific group is used.
>     >     >     >
>     >     >     >     OpenSSL will not use DH unless you specifically configure it. If you
>     >     >     >     want to make use of DH based ciphersuites then you must either call
>     >     >     >     SSL_CTX_set_tmp_dh() or SSL_CTX_set_dh_auto() (or the SSL_*
>     >     >     >     equivalents). Calling the former enables you to configure any
>     >     >     >     arbitrary DH group that you choose. Calling the latter will enable
>     >     >     >     the built-in DH groups.
>     >     >     >
>     >     >     >     It is not mandatory to call any of the above.
>     >     >     >
>     >     >     >     >
>     >     >     >     > Also, any suggestion on what options one should set while
>     >     >     >     > setting up the server, like SSL_CTX_set_options with
>     >     >     >     > SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3?
>     >     >     >
>     >     >     >     Don't use the protocol version specific options at all. Use
>     >     >     >     SSL_CTX_set_min_proto_version() if you want to specify a minimum
>     >     >     >     protocol version. SSLv2 is no longer supported at all. SSLv3 is
>     >     >     >     compiled out by default.
>     >     >     >
>     >     >     >     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION
>     >     >     >     and (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't
>     >     >     >     need the others unless there is a specific problem you are trying to
>     >     >     >     solve.
>     >     >     >
>     >     >     >     Matt
>     >     >     >
>     >     >
>     >
>
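
The context setup the thread converges on (TLSv1.2 minimum, SSL_OP_NO_RENEGOTIATION, SSL_OP_CIPHER_SERVER_PREFERENCE, an explicit ciphersuite order) and the selection rule Matt describes, as an added example that is not code from the thread or from OpenSSL. It uses Python's standard ssl module, which wraps OpenSSL, and assumes the interpreter is linked against OpenSSL 1.1.1 or later. The client preference list and the TLSv1.2 suite string are constructed for illustration. The ssl module has no wrapper for SSL_CTX_set_ciphersuites(), so the TLSv1.3 reordering is shown with a small model of the selection rule, while the TLSv1.2 order, the options and the minimum version are read back from a real SSLContext.

```python
"""Added example (not code from the thread): build a server context the way
the thread recommends and check the ciphersuite order that results.

Assumptions: Python's ssl module is linked against OpenSSL >= 1.1.1; the client
order below is constructed (Chrome-like, AES-128-GCM first), not captured.
"""
import ssl

# TLSv1.3 suites OpenSSL enables by default, in the default order quoted in
# the thread (TLS_DEFAULT_CIPHERSUITES).
OPENSSL_DEFAULT_TLS13 = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

# The order the poster wants: AES-128-GCM first, for performance on the
# embedded box. In C this is what SSL_CTX_set_ciphersuites() would be given.
PREFERRED_TLS13 = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# Constructed client preference list (Chrome-like order, AES-128-GCM first).
CLIENT_TLS13 = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
]

# Constructed TLSv1.2 list for the server, already in preferred order.
TLS12_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)


def negotiated_suite(server_order, client_order, server_preference):
    """Model of the selection rule described in the thread.

    With SSL_OP_CIPHER_SERVER_PREFERENCE the server walks *its* list and takes
    the first suite the client also offered; without it, it walks the
    *client's* list and takes the first suite the server also supports.
    Returns None when the lists do not intersect (the handshake would fail).
    """
    if server_preference:
        return next((s for s in server_order if s in client_order), None)
    return next((c for c in client_order if c in server_order), None)


def make_server_context():
    """Server context with the options the thread settled on.

    set_ciphers() maps to SSL_CTX_set_cipher_list() (TLSv1.2 and below). The
    ssl module has no wrapper for SSL_CTX_set_ciphersuites(), so OpenSSL's
    default TLSv1.3 order stays in effect in this context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # SSL_CTX_set_min_proto_version
    ctx.options |= ssl.OP_NO_RENEGOTIATION             # SSL_OP_NO_RENEGOTIATION
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE     # SSL_OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(TLS12_CIPHER_LIST)                 # SSL_CTX_set_cipher_list
    return ctx


def check_server_context(ctx):
    """Read the settings back so they can be verified rather than assumed."""
    return {
        "min_version_tls12": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "no_renegotiation": bool(ctx.options & ssl.OP_NO_RENEGOTIATION),
    }


def configured_order(ctx):
    """Suite names from SSL_CTX_get_ciphers(), split into TLSv1.3 and older.

    OpenSSL names every TLSv1.3 suite TLS_...; TLSv1.2 suites keep the
    traditional names, so the prefix is enough to separate the two lists.
    """
    names = [c["name"] for c in ctx.get_ciphers()]
    tls13 = [n for n in names if n.startswith("TLS_")]
    older = [n for n in names if not n.startswith("TLS_")]
    return tls13, older


if __name__ == "__main__":
    ctx = make_server_context()
    tls13, older = configured_order(ctx)
    print("settings      :", check_server_context(ctx))
    print("TLSv1.3 order :", tls13)
    print("TLSv1.2 order :", older)
    # What the poster saw: server preference + default order picks AES-256.
    for pref in (False, True):
        print("default order, server_preference=%s -> %s"
              % (pref, negotiated_suite(OPENSSL_DEFAULT_TLS13, CLIENT_TLS13, pref)))
    # The fix: reorder the server's list, then server preference picks AES-128.
    print("reordered, server_preference=True -> %s"
          % negotiated_suite(PREFERRED_TLS13, CLIENT_TLS13, True))
```

Running it reproduces the thread's observation: with OpenSSL's default TLSv1.3 order, enabling server preference moves the result from TLS_AES_128_GCM_SHA256 (the client's first choice) to TLS_AES_256_GCM_SHA384 (the server's first choice), and reordering the server's list is what makes AES-128-GCM win in both modes. The read-back in configured_order() is the check worth keeping in a C server too: call SSL_CTX_get_ciphers() after configuration and confirm the first entries are the ones you meant to prefer.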
