Re: SSL Server setup DH/ECDH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 07/08/2019 12:19, Chitrang Srivastava wrote:
> Hi Matt,
> 
> I tried following code but it is crashing @ *SSL_CTX_set_ciphersuites*
> s_ctx = SSL_CTX_new(TLS_method());
> SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
> SSL_CTX_set_ciphersuites(s_ctx,
> "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");
> 
> In the debugger I noticed 
> 
> s_ctx :: cipher_list & cipher_list_by_id are both NULL

Well, that is very strange. I just tried the code above and it works just fine
for me.

s_ctx->cipher_list, and s_ctx->cipher_lib_by_id should be populated in the
SSL_CTX_new call:

https://github.com/openssl/openssl/blob/c50fd0f959de5b256d8eefb8ad2a82fcdcb899c3/ssl/ssl_lib.c#L3091-L3101

So you should never have an SSL_CTX object without those things being set.

Matt


> However tls13_ciphersuites is populated.
> Further in update_cipher_list which is called by SSL_CTX_set_ciphersuites tries
> to delete this cipher_list and hence crash ?
> 
> Any pointer what I am missing?
> 
> -Thanks
> 
> 
> 
> On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <matt@xxxxxxxxxxx
> <mailto:matt@xxxxxxxxxxx>> wrote:
> 
> 
> 
>     On 06/08/2019 14:58, Chitrang Srivastava wrote:
>     > Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.
>     > So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses 
>     > TLS_1_3_AES_256_SHA_384.
>     > While without that it uses TLS_1_3_AES_128_SHA_256, which is better in
>     terms of
>     > performance.
> 
>     Ah! Right - now I understand.
> 
>     So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the
>     server's ordering of ciphersuites compared to the clients. With that option set
>     it will use the first ciphersuite that is in the server's list that is also in
>     the client's list. Without the set it will use the first ciphersuite that is in
>     the client's list that is also in the server's list. Server operators often
>     prefer this because it gives more control over which ciphersuite ultimately gets
>     used. But that's only really useful if you also look at this list of configured
>     ciphersuites and make sure they are in your preferred order! Otherwise the
>     option is fairly pointless!
> 
>     For TLSv1.3 the default list is:
> 
>     #   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
>                                         "TLS_CHACHA20_POLY1305_SHA256:" \
>                                         "TLS_AES_128_GCM_SHA256"
> 
>     If you want a different order you can use the functions
>     SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:
> 
>     https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
> 
>     Matt
> 
>     >
>     > Thanks very much,
>     > Chitrang
>     >
>     > Tuesday, August 6, 2019, Matt Caswell <matt@xxxxxxxxxxx
>     <mailto:matt@xxxxxxxxxxx>
>     > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>> wrote:
>     >
>     >
>     >
>     >     On 06/08/2019 12:20, Chitrang Srivastava wrote:
>     >     > Noticed that if I set  SSL_OP_CIPHER_SERVER_PREFERENCE,
>     >     TLS_1_3_AES_256_SHA_384
>     >     > is being used while without that
>     >     > AES_128_SHA256 is being used and I see client(Chrome) send this as first
>     >     preference.
>     >     > Is there anyway where I can always prefer AES-128-SHA256 cipher suite of
>     >     TLS 1.3?
>     >
>     >     Hmmm...are you sure?
>     >
>     >     Those names don't look like OpenSSL names for those ciphersuites. I
>     guess you
>     >     mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3
>     >     ciphersuite and the latter is for TLSv1.2 and below. They are mutually
>     >     exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2
>     ciphersuites and
>     >     vice versa.
>     >
>     >     SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
>     >     negotiated. OpenSSL negotiates the version *first* before deciding what
>     >     ciphersuite to use. So it should not be the case that
>     >     SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite
>     to be used
>     >     when a TLSv1.2 ciphersuite was used without it.
>     >
>     >     Matt
>     >
>     >
>     >     >
>     >     > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <matt@xxxxxxxxxxx
>     <mailto:matt@xxxxxxxxxxx>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>> wrote:
>     >     >
>     >     >
>     >     >
>     >     >     On 06/08/2019 11:21, Chitrang Srivastava wrote:
>     >     >     > Yes , since in my case mostly browser will be used to access
>     >     webserver running
>     >     >     > on embedded platform.
>     >     >     > Another question, since my webserver is running on embedded
>     platform and
>     >     >     it has
>     >     >     > limited memory , I have disabled
>     >     >     > ARIA/CAMELLIA  and few others, is that OK ? because I don't
>     see any
>     >     ciphers
>     >     >     > suites which is used in practice.
>     >     >
>     >     >     Yes, that should be fine.
>     >     >
>     >     >     Matt
>     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt@xxxxxxxxxxx
>     <mailto:matt@xxxxxxxxxxx>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>
>     >     >     > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>>> wrote:
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >     On 06/08/2019 11:07, Chitrang Srivastava wrote:
>     >     >     >     > Thanks Matt,
>     >     >     >     >
>     >     >     >     > So now I have, which i believe is enough ?
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
>     >     >     >     > SSL_OP_CIPHER_SERVER_PREFERENCE);
>     >     >     >     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>     >     >     >
>     >     >     >     This is fine although it obviously prevents connections from
>     >     very old
>     >     >     clients
>     >     >     >     that don't support TLSv1.2. This might not be a problem
>     for you
>     >     >     depending on
>     >     >     >     your situation.
>     >     >     >
>     >     >     >     Matt
>     >     >     >
>     >     >     >     >
>     >     >     >     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell
>     <matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>
>     >     >     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>>
>     >     >     >     > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>
>     >     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>
>     >     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>
>     <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>>>> wrote:
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     >     >     >     >     > Hi,
>     >     >     >     >     >
>     >     >     >     >     > I am implementing HTTPs server using openssl 1.1.1b.
>     >     >     >     >     > Is it mandatory to setup these API's while
>     creating ssl
>     >     context ?
>     >     >     >     >     >
>     >     >     >     >     > SSL_CTX_set_tmp_ecdh
>     >     >     >     >     >
>     >     >     >     >     > SSL_CTX_set_tmp_dh
>     >     >     >     >
>     >     >     >     >     By default OpenSSL will automatically use ECDH if
>     appropriate
>     >     >     and choose a
>     >     >     >     >     suitable group so there is no need to call
>     >     SSL_CTX_set_tmp_ecdh()
>     >     >     >     unless you
>     >     >     >     >     want more control over which specific group is used.
>     >     >     >     >
>     >     >     >     >     OpenSSL will not use DH unless you specifically
>     configure
>     >     it. If you
>     >     >     >     want to
>     >     >     >     >     make use of DH based ciphersuites then you must
>     either call
>     >     >     >     SSL_CTX_set_tmp_dh()
>     >     >     >     >     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents).
>     >     Calling the
>     >     >     >     former enables
>     >     >     >     >     you to configure any arbitrary DH group that you choose.
>     >     Calling the
>     >     >     >     latter will
>     >     >     >     >     enable the built-in DH groups.
>     >     >     >     >
>     >     >     >     >     It is not mandatory to call any of the above.
>     >     >     >     >
>     >     >     >     >     >
>     >     >     >     >     > Also any suggestion what all options one should
>     set while
>     >     >     setting up
>     >     >     >     >     server like
>     >     >     >     >     > SSL_CTX_set_options like SSL_OP_NO_SSLv2
>     |SSL_OP_NO_SSLv3
>     >     >     >     >
>     >     >     >     >     Don't use the protocol version specific options at
>     all. Use
>     >     >     >     >     SSL_CTX_set_min_proto_version() if you want to specify a
>     >     minimum
>     >     >     protocol
>     >     >     >     >     version. SSLv2 is no longer supported at all. SSLv3 is
>     >     compiled
>     >     >     out by
>     >     >     >     default.
>     >     >     >     >
>     >     >     >     >     Other options that are worth considering are
>     >     >     SSL_OP_NO_RENEGOTIATION and
>     >     >     >     >     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE.
>     Generally you
>     >     don't need
>     >     >     >     the others
>     >     >     >     >     unless there is a specific problem you are trying to
>     solve.
>     >     >     >     >
>     >     >     >     >     Matt
>     >     >     >     >
>     >     >     >
>     >     >
>     >
> 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux