On 17/11/2019 01:43, Rafael Ferrer wrote: > It's DTLS-OK according to IANA. > https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16 > > > I tested ED25519 certificates on TLS 1.2 and it worked fine. > > openssl s_server -port 4321 -cert server-cert.pem -key server-key.pem > -CAfile client-cert.pem -tls1_2 -sigalgs ed25519 > openssl s_client -bind localhost:1234 -connect localhost:4321 -cert > client-cert.pem -key client-key.pem -CAfile server-cert.pem -tls1_2 > -sigalgs ed25519 > > But I get a "no shared cipher" error (on the server) if I just replace > -tls1_2 with -dtls1_2 on those two commands. > > > The certs and keys are self-signed for both the server and client and > where generated by this command. > > openssl req -x509 -newkey ed25519 -subj "/CN=localhost" -nodes -addext > keyUsage=digitalSignature -keyout key.pem -out cert.pem > This is a really good question. Currently Ed25519 certificates are not supported in DTLS. The function ssl_set_masks() in ssl_lib.c has this code: /* Allow Ed25519 for TLS 1.2 if peer supports it */ if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN && TLS1_get_version(s) == TLS1_2_VERSION) mask_a |= SSL_aECDSA; Note, this explicitly checks for TLSv1.2 and only allows ED25519 if it is true. There is no equivalent code for DTLSv1.2. Technically getting it to support DTLSv1.2 is easy. We just amend the above line to additionally check for DTLSv1.2 and it should work. The question is, is that correct? EdDSA support for TLSv1.2 was specified in RFC8422. That RFC only has one mention of DTLS here: "IANA has assigned one value from the "TLS HashAlgorithm" registry for Intrinsic (8) with DTLS-OK set to true (Y) and this document as reference. This keeps compatibility with TLS 1.3." That's in reference to IANA TLS HashAlgorithm registry. But for the TLS SignatureAlgorithm registry it says this: "IANA has assigned two values in the "TLS SignatureAlgorithm" registry for ed25519 (7) and ed448 (8) with this document as reference. This keeps compatibility with TLS 1.3." This is in the paragraph before the other one, and there is no reference to ed25519/ed448 being "ok" for DTLS, and in fact there is no mention of DTLS anywhere else in this RFC. So, I'm slightly perplexed as to why the IANA registry says something different to this (i.e. DTLS is "ok" for ed25519/ed448). Is this an error in the IANA registry? Or is this an error in the RFC? Or is there some other RFC somewhere that specifies ed25519/ed448 usage in DTLS? I looked to see if there were any errata for RFC8422, but nothing looked relevant. Matt
