Re: Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.

[Matt Caswell <matt@xxxxxxxxxxx>]

On 01/07/2021 07:21, vinod mg wrote:
>     1) Supress or a way to remove secp521r1 from the currenlty installed
>     openssl.

You can specify the list of groups by calling SSL_CTX_set1_groups_list 
(or SSL_set1_groups_list) from your application. See:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html

>     2) Add the cipher - "0xbaba   TLS_GREASE_BA   GREASE" like we see in
>     chrome.

This is not a real cipher. It does nothing and is always ignored. 
OpenSSL does not support sending this value.

Matt


>     I am ok with custom install as well, if above cannot be done with
>     already installed openssl package. Please share any wiki I can
>     follow to impliment the same.
>
>     ~]# openssl ecparam -list_curves
>
>     secp224r1 : NIST/SECG curve over a 224 bit prime field
>
>     secp256k1 : SECG curve over a 256 bit prime field
>
>     secp384r1 : NIST/SECG curve over a 384 bit prime field
>
>     /secp521r1 : NIST/SECG curve over a 521 bit prime field/
>
>     prime256v1: X9.62/SECG curve over a 256 bit prime field
>
>
>     I am using below OS and version-
>
>     # cat /etc/redhat-release
>
>     Red Hat Enterprise Linux release 8.3 (Ootpa)
>
>
>     # opensslversion -a
>
>     OpenSSL 1.1.1g FIPS21 Apr 2020
>
>     built on: Thu Mar 25 16:46:53 2021 UTC
>
>     platform: linux-x86_64
>
>     options:bn(64,64) md2(char) rc4(16x,int) des(int) idea(int)
>     blowfish(ptr)
>
>     compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g
>     -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
>     -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
>     -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
>     -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
>     -fasynchronous-unwind-tables -fstack-clash-protection
>     -fcf-protection -Wa,--noexecstack
>     -Wa,--generate-missing-build-notes=yes
>     -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE
>     -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
>     -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
>     -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM
>     -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
>     -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY
>     -DDEVRANDOM="\"/dev/urandom\""
>     -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
>
>     OPENSSLDIR: "/etc/pki/tls"
>
>     ENGINESDIR: "/usr/lib64/engines-1.1"
>
>     Seeding source: os-specific
>
>     engines:rdrand dynamic
>
>
>     Really appriciate your time and help, thanks in advance.
>
>     Thanks,
>     Vinod