The docs are not the easiest to follow so here is what I did to order curves from strongest to weakest.

The file is /etc/pki/tls/openssl.conf and should be close to your settings. Set the curves to what you want as I did in the Curve line:

openssl_conf = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
Curves = P-521:P-384:P-256

On Fri, 2021-07-02 at 15:53 +0100, Matt Caswell wrote:
>
> On 02/07/2021 14:02, vinod mg wrote:
> > --> Is there a way I can compile openssl itself to exclude 'secp521r1'
> > and install? The reason I ask is because application I am testing is
> > squid (squid-cache.org <http://squid-cache.org>) for ssl bumping purposes
> > and it has limited configurability.
>
> Only by disabling *all* ec groups (via the "no-ec" configure option) but
> that is no solution at all really. I would not recommend that!
>
> You might try starting squid with the OPENSSL_CONF environment variable
> pointing to a custom OpenSSL config file. Assuming squid doesn't
> suppress loading the config file then you can do the same thing as
> SSL_CTX_set1_groups_list via the "Groups" SSL_CONF setting. See the info
> here on configuring OpenSSL SSL/TLS settings via config file (see the
> section "SSL Configuration Module"):
>
> https://www.openssl.org/docs/man1.1.1/man5/config.html
>
> And see the documentation on "Groups" on this page:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
>
> Matt
>
>
> > Thanks,
> > Vinod
> >
> > On Fri, Jul 2, 2021 at 4:32 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
> >
> >     On 01/07/2021 07:21, vinod mg wrote:
> >     > 1) Suppress or a way to remove secp521r1 from the currently installed
> >     > openssl.
> >
> >     You can specify the list of groups by calling SSL_CTX_set1_groups_list
> >     (or SSL_set1_groups_list) from your application. See:
> >
> >     https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
> >
> >     > 2) Add the cipher - "0xbaba TLS_GREASE_BA GREASE" like we see in
> >     > chrome.
> >
> >     This is not a real cipher. It does nothing and is always ignored.
> >     OpenSSL does not support sending this value.
> >
> >     Matt
> >
> >     > I am ok with custom install as well, if above cannot be done with
> >     > already installed openssl package. Please share any wiki I can
> >     > follow to implement the same.
> >     >
> >     > ~]# openssl ecparam -list_curves
> >     >   secp224r1 : NIST/SECG curve over a 224 bit prime field
> >     >   secp256k1 : SECG curve over a 256 bit prime field
> >     >   secp384r1 : NIST/SECG curve over a 384 bit prime field
> >     >   /secp521r1 : NIST/SECG curve over a 521 bit prime field/
> >     >   prime256v1: X9.62/SECG curve over a 256 bit prime field
> >     >
> >     > I am using below OS and version-
> >     >
> >     > # cat /etc/redhat-release
> >     > Red Hat Enterprise Linux release 8.3 (Ootpa)
> >     >
> >     > # openssl version -a
> >     > OpenSSL 1.1.1g FIPS  21 Apr 2020
> >     > built on: Thu Mar 25 16:46:53 2021 UTC
> >     > platform: linux-x86_64
> >     > options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
> >     > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g
> >     >   -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> >     >   -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
> >     >   -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> >     >   -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> >     >   -fasynchronous-unwind-tables -fstack-clash-protection
> >     >   -fcf-protection -Wa,--noexecstack
> >     >   -Wa,--generate-missing-build-notes=yes
> >     >   -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
> >     >   -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> >     >   -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> >     >   -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> >     >   -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM
> >     >   -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB
> >     >   -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\""
> >     >   -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
> >     > OPENSSLDIR: "/etc/pki/tls"
> >     > ENGINESDIR: "/usr/lib64/engines-1.1"
> >     > Seeding source: os-specific
> >     > engines:  rdrand dynamic
> >     >
> >     > Really appreciate your time and help, thanks in advance.
> >     >
> >     > Thanks,
> >     > Vinod
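The thread's two suggestions (drop secp521r1 from the group list, and do it through the config file's SSL Configuration Module rather than a custom build) are easy to get subtly wrong: the chain openssl_conf -> ssl_conf -> system_default has to resolve, and the list has to be in the order you intend. The following is an added example, not code from the thread or from OpenSSL, that audits such a config before it is handed to squid via OPENSSL_CONF. It parses a deliberately small subset of OpenSSL config syntax ([section] headers, key = value lines, '#' comments), follows the module chain, and reports whether a group you meant to remove is still listed and whether the list runs strongest to weakest. The section names, the sample config and the per-group strength figures are constructed here; "Curves" is accepted as a synonym for "Groups" because the SSL_CONF_cmd man page linked above documents it as one.

```python
"""Audit the TLS group list wired through an OpenSSL-style config file.

Added example, not part of the mailing-list thread. It does not call
OpenSSL; it only checks the text that OpenSSL would load via OPENSSL_CONF.
"""
import re

# Constructed sample config: same layout as the one posted in the thread,
# but with secp521r1 (P-521) removed from the preference list.
SAMPLE_CONF = """
# constructed example config
openssl_conf = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
Groups = P-384:P-256:X25519
"""

# OpenSSL accepts several names for the NIST prime curves; normalise them.
ALIASES = {
    "secp256r1": "P-256", "prime256v1": "P-256",
    "secp384r1": "P-384",
    "secp521r1": "P-521",
}
# Approximate security level in bits, used only to check list ordering.
STRENGTH_BITS = {"P-256": 128, "X25519": 128, "P-384": 192, "X448": 224, "P-521": 256}


def parse_openssl_conf(text):
    """Return {section: {key: value}}; keys before any header land in 'default'."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def resolve_groups(sections):
    """Follow openssl_conf -> ssl_conf -> system_default and return the group list."""
    modules = sections["default"]["openssl_conf"]
    ssl_section = sections[modules]["ssl_conf"]
    ctx_section = sections[ssl_section]["system_default"]
    ssl_cmds = sections[ctx_section]
    # "Curves" is documented as a synonym of "Groups" for SSL_CONF in 1.1.1.
    value = ssl_cmds.get("Groups") or ssl_cmds.get("Curves")
    if value is None:
        raise ValueError("no Groups/Curves entry in the SSL config section")
    return [ALIASES.get(g, g) for g in value.split(":")]


def audit_groups(groups, banned=("P-521",)):
    """Return (findings, ok): banned groups still present, unknown groups,
    and any place where a later group is stronger than an earlier one."""
    findings = []
    for g in groups:
        if g in banned:
            findings.append(f"banned group still enabled: {g}")
        if g not in STRENGTH_BITS:
            findings.append(f"unknown group (cannot rate): {g}")
    rated = [STRENGTH_BITS[g] for g in groups if g in STRENGTH_BITS]
    if any(a < b for a, b in zip(rated, rated[1:])):
        findings.append("groups are not ordered strongest to weakest: " + ":".join(groups))
    return findings, not findings


def audit_conf(text, banned=("P-521",)):
    """Parse, resolve and audit a config text; returns (groups, (findings, ok))."""
    groups = resolve_groups(parse_openssl_conf(text))
    return groups, audit_groups(groups, banned)


if __name__ == "__main__":
    groups, (findings, ok) = audit_conf(SAMPLE_CONF)
    print("effective groups:", ":".join(groups))
    print("OK" if ok else "\n".join(findings))
```

Run it against the real file you point OPENSSL_CONF at before restarting squid; the config posted at the top of the thread, which still lists P-521 first, is reported as a finding, while the constructed sample passes.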