
I want to ask how TLS decides on the key exchange algorithm (curve selection).

The communication between the client and the server is over TLS. The server is running on the same computer as the client and both have access to the same certificates. Both the client and server call SSL_CTX_set_cipher_list to set the cipher to ECDHE-ECDSA-AES128-GCM-SHA256.

The certificates and keys applied during communication were created with ecparam name_curve secp521r1.

When the server calls SSL_CTX_set_ecdh_auto everything works just fine. However, when the server tries to limit the curves to secp521r1 by calling SSL_CTX_set1_curves_list, the client can't connect. It seems that the curve secp521r1 is not used for ECDHE.

My question is why?

query

1 Answer


I like to use this web site to describe the TLS protocol.

When a client initially connects, it sends a "Client Hello" packet. In the packet is the section for "supported cipher suites" (see A.5 of the RFC). If the server doesn't support any of the supported cipher suites then it will reject the connection at that point.

From 7.4.1.2. Client Hello of the RFC:

The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first). Each cipher suite defines a key exchange algorithm, a bulk encryption algorithm (including secret key length), a MAC algorithm, and a PRF. The server will select a cipher suite or, if no acceptable choices are presented, return a handshake failure alert and close the connection. If the list contains cipher suites the server does not recognize, support, or wish to use, the server MUST ignore those cipher suites, and process the remaining ones as usual.

So most likely you have restricted the server options down to what the clients don't support. If the client supported ECDHE-ECDSA-AES128-GCM-SHA256 then it should have worked. I'm also assuming you didn't disable the other required cipher suites needed as well (e.g. bulk encryption algorithm, etc.).

UPDATE: I can't say I understand what is happening but looking through the openssl source code, the SSL_CTX_set1_curves_list API is not exposed to the openssl command line in any option I can find.

openssl does expose the "-named_curve" option:

-named_curve curve Specifies the elliptic curve to use. NOTE: this is single curve, not a list.

Note: this only affects servers, not clients.

This uses the SSL_CTX_set_tmp_ecdh / SSL_set_tmp_ecdh API. This makes more sense to me in what you are talking about above to limit ECDH options. I normally expose this API to my options on the server side.

Shane Powell
  • My point is that because the client and server run on the same computer and have access to the same openssl and certificate store, then actually the server should not be able to restrict the client, as all is available. The server and the client loaded the same cipher list, use the same certificate with a key created with the same curve. But when the server specifies this curve in SSL_CTX_set1_curves_list(ctx, "P-521") then it doesn't work. The SSL_CTX_set_ecdh_auto makes it work. So it means that the curve P-521 aka secp521r1 is not accepted. Why? I used it for certificates. – query Feb 01 '19 at 22:51
  • I don't know then. You do know that what you are setting has nothing to do with the certificates used, but with the DH key exchange only. Specifically ECDH key exchange. – Shane Powell Feb 01 '19 at 23:07
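
One thing to check in a situation like the one in this thread is which curves the client actually offered: in TLS 1.2 the client lists them in the supported_groups extension of the ClientHello, and an ECDHE suite can only be selected if the server's curve list shares an entry with that list. The following is an added example, not code from the question, the answer or OpenSSL; the ClientHello bytes are constructed, the function names are hypothetical, and it assumes the server picks by its own preference order.

```python
import struct

# IANA "TLS Supported Groups" code points (RFC 8422)
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
SUPPORTED_GROUPS_EXT = 10  # extension type, formerly "elliptic_curves"

def build_client_hello(groups, suites=(0xC02B,)):
    """Constructed sample: TLS 1.2 ClientHello (handshake layer) offering `groups`."""
    glist = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", SUPPORTED_GROUPS_EXT, len(glist) + 2, len(glist)) + glist
    slist = b"".join(struct.pack("!H", s) for s in suites)  # 0xC02B = ECDHE-ECDSA-AES128-GCM-SHA256
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session_id
            + struct.pack("!H", len(slist)) + slist        # cipher_suites
            + b"\x01\x00"                                  # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)           # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body

def client_groups(hello):
    """Return the group ids from supported_groups, in the client's order."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                                       # header, version, random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]     # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos + 2 > end:
        return []                                          # no extensions at all
    ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if etype == SUPPORTED_GROUPS_EXT:
            n = struct.unpack_from("!H", hello, pos)[0]
            raw = hello[pos + 2:pos + 2 + n]
            return [g for (g,) in struct.iter_unpack("!H", raw)]
        pos += elen
    return []

def negotiate(server_groups, hello):
    """Name of the first server-listed group the client also offered, else None."""
    offered = client_groups(hello)
    for g in server_groups:
        if g in offered:
            return GROUPS.get(g, hex(g))
    return None  # no shared curve: an ECDHE suite cannot be used
```

A `None` result with only ECDHE suites enabled corresponds to the handshake failure alert described in the RFC text quoted in the answer.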