On Saturday 04 February 2017 15:51:02 Andreas Bartelt wrote:
> On 02/04/17 05:26, Joel Sing wrote:
> > On Wednesday 01 February 2017 15:41:29 Andreas Bartelt wrote:
> >> Hello,
> >>
> >> after reading the LibreSSL announcement from today, I assumed that
> >> specifying ecdhe "auto" in /etc/httpd.conf would enable X25519, P-256
> >> and P-384 on current.
> >
> > This is correct.
> >
> >> I've noticed that "auto" enables only curves x25519 and P-256 (which is
> >> what I'd want to use - but somehow unexpected with regard to the
> >> announcement).
> >
> > Why do you believe this is the case?
>
> Tested with a build of today's current:
> - httpd started with ecdhe "auto" in /etc/httpd.conf
> - then trying to connect via openssl s_client with -groups P-384 option
>   doesn't negotiate a cipher suite.
>
> However, specifying -groups P-256 works. I don't know how to specify
> x25519 with OpenBSD's openssl s_client (it's not yet listed in openssl
> ecparam -list_curves output) but SSL Labs successfully negotiates via
> x25519 and P-256 (but not P-384). P-384 doesn't seem to be enabled with
> "auto".

You can just specify X25519 as a group - it will not appear in `openssl
ecparam -list_curves' since it is not a standard EC curve.

> Another confusing test result:
> - httpd started with ecdhe "secp384r1" (P-384)
> - then trying to connect via openssl s_client with -groups P-384 option
>   also doesn't negotiate a cipher suite!
>
> However, SSL Labs successfully connects to httpd and confirms support
> for secp384r1.
>
> Can you reproduce this?

No, it works correctly for me (OpenBSD -current, amd64).

With "tls ecdhe auto":

$ for group in X25519 P-256 P-384; do openssl s_client -connect localhost:443 -groups $group </dev/null 2>&1 | grep 'Server Temp Key:'; done
Server Temp Key: ECDH, X25519, 253 bits
Server Temp Key: ECDH, P-256, 256 bits
Server Temp Key: ECDH, P-384, 384 bits

With "tls ecdhe secp384r1":

$ for group in X25519 P-256 P-384; do openssl s_client -connect localhost:443 -groups $group </dev/null 2>&1 | grep 'Server Temp Key:'; done
Server Temp Key: ECDH, P-384, 384 bits

> >> Diff is attached which clarifies the meaning of "auto" in httpd.conf.5.
> >
> > There are some documentation improvements that could be used here, however
> > the meaning of auto for httpd.conf.5 needs to refer to the meaning of
> > "auto" for libtls (currently tls_config_set_ecdhecurve()). Otherwise
> > libtls changes and httpd becomes out of date.
> >
> >> There currently seems to be no way to explicitly specify x25519, or to
> >> specify multiple colon separated curves with the ecdhe statement. Would
> >> it make sense to change semantics and make the ecdhe statement in
> >> httpd.conf consistent with the recent changes to openssl s_client
> >> -groups (e.g., to also allow more common names like P-256 instead of
> >> prime256v1)?
> >
> > Yes - tls_config_set_ecdhecurve() needs to change to accept the same
> > colon-separated list of priority-ordered curve names that
> > SSL_set1_curves_list() accepts.
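The per-group s_client loop in the reply above is the right way to check what a server's ecdhe setting actually accepts, because the client's -groups list is the only thing that decides which key share the server can pick. The following is an added example, not code from the thread or from OpenBSD: it wraps that loop so it can be pointed at any host:port with any list of groups, and it classifies each result instead of relying on a bare grep, so a handshake failure for an unaccepted group (the P-384 case Andreas saw) is reported explicitly rather than as a silently missing line. It assumes an openssl(1) whose s_client understands -groups (LibreSSL, or OpenSSL 1.1.1 and later) and that the server prints a "Server Temp Key:" line on success; the sample outputs in the block are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): probe which ECDHE groups a TLS server
# accepts, one s_client connection per group, and classify each result.
# Assumes an openssl(1) whose s_client understands -groups (LibreSSL, or
# OpenSSL 1.1.1+). HOST:PORT and the group names are the caller's choice.

# classify_s_client OUTPUT
# Prints "ok <temp key description>" when s_client printed a Server Temp Key
# line (the handshake completed with a key share in the offered group), or
# "fail" when it did not (handshake failure, connection refused, ...).
classify_s_client() {
    key=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: //p' | head -n 1)
    if [ -n "$key" ]; then
        printf 'ok %s\n' "$key"
    else
        printf 'fail\n'
    fi
}

# probe_groups HOST:PORT GROUP...
# One line per group: "<group><TAB><classification>". Keeps going after a
# failed group so the full picture of what the server accepts is printed.
probe_groups() {
    hostport=$1
    shift
    for group in "$@"; do
        out=$(openssl s_client -connect "$hostport" -groups "$group" </dev/null 2>&1) || true
        printf '%s\t%s\n' "$group" "$(classify_s_client "$out")"
    done
}

# Constructed sample output (not a real capture) so the classifier can be
# exercised without a server: a successful P-384 handshake and a failed one.
SAMPLE_OK='CONNECTED(00000003)
---
Server Temp Key: ECDH, P-384, 384 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
no peer certificate available'

# Usage against a live server, e.g. an httpd(8) with "tls ecdhe auto":
#   probe_groups localhost:443 X25519 P-256 P-384
# With "tls ecdhe auto" all three lines should read "ok ..."; with
# "tls ecdhe secp384r1" only the P-384 line should.
```

Offering one group per connection is deliberate: if the client offered X25519:P-256:P-384 in a single run, the server would simply pick its most preferred shared group and the output would say nothing about the others. The same probe also tells you whether a server still accepts a group you meant to disable, which is the direction of the check that matters once ecdhe is narrowed to a single curve.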