Single ECDH Curve for forward secrecy

Mon Feb 3 17:00:03 CET 2020

Hello again,

I've tried one ugly patch now to try to mitigate the "problem":

diff --git a/src/main/tls.c b/src/main/tls.c
index 78c7370a63..8d9e94ff3e 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3310,9 +3310,9 @@ post_ca:
         */
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 #ifndef OPENSSL_NO_ECDH
-       if (set_ecdh_curve(ctx, conf->ecdh_curve,
conf->disable_single_dh_use) < 0) {
-               return NULL;
-       }
+       //if (set_ecdh_curve(ctx, conf->ecdh_curve,
conf->disable_single_dh_use) < 0) {
+       //      return NULL;
+       //}
 #endif
 #endif

With this small hot-fix I was able to use different named curves (in my
case x25519 with a current Ubuntu and secp521r1 with an Android which
didn't propagated support for x25519).
I haven't tested for side effects on this, but at least I was able to
log in to my testing WPA2-Enterprise APs.

For clarification: This is the curve used for EC-Diffie-Hellman in the
Server Key Exchange TLS-Record.

Since the ecdh_curve parameter is set with a default value of
prime256v1, leaving out the configuration parameter results in the
choice of prime256v1.

I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2
It seems this OpenSSL version enables all curves if no specific curve is
set.
My suggested fix would be to at least introduce a configuration item to
disable the choice of one specific named curve.

Greetings
Jan-Frederik Rieckers


On 31.01.20 15:59, Alan DeKok wrote:
> On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel at uni-bremen.de> wrote:
>> I'll probably write my bachelor thesis about some aspects. I'll
>> definitely share results, if they concern the server side.
> 
>   Thanks.
> 
>> I don't know if that's true. As far as I know OpenSSL itself is
>> perfectly capable of supporting multiple curves.
>>
>> I've tested that with my private HTTPS servers and openssl s_client:
>> `openssl s_client -groups "X25519" -connect <host>`
>> `openssl s_client -groups "prime256v1" -connect <host>`
> 
>   That's the client side... the question is what happens on the server side?  i.e. what API calls are necessary?
> 
>   I think that the curves supplied to OpenSSL are defaults, and it can negotiate more.  See the "cipher_list" configuration, which allows you to specify multiple ciphers.
> 
>> I've also observed at least one server in the eduroam federation which
>> support multiple named curves. (Based on my data from analyzing TLS
>> Handshakes in EAP-TLS)
>>
>> I haven't had the the time to try to modify freeradius locally to ignore
>> the ecdh_curve completely. Unfortunately I'm just beginning to get into
>> the openssl API.
> 
>   Good luck.  It's enormously more complex than it needs to be. :(
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
> 



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20200203/209e2ec4/attachment.sig>
