Hello again, I've tried one ugly patch now to try to mitigate the "problem": diff --git a/src/main/tls.c b/src/main/tls.c index 78c7370a63..8d9e94ff3e 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -3310,9 +3310,9 @@ post_ca: */ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH - if (set_ecdh_curve(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) { - return NULL; - } + //if (set_ecdh_curve(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) { + // return NULL; + //} #endif #endif With this small hot-fix I was able to use different named curves (in my case x25519 with a current Ubuntu and secp521r1 with an Android which didn't propagated support for x25519). I haven't tested for side effects on this, but at least I was able to log in to my testing WPA2-Enterprise APs. For clarification: This is the curve used for EC-Diffie-Hellman in the Server Key Exchange TLS-Record. Since the ecdh_curve parameter is set with a default value of prime256v1, leaving out the configuration parameter results in the choice of prime256v1. I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2 It seems this OpenSSL version enables all curves if no specific curve is set. My suggested fix would be to at least introduce a configuration item to disable the choice of one specific named curve. Greetings Jan-Frederik Rieckers On 31.01.20 15:59, Alan DeKok wrote:
On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'll probably write my bachelor thesis about some aspects. I'll definitely share results, if they concern the server side.
Thanks.
I don't know if that's true. As far as I know OpenSSL itself is perfectly capable of supporting multiple curves.
I've tested that with my private HTTPS servers and openssl s_client: `openssl s_client -groups "X25519" -connect <host>` `openssl s_client -groups "prime256v1" -connect <host>`
That's the client side... the question is what happens on the server side? i.e. what API calls are necessary?
I think that the curves supplied to OpenSSL are defaults, and it can negotiate more. See the "cipher_list" configuration, which allows you to specify multiple ciphers.
I've also observed at least one server in the eduroam federation which support multiple named curves. (Based on my data from analyzing TLS Handshakes in EAP-TLS)
I haven't had the the time to try to modify freeradius locally to ignore the ecdh_curve completely. Unfortunately I'm just beginning to get into the openssl API.
Good luck. It's enormously more complex than it needs to be. :(
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html