Single ECDH Curve for forward secrecy
Hello, I'm currently doing some research with the TLS client and server implementations in EAP-TLS. I have noticed, that Freeradius forces usage of one specific curve for ECDH Key Exchange. Is there a specific reason for that? ( set_ecdh_curve in src/main/tls.c ) The standard is "prime256v1", which seems to be a good default, since this curve is always in the SupportedGroups extension of the Client TLS Hello. (For all clients I've seen so far) But I'd like to change the default to something like X25519 and fall back on others when this is not possible. Kind regards Jan-Frederik Rieckers
On Jan 31, 2020, at 4:39 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote
I'm currently doing some research with the TLS client and server implementations in EAP-TLS.
Good to hear. Not many people have done this kind of research.
I have noticed, that Freeradius forces usage of one specific curve for ECDH Key Exchange. Is there a specific reason for that? ( set_ecdh_curve in src/main/tls.c )
No, the server *defaults* to one curve. The default can be changed by editing the configuration files. Our general policy is to ship the server with sane defaults. However, we also let the admin change those defaults via the configuration files.
The standard is "prime256v1", which seems to be a good default, since this curve is always in the SupportedGroups extension of the Client TLS Hello. (For all clients I've seen so far)
But I'd like to change the default to something like X25519 and fall back on others when this is not possible.
You can change the configuration in raddb/mods-available/eap: ecdh_curve = "prime256v1" It only supports one curve, largely because of limitations in the OpenSSL API. If OpenSSL supports fallback curves, we can definitely add support for that. Alan DeKok.
On 31.01.20 15:28, Alan DeKok wrote:
On Jan 31, 2020, at 4:39 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote
I'm currently doing some research with the TLS client and server implementations in EAP-TLS.
Good to hear. Not many people have done this kind of research.
I'll probably write my bachelor thesis about some aspects. I'll definitely share results, if they concern the server side.
I have noticed, that Freeradius forces usage of one specific curve for ECDH Key Exchange. Is there a specific reason for that? ( set_ecdh_curve in src/main/tls.c )
No, the server *defaults* to one curve. The default can be changed by editing the configuration files.
Sorry, that was my wrong formulation. That's exactly what I meant.
It only supports one curve, largely because of limitations in the OpenSSL API. If OpenSSL supports fallback curves, we can definitely add support for that.
I don't know if that's true. As far as I know OpenSSL itself is perfectly capable of supporting multiple curves. I've tested that with my private HTTPS servers and openssl s_client: `openssl s_client -groups "X25519" -connect <host>` `openssl s_client -groups "prime256v1" -connect <host>` I've also observed at least one server in the eduroam federation which support multiple named curves. (Based on my data from analyzing TLS Handshakes in EAP-TLS) I haven't had the the time to try to modify freeradius locally to ignore the ecdh_curve completely. Unfortunately I'm just beginning to get into the openssl API. Jan-Frederik Rieckers
On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'll probably write my bachelor thesis about some aspects. I'll definitely share results, if they concern the server side.
Thanks.
I don't know if that's true. As far as I know OpenSSL itself is perfectly capable of supporting multiple curves.
I've tested that with my private HTTPS servers and openssl s_client: `openssl s_client -groups "X25519" -connect <host>` `openssl s_client -groups "prime256v1" -connect <host>`
That's the client side... the question is what happens on the server side? i.e. what API calls are necessary? I think that the curves supplied to OpenSSL are defaults, and it can negotiate more. See the "cipher_list" configuration, which allows you to specify multiple ciphers.
I've also observed at least one server in the eduroam federation which support multiple named curves. (Based on my data from analyzing TLS Handshakes in EAP-TLS)
I haven't had the the time to try to modify freeradius locally to ignore the ecdh_curve completely. Unfortunately I'm just beginning to get into the openssl API.
Good luck. It's enormously more complex than it needs to be. :( Alan DeKok.
Hello again, I've tried one ugly patch now to try to mitigate the "problem": diff --git a/src/main/tls.c b/src/main/tls.c index 78c7370a63..8d9e94ff3e 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -3310,9 +3310,9 @@ post_ca: */ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH - if (set_ecdh_curve(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) { - return NULL; - } + //if (set_ecdh_curve(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) { + // return NULL; + //} #endif #endif With this small hot-fix I was able to use different named curves (in my case x25519 with a current Ubuntu and secp521r1 with an Android which didn't propagated support for x25519). I haven't tested for side effects on this, but at least I was able to log in to my testing WPA2-Enterprise APs. For clarification: This is the curve used for EC-Diffie-Hellman in the Server Key Exchange TLS-Record. Since the ecdh_curve parameter is set with a default value of prime256v1, leaving out the configuration parameter results in the choice of prime256v1. I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2 It seems this OpenSSL version enables all curves if no specific curve is set. My suggested fix would be to at least introduce a configuration item to disable the choice of one specific named curve. Greetings Jan-Frederik Rieckers On 31.01.20 15:59, Alan DeKok wrote:
On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'll probably write my bachelor thesis about some aspects. I'll definitely share results, if they concern the server side.
Thanks.
I don't know if that's true. As far as I know OpenSSL itself is perfectly capable of supporting multiple curves.
I've tested that with my private HTTPS servers and openssl s_client: `openssl s_client -groups "X25519" -connect <host>` `openssl s_client -groups "prime256v1" -connect <host>`
That's the client side... the question is what happens on the server side? i.e. what API calls are necessary?
I think that the curves supplied to OpenSSL are defaults, and it can negotiate more. See the "cipher_list" configuration, which allows you to specify multiple ciphers.
I've also observed at least one server in the eduroam federation which support multiple named curves. (Based on my data from analyzing TLS Handshakes in EAP-TLS)
I haven't had the the time to try to modify freeradius locally to ignore the ecdh_curve completely. Unfortunately I'm just beginning to get into the openssl API.
Good luck. It's enormously more complex than it needs to be. :(
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Feb 3, 2020, at 11:00 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I've tried one ugly patch now to try to mitigate the "problem":
*What* problem? You've asked how to change curves, and you can do that via the configuration file. What is the problem you're solving?
Since the ecdh_curve parameter is set with a default value of prime256v1, leaving out the configuration parameter results in the choice of prime256v1.
You can set the curve to nothing: ecdh_curve = "" See the set_ecdh_curve() function.
I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2 It seems this OpenSSL version enables all curves if no specific curve is set. My suggested fix would be to at least introduce a configuration item to disable the choice of one specific named curve.
You can pretty much do that already. Alan DeKok.
On 03.02.20 17:21, Alan DeKok wrote:
Since the ecdh_curve parameter is set with a default value of prime256v1, leaving out the configuration parameter results in the choice of prime256v1.
You can set the curve to nothing:
ecdh_curve = ""
See the set_ecdh_curve() function.
I'm sorry, I didn't notice this. In my opinion, it seems a little bit odd, that leaving out the option defaults to "prime256v1", but setting it to empty string enables all curves. There's also no documentation for this behavior in the configuration file. Maybe this could be added? Greetings Jan-Frederik Rieckers.
On Feb 3, 2020, at 11:39 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
In my opinion, it seems a little bit odd, that leaving out the option defaults to "prime256v1", but setting it to empty string enables all curves. There's also no documentation for this behavior in the configuration file. Maybe this could be added?
Sure. Patches are always welcome. But in general, *any* configuration item can be set to "" to disable it. Alan DeKok.
participants (2)
-
Alan DeKok -
Jan-Frederik Rieckers