Single ECDH Curve for forward secrecy

Jan-Frederik Rieckers rieckers+freeradius-devel at
Fri Jan 31 15:49:25 CET 2020

On 31.01.20 15:28, Alan DeKok wrote:
> On Jan 31, 2020, at 4:39 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel at> wrote
>> I'm currently doing some research with the TLS client and server
>> implementations in EAP-TLS.
>   Good to hear.  Not many people have done this kind of research.

I'll probably write my bachelor thesis about some aspects. I'll
definitely share results, if they concern the server side.

>> I have noticed that FreeRADIUS forces usage of one specific curve for
>> ECDH Key Exchange. Is there a specific reason for that?
>> ( set_ecdh_curve in src/main/tls.c )
>   No, the server *defaults* to one curve.  The default can be changed by editing the configuration files.

Sorry, that was my wrong formulation. That's exactly what I meant.

>   It only supports one curve, largely because of limitations in the OpenSSL API.  If OpenSSL supports fallback curves, we can definitely add support for that.

I don't know if that's true. As far as I know OpenSSL itself is
perfectly capable of supporting multiple curves.

I've tested that with my private HTTPS servers and openssl s_client:
`openssl s_client -groups "X25519" -connect <host>`
`openssl s_client -groups "prime256v1" -connect <host>`

I've also observed at least one server in the eduroam federation which
supports multiple named curves. (Based on my data from analyzing TLS
Handshakes in EAP-TLS)

I haven't had the time to try to modify freeradius locally to ignore
the ecdh_curve completely. Unfortunately I'm just beginning to get into
the openssl API.

  Jan-Frederik Rieckers
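
The manual s_client check from the message above, scripted over a list of groups, as an added example that is not part of the original message or of FreeRADIUS. The function names, the script name and the default group list are assumptions, and like the commands above it applies to a TLS server that s_client can reach directly, not to EAP-TLS carried inside RADIUS.

```shell
#!/bin/sh
# Added example: report which named groups a TLS server negotiates when
# the client offers exactly one group per connection.

# Reduce s_client output to the negotiated key-exchange group, e.g.
#   "Server Temp Key: X25519, 253 bits"       -> X25519
#   "Server Temp Key: ECDH, P-256, 256 bits"  -> P-256
# Prints nothing when the handshake produced no ephemeral key.
parse_temp_key() {
    sed -n 's/^Server Temp Key: //p' | head -n 1 |
        sed -e 's/^ECDH, //' -e 's/, [0-9]* bits$//'
}

# $1 = group offered by the client, $2 = parse_temp_key result (may be empty)
classify() {
    case "$2" in
        "") echo "$1: not negotiated" ;;
        DH) echo "$1: not negotiated (finite-field DH used instead)" ;;
        *)  echo "$1: negotiated ($2)" ;;
    esac
}

# $1 = host:port, $2 = group name as accepted by -groups
probe_group() {
    out=$(openssl s_client -groups "$2" -connect "$1" </dev/null 2>/dev/null) || true
    classify "$2" "$(printf '%s\n' "$out" | parse_temp_key)"
}

# Usage (hypothetical script name): sh probe-groups.sh host:port [group ...]
if [ "$#" -ge 1 ]; then
    target=$1
    shift
    if [ "$#" -eq 0 ]; then
        set -- X25519 prime256v1 secp384r1   # assumed default list
    fi
    for group in "$@"; do
        probe_group "$target" "$group"
    done
fi
```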
