Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Raja Ashok-2
Hi All,

I feel like some TLS 1.3 configuration APIs in OpenSSL 1.1.1 are uncomfortable to use.

1) Configuring Cipher Suite: There is a new API for configuring the TLS 1.3 cipher suite, which is SSL_set_ciphersuites(). But calling only SSL_set_ciphersuites() does not work. You need to call the old API SSL_set_cipher_list() first and then SSL_set_ciphersuites().

2) Configuring supported groups and temp ECDHE: Configuring temp ECDHE using SSL_set_tmp_ECDH() configures the corresponding curve ID as the supported groups. So calling SSL_set1_groups() first and then calling SSL_set_tmp_ECDH() resets the groups configured using SSL_set1_groups().

I feel the configuration APIs introduced for TLS 1.3 are a little confusing, and they have to be used in a certain order to achieve the required configuration.

Can someone clarify these API behaviours for me, or is my understanding of how to use these APIs incorrect?

Regards
R Ashok

Re: Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Matt Caswell-2


On 27/05/2019 10:26, Raja Ashok wrote:
> Hi All,
>
> I feel like some TLS 1.3 configuration APIs in OpenSSL 1.1.1 are uncomfortable
> to use.
>
> 1) Configuring Cipher Suite: There is a new API for configuring the TLS 1.3 cipher
> suite, which is SSL_set_ciphersuites(). But calling
> only SSL_set_ciphersuites() does not work. You need to call the old
> API SSL_set_cipher_list() first and then SSL_set_ciphersuites().

Hmmm...this shouldn't be the case. Order shouldn't be important. If you are
experiencing that it sounds like a possible bug.

>
> 2) Configuring supported groups and temp ECDHE: Configuring temp ECDHE using
> SSL_set_tmp_ECDH() configures the corresponding curve ID as the supported groups.
> So calling SSL_set1_groups() first and then calling SSL_set_tmp_ECDH() resets
> the groups configured using SSL_set1_groups().

SSL_set_tmp_ECDH() is the old way of doing things (we should probably deprecate
this). You shouldn't need to call this at all. Just use SSL_set1_groups.

Matt
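To illustrate Matt's point that the two lists are independent, here is an added example (not from the thread or from OpenSSL itself) using Python's ssl module, a thin wrapper over OpenSSL: SSLContext.set_ciphers() maps to SSL_CTX_set_cipher_list(), which only replaces the TLS 1.2-and-earlier list, while the TLS 1.3 ciphersuite list (SSL_CTX_set_ciphersuites(), not exposed by Python) keeps OpenSSL's compiled-in default untouched. The cipher string is constructed for the demo.

```python
"""Show that OpenSSL keeps the TLS 1.2 cipher list and the TLS 1.3 ciphersuite
list separate: replacing one does not touch the other, so there is no required
call order between SSL_set_cipher_list() and SSL_set_ciphersuites().
"""
import ssl

# Constructed cipher-list string: a single TLS 1.2 ECDHE suite and nothing else.
LEGACY_ONLY = "ECDHE-RSA-AES128-GCM-SHA256"


def suites_by_protocol(ctx):
    """Group the suites a context would offer by the protocol version they belong to."""
    grouped = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def configure_and_inspect(cipher_list=LEGACY_ONLY):
    """Apply a legacy cipher list and report what stays enabled per protocol.

    Returns a dict with the TLS 1.3 suites before and after the call so the
    caller can confirm that SSL_CTX_set_cipher_list() left them unchanged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = suites_by_protocol(ctx)
    ctx.set_ciphers(cipher_list)  # -> SSL_CTX_set_cipher_list(); TLS 1.2 list only
    after = suites_by_protocol(ctx)
    return {
        # False on builds without TLS 1.3 (then no TLS 1.3 suites exist at all)
        "has_tls13": ssl.HAS_TLSv1_3,
        "tls12_after": after.get("TLSv1.2", []),
        "tls13_before": before.get("TLSv1.3", []),
        "tls13_after": after.get("TLSv1.3", []),
    }


if __name__ == "__main__":
    result = configure_and_inspect()
    print("TLS 1.2 suites after set_ciphers():", result["tls12_after"])
    print("TLS 1.3 suites, unchanged by set_ciphers():", result["tls13_after"])
```

Run it against an OpenSSL 1.1.1 or later build and the TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and friends) are still listed after the legacy list has been cut down to one suite; a context that really had no TLS 1.3 suites would point to a bug or a build without TLS 1.3, as Matt suggests.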

Re: Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Hubert Kario
On Monday, 27 May 2019 12:11:44 CEST Matt Caswell wrote:

> On 27/05/2019 10:26, Raja Ashok wrote:
> > 2) Configuring supported groups and temp ECDHE: Configuring temp ECDHE
> > using SSL_set_tmp_ECDH() configures the corresponding curve ID as
> > the supported groups. So calling SSL_set1_groups() first and then
> > calling SSL_set_tmp_ECDH() resets the groups configured using
> > SSL_set1_groups().
>
> SSL_set_tmp_ECDH() is the old way of doing things (we should probably
> deprecate this). You shouldn't need to call this at all. Just use
> SSL_set1_groups.
Filed https://github.com/openssl/openssl/issues/9014 to track this.

Probably a "good first issue"?
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
