How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

Viktor Dukhovni

[ While I could ask off-list, or RTFS, someone else might have the
  same question later, so might as well ask on-list. ]

Postfix added support for ECDHE ciphers long ago, back when OpenSSL
1.0.0 was shiny and new, and the server-side ECDHE support was
enabled by specifying a single preferred "temp" ECDH curve.  At the
time we allowed users to configure:

    smtpd_tls_eecdh_grade = none | strong | ultra

which was later expanded to:

    smtpd_tls_eecdh_grade = none | strong | ultra | auto

as documented at:

    http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
    http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve
    http://www.postfix.org/postconf.5.html#tls_eecdh_ultra_curve
    http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves

The "none" setting is documented to disable ECDHE, and did that by
simply doing nothing, that is by not setting a specific ECDH temp
curve and also not calling SSL_CTX_set_ecdh_auto().  But doing
nothing no longer has the same effect in OpenSSL 1.1.0 and later,
where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto()
is basically a NOOP (that returns "failure" if the requested behaviour
is ECDHE "off").

I thought I might get the same effect by configuring an empty curve
list, but OpenSSL 1.1.x does not accept an empty list, and in any
case that might also affect DHE support, since IIRC there's now a
unified list of curves and FFDHE groups, and there may not be an interface
for configuring just the curves?

Is there still a way to support the "none" setting other than to
modify the cipherlist (ciphers = "!kECDHE:...")?  The Postfix
code that deals with DH settings is separate from the code
that deals with ciphers, and I'd prefer to get these mixed up.

I should say that I understand that turning off ECDHE is increasingly
unwise, interoperability can and will suffer.  So I may well decide
to drop support for "none" and pretend the user meant "auto", but
I'd like to understand the available options first.

--
        Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

Matt Caswell-2


On 02/12/2018 22:13, Viktor Dukhovni wrote:

>
> [ While I could ask off-list, or RTFS, someone else might have the
>   same question later, so might as well ask on-list. ]
>
> Postfix added support for ECDHE ciphers long ago, back when OpenSSL
> 1.0.0 was shiny and new, and the server-side ECDHE support was
> enabled by specifying a single preferred "temp" ECDH curve.  At the
> time we allowed users to configure:
>
>     smtpd_tls_eecdh_grade = none | strong | ultra
>
> which was later expanded to:
>
>     smtpd_tls_eecdh_grade = none | strong | ultra | auto
>
> as documented at:
>
>     http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
>     http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve
>     http://www.postfix.org/postconf.5.html#tls_eecdh_ultra_curve
>     http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
>
> The "none" setting is documented to disable ECDHE, and did that by
> simply doing nothing, that is by not setting a specific ECDH temp
> curve and also not calling SSL_CTX_set_ecdh_auto().  But doing
> nothing no longer has the same effect in OpenSSL 1.1.0 and later,
> where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto()
> is basically a NOOP (that returns "failure" if the requested behaviour
> is ECDHE "off").
>
> I thought I might get the same effect by configuring an empty curve
> list, but OpenSSL 1.1.x does not accept an empty list, and in any
> case that might also affect DHE support, since IIRC there's now a
> unified list of curves and FFDHE groups, and there may not be an interface
> for configuring just the curves?
>
> Is there still a way to support the "none" setting other than to
> modify the cipherlist (ciphers = "!kECDHE:...")?  The Postfix
> code that deals with DH settings is separate from the code
> that deals with ciphers, and I'd prefer to get these mixed up.

AFAIK this can't be done. If you don't want ECDHE then you should not configure
ECDHE ciphersuites.

WRT a unified list of curves, that's not quite the case. TLSv1.3 has a single
"supported_groups" list for both FFDHE and ECDHE - but OpenSSL does not support
FFDHE in TLSv1.3 so in an OpenSSL context this still only relates to ECDHE groups.

Matt

>
> I should say that I understand that turning off ECDHE is increasingly
> unwise, interoperability can and will suffer.  So I may well decide
> to drop support for "none" and pretend the user meant "auto", but
> I'd like to understand the available options first.
>
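An added example, not part of the thread or of Postfix, showing what Matt's answer comes down to in practice: the only way to keep ECDHE out of an OpenSSL 1.1.x context is the cipher list (the "!kECDHE" approach Viktor mentions), so the example builds a context with that list and checks, from OpenSSL's own cipher descriptions, that no ECDHE key exchange remains. It uses Python's ssl module (a thin wrapper over OpenSSL) as a stand-in for Postfix's C code; the function and constant names are the example's own.

```python
import ssl

# Cipher-list form of Postfix's "none" grade, since SSL_CTX_set_ecdh_auto()
# cannot switch ECDHE off in OpenSSL 1.1.x: drop every ECDHE key-exchange suite.
NO_ECDHE_CIPHERS = "DEFAULT:!kECDHE"


def make_context(cipher_string=None, max_tls12=False):
    """Build a server context; optionally apply a cipher list and cap at TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_string:
        ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not governed by the cipher list and, in OpenSSL,
    # negotiate key exchange only via supported_groups (ECDHE curves), so a
    # context that must never do ECDHE also has to stop at TLS 1.2.
    if max_tls12 and hasattr(ctx, "maximum_version"):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def key_exchanges(ctx):
    """Map each enabled cipher name to its Kx value, parsed from OpenSSL's
    description line (e.g. '... Kx=ECDH Au=RSA ...'; TLS 1.3 suites say Kx=any)."""
    out = {}
    for c in ctx.get_ciphers():
        kx = next((tok.split("=", 1)[1] for tok in c["description"].split()
                   if tok.startswith("Kx=")), "?")
        out[c["name"]] = kx
    return out


def ecdhe_suites(ctx):
    """Names of suites that would do ephemeral ECDH (static ECDH shows as ECDH/xxx)."""
    return sorted(n for n, kx in key_exchanges(ctx).items() if kx == "ECDH")


def tls13_suites(ctx):
    """TLS 1.3 suites still present; non-empty means ECDHE is still reachable."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3")


if __name__ == "__main__":
    print("default ECDHE suites:", len(ecdhe_suites(make_context())))
    no_ecdhe = make_context(NO_ECDHE_CIPHERS)
    print("after !kECDHE, ECDHE suites:", ecdhe_suites(no_ecdhe))
    print("TLS 1.3 suites still enabled:", tls13_suites(no_ecdhe))
    print("remaining Kx values:", sorted(set(key_exchanges(no_ecdhe).values())))
```

On an OpenSSL 1.1.1+ build the last line still lists Kx=any for the TLS 1.3 suites, which is the point of the max_tls12 option.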