SSL Server setup DH/ECDH

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

SSL Server setup DH/ECDH

Chitrang Srivastava
Hi,

I am implementing HTTPs server using openssl 1.1.1b.
Is it mandatory to setup these API's while creating ssl context ?
SSL_CTX_set_tmp_ecdh
SSL_CTX_set_tmp_dh
Also any suggestion what all options one should set while setting up server like
SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3

Thanks,

Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Matt Caswell-2


On 06/08/2019 09:42, Chitrang Srivastava wrote:
> Hi,
>
> I am implementing HTTPs server using openssl 1.1.1b.
> Is it mandatory to setup these API's while creating ssl context ?
>
> SSL_CTX_set_tmp_ecdh
>
> SSL_CTX_set_tmp_dh

By default OpenSSL will automatically use ECDH if appropriate and choose a
suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
want more control over which specific group is used.

OpenSSL will not use DH unless you specifically configure it. If you want to
make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
you to configure any arbitrary DH group that you choose. Calling the latter will
enable the built-in DH groups.

It is not mandatory to call any of the above.

>
> Also any suggestion what all options one should set while setting up server like
> SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3

Don't use the protocol version specific options at all. Use
SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.

Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
(possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
unless there is a specific problem you are trying to solve.

Matt
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Chitrang Srivastava
Thanks Matt,

So now I have, which i believe is enough ?

SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <[hidden email]> wrote:


On 06/08/2019 09:42, Chitrang Srivastava wrote:
> Hi,
>
> I am implementing HTTPs server using openssl 1.1.1b.
> Is it mandatory to setup these API's while creating ssl context ?
>
> SSL_CTX_set_tmp_ecdh
>
> SSL_CTX_set_tmp_dh

By default OpenSSL will automatically use ECDH if appropriate and choose a
suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
want more control over which specific group is used.

OpenSSL will not use DH unless you specifically configure it. If you want to
make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
you to configure any arbitrary DH group that you choose. Calling the latter will
enable the built-in DH groups.

It is not mandatory to call any of the above.

>
> Also any suggestion what all options one should set while setting up server like
> SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3

Don't use the protocol version specific options at all. Use
SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.

Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
(possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
unless there is a specific problem you are trying to solve.

Matt
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Matt Caswell-2


On 06/08/2019 11:07, Chitrang Srivastava wrote:
> Thanks Matt,
>
> So now I have, which i believe is enough ?
>
> SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

This is fine although it obviously prevents connections from very old clients
that don't support TLSv1.2. This might not be a problem for you depending on
your situation.

Matt

>
> On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     > Hi,
>     >
>     > I am implementing HTTPs server using openssl 1.1.1b.
>     > Is it mandatory to setup these API's while creating ssl context ?
>     >
>     > SSL_CTX_set_tmp_ecdh
>     >
>     > SSL_CTX_set_tmp_dh
>
>     By default OpenSSL will automatically use ECDH if appropriate and choose a
>     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
>     want more control over which specific group is used.
>
>     OpenSSL will not use DH unless you specifically configure it. If you want to
>     make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
>     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
>     you to configure any arbitrary DH group that you choose. Calling the latter will
>     enable the built-in DH groups.
>
>     It is not mandatory to call any of the above.
>
>     >
>     > Also any suggestion what all options one should set while setting up
>     server like
>     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
>
>     Don't use the protocol version specific options at all. Use
>     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
>     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
>
>     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
>     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
>     unless there is a specific problem you are trying to solve.
>
>     Matt
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Chitrang Srivastava
Yes , since in my case mostly browser will be used to access webserver running on embedded platform.
Another question, since my webserver is running on embedded platform and it has limited memory , I have disabled
ARIA/CAMELLIA  and few others, is that OK ? because I don't see any ciphers suites which is used in practice.



On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <[hidden email]> wrote:


On 06/08/2019 11:07, Chitrang Srivastava wrote:
> Thanks Matt,
>
> So now I have, which i believe is enough ?
>
> SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

This is fine although it obviously prevents connections from very old clients
that don't support TLSv1.2. This might not be a problem for you depending on
your situation.

Matt

>
> On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     > Hi,
>     >
>     > I am implementing HTTPs server using openssl 1.1.1b.
>     > Is it mandatory to setup these API's while creating ssl context ?
>     >
>     > SSL_CTX_set_tmp_ecdh
>     >
>     > SSL_CTX_set_tmp_dh
>
>     By default OpenSSL will automatically use ECDH if appropriate and choose a
>     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
>     want more control over which specific group is used.
>
>     OpenSSL will not use DH unless you specifically configure it. If you want to
>     make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
>     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
>     you to configure any arbitrary DH group that you choose. Calling the latter will
>     enable the built-in DH groups.
>
>     It is not mandatory to call any of the above.
>
>     >
>     > Also any suggestion what all options one should set while setting up
>     server like
>     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
>
>     Don't use the protocol version specific options at all. Use
>     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
>     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
>
>     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
>     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
>     unless there is a specific problem you are trying to solve.
>
>     Matt
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Matt Caswell-2


On 06/08/2019 11:21, Chitrang Srivastava wrote:
> Yes , since in my case mostly browser will be used to access webserver running
> on embedded platform.
> Another question, since my webserver is running on embedded platform and it has
> limited memory , I have disabled
> ARIA/CAMELLIA  and few others, is that OK ? because I don't see any ciphers
> suites which is used in practice.

Yes, that should be fine.

Matt

>
>
>
> On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 06/08/2019 11:07, Chitrang Srivastava wrote:
>     > Thanks Matt,
>     >
>     > So now I have, which i believe is enough ?
>     >
>     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
>     > SSL_OP_CIPHER_SERVER_PREFERENCE);
>     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>
>     This is fine although it obviously prevents connections from very old clients
>     that don't support TLSv1.2. This might not be a problem for you depending on
>     your situation.
>
>     Matt
>
>     >
>     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >
>     >
>     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     >     > Hi,
>     >     >
>     >     > I am implementing HTTPs server using openssl 1.1.1b.
>     >     > Is it mandatory to setup these API's while creating ssl context ?
>     >     >
>     >     > SSL_CTX_set_tmp_ecdh
>     >     >
>     >     > SSL_CTX_set_tmp_dh
>     >
>     >     By default OpenSSL will automatically use ECDH if appropriate and choose a
>     >     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh()
>     unless you
>     >     want more control over which specific group is used.
>     >
>     >     OpenSSL will not use DH unless you specifically configure it. If you
>     want to
>     >     make use of DH based ciphersuites then you must either call
>     SSL_CTX_set_tmp_dh()
>     >     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the
>     former enables
>     >     you to configure any arbitrary DH group that you choose. Calling the
>     latter will
>     >     enable the built-in DH groups.
>     >
>     >     It is not mandatory to call any of the above.
>     >
>     >     >
>     >     > Also any suggestion what all options one should set while setting up
>     >     server like
>     >     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
>     >
>     >     Don't use the protocol version specific options at all. Use
>     >     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
>     >     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by
>     default.
>     >
>     >     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
>     >     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need
>     the others
>     >     unless there is a specific problem you are trying to solve.
>     >
>     >     Matt
>     >
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Chitrang Srivastava
Hi Matt,

I tried following code but it is crashing @ SSL_CTX_set_ciphersuites
s_ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
SSL_CTX_set_ciphersuites(s_ctx, "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");

In the debugger I noticed 

s_ctx :: cipher_list & cipher_list_by_id are both NULL
However tls13_ciphersuites is populated.
Further in update_cipher_list which is called by SSL_CTX_set_ciphersuites tries to delete this cipher_list and hence crash ?

Any pointer what I am missing?

-Thanks



On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <[hidden email]> wrote:


On 06/08/2019 14:58, Chitrang Srivastava wrote:
> Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.
> So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses 
> TLS_1_3_AES_256_SHA_384.
> While without that it uses TLS_1_3_AES_128_SHA_256, which is better in terms of
> performance.

Ah! Right - now I understand.

So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the
server's ordering of ciphersuites compared to the clients. With that option set
it will use the first ciphersuite that is in the server's list that is also in
the client's list. Without the set it will use the first ciphersuite that is in
the client's list that is also in the server's list. Server operators often
prefer this because it gives more control over which ciphersuite ultimately gets
used. But that's only really useful if you also look at this list of configured
ciphersuites and make sure they are in your preferred order! Otherwise the
option is fairly pointless!

For TLSv1.3 the default list is:

#   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                    "TLS_CHACHA20_POLY1305_SHA256:" \
                                    "TLS_AES_128_GCM_SHA256"

If you want a different order you can use the functions
SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html

Matt

>
> Thanks very much,
> Chitrang
>
> Tuesday, August 6, 2019, Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 06/08/2019 12:20, Chitrang Srivastava wrote:
>     > Noticed that if I set  SSL_OP_CIPHER_SERVER_PREFERENCE,
>     TLS_1_3_AES_256_SHA_384
>     > is being used while without that
>     > AES_128_SHA256 is being used and I see client(Chrome) send this as first
>     preference.
>     > Is there anyway where I can always prefer AES-128-SHA256 cipher suite of
>     TLS 1.3?
>
>     Hmmm...are you sure?
>
>     Those names don't look like OpenSSL names for those ciphersuites. I guess you
>     mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3
>     ciphersuite and the latter is for TLSv1.2 and below. They are mutually
>     exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2 ciphersuites and
>     vice versa.
>
>     SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
>     negotiated. OpenSSL negotiates the version *first* before deciding what
>     ciphersuite to use. So it should not be the case that
>     SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite to be used
>     when a TLSv1.2 ciphersuite was used without it.
>
>     Matt
>
>
>     >
>     > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >
>     >
>     >     On 06/08/2019 11:21, Chitrang Srivastava wrote:
>     >     > Yes , since in my case mostly browser will be used to access
>     webserver running
>     >     > on embedded platform.
>     >     > Another question, since my webserver is running on embedded platform and
>     >     it has
>     >     > limited memory , I have disabled
>     >     > ARIA/CAMELLIA  and few others, is that OK ? because I don't see any
>     ciphers
>     >     > suites which is used in practice.
>     >
>     >     Yes, that should be fine.
>     >
>     >     Matt
>     >
>     >     >
>     >     >
>     >     >
>     >     > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     > <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>> wrote:
>     >     >
>     >     >
>     >     >
>     >     >     On 06/08/2019 11:07, Chitrang Srivastava wrote:
>     >     >     > Thanks Matt,
>     >     >     >
>     >     >     > So now I have, which i believe is enough ?
>     >     >     >
>     >     >     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
>     >     >     > SSL_OP_CIPHER_SERVER_PREFERENCE);
>     >     >     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>     >     >
>     >     >     This is fine although it obviously prevents connections from
>     very old
>     >     clients
>     >     >     that don't support TLSv1.2. This might not be a problem for you
>     >     depending on
>     >     >     your situation.
>     >     >
>     >     >     Matt
>     >     >
>     >     >     >
>     >     >     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>
>     >     >     > <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>>> wrote:
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     >     >     >     > Hi,
>     >     >     >     >
>     >     >     >     > I am implementing HTTPs server using openssl 1.1.1b.
>     >     >     >     > Is it mandatory to setup these API's while creating ssl
>     context ?
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_tmp_ecdh
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_tmp_dh
>     >     >     >
>     >     >     >     By default OpenSSL will automatically use ECDH if appropriate
>     >     and choose a
>     >     >     >     suitable group so there is no need to call
>     SSL_CTX_set_tmp_ecdh()
>     >     >     unless you
>     >     >     >     want more control over which specific group is used.
>     >     >     >
>     >     >     >     OpenSSL will not use DH unless you specifically configure
>     it. If you
>     >     >     want to
>     >     >     >     make use of DH based ciphersuites then you must either call
>     >     >     SSL_CTX_set_tmp_dh()
>     >     >     >     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents).
>     Calling the
>     >     >     former enables
>     >     >     >     you to configure any arbitrary DH group that you choose.
>     Calling the
>     >     >     latter will
>     >     >     >     enable the built-in DH groups.
>     >     >     >
>     >     >     >     It is not mandatory to call any of the above.
>     >     >     >
>     >     >     >     >
>     >     >     >     > Also any suggestion what all options one should set while
>     >     setting up
>     >     >     >     server like
>     >     >     >     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
>     >     >     >
>     >     >     >     Don't use the protocol version specific options at all. Use
>     >     >     >     SSL_CTX_set_min_proto_version() if you want to specify a
>     minimum
>     >     protocol
>     >     >     >     version. SSLv2 is no longer supported at all. SSLv3 is
>     compiled
>     >     out by
>     >     >     default.
>     >     >     >
>     >     >     >     Other options that are worth considering are
>     >     SSL_OP_NO_RENEGOTIATION and
>     >     >     >     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you
>     don't need
>     >     >     the others
>     >     >     >     unless there is a specific problem you are trying to solve.
>     >     >     >
>     >     >     >     Matt
>     >     >     >
>     >     >
>     >
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL Server setup DH/ECDH

Matt Caswell-2


On 07/08/2019 12:19, Chitrang Srivastava wrote:

> Hi Matt,
>
> I tried following code but it is crashing @ *SSL_CTX_set_ciphersuites*
> s_ctx = SSL_CTX_new(TLS_method());
> SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
> SSL_CTX_set_ciphersuites(s_ctx,
> "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384");
>
> In the debugger I noticed 
>
> s_ctx :: cipher_list & cipher_list_by_id are both NULL

Well, that is very strange. I just tried the code above and it works just fine
for me.

s_ctx->cipher_list, and s_ctx->cipher_lib_by_id should be populated in the
SSL_CTX_new call:

https://github.com/openssl/openssl/blob/c50fd0f959de5b256d8eefb8ad2a82fcdcb899c3/ssl/ssl_lib.c#L3091-L3101

So you should never have an SSL_CTX object without those things being set.

Matt


> However tls13_ciphersuites is populated.
> Further in update_cipher_list which is called by SSL_CTX_set_ciphersuites tries
> to delete this cipher_list and hence crash ?
>
> Any pointer what I am missing?
>
> -Thanks
>
>
>
> On Tue, Aug 6, 2019 at 7:48 PM Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 06/08/2019 14:58, Chitrang Srivastava wrote:
>     > Yeah I mean TLS 1.3 cipher , sorry I haven't pasted exact names.
>     > So after SSL_OP_CIPHER_SERVER_PREFERENCE, server uses 
>     > TLS_1_3_AES_256_SHA_384.
>     > While without that it uses TLS_1_3_AES_128_SHA_256, which is better in
>     terms of
>     > performance.
>
>     Ah! Right - now I understand.
>
>     So the option SSL_OP_CIPHER_SERVER_PREFERENCE means that the server prefers the
>     server's ordering of ciphersuites compared to the clients. With that option set
>     it will use the first ciphersuite that is in the server's list that is also in
>     the client's list. Without the set it will use the first ciphersuite that is in
>     the client's list that is also in the server's list. Server operators often
>     prefer this because it gives more control over which ciphersuite ultimately gets
>     used. But that's only really useful if you also look at this list of configured
>     ciphersuites and make sure they are in your preferred order! Otherwise the
>     option is fairly pointless!
>
>     For TLSv1.3 the default list is:
>
>     #   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
>                                         "TLS_CHACHA20_POLY1305_SHA256:" \
>                                         "TLS_AES_128_GCM_SHA256"
>
>     If you want a different order you can use the functions
>     SSL_CTX_set_ciphersuites() (or SSL_set_ciphersuites()) to amend it:
>
>     https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
>
>     Matt
>
>     >
>     > Thanks very much,
>     > Chitrang
>     >
>     > Tuesday, August 6, 2019, Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >
>     >
>     >     On 06/08/2019 12:20, Chitrang Srivastava wrote:
>     >     > Noticed that if I set  SSL_OP_CIPHER_SERVER_PREFERENCE,
>     >     TLS_1_3_AES_256_SHA_384
>     >     > is being used while without that
>     >     > AES_128_SHA256 is being used and I see client(Chrome) send this as first
>     >     preference.
>     >     > Is there anyway where I can always prefer AES-128-SHA256 cipher suite of
>     >     TLS 1.3?
>     >
>     >     Hmmm...are you sure?
>     >
>     >     Those names don't look like OpenSSL names for those ciphersuites. I
>     guess you
>     >     mean TLS_AES_256_GCM_SHA384 and AES128-SHA256. The former is a TLSv1.3
>     >     ciphersuite and the latter is for TLSv1.2 and below. They are mutually
>     >     exclusive. If you negotiate TLSv1.3 then you can't use TLSv1.2
>     ciphersuites and
>     >     vice versa.
>     >
>     >     SSL_OP_CIPHER_SERVER_PREFERENCE should not affect the protocol version
>     >     negotiated. OpenSSL negotiates the version *first* before deciding what
>     >     ciphersuite to use. So it should not be the case that
>     >     SSL_OP_CIPHER_SERVER_PREFERENCE suddenly causes a TLSv1.3 ciphersuite
>     to be used
>     >     when a TLSv1.2 ciphersuite was used without it.
>     >
>     >     Matt
>     >
>     >
>     >     >
>     >     > On Tue, Aug 6, 2019 at 3:53 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     > <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>> wrote:
>     >     >
>     >     >
>     >     >
>     >     >     On 06/08/2019 11:21, Chitrang Srivastava wrote:
>     >     >     > Yes , since in my case mostly browser will be used to access
>     >     webserver running
>     >     >     > on embedded platform.
>     >     >     > Another question, since my webserver is running on embedded
>     platform and
>     >     >     it has
>     >     >     > limited memory , I have disabled
>     >     >     > ARIA/CAMELLIA  and few others, is that OK ? because I don't
>     see any
>     >     ciphers
>     >     >     > suites which is used in practice.
>     >     >
>     >     >     Yes, that should be fine.
>     >     >
>     >     >     Matt
>     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>
>     >     >     > <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>>> wrote:
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >     On 06/08/2019 11:07, Chitrang Srivastava wrote:
>     >     >     >     > Thanks Matt,
>     >     >     >     >
>     >     >     >     > So now I have, which i believe is enough ?
>     >     >     >     >
>     >     >     >     > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
>     >     >     >     > SSL_OP_CIPHER_SERVER_PREFERENCE);
>     >     >     >     > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);
>     >     >     >
>     >     >     >     This is fine although it obviously prevents connections from
>     >     very old
>     >     >     clients
>     >     >     >     that don't support TLSv1.2. This might not be a problem
>     for you
>     >     >     depending on
>     >     >     >     your situation.
>     >     >     >
>     >     >     >     Matt
>     >     >     >
>     >     >     >     >
>     >     >     >     > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell
>     <[hidden email] <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>
>     >     >     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>>
>     >     >     >     > <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>
>     >     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>>>> wrote:
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     >     >     >     >     > Hi,
>     >     >     >     >     >
>     >     >     >     >     > I am implementing HTTPs server using openssl 1.1.1b.
>     >     >     >     >     > Is it mandatory to setup these API's while
>     creating ssl
>     >     context ?
>     >     >     >     >     >
>     >     >     >     >     > SSL_CTX_set_tmp_ecdh
>     >     >     >     >     >
>     >     >     >     >     > SSL_CTX_set_tmp_dh
>     >     >     >     >
>     >     >     >     >     By default OpenSSL will automatically use ECDH if
>     appropriate
>     >     >     and choose a
>     >     >     >     >     suitable group so there is no need to call
>     >     SSL_CTX_set_tmp_ecdh()
>     >     >     >     unless you
>     >     >     >     >     want more control over which specific group is used.
>     >     >     >     >
>     >     >     >     >     OpenSSL will not use DH unless you specifically
>     configure
>     >     it. If you
>     >     >     >     want to
>     >     >     >     >     make use of DH based ciphersuites then you must
>     either call
>     >     >     >     SSL_CTX_set_tmp_dh()
>     >     >     >     >     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents).
>     >     Calling the
>     >     >     >     former enables
>     >     >     >     >     you to configure any arbitrary DH group that you choose.
>     >     Calling the
>     >     >     >     latter will
>     >     >     >     >     enable the built-in DH groups.
>     >     >     >     >
>     >     >     >     >     It is not mandatory to call any of the above.
>     >     >     >     >
>     >     >     >     >     >
>     >     >     >     >     > Also any suggestion what all options one should
>     set while
>     >     >     setting up
>     >     >     >     >     server like
>     >     >     >     >     > SSL_CTX_set_options like SSL_OP_NO_SSLv2
>     |SSL_OP_NO_SSLv3
>     >     >     >     >
>     >     >     >     >     Don't use the protocol version specific options at
>     all. Use
>     >     >     >     >     SSL_CTX_set_min_proto_version() if you want to specify a
>     >     minimum
>     >     >     protocol
>     >     >     >     >     version. SSLv2 is no longer supported at all. SSLv3 is
>     >     compiled
>     >     >     out by
>     >     >     >     default.
>     >     >     >     >
>     >     >     >     >     Other options that are worth considering are
>     >     >     SSL_OP_NO_RENEGOTIATION and
>     >     >     >     >     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE.
>     Generally you
>     >     don't need
>     >     >     >     the others
>     >     >     >     >     unless there is a specific problem you are trying to
>     solve.
>     >     >     >     >
>     >     >     >     >     Matt
>     >     >     >     >
>     >     >     >
>     >     >
>     >
>