Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL: don't set default ECDH curve #14656

Merged

Conversation

ysbaddaden
Copy link
Contributor

@ysbaddaden ysbaddaden commented Jun 3, 2024

Disables the ECDH curve configuration that was limiting the curve selection to insecure curves.

Before (sslscan, openssl 1.1.1f, ubuntu 20.04):

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.2  128 bits  secp256r1 (NIST P-256)

After (sslscan, openssl 1.1.1f, ubuntu 20.04):

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

Also, ciphers now use Curve 25519 by default instead of Curve P-256

follow up to #14655
closes #9060

@ysbaddaden ysbaddaden changed the title dont set openssl ecdh curves OpenSSL: don't set default ECDH curve Jun 3, 2024
@beta-ziliani beta-ziliani added this to the 1.13.0 milestone Jun 5, 2024
@straight-shoota straight-shoota modified the milestone: 1.13.0 Jun 5, 2024
@straight-shoota straight-shoota added kind:bug A bug in the code. Does not apply to documentation, specs, etc. topic:stdlib:networking labels Jun 5, 2024
@ysbaddaden ysbaddaden force-pushed the fix/dont-set-openssl-ecdh-curves branch from 8ecc3a7 to d9329fe Compare June 6, 2024 12:14
@ysbaddaden ysbaddaden merged commit 434b084 into crystal-lang:master Jun 6, 2024
61 checks passed
@ysbaddaden ysbaddaden deleted the fix/dont-set-openssl-ecdh-curves branch June 6, 2024 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind:bug A bug in the code. Does not apply to documentation, specs, etc. security topic:stdlib:networking
Projects
None yet
3 participants