[PATCH] SSL: support automatic selection of ECDH temporary key parameters
Piotr Sikora
piotr at cloudflare.com
Mon Apr 7 02:09:41 UTC 2014
Hey Maxim,
> Comments about the patch below, in no particular order:
>
> - Suggested code doesn't seem to allow to use the default list of
> curves, as normally available with just a call to
> SSL_CTX_set_ecdh_auto(); this seems to be what OpenSSL
> recommends to use by default, and we may want to follow.
But isn't that the way nginx usually interacts with OpenSSL? i.e.
always calling SSL_CTX_set_cipher_list(), even with the default
"DEFAULT" value?
Also, right now nginx uses NIST P-256 curve. Calling
SSL_CTX_set_ecdh_auto() without limiting list of supported curves
enables all of them, with preference for the strongest ones, which
means that all modern browsers will start using NIST P-521 and clients
compiled against OpenSSL will start using NIST B-571.
This results in rather significant performance loss:
op op/s
256 bit ecdh (nistp256) 0.0002s 4589.7
521 bit ecdh (nistp521) 0.0006s 1551.9
571 bit ecdh (nistb571) 0.0030s 330.9
and I don't think that it's a good idea to silently change used curve
for users using default configuration.
> - Error messages in the ngx_ssl_ecdh_curve() are way off from
> what's normally used in ngx_event_openssl.c, and probably
> it's not a good idea to use similar messages in the new code.
Right, my bad.
> - If nginx was compiled with OpenSSL 1.0.2, but used with an
> older version, things will not work at all; this is not something
> completely unacceptable, but it's something we may want to
> avoid.
Will look into it.
> - SSL_CTX_set_options(SSL_OP_SINGLE_ECDH_USE) is not used
> with OpenSSL 1.0.2, and this looks just wrong.
Well, it just looks wrong ;)
If you dig into OpenSSL's code, you'll notice that this option is
checked only in 3 places: when setting SSL_CTX_set_tmp_ecdh() /
SSL_set_tmp_ecdh() to see if we need to generate "persistent"
temporary key and during ServerKeyExchange phase to see if we need to
generate ephemeral temporary key. This check consists of 3 conditions
and first two are fulfilled via SSL_CTX_set_ecdh_auto(), so
SSL_OP_SINGLE_ECDH_USE is never check when using it.
Basically,
SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
is equivalent to:
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
Having said that, I don't mind re-adding it, if it's going to make you happier.
Best regards,
Piotr Sikora
More information about the nginx-devel
mailing list