[PATCH] SSL: support automatic selection of ECDH temporary key parameters
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 7 11:27:47 UTC 2014
Hello!
On Sun, Apr 06, 2014 at 07:09:41PM -0700, Piotr Sikora wrote:
> Hey Maxim,
>
> > Comments about the patch below, in no particular order:
> >
> > - Suggested code doesn't seem to allow to use the default list of
> > curves, as normally available with just a call to
> > SSL_CTX_set_ecdh_auto(); this seems to be what OpenSSL
> > recommends to use by default, and we may want to follow.
>
> But isn't that the way nginx usually interacts with OpenSSL? i.e.
> always calling SSL_CTX_set_cipher_list(), even with the default
> "DEFAULT" value?
The problem is that there is no equivalent "default" value in case
of curves. But I think we can live with it, at least till OpenSSL
folks will introduce one.
> Also, right now nginx uses NIST P-256 curve. Calling
> SSL_CTX_set_ecdh_auto() without limiting list of supported curves
> enables all of them, with preference for the strongest ones, which
> means that all modern browsers will start using NIST P-521 and clients
> compiled against OpenSSL will start using NIST B-571.
>
> This results in rather significant performance loss:
>
> op op/s
> 256 bit ecdh (nistp256) 0.0002s 4589.7
> 521 bit ecdh (nistp521) 0.0006s 1551.9
> 571 bit ecdh (nistb571) 0.0030s 330.9
>
> and I don't think that it's a good idea to silently change used curve
> for users using default configuration.
Agree, preserving prime256v1 as the default looks reasonable.
> > - Error messages in the ngx_ssl_ecdh_curve() are way off from
> > what's normally used in ngx_event_openssl.c, and probably
> > it's not a good idea to use similar messages in the new code.
>
> Right, my bad.
>
> > - If nginx was compiled with OpenSSL 1.0.2, but used with an
> > older version, things will not work at all; this is not something
> > completely unacceptable, but it's something we may want to
> > avoid.
>
> Will look into it.
>
> > - SSL_CTX_set_options(SSL_OP_SINGLE_ECDH_USE) is not used
> > with OpenSSL 1.0.2, and this looks just wrong.
>
> Well, it just looks wrong ;)
>
> If you dig into OpenSSL's code, you'll notice that this option is
> checked only in 3 places: when setting SSL_CTX_set_tmp_ecdh() /
> SSL_set_tmp_ecdh() to see if we need to generate "persistent"
> temporary key and during ServerKeyExchange phase to see if we need to
> generate ephemeral temporary key. This check consists of 3 conditions
> and first two are fulfilled via SSL_CTX_set_ecdh_auto(), so
> SSL_OP_SINGLE_ECDH_USE is never check when using it.
While the SSL_OP_SINGLE_ECDH_USE may be unneeded with current
OpenSSL code in case of SSL_CTX_set_ecdh_auto(), I would prefer to
keep the option set anyway - as nothing stops OpenSSL from
implementing a key cache for this case.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list