Opened 7 years ago

Closed 7 years ago

#2112 closed defect (fixed)

Initialization of ephemeral ECDH (EECDH) when accepting TLS session works incorrectly when linked with OpenSSL 1.1.0x

Reported by: riza Owned by: bennylp
Priority: normal Milestone: release-2.8
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

In OpenSSL 1.1.0 the ephemeral
ECDH is already initialized in automatic mode, so there is really no need to
do anything explicit about it.

=== begin citation ===
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means that
the
     "-no_ecdhe" option has been removed from s_server.
https://www.openssl.org/news/changelog.html#x10
=== end citation ===

The code in ssl_sock_ossl.c falls to branch initializing only prime256v1
(aka secp256r1) elliptic curve in the context, after the call
SSL_CTX_ctrl(ctx,94,1,NULL) is unsuccessful with OpenSSL 1.1.0x. When using
server certificate with EC key based on any other curve, the listener fails
TLS negotiation with misleading alert "no shared cipher", because the
context's curve set applies to both EECDH and ECDSA. (Certificates with RSA
keys work well.) Also, the EECDH itself is limited to use the only (from
today's perspective the weakest acceptable) curve for key negotiation.

Thanks to Tzafrir Cohen for the patch.

Change History (2)

comment:1 Changed 7 years ago by riza

  • Component changed from applications to pjlib
  • Milestone set to release-2.8

comment:2 Changed 7 years ago by riza

  • Resolution set to fixed
  • Status changed from new to closed

In 5787:

Fixed #2112: pjsip initializes EECDH incorrectly when linked with OpenSSL
1.1.0x.

Note: See TracTickets for help on using tickets.