Ticket #2112 (closed defect: fixed)

Opened 6 months ago

Last modified 6 months ago

Initialization of ephemeral ECDH (EECDH) when accepting TLS session works incorrectly when linked with OpenSSL 1.1.0x

Reported by: riza Owned by: bennylp
Priority: normal Milestone: release-2.8
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

In OpenSSL 1.1.0 the ephemeral ECDH is already initialized in automatic mode, so there is really no need to do anything explicit about it.

=== begin citation ===
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means that
the
     "-no_ecdhe" option has been removed from s_server.
https://www.openssl.org/news/changelog.html#x10
=== end citation ===

The code in ssl_sock_ossl.c falls to branch initializing only prime256v1 (aka secp256r1) elliptic curve in the context, after the call SSL_CTX_ctrl(ctx,94,1,NULL) is unsuccessful with OpenSSL 1.1.0x. When using server certificate with EC key based on any other curve, the listener fails TLS negotiation with misleading alert "no shared cipher", because the context's curve set applies to both EECDH and ECDSA. (Certificates with RSA keys work well.) Also, the EECDH itself is limited to use the only (from today's perspective the weakest acceptable) curve for key negotiation.

Thanks to Tzafrir Cohen for the patch.

Change History

comment:1 Changed 6 months ago by riza

  • Component changed from applications to pjlib
  • Milestone set to release-2.8

comment:2 Changed 6 months ago by riza

  • Status changed from new to closed
  • Resolution set to fixed

In 5787:

Fixed #2112: pjsip initializes EECDH incorrectly when linked with OpenSSL
1.1.0x.

Note: See TracTickets for help on using tickets.