-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS Module: The default ecdhCurve, prime256v1 (aka NIST P-256) is not safe. #1495
Comments
/cc @indutny |
Good catch, now which curve should we choose? My OpenSSL has these curves defined: https://gist.github.com/silverwind/9e9090833fce8acffa50 I'm having a hard time matching them to the curve names on http://safecurves.cr.yp.to/. Maybe we need to define a custom curve? |
According to http://security.stackexchange.com/a/78624 client support is pretty limited besides @mattcollier The linked SE answer raises some doubts about the 'not safe' statement. |
curve25519 is one of the candidates we adopt in the future but it's not been implemented in openssl yet. |
I think we should aim for secure by default. The curve is configurable with the ecdhCurve option or globally through the I don't know what a good replacement is, though. I don't think http://safecurves.cr.yp.to/ considers any of the existing curves in OpenSSL safe. |
I think this is a non-issue, let me quote above SE answer:
If anything, this should probably be brought up to OpenSSL |
Yeah, exactly. There are nothing we could do about it right now. Perhaps somewhere later when OpenSSL will implement these safe curves. |
I don't think that's true. The FIPS mandated curves are suspect because there is reason to believe the NSA may have influenced the decision making process around them. From https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929:
|
Let's be straight about it. There are three concerns that are mentioned on safecurves.cr.yp.to:
So only ladder and rigidity actually apply. This is not that great, but not totally bad either IMHO |
Yes, it is suspicion. How about adding |
Sounds good to me! |
@indutny Thanks. Probably it is following to Ben's comment. |
I understand there is little to be done at this time because openssl does not currently provide a better alternative. Is there some mechanism in place to keep this issue from being lost and forgotten? Perhaps a "good enough for now" tag? |
I think it is better to put a comment in the source as diff --git a/lib/tls.js b/lib/tls.js
index 3ae7a8f..44ea058 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -33,6 +33,7 @@ exports.DEFAULT_CIPHERS = [
'!CAMELLIA'
].join(':');
+// reconsider this when more safer curve is available.
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
exports.getCiphers = function() { |
I wonder if it's worth to explore client compatibilty for the |
@silverwind how is it different? |
@indutny ah, it's the same. I've just misread that table. |
|
I linked to the relevant openssl issue, openssl/openssl#309. |
Updates for curve25519:
|
X25519 is landed in openssl-1.1.0. openssl/openssl@7173624 |
Nice! What about browser support? |
Chrome Canary (50) has already support it. https://code.google.com/p/chromium/issues/detail?id=579716 |
What's the current status on this one? |
Isn't it only dependant on the OpenSSL update? Since when are clients our concern? 😉 |
It's about the default curve to use. I don't think we'd change it to something that's not very usable in a practical setting yet. And yes, we'd need to upgrade openssl first. |
And there is no OpenSSL 1.1.0 yet AFAIK |
OpenSSL 1.1.0 released, things can start moving ;). |
ping @nodejs/crypto ... what can we do on this one? |
We are waiting this until upgrading the forthcoming OpenSSL-1.1.1 in Node-v9 or v10. |
What about supporting multiple curves and defining a preferred order? Like nginx: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve |
For best out-of-the-box compatibility there should not be one default `ecdhCurve` for the tls client, OpenSSL should choose them automatically. See https://wiki.openssl.org/index.php/Manual:SSL_CTX_set1_curves(3) PR-URL: #16853 Refs: #16196 Refs: #1495 Refs: #15206 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Since OpenSSL 1.1.0 just landed, I think this can be looked at again. |
I think the discussion of the default curve is obsolete since it's default value has changed to 'auto', see af78840. |
Good find, I'll close this. |
There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation.
There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation. (cherry picked from commit 6792e91)
There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation. (cherry picked from commit 6792e91)
There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation. (cherry picked from commit 6792e91)
There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation. (cherry picked from commit 6792e91)
This document states that the default curve for the ecdhCurve parameter is prime256v1.
https://iojs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
Appendix A of this document indicates that prime256v1 is also known as NIST P-256.
http://www.rfc-editor.org/rfc/rfc4492.txt
This site indicates that NIST P-256 is not secure.
http://safecurves.cr.yp.to/
I recommend that a safe alternative should be chosen as the default and unsafe curves should not be made available.
Also posted to nodejs: nodejs/node-v0.x-archive#18205
The text was updated successfully, but these errors were encountered: