Open Bug 1245531 Opened 9 years ago Updated 1 year ago

Disable deprecated curves (potentially only for TLS 1.3)

Categories

(NSS :: Libraries, defect, P3)

3.18

Tracking

(Not tracked)

People

(Reporter: ekr, Unassigned)

References

(Blocks 1 open bug)

Details

No description provided.
Priority: -- → P3

I don't see any option in about:config to order curves, what am I missing?

See the last table on this page, choosing Safe Curves: https://safecurves.cr.yp.to/index.html

The only perfectly secure curves are:

Curve1174
Curve25519 (the only secure curve in windows that I am aware of)
Curve41417 formerly named Curve3617
Curve383187 authors subsequently recommended switching to M-383
M-221 formerly named Curve2213
M-383
M-511 formerly named Curve511187
E-222
E-382
E-521
Ed448-Goldilocks

Insecure Curves include:

NIST P-224
NIST P-256
secp256k1
NIST P-384
Anomalous
BN(2,254)
brainpoolP256t1
ANSSI FRP256v1
brainpoolP384t1

SafeCurves is joint work by the following authors (alphabetical order):

Daniel J. Bernstein, University of Illinois at Chicago, USA, and Technische Universiteit Eindhoven, Netherlands
Tanja Lange, Technische Universiteit Eindhoven, Netherlands

(In reply to tutudid from comment #1)

Please don't spam multiple bugs with the same comment. There's no way to do this ordering currently in Firefox as libSSL doesn't support it. See bug 1267894.

QA Contact: jjones

Two points:

  1. In TLS, the server is primarily responsible for selecting the curve (in TLS 1.2, entirely, and in TLS 1.3, ultimately, but the client has an initial input via KeyShares). So, exposing the client's preferences is only useful to some extent.

  2. If you want EC at all, it is generally not feasible to disable support for P-256. The reason for this is that a lot of servers do not support X25519 (and the rest of the curves you list, even less so), and it is not presently possible to get valid WebPKI certificates for Ed25519. IOW, if you want to avoid high levels of breakage, you either need to be willing to have P-256 or to allow static RSA.

Yes I was told by Franziskus Kiefer that "It's implemented in NSS but there's no mechanism to do this in Firefox at the moment. That's easy to do though."

Eric Rescorla. In Windows Schannel, set to TLS 1.2, with the curve whitelist set to only 'Curve25519', connections to Windows Update use Curve25519; when only p256 is enabled, it uses p256. So I'm not sure what you are talking about. Maybe the libraries you are referring to don't support it, but it works in Windows 10.

(In reply to tutudid from comment #4)

> Yes I was told by Franziskus Kiefer that "It's implemented in NSS but there's no mechanism to do this in Firefox at the moment. That's easy to do though."

Yes, that's correct. But it would still need to be done, and for the reasons above, it wouldn't have much value.

> Eric Rescorla. In Windows Schannel, set to TLS 1.2, with the curve whitelist set to only 'Curve25519', connections to Windows Update use Curve25519; when only p256 is enabled, it uses p256. So I'm not sure what you are talking about. Maybe the libraries you are referring to don't support it, but it works in Windows 10.

The question isn't what Win10 supports, but what the collection of servers on the Internet support. If you turn off P-256 and connect to a server which doesn't support X25519, then you will either get some non-EC cipher (e.g., static RSA), or if you have disabled non-EC algorithms, a failure. I don't have a scan to hand, but even though Firefox supports both Curve25519 and P-256, we still have a very large fraction of P-256, which suggests that there are still a lot of P-256-only servers.

Severity: normal → S3

I don't think we should disable deprecated curves; we only need to put them at the lowest priority in the TLS Client Hello and put safe curves at the front, so the server will prefer using X25519 (or X448 etc. in the future) and potential compatibility problems are avoided. I am afraid that if we totally disable them and a user opens a site that only supports unsafe curves, such as P-256, the connection will fail, and the user may complain about it, or even worse, go to the Chromium-based browser camp.

The best way is to contact the Chromium and Safari teams (or even OpenSSL) to disable them together.
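To make the ordering discussion above concrete, here is an added example (not code from NSS, Firefox, or anyone in this bug) that parses and re-encodes the TLS supported_groups extension body as defined in RFC 8446, moves X25519/X448 to the front while keeping P-256 as a fallback rather than removing it, and models the server-side pick that ultimately decides the outcome. The group identifiers are the IANA-registered values; the sample extension bytes are constructed for this example.

```python
import struct

# IANA "TLS Supported Groups" identifiers (RFC 8422 / RFC 8446 / RFC 7919).
NAMED_GROUPS = {
    0x0017: "secp256r1",   # NIST P-256
    0x0018: "secp384r1",   # NIST P-384
    0x0019: "secp521r1",   # NIST P-521
    0x001D: "x25519",
    0x001E: "x448",
    0x0100: "ffdhe2048",   # finite-field DH, not a curve
}
# Groups the comment above wants listed first in the ClientHello.
PREFERRED = [0x001D, 0x001E]


def parse_supported_groups(ext_body):
    """Parse a supported_groups extension body (RFC 8446 section 4.2.7):
    a uint16 byte length followed by that many bytes of uint16 NamedGroup."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    data = ext_body[2:2 + length]
    if len(data) != length or length % 2 != 0:
        raise ValueError("bad supported_groups list length")
    return list(struct.unpack("!%dH" % (length // 2), data))


def encode_supported_groups(groups):
    """Inverse of parse_supported_groups: length prefix + uint16 list."""
    body = struct.pack("!%dH" % len(groups), *groups)
    return struct.pack("!H", len(body)) + body


def reorder_preferences(groups, preferred=PREFERRED):
    """Move preferred groups to the front but keep every offered group,
    so a P-256-only server still has something to choose (no breakage)."""
    front = [g for g in preferred if g in groups]
    return front + [g for g in groups if g not in front]


def server_select(client_groups, server_prefs):
    """Model of server-side selection (TLS 1.2 style): the server walks
    its own preference list and takes the first group the client offered.
    Returns None when there is no overlap, i.e. the handshake would fail."""
    for g in server_prefs:
        if g in client_groups:
            return g
    return None


# Constructed sample: a client that currently lists P-256 before X25519.
SAMPLE = bytes.fromhex("0008" "0017" "0018" "001d" "0100")
```

Note that even after reordering, `server_select` shows a server preferring P-256 still negotiates P-256, which is the point made earlier in the thread.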
