
[Question] is wolfSSL_set_tmp_dh discouraged in wolfSSL(like OpenSSL)?

Open space88man opened this issue 1 year ago • 5 comments

Version

master

Description

I am maintaining some legacy code that does wolfSSL_CTX_set_tmp_dh(). The equivalent function in OpenSSL is discouraged and it is recommended to use built-in well-known DH parameters enabled with SSL_CTX_set_dh_auto.

There is no equivalent of SSL_CTX_set_dh_auto in wolfSSL: is it necessary to set DH parameters or are there well-known defaults?

space88man avatar Jan 24 '24 03:01 space88man

Hi @space88man

I'll review this with the team tomorrow and provide an update.

Thanks, @embhorn

embhorn avatar Jan 24 '24 15:01 embhorn

Hi @space88man

For TLS, by default wolfSSL uses predefined DH param groups. You can override this using wolfSSL_CTX_set_tmp_dh.

embhorn avatar Jan 24 '24 17:01 embhorn

Hi @space88man

I believe we've answered your question. For more details or to create a feature request, please email [email protected]

embhorn avatar Jan 29 '24 14:01 embhorn

@embhorn - how does this work in practice?

Using: ./configure --enable-all --enable-pkcs11

In examples/echoserver/echoserver.c:

```c
332    #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
333        wolfSSL_SetTmpDH_file(ssl, dhParamFile, WOLFSSL_FILETYPE_PEM);
334    #elif !defined(NO_DH)
335        SetDH(ssl);  /* will repick suites with DHE, higher than PSK */
336    #endif
```

If I comment out the line with wolfSSL_SetTmpDH... then any connection attempt with a DHE_RSA_XXX cipher fails. From the echoserver perspective:

```
# client sends
openssl s_client -connect localhost:11111 -tls1_2 -cipher DHE-RSA-AES256-SHA256

# server reports
./echoserver
# I dump cipher list just to be sure DHE_RSA_XXX is supported
wolfSSL supported ciphers = TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256:TLS13-AES128-CCM8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CCM:DHE-PSK-NULL-SHA384:DHE-PSK-NULL-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM-8:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM-8:ECDHE-ECDSA-AES256-CCM8:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA256-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ADH-AES128-SHA:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-NULL-SHA:ECDHE-PSK-NULL-SHA256:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-GCM-SHA256:PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:EDH-RSA-DES-CBC3-SHA:WDM-NULL-SHA256
SSL_accept error = -501, can't match cipher suite
SSL_accept failed
```

If I restore line 333 I get:

```
New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: 36FAE32F4871797F88A7F866C2747FEC2F366466EFBCC585C38518099E5CF714
    Session-ID-ctx:
    Master-Key: D3A395CDC4BBE5C511192E3525686B881F17A7B9BBE522687FC1AA43D3EF94C626D61D2785137F751FE844A729177FD5
    PSK identity: None
    PSK identity hint: None
```

> Hi @space88man
>
> For TLS, by default wolfSSL uses predefined DH param groups. You can override this using wolfSSL_CTX_set_tmp_dh.

space88man avatar Feb 04 '24 17:02 space88man

Hi @space88man

As it turns out, for TLS1.2, you are required to send the p and g values. You can use the SetDH function to use default values in test.h: https://github.com/wolfSSL/wolfssl/blob/8853096290ee9046c53938946a1da01139de757d/wolfssl/test.h#L2501-L2553

embhorn avatar Feb 06 '24 23:02 embhorn
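The practical takeaway from the experiment above and from embhorn's answer is that a wolfSSL server offering DHE suites under TLS 1.2 must be given explicit p and g parameters; nothing is picked automatically. The following is an added example, not code from the wolfSSL project or from either participant in this issue. It sets the parameters once on the WOLFSSL_CTX (the echoserver does the per-connection equivalent with wolfSSL_SetTmpDH), applies a local policy check before handing them to the library, and pins a 2048-bit floor with wolfSSL_CTX_SetMinDhKey_Sz. The function names dh_bit_length, dh_params_acceptable, configure_dh and sample_check are this example's own; the modulus built by sample_check is a constructed byte pattern for exercising the check, not a real prime. The wolfSSL calls are compiled only when the wolfSSL headers are found, so the policy-check part runs anywhere.

```c
/* Added example: explicit DH parameters for a wolfSSL TLS 1.2 server.
 * Not code from the wolfSSL project; helper names are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<wolfssl/options.h>)
#    include <wolfssl/options.h>
#    include <wolfssl/ssl.h>
#    define EXAMPLE_HAVE_WOLFSSL 1
#  endif
#endif

/* Bit length of a big-endian unsigned integer (leading zero bytes ignored). */
size_t dh_bit_length(const unsigned char* buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i - 1) * 8;
    unsigned char top = buf[i];
    while (top) { bits++; top >>= 1; }
    return bits;
}

/* Compare two big-endian unsigned integers: <0, 0, >0 like memcmp. */
static int be_cmp(const unsigned char* a, size_t aSz,
                  const unsigned char* b, size_t bSz)
{
    while (aSz && *a == 0) { a++; aSz--; }
    while (bSz && *b == 0) { b++; bSz--; }
    if (aSz != bSz) return aSz < bSz ? -1 : 1;
    return memcmp(a, b, aSz);
}

/* Local policy applied before the library sees the parameters: p must be
 * at least min_bits long and odd, and the generator must satisfy 1 < g < p.
 * This is a sanity check only; it does not prove p is prime or that the
 * group is a well-known one (use a published group for that). */
int dh_params_acceptable(const unsigned char* p, size_t pSz,
                         const unsigned char* g, size_t gSz,
                         size_t min_bits)
{
    static const unsigned char one[1] = { 1 };
    if (pSz == 0 || gSz == 0) return 0;
    if (dh_bit_length(p, pSz) < min_bits) return 0;   /* too short */
    if ((p[pSz - 1] & 1) == 0) return 0;              /* even modulus */
    if (be_cmp(g, gSz, one, 1) <= 0) return 0;        /* g <= 1 */
    if (be_cmp(g, gSz, p, pSz) >= 0) return 0;        /* g >= p */
    return 1;
}

#ifdef EXAMPLE_HAVE_WOLFSSL
/* Install p/g on the CTX so every WOLFSSL object created from it inherits
 * them, and refuse to negotiate DHE below 2048 bits.  Returns 1 on success. */
int configure_dh(WOLFSSL_CTX* ctx,
                 const unsigned char* p, size_t pSz,
                 const unsigned char* g, size_t gSz)
{
    if (!dh_params_acceptable(p, pSz, g, gSz, 2048)) {
        fprintf(stderr, "DH parameters rejected by local policy\n");
        return 0;
    }
    /* Minimum is given in bits; must be set before SetTmpDH, which checks it. */
    if (wolfSSL_CTX_SetMinDhKey_Sz(ctx, 2048) != WOLFSSL_SUCCESS) return 0;
    if (wolfSSL_CTX_SetTmpDH(ctx, p, (int)pSz, g, (int)gSz) != WOLFSSL_SUCCESS) return 0;
    return 1;
}
#endif

/* Constructed input for trying the policy check: a modulus of pBytes bytes,
 * all 0xFF except the last, with a one-byte generator.  NOT a real prime. */
int sample_check(size_t pBytes, unsigned char lastByte, unsigned char gVal)
{
    unsigned char p[512];
    unsigned char g[1] = { gVal };
    if (pBytes == 0 || pBytes > sizeof(p)) return 0;
    memset(p, 0xFF, pBytes);
    p[pBytes - 1] = lastByte;
    return dh_params_acceptable(p, pBytes, g, 1, 2048);
}

int main(void)
{
    printf("2048-bit odd modulus, g=2: %d\n", sample_check(256, 0xFF, 2));
    printf("1024-bit modulus, g=2:     %d\n", sample_check(128, 0xFF, 2));
    printf("even modulus, g=2:         %d\n", sample_check(256, 0xFE, 2));
    printf("g=1:                       %d\n", sample_check(256, 0xFF, 1));
    return 0;
}
```

In a real server, p and g would come from a published group (the 2048-bit values in wolfSSL's test.h SetDH, or a PEM file loaded with wolfSSL_CTX_SetTmpDH_file as the echoserver does). Without configure_dh or an equivalent call, the handshake fails with the -501 "can't match cipher suite" error shown above whenever a client insists on a DHE suite.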

This question has been answered. Please feel free to reopen if there are further concerns.

embhorn avatar Feb 21 '24 22:02 embhorn