disable elliptic curves P-384 and P-521 for TLS. (#5845)

This change disables the non-constant-time implementations of P-384 and P-521.
As a consequence a client using just these curves cannot connect to the server.
This should be no real issues because (all) clients at least support P-256.

Further this change also rejects ECDSA private keys of P-384 and P-521.
While non-constant-time implementations for the ECDHE exchange don't expose an
obvious vulnerability, using P-384 or P-521 keys for the ECDSA signature may allow
pratical timing attacks.

Fixes #5844
master
Andreas Auernhammer 7 years ago committed by kannappanr
parent c733fe87ce
commit 21a3c0f482
  1. 12
      cmd/certs.go
  2. 4
      cmd/http/server.go
  3. 3
      docs/tls/README.md

@ -17,6 +17,8 @@
package cmd package cmd
import ( import (
"crypto"
"crypto/ecdsa"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
@ -142,6 +144,16 @@ func getSSLConfig() (x509Certs []*x509.Certificate, rootCAs *x509.CertPool, tlsC
if cert, err = loadX509KeyPair(getPublicCertFile(), getPrivateKeyFile()); err != nil { if cert, err = loadX509KeyPair(getPublicCertFile(), getPrivateKeyFile()); err != nil {
return nil, nil, nil, false, err return nil, nil, nil, false, err
} }
// Ensure that the private key is not a P-384 or P-521 EC key.
// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
if name := pub.Params().Name; name == "P-384" || name == "P-521" { // unfortunately there is no cleaner way to check
return nil, nil, nil, false, fmt.Errorf("TLS: the ECDSA curve '%s' is not supported", name)
}
}
}
tlsCert = &cert tlsCert = &cert

@ -172,6 +172,9 @@ var defaultCipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
} }
// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
// NewServer - creates new HTTP server using given arguments. // NewServer - creates new HTTP server using given arguments.
func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server { func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server {
var tlsConfig *tls.Config var tlsConfig *tls.Config
@ -179,6 +182,7 @@ func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificat
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
CipherSuites: defaultCipherSuites, CipherSuites: defaultCipherSuites,
CurvePreferences: secureCurves,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
NextProtos: []string{"http/1.1", "h2"}, NextProtos: []string{"http/1.1", "h2"},
} }

@ -43,6 +43,9 @@ or protect the private key additionally with a password:
```sh ```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
``` ```
Notice that the NIST curves P-384 and P-521 are not supported yet.
2. **RSA:** 2. **RSA:**
```sh ```sh
openssl genrsa -out private.key 2048 openssl genrsa -out private.key 2048

Loading…
Cancel
Save