
I have a piece of hardware with an outdated list of default cipher suites. We update that list via configuration, but to get the configuration it first needs to talk to a provisioning server.

I've done a packet capture of the handshake, and the most secure ciphersuite that is supported in the default configuration is TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384. Knowing that ECDH key exchange is not advised due to lack of forward secrecy, I want to enable it nevertheless. But, I don't see this entry listed in the output from openssl ciphers and Nginx ignores my attempts to enable it in config.

My environment is Nginx 1.20 built with OpenSSL 3.0.7 running on Alma Linux 9.3. I have already tried update-crypto-policies --set LEGACY with no luck.

Is there any way to enable this ciphersuite? Is it so dangerously weak that it's been completely removed even from the LEGACY crypto policy (which still allows things like TLS_RSA_PSK_WITH_AES_128_CBC_SHA)?

  • OpenSSL 1.1.0 up, including all 3.x, does not implement static-ECDH suites -- or static-DH either, although previous versions back to 0.9.8 supported static-ECDH and 1.0.2 had just added static-DH. This is apparently because the state machine logic was rewritten for 1.1.0 after the 'SMACK' attacks, and I guess it wasn't considered worth the effort to re-implement the (significantly different) state machine for static-XXDH, which isn't absolutely insecure in itself but does not provide any real benefit over plain-RSA like ephemeral-XXDH does. ... Commented Feb 21 at 1:23
  • ... If you don't want to go to the trouble of self-building (and supporting) nginx, or some other real server like apache or nodejs or python(?), with a no-longer-supported OpenSSL, you could build a (much simpler) stunnel or socat to put in front. Or, FWIW, you could use Java LTS versions (8 11 17) but not recent (20 up). Commented Feb 21 at 1:27

1 Answer


Got my answer in comments and from the same user's answer on Stack Overflow to a similar question:

The static-ECDH suites were partly implemented in late 0.9.x and fully in 1.0.0-2, although the ones that use GCM (or other AEAD) or SHA-2 are specific to TLS1.2 and thus only work in 1.0.1-2. In contrast, static-DH (now called static-FFDH to avoid ambiguity) suites were not implemented originally, and added in 1.0.2. However 1.1.0 and up (i.e. after SMACK and also Heartbleed) entirely replaced the accreted-over-time handshake logic with a new more rigorous one, and in the process it removed the implementations of both static-ECDH and static-FFDH. It also removed the export suites and the code for SSLv2 which is no longer even buildable, in contrast to SSLv3 which in 1.1.0 up is disabled by default (that was also the first feature-change version after POODLE) but can still be enabled if you really want.

Seems weird that they would just wipe out a family of cipher suites, but it seems they were never that popular.
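Two checks a practitioner would want to run before concluding that the hardware's offered suite can never be negotiated: read the cipher suites the device actually offers in its ClientHello (the packet capture mentioned in the question) and classify each by key exchange, and ask the locally linked OpenSSL whether it implements a given suite at all (the point the answer makes about 1.1.0 and up). The example below is added here and is not code from the question, the answer, or the OpenSSL or Nginx projects. The ClientHello bytes are constructed sample data with a zeroed random field, the cipher suite table is a hand-picked subset of the IANA registry, and `local_openssl_supports` relies on Python's `ssl` module exposing the cipher list of whatever OpenSSL it was built against.

```python
import ssl
import struct

# Subset of the IANA TLS cipher suite registry (real code points, constructed table).
SUITES = {
    0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",   # static ECDH: no forward secrecy
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # ephemeral ECDH
    0x0031: "TLS_DH_RSA_WITH_AES_128_CBC_SHA",          # static FFDH: no forward secrecy
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",      # ephemeral FFDH
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",          # RSA key transport
    0x0094: "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",         # still in the LEGACY policy
    0x1302: "TLS_AES_256_GCM_SHA384",                   # TLS 1.3: key exchange is always ephemeral
}


def key_exchange(name):
    """Return the key-exchange token of an IANA suite name, or 'TLS1.3' for 1.3 suites."""
    if "_WITH_" not in name:
        return "TLS1.3"
    return name[len("TLS_"):name.index("_WITH_")]


def has_forward_secrecy(name):
    """Ephemeral (EC)DH, including the DHE_PSK/ECDHE_PSK variants, and TLS 1.3 give forward secrecy."""
    kx = key_exchange(name)
    return kx == "TLS1.3" or "DHE" in kx


def build_client_hello(codes):
    """Construct a minimal TLS 1.2 ClientHello record offering `codes` (sample data, not real traffic)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random (zeroed), empty session id
    hello += struct.pack("!H", 2 * len(codes))
    hello += b"".join(struct.pack("!H", c) for c in codes)
    hello += b"\x01\x00"                               # compression_methods: null only
    hello += b"\x00\x00"                               # extensions: none
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the offered cipher suite code points from a raw TLS ClientHello record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or body[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + hello[pos]                              # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def summarize(codes):
    """Map each offered code point to (hex, name, key exchange, forward-secrecy flag)."""
    rows = []
    for code in codes:
        name = SUITES.get(code, "UNKNOWN")
        rows.append((f"0x{code:04X}", name, key_exchange(name), has_forward_secrecy(name)))
    return rows


def local_openssl_supports(openssl_name):
    """True if the OpenSSL linked into this Python implements the suite (OpenSSL-style name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")             # every suite the build implements, not just defaults
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


# Constructed sample: what a device with an outdated default list might offer.
SAMPLE_HELLO = build_client_hello([0xC02E, 0x0031, 0x009C, 0x0094, 0xC02C, 0x009E, 0x1302])

if __name__ == "__main__":
    for row in summarize(parse_client_hello(SAMPLE_HELLO)):
        print(row)
    for suite in ("ECDH-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"):
        print(suite, "implemented locally:", local_openssl_supports(suite))
```

Running the classifier over a real capture (substitute the ClientHello bytes from the pcap for `SAMPLE_HELLO`) shows at a glance which of the device's offered suites a modern server can actually pick; the local check uses OpenSSL's `ALL:COMPLEMENTOFALL` list, so a suite missing there is absent from the library itself and no Nginx `ssl_ciphers` string or crypto-policy setting will bring it back.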

