Bug 1080125

Summary: httpd uses hardcoded curve for ECDHE suites
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Martin Frodl <mfrodl>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: erich, hkario, isenfeld, jkaluza, jorton, mfrodl
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.6-29.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1153579 (view as bug list) Environment:
Last Closed: 2015-03-05 07:12:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1080128    
Bug Blocks: 1153579    

Description Alicja Kario 2014-03-24 17:47:09 UTC 
Description of problem:
If client prefers nistp384 curve over nistp256 curve, the server still negotiates connection with nistp256 curve. If the client does not support nistp256 curve, the connection won't work at all.

Version-Release number of selected component (if applicable):
mod_ssl-2.4.6-17.el7.x86_64
httpd-2.4.6-17.el7.x86_64
openssl-1.0.1e-33.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure apache with support for ECDHE suites
2. Connect using client that supports only nistp384 curve

Actual results:
The connection is aborted

Expected results:
The connection is successful

Additional info:
Issue requires an enhancement in openssl for automatic selection of curves:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e46c807e4f4eedb36dec70576d1562f252ff69a1

This mechanism is specified as REQUIRED (MUST) by RFC 4492 (Page 10, section 4; http://tools.ietf.org/html/rfc4492#page-10)
Comment 6 Martin Frodl 2014-10-01 15:15:21 UTC 
From what I could tell, the issue has been only partially solved in the new build. If the client does not support nistp256 curve, httpd is willing to negotiate over nistp384. On the other hand, if the client does support nistp256 but prefers another curve (nistp384 for instance), httpd uses nistp256 all the same.

Is such a behaviour OK with you, Hubert? It is not quite clear from the bug report whether you would like to see this fixed as well or if it can be tolerated for the time being. Skimming RFC 4492 I haven't found any explicit mention of the necessity to preserve the order requested by client.
Comment 7 Alicja Kario 2014-10-01 15:56:05 UTC 
Generally it's the client that mandates the preference, but it can overridden server side.

With 1.0.2 and upstream httpd preference of server or client curves is controlled by the `SSLHonorCipherOrder` setting. If it is set to `on`, the server preference for curves should be preserved. If it is `off` then the client preference for curves should be honoured. But both behaviours are acceptable. And since we support only large curves, bad curve selection or ordering from client won't reduce security.

OTOH, if the client advertises only curves unknown to server, the server shouldn't select ECDSA or ECDHE ciphers at all but fallback to DHE and/or RSA depending on enabled ciphers.
Comment 8 Martin Frodl 2014-10-02 09:23:07 UTC 
You're right, the SSLHonorCipherOrder directive was indeed set to 'on' in the test. I updated the test to switch it off and everything seems to be working just fine.
Comment 18 errata-xmlrpc 2015-03-05 07:12:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0325.html