Bug 1080128

Summary: Backport automatic selection of curves for ECDHE
Product: Red Hat Enterprise Linux 7 Reporter: Hubert Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: jkaluza, ksrot, tmraz
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.0.1e-37.el7 Doc Type: Enhancement
Doc Text:
Feature: Allow the TLS server to automatically select the ECC curve from among the curves supported by the TLS client. Reason: In the previous OpenSSL package the curve that TLS server supports could be chosen only by the server implementation and could not be automatically selected from a set which was too restrictive and clients which do not support that pre-selected curve could not use ECDH cipher suites. Result: The server can now automatically choose a curve from the list of curves supported by the client. However this needs to be appropriately enabled by API call in the concrete TLS server implementation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 11:03:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1080127    
Bug Blocks: 1080125, 1153579    

Description Hubert Kario 2014-03-24 17:56:51 UTC 
Description of problem:
According to RFC 4492 (page 10, section 4; http://tools.ietf.org/html/rfc4492#page-10), the server MUST select a curve supported by the client. Current API does allow only hardcoding the selected curve on context initialisation.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-33.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup server that supports all NIST curves, provide nistp256 curve as preferred for ECDHE negotiation
2. Connect to server using client that supports only nistp384 curve

Actual results:
Connection is aborted

Expected results:
Connection is successful

Additional info:
Bug 1080127 will need to be resolved for automatic verification.
Comment 12 Jiri Herrmann 2014-12-12 15:32:22 UTC 
If this Feature should be included in the 7.1 Release Notes, could you please change the Doc Type from Enhancement to "Release Note"?

Note that the Release Notes are intended to list the most prominent and customer-relevant new features rather than every single enhancement.

Cheers,
Jirka
Comment 13 Tomas Mraz 2015-01-02 10:13:00 UTC 
No release note needed.
Comment 15 errata-xmlrpc 2015-03-05 11:03:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0478.html