Red Hat Bugzilla – Bug 1080125
httpd uses hardcoded curve for ECDHE suites
Last modified: 2015-03-05 02:12:32 EST
Description of problem: If client prefers nistp384 curve over nistp256 curve, the server still negotiates connection with nistp256 curve. If the client does not support nistp256 curve, the connection won't work at all. Version-Release number of selected component (if applicable): mod_ssl-2.4.6-17.el7.x86_64 httpd-2.4.6-17.el7.x86_64 openssl-1.0.1e-33.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Configure apache with support for ECDHE suites 2. Connect using client that supports only nistp384 curve Actual results: The connection is aborted Expected results: The connection is successful Additional info: Issue requires an enhancement in openssl for automatic selection of curves: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e46c807e4f4eedb36dec70576d1562f252ff69a1 This mechanism is specified as REQUIRED (MUST) by RFC 4492 (Page 10, section 4; http://tools.ietf.org/html/rfc4492#page-10)
From what I could tell, the issue has been only partially solved in the new build. If the client does not support nistp256 curve, httpd is willing to negotiate over nistp384. On the other hand, if the client does support nistp256 but prefers another curve (nistp384 for instance), httpd uses nistp256 all the same. Is such a behaviour OK with you, Hubert? It is not quite clear from the bug report whether you would like to see this fixed as well or if it can be tolerated for the time being. Skimming RFC 4492 I haven't found any explicit mention of the necessity to preserve the order requested by client.
Generally it's the client that mandates the preference, but it can overridden server side. With 1.0.2 and upstream httpd preference of server or client curves is controlled by the `SSLHonorCipherOrder` setting. If it is set to `on`, the server preference for curves should be preserved. If it is `off` then the client preference for curves should be honoured. But both behaviours are acceptable. And since we support only large curves, bad curve selection or ordering from client won't reduce security. OTOH, if the client advertises only curves unknown to server, the server shouldn't select ECDSA or ECDHE ciphers at all but fallback to DHE and/or RSA depending on enabled ciphers.
You're right, the SSLHonorCipherOrder directive was indeed set to 'on' in the test. I updated the test to switch it off and everything seems to be working just fine.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0325.html