Viktor Dukhovni:
> [ The devel list majordomo is not doing too well just now, so please
> pardon my use of postfix-users instead. ]
>
> In TLS 1.3 the key exchange parameters, whether elliptic curve (ECDHE or
> ECX, where ECX is one of X25519 or X448) or finite-field (FFDHE), are always
> from a negotiated list of well-known groups (no ad-hoc key exchange
> parameters).
>
> --- OpenSSL 1.1.1
>
> In OpenSSL 1.1.1 the TLS 1.3 implementation supports only EC key exchange
> (ECDHE and ECX), the finite-field (FFDHE) groups are available only for TLS
> 1.0–1.2. The APIs for configuring FFDHE parameters and ECDHE curves are
> separate and setting the supported EC curve list does not affect the choice
> of or the availability of FFDHE groups (server-side only).
>
> When TLS 1.2 is negotiated and "auto" FFDHE group selection is not preëmpted
> by configuring an explicit set of DH parameters (in Postfix that would be
> via smtpd_tls_dh1024_param_file), the server selects one of the "standard"
> (https://www.rfc-editor.org/rfc/rfc7919#appendix-A) FFDHE groups based on
> the configured security level, the strength of the certificate private key,
> or else the symmetric cipher.
>
> --- OpenSSL 3.0
>
> OpenSSL 3.0 adds support for FFDHE in TLS 1.3. An SSL_CTX or SSL handle now
> has a single "groups" element that stores the combined list of supported EC
> and FFDHE code points. The legacy API for setting the EC curve list is now
> an alias for setting this combined list.
>
> This means that applications not tweaked for OpenSSL 3.0 that explicitly set
> the EC curve list to just some list of EC curves end up disabling the newly
> supported FFDHE groups in TLS 1.3. Whether this is a feature or a bug, it
> is certainly not expected.
>
> --- Postfix
>
> The default list of EC groups compiled into Postfix 3.7 and later is:
>
>     tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1
>
> this makes no mention of FFDHE groups, so they remain disabled in TLS
> 1.3 even with OpenSSL 3.0 where they are by default supported.
>
> If we wish to interoperate with hypothetical SMTP servers or clients that
> only support FFDHE (perhaps some emergency makes it necessary to disable the
> EC groups), we need to ask OpenSSL to instead enable something along the
> lines of:
>
>     X25519 X448 prime256v1 secp521r1 secp384r1 ffdhe2048 ffdhe3072
>
> [ I'm disinclined to by default enable FFDHE at 4096 bits and up, these
> are CPU hogs with no clear security benefit. ]
>
> But doing this in a backwards-compatible way, that still works for any
> users who were brave enough to set "tls_eecdh_auto_curves" expecting
> to just limit the EC groups, means that we'll need two parameters with
> the below defaults:
>
>     tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1
>     tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072
>
> When Postfix is linked with OpenSSL 3.0, the two lists will be merged
> together.
>
> Any comments or questions?

Assuming that these finite fields are different than the finite fields
that elliptic curve cryptography is based on, the proposed parameter
structure seems sensible to me.

[ and sorry about the postfix-devel mishap - we're overdue with the
mailing list migration to a new host ]

	Wietse
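
The merge proposed in the quoted message, as an added C sketch that is not Postfix's or OpenSSL's own code: it joins the two parameter values into the colon-separated string that `SSL_CTX_set1_groups_list()` takes, adding the FFDHE names only when the library version is 3.0 or later. The names `build_groups_list` and `has_group`, the accepted separators and the duplicate handling are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define OSSL_3_0 0x30000000UL /* OPENSSL_VERSION_NUMBER of OpenSSL 3.0.0 */
#define SEP " \t\r\n,"        /* assumed separators in a parameter value */

/* Is the n-byte name already in the colon-separated list? */
static int has_group(const char *list, const char *name, size_t n)
{
    for (size_t m; *list; list += m + (list[m] == ':'))
        if ((m = strcspn(list, ":")) == n && strncmp(list, name, n) == 0)
            return 1;
    return 0;
}

/* EC names always, FFDHE names only from OpenSSL 3.0 on; -1 if out is full. */
int build_groups_list(char *out, size_t cap, unsigned long libver,
                      const char *eecdh, const char *ffdhe)
{
    const char *src[2] = { eecdh, libver >= OSSL_3_0 ? ffdhe : "" };
    size_t len = 0, n;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < 2; i++)
        for (const char *p = src[i]; ; p += n) {
            p += strspn(p, SEP);
            if ((n = strcspn(p, SEP)) == 0)
                break;
            if (has_group(out, p, n))
                continue; /* listed twice: keep the first position */
            if (len + (len > 0) + n + 1 > cap)
                return -1;
            if (len > 0)
                out[len++] = ':';
            memcpy(out + len, p, n);
            out[len += n] = '\0';
        }
    return 0;
}

int main(void)
{
    char buf[128]; /* inputs below: the defaults proposed in the message */
    if (build_groups_list(buf, sizeof buf, OSSL_3_0,
            "X25519 X448 prime256v1 secp521r1 secp384r1",
            "ffdhe2048 ffdhe3072") == 0)
        puts(buf);
    return 0;
}
```

An existing setting that names only EC curves keeps its order and meaning, and the FFDHE groups are appended after it rather than silently dropped.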