Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not detecting 'insufficient' Eliptic Curves - TLS #675

Open
dennisbaaten opened this issue Mar 14, 2022 · 1 comment
Open

Not detecting 'insufficient' Eliptic Curves - TLS #675

dennisbaaten opened this issue Mar 14, 2022 · 1 comment
Assignees
@mxsasha @baknu
Labels
bug Unexpected or unwanted behaviour of current implementations tls
Milestone
tls-update

Comments

@dennisbaaten
Copy link
Contributor

Currently not all Elliptic Curves are detected and/or classified correctly. The IT Security Guidelines for Transport Layer Security (NCSC) lists four EC's that are "Good", one that is "Phase out", and all other curves are "Insufficient":

Good: secp384r1, secp256r1, curve 448, curve 25519
Phase out: secp224r1
Insufficient: Other curves

When some of these of these other curves are offered, they are not detected and the Key Exchange Parameters test passes.

Example:
https://en.internet.nl/site/preac35.portaltalk.net/1528602/#control-panel-14

SSLlabs:
https://www.ssllabs.com/ssltest/analyze.html?d=preac35.portaltalk.net&hideResults=on

secp256r1
secp521r1
brainpoolP512r1
brainpoolP384r1
secp384r1
brainpoolP256r1
secp256k1
sect571r1
sect571k1
sect409k1
sect409r1
sect283k1
sect283r1

Immuniweb:
https://www.immuniweb.com/ssl/preac35.portaltalk.net/zLroHaOP/

P-256 (prime256v1) (256 bits)
P-521 (secp521r1) (521 bits)
brainpoolP512r1 (512 bits)
brainpoolP384r1 (384 bits)
P-384 (secp384r1) (384 bits)
brainpoolP256r1 (256 bits)
secp256k1 (256 bits)
B-571 (sect571r1) (570 bits)
K-571 (sect571k1) (570 bits)
K-409 (sect409k1) (407 bits)
B-409 (sect409r1) (409 bits)
K-283 (sect283k1) (281 bits)
B-283 (sect283r1) (282 bits)
@baknu baknu added the bug Unexpected or unwanted behaviour of current implementations label Oct 21, 2022
@baknu baknu added this to the v1.8 milestone Oct 21, 2022
@baknu baknu changed the title Not detecting 'insufficient' Eliptic Curves Not detecting 'insufficient' Eliptic Curves - TLS Oct 21, 2022
@mxsasha
Copy link
Collaborator

mxsasha commented Apr 11, 2023

We should evaluate this in context of #714 rather than fix in the current code.

@mxsasha mxsasha added the notnow label Apr 26, 2023
@mxsasha mxsasha modified the milestones: v1.8, v1.9 Sep 5, 2023
@mxsasha mxsasha added the tls label Jan 9, 2024
@mxsasha mxsasha modified the milestones: v1.9, tlsupdate Jan 9, 2024
@baknu baknu removed the notnow label Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mxsasha mxsasha

@baknu baknu

Labels
bug Unexpected or unwanted behaviour of current implementations tls
Milestone
tls-update
Development

No branches or pull requests
3 participants
@mxsasha @baknu @dennisbaaten