drwetter/testssl.sh

Sanity Check: Are these key exchange values correct?

teward opened this issue · 2 comments

teward commented

Using 3.2rc2 from GitHub here.

I ran a test today against a site, and something irked me about the per-cipher output. It wasn't until I looked harder that I noticed what was irking me: these numbers don't look right.

```text
TLS 1.2
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
```

Many of these say ECDH 253 and not ECDH 256 as I would expect from things like an AES_256 cipher or similar. Do these ciphers really only have an ECDH 253 key exchange value, or is this a typo and intended to be ECDH 256, especially for TLS_AES_256_GCM_SHA* ciphers in TLS 1.3 and anything which uses an ECDHE-RSA-AES256-* value?

dcooper16 commented

Hi @teward,

The cipher suite (e.g., TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 or TLS_AES_256_GCM_SHA384) does not indicate what elliptic curve is used to perform the key exchange. So, using either of these cipher suites, key exchange could be performed using elliptic curves of varying strengths: X25519 (253), prime256v1 (256), brainpoolP512r1 (512), etc.

In the case of the server you tested, when TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 or TLS 1.3 was negotiated with the server, key exchange was performed using X25519, which OpenSSL lists as providing 253 bits of security strength.
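To make the reply concrete, here is an added Python example (not code from testssl.sh or from either participant in this issue) that reproduces where the 253 and 256 figures come from: for the curves named in the thread, the value printed next to "ECDH" equals the bit length of the curve's group order, which is why the same cipher suite can show 253 on one server and 256 on another. It assumes the published group orders from RFC 7748 (X25519) and FIPS 186-4 (prime256v1, secp384r1); secp384r1 is included beyond the thread's own examples to show the same rule on a third curve. The testssl.sh lines it parses are copied from the issue above as constructed sample input.

```python
import re

# Group orders of curves a TLS server commonly offers for ECDHE. These are the
# published constants (RFC 7748 for X25519, FIPS 186-4 for the NIST curves);
# the other curves the reply mentions (e.g. brainpoolP512r1) are omitted here.
CURVE_ORDERS = {
    "X25519": 2**252 + 27742317777372353535851937790883648493,
    "prime256v1": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "secp384r1": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973,
}


def group_bits(curve: str) -> int:
    """Bit length of the curve's group order. For these curves this is the
    number OpenSSL reports for the key, and hence what testssl.sh prints."""
    return CURVE_ORDERS[curve].bit_length()


def curve_for_bits(bits: int):
    """Reverse lookup: which known curve produces this 'ECDH <bits>' value?"""
    for name in CURVE_ORDERS:
        if group_bits(name) == bits:
            return name
    return None


# One cipher row of testssl.sh output: hexcode, OpenSSL name, Kx (with an
# optional bit count, absent for plain RSA key exchange), Enc, Enc bits, IANA name.
_ROW = re.compile(
    r"^\s*(?P<hex>x[0-9a-f]{4})\s+(?P<name>\S+)\s+(?P<kx>[A-Za-z]+)"
    r"(?:\s+(?P<kx_bits>\d+))?\s+(?P<enc>\S+)\s+(?P<enc_bits>\d+)\s+(?P<iana>\S+)"
)
_PROTO = re.compile(r"^(TLS|SSL) ?[\d.]+\s*$")


def parse_testssl_ciphers(text: str) -> list:
    """Parse the per-cipher table, carrying the protocol header into each row
    and attaching the curve that explains the reported ECDH bit count."""
    rows, proto = [], None
    for line in text.splitlines():
        if _PROTO.match(line):
            proto = line.strip()
            continue
        m = _ROW.match(line)
        if not m:
            continue  # banner text, blank lines, etc.
        kx_bits = int(m["kx_bits"]) if m["kx_bits"] else None
        rows.append({
            "proto": proto,
            "hex": m["hex"],
            "iana": m["iana"],
            "kx": m["kx"],
            "kx_bits": kx_bits,
            "curve": curve_for_bits(kx_bits) if m["kx"] == "ECDH" and kx_bits else None,
            "enc_bits": int(m["enc_bits"]),
        })
    return rows


def explain(text: str) -> list:
    """(IANA suite name, curve) pairs: the curve behind each 'ECDH n' column."""
    return [(r["iana"], r["curve"]) for r in parse_testssl_ciphers(text)]


# Constructed sample input: three rows taken from the issue report above.
SAMPLE = """\
TLS 1.2
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for curve in CURVE_ORDERS:
        print(f"{curve:12} order has {group_bits(curve)} bits")
    for r in parse_testssl_ciphers(SAMPLE):
        print(f'{r["proto"]:8} {r["iana"]:45} ECDH {r["kx_bits"]} -> {r["curve"]}')
```

Running it shows that the rows reporting ECDH 253 were negotiated with X25519 and the ECDH 256 row with prime256v1; the symmetric cipher's key size (the Enc bits column) is independent of which curve the server chose.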

teward commented

Ah, check, so that explains that. I need to specify the prime256v1 curve I think on the webserver for that.

Thanks for clearing that up @dcooper16 👍