libssl: support for ed25519 server certificates #821
Comments
We added support for the cryptographic primitive in libcrypto. Support
for the signature algorithm has not yet been added to libssl. It is very
easy to do for TLSv1.3 (I have a diff for that somewhere), but it needed
a bit more thought for TLSv1.2 (which is the old implementation).
I cannot guarantee that this will make the 3.7-stable release.

Ok, thanks

Is there a way to speed this port up?

Is there a way to speed this port up?
Not really. It is definitely too late for new features in this release
cycle - the OpenBSD tree is almost locked for new features. It will have
to wait for LibreSSL 3.8.
We tried a workaround but it didn't solve the issue.
I'm not sure I follow.
The initial question was why Ed25519 is not offered in the handshake.
What's missing is some code to support the signature algorithm in
libssl. This requires changes in how some signatures are calculated
since Ed25519 works differently from the other, currently supported,
sigalgs. This isn't difficult to do, but it needs to be done and, more
importantly, tested before the release artifacts are built.
Is there a release date scheduled?
Stable releases are usually around May 1 and November 1, sometimes a bit
earlier.

What exactly are you trying to work around?

A customer had a server certificate with ED25519. I disabled the server certificate check itself in the client (tls_config_insecure_noverifycert) as a workaround to get at least a connection, but the handshake still failed. Probably because of the ephemeral key.

As written in the release notes of version 3.7.0, the support of Ed25519 was added.
However I tried out the command line tool s_client of that version and I don't see in Wireshark that the client offers that algorithm.
Do I need to use some special parameter for the client to activate that?
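
Added example, not part of the original issue and not LibreSSL code: one way to confirm what the Wireshark capture shows is to parse the `signature_algorithms` extension of the ClientHello and look for the `ed25519` code point (0x0807 in RFC 8446). The function names are hypothetical and the sample ClientHello is constructed in the script, not taken from a real capture.

```python
import struct

ED25519 = 0x0807                 # SignatureScheme ed25519 (RFC 8446, section 4.2.3)
EXT_SIGNATURE_ALGORITHMS = 13    # ExtensionType signature_algorithms
EXT_SUPPORTED_VERSIONS = 43

def offered_sigalgs(hello: bytes) -> list:
    """Return the SignatureScheme code points offered in a ClientHello
    handshake message (record-layer header already stripped)."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    try:
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SIGNATURE_ALGORITHMS:
                n = int.from_bytes(data[:2], "big")          # byte length of the list
                stop = min(2 + n, len(data) - 1)             # ignore a cut-off entry
                return [int.from_bytes(data[i:i + 2], "big") for i in range(2, stop, 2)]
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return []                                                # extension absent

def build_hello(sigalgs) -> bytes:
    """Constructed sample ClientHello (not a real capture) with two extensions."""
    schemes = b"".join(s.to_bytes(2, "big") for s in sigalgs)
    sig_data = len(schemes).to_bytes(2, "big") + schemes
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    exts += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sig_data)) + sig_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + len(exts).to_bytes(2, "big") + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for label, algs in (("without", [0x0403, 0x0804, 0x0401]),
                        ("with", [0x0403, 0x0807, 0x0804])):
        offered = offered_sigalgs(build_hello(algs))
        print(label, [hex(a) for a in offered], "ed25519 offered:", ED25519 in offered)
```
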