book cover

OpenSSL Cookbook  3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step by step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.

2.9 Testing Named Groups

Named groups are predefined cryptographic parameters that are used for key exchange. In TLS 1.3, named groups include both elliptic curve (EC) and finite field (DH) parameters. TLS 1.2 and earlier generally use only predefined elliptic curves; the server provides DH parameters on every connection.1 In a handshake, the client and server have to agree on a common named group over which the key exchange will take place, and it’s important that the selected group satisfies desired security requirements.

In practice, there is seldom a need to test servers for named groups. Although there’s a fair number of named groups in various RFCs, OpenSSL is probably the only major client to have extensive support. Historically, you could only use NIST’s P-256 and P-384 EC groups because these were the only widely supported curves. Relatively recently, X25519 and X448 groups were added as an alternative. Because all these curves are strong, there is little need to spend time thinking about them.

You may find yourself testing named group configuration usually to understand what your web server is doing. For example, you may care about X25519 and want to ensure it’s available and preferred. To test for this, use the s_client tool and the -curves switch. For example, here’s how to determine if a single named group is supported:

$ echo | openssl s_client -connect hardenize.com:443 -curves X25519 2>/dev/null | grep "Server Temp Key"
Server Temp Key: X25519, 253 bits

On success, you will see the named group in the output, because that’s the group that was selected for the handshake. On failure, you may see no output, which means that the handshake failed. Alternatively, the server, unable to negotiate an ECDHE suite, may fall back to a DHE suite, indicated by the following output:

Server Temp Key: DH, 2048 bits

If you need to test for named group preference, you need to offer two or more named groups, with your preferred one last. If you see it negotiated, that will mean that the server actively chooses the group it considers most appropriate. Use colons to separate the groups and be aware that the names are case-sensitive.

$ echo | openssl s_client -connect hardenize.com:443 -curves prime256v1:X25519 2>/dev/null | grep "Server Temp Key"
Server Temp Key: X25519, 253 bits
🛈︎
Note

You can get the complete list of elliptic curves supported by OpenSSL using the ecparam tool and the -list_curves switch. To that list, add X25519 and X448. Support for finite field groups is currently not available but should arrive with OpenSSL 3.0.

1

RFC 7919, which came out in 2016, redefined the elliptic_curves TLS extension to support finite field groups and changed the extension name to supported_groups. Although this extension applies to TLS 1.2, support for it is not widespread.

< Prev
^ Table of Contents
Next >