Re: Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.

Fri, 02 Jul 2021 04:03:03 -0700 



On 01/07/2021 07:21, vinod mg wrote:

    1) Supress or a way to remove secp521r1 from the currenlty installed
    openssl.



You can specify the list of groups by calling SSL_CTX_set1_groups_list 
(or SSL_set1_groups_list) from your application. See:


https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html


    2) Add the cipher - "0xbaba   TLS_GREASE_BA   GREASE" like we see in
    chrome.



This is not a real cipher. It does nothing and is always ignored. 
OpenSSL does not support sending this value.


Matt




    I am ok with custom install as well, if above cannot be done with
    already installed openssl package. Please share any wiki I can
    follow to impliment the same.

    ~]# openssl ecparam -list_curves

    secp224r1 : NIST/SECG curve over a 224 bit prime field

    secp256k1 : SECG curve over a 256 bit prime field

    secp384r1 : NIST/SECG curve over a 384 bit prime field

    /secp521r1 : NIST/SECG curve over a 521 bit prime field/

    prime256v1: X9.62/SECG curve over a 256 bit prime field


    I am using below OS and version-

    # cat /etc/redhat-release

    Red Hat Enterprise Linux release 8.3 (Ootpa)


    # opensslversion -a

    OpenSSL 1.1.1g FIPS21 Apr 2020

    built on: Thu Mar 25 16:46:53 2021 UTC

    platform: linux-x86_64

    options:bn(64,64) md2(char) rc4(16x,int) des(int) idea(int)
    blowfish(ptr)

    compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g
    -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
    -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
    -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
    -fasynchronous-unwind-tables -fstack-clash-protection
    -fcf-protection -Wa,--noexecstack
    -Wa,--generate-missing-build-notes=yes
    -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE
    -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
    -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
    -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM
    -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY
    -DDEVRANDOM="\"/dev/urandom\""
    -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"

    OPENSSLDIR: "/etc/pki/tls"

    ENGINESDIR: "/usr/lib64/engines-1.1"

    Seeding source: os-specific

    engines:rdrand dynamic


    Really appriciate your time and help, thanks in advance.

    Thanks,
    Vinod























					Reply via email to