Proper key share selection ranking #8024
Assignees
Comments
Frauschi
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version
master
Description
Consider an application that doesn't set a custom set of supported key exchange groups (e.g., using
wolfSSL_CTX_set_groups()), for example NGINX compiled with WolfSSL. When establishing a TLS connection with a browser, multiple key shares are sent to the server (e.g. Firefox sends three in total:X25519MLKEM768,X25519andSECP256R1).Within the server key share selection process, for each key share, a rank value is obtained with
TLSX_KeyShare_GroupRank(). In case no custom groups are set, the order within thepreferredGrouparray insrc/tls.cis used. This results inSECP256R1having the highest rank (as the index in the array is the rank, and a lower number is considered a higher rank). This results in the TLS server selecting the “weakest” key share (in the Firefox example,SECP256R1is selected).Is this the intended behavior? I think that the order in the
preferredGrouparray should reflect something like an actual order based on the achieved security level or something like that.The text was updated successfully, but these errors were encountered: