Saturday, October 1, 2016

Using Supported Elliptic Curves Extension with CyaSSL

Using Supported Elliptic Curves Extension with CyaSSL
 
We are back to talk about TLS extensions again. Today we present the addition of Supported Elliptic Curves on CyaSSL!

RFC 4492 introduces five new ECC-based key exchange algorithms for TLS: ECDH_ECDSA, ECDHE_ECDSA, ECDH_RSA, ECDHE_RSA and ECDH_anon. However, it may be desirable in constrained environments to only support a limited number of curves. When a client uses this extension, servers that understands it MUST NOT negotiate the use of an ECC cipher suite unless they can complete the handshake while respecting the choice of curves specified by the client. This eliminates the possibility that a negotiated ECC handshake will be subsequently aborted due to a client’s inability to deal with the server’s ECC key.

To enable the usage of Supported Elliptic Curves in CyaSSL you can simply do:

./configure --enable-supportedcurves

Using Supported Elliptic Curves on the client side requires additional function calls, which should be one of the following functions:

CyaSSL_CTX_UseSupportedCurve();
CyaSSL_UseSupportedCurve();

CyaSSL_CTX_UseSupportedCurve() is most recommended when the client would like to enable Supported Curves for all sessions. Setting the Supported Elliptic Curves extension at context level will enable it in all SSL objects created from that same context from the moment of the call forward.

CyaSSL_UseSupportedCurve() will enable it for one SSL object only, so it's recommended to use this function when there is no need for Supported Elliptic Curves on all sessions.

These functions can be called more than once to indicate the support of multiple curves.

On the server side no call is required. The server will automatically attend to the client's request selecting ECC cipher suites only if the supported curves are allowed.

All TLS extensions can also be enabled with:

./configure --enable-tlsx

No comments:

Man in the Rain