diff options
| author | Péter Dimitrov <[email protected]> | 2018-11-06 10:54:38 +0100 |
|---|---|---|
| committer | Péter Dimitrov <[email protected]> | 2018-11-16 14:32:14 +0100 |
| commit | 7b4d38c6cc95df1301945cd0e63fdf927189e2c1 (patch) | |
| tree | f40ebe3ed077e5a887d71f019c292403b395dcd9 /lib | |
| parent | a1a627f6099fae6e2eeb28feb5b4b316fa1b11c9 (diff) | |
| download | otp-7b4d38c6cc95df1301945cd0e63fdf927189e2c1.tar.gz otp-7b4d38c6cc95df1301945cd0e63fdf927189e2c1.tar.bz2 otp-7b4d38c6cc95df1301945cd0e63fdf927189e2c1.zip | |
ssl: Change defaults for "supported_groups"
Removed strongest Diffie-Hellman groups from defaults (ffdhe3072,
ffdhe4096, ffdhe6144, ffdhe8192) in order to reduce the time spent
with calculating the keys for the key_share extension.
Change-Id: I1cc1914ea4c5093f694989b0153c1bd1c8840eef
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl/src/ssl.erl | 11 | ||||
| -rw-r--r-- | lib/ssl/src/tls_v1.erl | 11 |
2 files changed, 19 insertions, 3 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 524f06d52e..df5628b236 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -51,7 +51,7 @@ %% SSL/TLS protocol handling -export([cipher_suites/0, cipher_suites/1, cipher_suites/2, filter_cipher_suites/2, prepend_cipher_suites/2, append_cipher_suites/2, - eccs/0, eccs/1, versions/0, groups/0, + eccs/0, eccs/1, versions/0, groups/0, groups/1, format_error/1, renegotiate/1, prf/5, negotiated_protocol/1, connection_information/1, connection_information/2]). %% Misc @@ -585,6 +585,13 @@ groups() -> tls_v1:groups(4). %%-------------------------------------------------------------------- +-spec groups(default) -> tls_v1:supported_groups(). +%% Description: returns the default groups (TLS 1.3 and later) +%%-------------------------------------------------------------------- +groups(default) -> + tls_v1:default_groups(4). + +%%-------------------------------------------------------------------- -spec getopts(#sslsocket{}, [gen_tcp:option_name()]) -> {ok, [gen_tcp:option()]} | {error, reason()}. %% @@ -988,7 +995,7 @@ handle_options(Opts0, Role, Host) -> eccs = handle_eccs_option(proplists:get_value(eccs, Opts, eccs()), HighestVersion), supported_groups = handle_supported_groups_option( - proplists:get_value(supported_groups, Opts, groups()), + proplists:get_value(supported_groups, Opts, groups(default)), HighestVersion), signature_algs = handle_hashsigns_option( diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 68ba598612..5665f5310e 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -34,7 +34,7 @@ ecc_curves/1, ecc_curves/2, oid_to_enum/1, enum_to_oid/1, default_signature_algs/1, signature_algs/2, default_signature_schemes/1, signature_schemes/2, - groups/1, groups/2, group_to_enum/1, enum_to_group/1]). + groups/1, groups/2, group_to_enum/1, enum_to_group/1, default_groups/1]). -export([derive_secret/4, hkdf_expand_label/5, hkdf_extract/3, hkdf_expand/4]). @@ -561,6 +561,11 @@ groups(all) -> ffdhe4096, ffdhe6144, ffdhe8192]; +groups(default) -> + [secp256r1, + secp384r1, + secp521r1, + ffdhe2048]; groups(Minor) -> TLSGroups = groups(all), groups(Minor, TLSGroups). @@ -571,6 +576,10 @@ groups(_Minor, TLSGroups) -> CryptoGroups = crypto:ec_curves() ++ [ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192], lists:filter(fun(Group) -> proplists:get_bool(Group, CryptoGroups) end, TLSGroups). +default_groups(Minor) -> + TLSGroups = groups(default), + groups(Minor, TLSGroups). + group_to_enum(secp256r1) -> 23; group_to_enum(secp384r1) -> 24; group_to_enum(secp521r1) -> 25; |