search for: x25519

Displaying 20 results from an estimated 37 matches for "x25519".

2019 Feb 17
3
[PATCH] use ecdh/X25519 from openssl when possible (openssl-1.1.0+)
...problems; I hacked a bit regress/unittests/kex, and benchmarked do_kex_with_key("curve25519-sha256@libssh.org", KEY_ED25519, 256); Before: 0.3295s per call After: 0.2183s per call That is, 50% speedup; assuming ed25519 (added to openssl in 1.1.1) takes about the same time as ecdh/x25519, there is potential for total 200% speedup in KEX. (2) rebased patch against git master; passes regression test; I relied on presence of NID_X25519 for autodetection; probably it makes sense to check if it is actually working in autoconf; then again, maybe not (it won't work when cross-compilin...
2018 Sep 13
2
X448 Key Exchange
Hi all, I'm interested in having X448 protocol available as an option, as it gives a larger security margin over X25519. For anyone unfamiliar, it is a Diffie-Hellman elliptic curve key exchange using Curve448 (defined in RFC7748: https://tools.ietf.org/html/rfc7748). Furthermore, it is included in the new TLS 1.3 specification (RFC8846: https://tools.ietf.org/html/rfc8446). A few questions: 1. Wh...
2018 Sep 14
4
X448 Key Exchange
On 09/13/2018 08:18 PM, Damien Miller wrote: > We have any plans to add more crypto options to OpenSSH without a strong > justification, and I don't see one for X448-SHA512 ATM. What I like about it is that it offers ~224 bit security level, whereas X25519 offers ~128 bits (according to RFC7748). Hence, pairing X448 with AES256 would provide a full chain of security in the ~224 bit level, no? It also provides an alternative to the NIST P-curves (like P-521), which some people suspect are back-doored by the NSA. P-521 in ECDSA has been supporte...
2018 Dec 19
1
How to configure Dovecot to disable NIST's curves and still retain EECDH?
...EECDH disabled. I have EDH now, and I've not yet run into a client that doesn't support it. I want EECDH, but I won't use it without safe curves. I'm confident that EECDH with safe curves and a second choice of EDH will support any clients that are worth using. OpenSSL supports X25519, and that is half the battle. Is there a way to change the curve selection in Dovecot? On 2018-12-19 01:49, Tributh via dovecot wrote: > Do you really plan to do this? > RFC 8446 section 9.1: > A TLS-compliant application MUST support key exchange with secp256r1 > (NIST P-256) and S...
2019 Jul 18
1
Dovecot 2.3.0 TLS
...SSL: 1.1.1c Dovecot configuration file: ssl_min_protocol = TLSv1.2 (I tried different version) When I tried to connect with command line: openssl s_client -showcerts -connect server:993 No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2322 bytes and written 392 bytes Verification error: unable to verify the first certificate --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiate...
2018 Dec 19
1
How to configure Dovecot to disable NIST's curves and still retain EECDH?
...TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 Is there a better way to do this? Is there a way to disable only the suspect NIST curves and still retain EECDH but with side-channel safe curves like X25519? Thanks, Kurt Fitzner Links: ------ [1] https://blog.cr.yp.to/20140323-ecdsa.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20181218/59c56547/attachment.html>
2018 Jul 30
2
2.3.2.1 - EC keys support?
...during the openssl test [ s_server | s_client ] then revealed (TLSv1.2 Record Layer: Handshake Protocol: Client Hello) :

Extension: supported_groups (len=10)
    Type: supported_groups (10)
    Length: 10
    Supported Groups List Length: 8
    Supported Groups (4 groups)
        Supported Group: x25519 (0x001d)
        Supported Group: secp256r1 (0x0017)
        Supported Group: secp521r1 (0x0019)
        Supported Group: secp384r1 (0x0018)

Apparently [ brainpool ] would apparently not fit into any of those groups. Perhaps a bug in OpenSSL 1.1.0h thus.
2018 Jul 31
2
2.3.2.1 - EC keys support?
...(TLSv1.2 Record Layer: Handshake Protocol: Client Hello) :
>>
>> Extension: supported_groups (len=10)
>>     Type: supported_groups (10)
>>     Length: 10
>>     Supported Groups List Length: 8
>>     Supported Groups (4 groups)
>>         Supported Group: x25519 (0x001d)
>>         Supported Group: secp256r1 (0x0017)
>>         Supported Group: secp521r1 (0x0019)
>>         Supported Group: secp384r1 (0x0018)
>>
>> Apparently [ brainpool ] would apparently not fit into any of those
>> groups. Perhaps a bug in OpenSSL 1.1...
2017 Jan 13
0
TLS feature missing
...hat I was able to support multiple TLS curves. Now I upgraded to 2.2.27 with openssl1.1.0 and was falling back to historical stages where my server only serves one TLS-curve: secp384r1 right now. One big reason to compile the new version with openssl1.1.0 was to bring CHACHA20-POLY1305 ciphers and X25519 curves to modern clients. The ciphers I am estimating are working fine, but X25519 and also secp521r1 is no longer supported, like it was in dovecot 2.2.25. Is there something broken? Or a new (known missing) config feature? Or is it a bug? Regards Torsten
2017 Dec 25
0
ssl_curve_list seems to be ignored with Dovecot 2.3
Hi all, after upgrading to Dovecot 2.3, I've noticed the new "ssl_curve_list" TLS option in 10-ssl.conf. Setting it to "ssl_curve_list = X25519:P-256" or leaving it blank (auto) does not change anything, Dovecot keeps on negotiating P-384: Server Temp Key: ECDH, P-384, 384 bits When using "-curves X25519" in s_client, it does a fallback to DH: Server Temp Key: DH, 4096 bits I'm on Dovecot 2.3.0 (c8b89eb) with OpenSSL 1...
2018 Jul 30
2
2.3.2.1 - EC keys support?
...> -----END CERTIFICATE----- >> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP >> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar >> --- >> No client certificate CA names sent >> Peer signing digest: SHA512 >> Server Temp Key: X25519, 253 bits >> --- >> SSL handshake has read 2361 bytes and written 295 bytes >> Verification error: unable to verify the first certificate >> --- >> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 >> Server public key is 4096 bit >> Secure Renegotiation...
2020 Aug 04
2
Problem with intermediate certificate (tls cafile)
...+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3041 bytes and written 393 bytes Verification error: unable to verify the first certificate --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiate...
2018 Jul 30
2
2.3.2.1 - EC keys support?
...ver certificate -----BEGIN CERTIFICATE----- [ truncated ] -----END CERTIFICATE----- subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: X25519, 253 bits --- SSL handshake has read 2361 bytes and written 295 bytes Verification error: unable to verify the first certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiat...
2018 Jul 30
0
2.3.2.1 - EC keys support?
...----- >>> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP >>> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar >>> --- >>> No client certificate CA names sent >>> Peer signing digest: SHA512 >>> Server Temp Key: X25519, 253 bits >>> --- >>> SSL handshake has read 2361 bytes and written 295 bytes >>> Verification error: unable to verify the first certificate >>> --- >>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 >>> Server public key is 4096 bit >>...
2020 Aug 06
0
Problem with intermediate certificate (tls cafile)
...red Requested Signature Algorithms: > RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512 > Peer signing digest: SHA256 > Peer signature type: RSA-PSS > Server Temp Key: X25519, 253 bits > --- > SSL handshake has read 3041 bytes and written 393 bytes > Verification error: unable to verify the first certificate > --- > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 > Server public key is 2048 bit > Secure Renegotiation IS NOT supported > Compression...
2019 Oct 11
2
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
...st = TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
ssl_curve_list = X25519:secp521r1:secp384r1
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_max_mail_size = 50000 k
submission_relay_host = mta2.example.com
submission_relay_ssl = starttls
subm...
2018 Jul 31
0
2.3.2.1 - EC keys support?
..._client ] then revealed
> (TLSv1.2 Record Layer: Handshake Protocol: Client Hello) :
>
> Extension: supported_groups (len=10)
>     Type: supported_groups (10)
>     Length: 10
>     Supported Groups List Length: 8
>     Supported Groups (4 groups)
>         Supported Group: x25519 (0x001d)
>         Supported Group: secp256r1 (0x0017)
>         Supported Group: secp521r1 (0x0019)
>         Supported Group: secp384r1 (0x0018)
>
> Apparently [ brainpool ] would apparently not fit into any of those
> groups. Perhaps a bug in OpenSSL 1.1.0h thus.
>
> Tur...
2018 Jul 31
0
2.3.2.1 - EC keys support?
...shake Protocol: Client Hello) :
>>>
>>> Extension: supported_groups (len=10)
>>>     Type: supported_groups (10)
>>>     Length: 10
>>>     Supported Groups List Length: 8
>>>     Supported Groups (4 groups)
>>>         Supported Group: x25519 (0x001d)
>>>         Supported Group: secp256r1 (0x0017)
>>>         Supported Group: secp521r1 (0x0019)
>>>         Supported Group: secp384r1 (0x0018)
>>>
>>> Apparently [ brainpool ] would apparently not fit into any of those
>>> groups. Perh...
2019 May 31
0
Problem SSL entrust certificate
...000004) depth=0 ... verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 ... verify error:num=21:unable to verify the first certificate verify return:1 ... --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2311 bytes and written 404 bytes Verification error: unable to verify the first certificate -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190530/3ac17bd6/attachment.html>...
2020 Jul 05
2
dovecot oauth
> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > > > > On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote: > > > > > > Hello, > > > > I'm trying to configure roundcube / dovecot to work with keycloak. > > I activated xoauth2 oauthbearer in dovecot. > > But a problem