Issue: unexpected ciphers / not supported curve

Hi,

Using mbedtls 2.7.6.

I am trying to set up ssl_server2 from the examples with a simple openssl client using bp256r1 cert/keys on both sides.

ssl_tls.c:4329: |2| <= send alert message
ssl_tls.c:6859: |2| <= handshake
failed
! mbedtls_ssl_handshake returned -0x6980

Last error was: -27008 - SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)

The connection is not established due to unsupported cipher suites in the server cert.
Allowed curves:

//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED

Furthermore:

#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

In the next step I tried without setting cert/keys (use polarssl defaults) and the connection was successful.
The following nmap output looks the same for both cases:
Checking available cipher suites of ssl_server with server

$ nmap --script ssl-enum-ciphers -p 4433 0.0.0.0

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-12 17:05 CET
Nmap scan report for 0.0.0.0
Host is up (0.00011s latency).

PORT     STATE SERVICE
4433/tcp open  vop
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (brainpoolP512r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (brainpoolP512r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (brainpoolP512r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (brainpoolP512r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (brainpoolP512r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (brainpoolP512r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

I tried reducing the allowed curves to the desired BP256R1 only:

Allowed curves:

//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
//#define MBEDTLS_ECP_DP_BP384R1_ENABLED
//#define MBEDTLS_ECP_DP_BP512R1_ENABLED
//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED

The server does not start due to the following error:

programs/ssl/ssl_server2 

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... failed
  !  mbedtls_x509_crt_parse returned -0x3a00

Last error was: -0x3A00 - PK - Elliptic curve is unsupported (only NIST curves are supported)

But nmap now at least displays:

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-12 18:33 CET
Nmap scan report for 0.0.0.0
Host is up (0.000064s latency).

PORT     STATE SERVICE
4433/tcp open  vop
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

I would like to know why…
1)… cipher suite selection when not using default certificates fails (can provide more dbg output)
2)… nmap is only displaying bp512r1 curves - or not displaying bp256r1 curves
3)… allowing bp256r1 only is giving error "Elliptic curve is unsupported"

Regards,
moatze

Hi @moatze
Thank you for your interest in Mbed TLS!

1)… cipher suite selection when not using default certificates fails (can provide more dbg output)

Yes, please provide more information. Please run the ssl_server with parameter debug_level=4, to understand what the ciphersuite list is that the client is sending in its ClientHello message. Please also provide the full command you run in your openssl s_client application.

2)… nmap is only displaying bp512r1 curves - or not displaying bp256r1 curves

As I understand the way nmap works, it starts TLS negotiation numerous times, every time with a different ciphersuite, and according to what ciphersuite is negotiated, and what elliptic curve is chosen by the server, it prints the information. The server chooses the ciphersuite according to its list of elliptic curve preferences and sends the group id through the server key exchange message. You can configure your curve preference using mbedtls_ssl_conf_curves() and by adding the parameter curves with a comma-separated list of curves, according to your order of preferences. I hope I explained it clearly.

3)… allowing bp256r1 only is giving error "Elliptic curve is unsupported"

The error you are receiving is MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE which is returned when parsing your CA root certificate. Assuming you are using the default test CA certificate, it is not signed using the brainpool curve, and since this is the only curve defined and supported, you get the failure when you parse it.

Regards,
Mbed TLS Team member
Ron
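
A simplified model of the server-side curve choice described in the reply above, added here as an illustration; it is not Mbed TLS code and not code from either poster. The curve ids are the TLS NamedCurve values from RFC 8422 and RFC 7027; `select_curve` is a hypothetical helper, and the preference orders and client offers are constructed (the first order is chosen to be consistent with the nmap output in the question).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS NamedCurve ids (RFC 8422, RFC 7027). */
enum { SECP256R1 = 23, SECP384R1 = 24, BP256R1 = 26, BP384R1 = 27, BP512R1 = 28 };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper: first curve in the server's preference order that the
 * client also offered, or 0 when the two lists have nothing in common. */
static uint16_t select_curve(const uint16_t *pref, size_t n_pref,
                             const uint16_t *offer, size_t n_offer)
{
    for (size_t i = 0; i < n_pref; i++)
        for (size_t j = 0; j < n_offer; j++)
            if (pref[i] == offer[j])
                return pref[i];
    return 0;
}

/* Constructed: a scanner-like client that offers every curve. */
static const uint16_t offer_all[] = { SECP256R1, SECP384R1, BP256R1, BP384R1, BP512R1 };
/* Constructed: a client that offers NIST curves only. */
static const uint16_t offer_nist[] = { SECP256R1, SECP384R1 };
/* Assumed order for the first build (five curves enabled, largest first). */
static const uint16_t pref_first[] = { BP512R1, SECP384R1, BP384R1, SECP256R1, BP256R1 };
/* Same build, explicit preference that puts brainpoolP256r1 first. */
static const uint16_t pref_bp256_first[] = { BP256R1, BP384R1, BP512R1, SECP256R1, SECP384R1 };
/* Second build: only brainpoolP256r1 enabled. */
static const uint16_t pref_bp256_only[] = { BP256R1 };

#define PICK(p, o) select_curve((p), COUNT(p), (o), COUNT(o))
static uint16_t first_build_vs_scanner(void)    { return PICK(pref_first, offer_all); }
static uint16_t bp256_first_vs_scanner(void)    { return PICK(pref_bp256_first, offer_all); }
static uint16_t bp256_only_vs_scanner(void)     { return PICK(pref_bp256_only, offer_all); }
static uint16_t bp256_only_vs_nist_client(void) { return PICK(pref_bp256_only, offer_nist); }

int main(void)
{
    printf("first build, scanner offers all : %u\n", (unsigned)first_build_vs_scanner());
    printf("bp256r1 preferred, scanner      : %u\n", (unsigned)bp256_first_vs_scanner());
    printf("bp256r1 only, scanner           : %u\n", (unsigned)bp256_only_vs_scanner());
    printf("bp256r1 only, NIST-only client  : %u (0 = no common curve)\n",
           (unsigned)bp256_only_vs_nist_client());
    return 0;
}
```

A scanner that offers every curve only ever sees the curve at the head of the server's list, which is why reordering the preference or disabling curves changes what it reports.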

Hi @roneld01,

I’m sorry to respond to that topic so late.
I worked on a different topic in between and when I got back to the problem I had no chance to reproduce it: the TLS connection was successful.
Unfortunately I cannot tell why it failed beforehand.