Bug 40132 - Expose ECC cipher suites (IETF RFC 4492) in OpenSSL to Apache
Status: RESOLVED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: Other other
Importance: P2 enhancement
Keywords: PatchAvailable
Reported: 2006-07-27 23:51 UTC by Vipul Gupta
Modified: 2014-02-17 13:57 UTC (History)



Attachments
Patch for exposing ECC cipher suites in OpenSSL to mod_ssl/Apache (8.77 KB, patch)
2006-07-27 23:56 UTC, Vipul Gupta
Instructions for building and testing an ECC enabled version of Apache (9.63 KB, text/html)
2006-07-27 23:59 UTC, Vipul Gupta
Instructions for building and testing an ECC enabled version of Apache (9.70 KB, text/html)
2006-09-13 20:59 UTC, Vipul Gupta
Patch for exposing ECC cipher suites in openssl-1.0.0-beta2 to Apache 2.2.11 (9.40 KB, patch)
2009-05-05 16:41 UTC, Vipul Gupta
Updated instructions for building and testing an ECC enabled version of Apache (20.06 KB, text/plain)
2009-05-05 21:48 UTC, Vipul Gupta
ECC patch against trunk (9.43 KB, patch)
2009-11-06 16:33 UTC, Sander Temme

Description Vipul Gupta 2006-07-27 23:51:41 UTC
Elliptic Curve Cryptography (ECC) is a next generation
public key cryptosystem which is more resource efficient
than RSA and is being endorsed by the NSA (e.g., see
http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm
and http://www.nsa.gov/ia/industry/crypto_suite_b.cfm).
The IETF has recently published RFC 4492 (http://www.ietf.org/rfc/rfc4492.txt)
which describes new ECC-based cipher suites for TLS. 
These cipher suites are being implemented by major vendors
including Microsoft, Red Hat and Sun. A more extensive
list of vendors and products supporting these cipher suites
is available at http://dev.experimentalstuff.com:8082/, e.g.
both Firefox (starting with 2.0), Internet Explorer (starting with
Vista) and OpenSSL support these cipher suites.

We'd like to see these cipher suites exposed to Apache users
and administrators.
Comment 1 Vipul Gupta 2006-07-27 23:56:45 UTC
Created attachment 18657 [details]
Patch for exposing ECC cipher suites in OpenSSL to mod_ssl/Apache

This patch has been successfully tested with Apache 2.2.2
and a development release of OpenSSL 0.9.9 (in particular,
openssl-SNAP-20060724).
Comment 2 Vipul Gupta 2006-07-27 23:59:29 UTC
Created attachment 18658 [details]
Instructions for building and testing an ECC enabled version of Apache

README.html contains the instructions I used for building and
testing an ECC enabled version of Apache 2.2.2 with openssl-SNAP-20060724.

vipul
Comment 3 Vipul Gupta 2006-09-13 20:59:22 UTC
Created attachment 18859 [details]
Instructions for building and testing an ECC enabled version of Apache

The URL for the patch was broken in the previous version.
Comment 4 Sander Temme 2009-01-23 09:30:50 UTC
I would like to apply this, but could you wrap the ECC specific functionality in an #ifndef OPENSSL_NO_EC, OPENSSL_NO_ECDH or OPENSSL_NO_ECDSA instead of the library version: you may have a more recent library that was not compiled with ECC support.  

Also, do you have any thoughts about perl-framework tests for this feature?
Comment 5 Vipul Gupta 2009-01-26 11:50:27 UTC
Hi Sander,

   Very good point. When you say that you'd like to apply this patch, are you talking about the Apache trunk, or do you mean for your own experimentation with ECC? I'm no longer actively working on this but would be happy to put in the additional work required if it would benefit the larger Apache user community. Please let me know. As for your other question, sorry, I'm not a perl user and don't know what a perl-framework test for this would entail.

thanks,

vipul

Comment 6 Vipul Gupta 2009-05-05 16:41:19 UTC
Created attachment 23614 [details]
Patch for exposing ECC cipher suites in openssl-1.0.0-beta2 to Apache 2.2.11 

I've cleaned up the patch and successfully used it to enable ECC ciphers in Apache 2.2.11 using openssl-1.0.0-beta2. In the process, I've also addressed comment #4 by wrapping ECC-specific functionality in

#if (SSL_LIBRARY_VERSION >= 0x00908000) && !defined(OPENSSL_NO_EC)

This way, if you have a recent version of OpenSSL compiled with OPENSSL_NO_EC, you can pass the same flag when compiling Apache to leave out ECC support even after the patch has been committed. 

NOTE: Be sure to apply the patch posted at https://issues.apache.org/bugzilla/show_bug.cgi?id=45521 to httpd-2.2.11 before applying the ECC patch. Otherwise, you'll see compile-time errors about "STACK undeclared". I wasted a few hours because of this. The patch for Bug 45521 was checked into the Apache trunk after 2.2.11 was released.

Let me know if you encounter any issues.

vipul
Comment 7 Vipul Gupta 2009-05-05 21:48:08 UTC
Created attachment 23615 [details]
Updated instructions for building and testing an ECC enabled version of Apache

This attachment contains updated instructions for building and testing an ECC-enabled version of Apache 2.2.11 with openssl-1.0.0-beta2.
Comment 8 Sander Temme 2009-11-06 16:33:32 UTC
Created attachment 24502 [details]
ECC patch against trunk

Applied the patch to trunk and tested manually.
Comment 9 Vipul Gupta 2009-11-23 15:03:04 UTC
Hi Sander,

  Thank you for seeing this through! The two NSA web pages mentioned in comment #0 have moved and their new URLs are as follows:

The Case for Elliptic Curve Cryptography:
http://www.nsa.gov/business/programs/elliptic_curve.shtml

NSA Suite B Cryptography:
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

vipul
Comment 10 Sander Temme 2009-11-29 15:11:04 UTC
Implemented in r834378 and r835046.