disable elliptic curves P-384 and P-521 for TLS. (#5845)

This change disables the non-constant-time implementations of P-384 and P-521. As a consequence a client using just these curves cannot connect to the server. This should be no real issues because (all) clients at least support P-256. Further this change also rejects ECDSA private keys of P-384 and P-521. While non-constant-time implementations for the ECDHE exchange don't expose an obvious vulnerability, using P-384 or P-521 keys for the ECDSA signature may allow pratical timing attacks. Fixes #5844
2025-11-21 18:26:04 -05:00 · 2018-04-25 00:47:30 +02:00
parent c733fe87ce
commit 21a3c0f482
3 changed files with 19 additions and 0 deletions
--- a/cmd/http/server.go
+++ b/cmd/http/server.go
@@ -172,6 +172,9 @@ var defaultCipherSuites = []uint16{
 	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 }

+// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
+var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
+
 // NewServer - creates new HTTP server using given arguments.
 func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server {
 	var tlsConfig *tls.Config
@@ -179,6 +182,7 @@ func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificat
 		tlsConfig = &tls.Config{
 			PreferServerCipherSuites: true,
 			CipherSuites:             defaultCipherSuites,
+			CurvePreferences:         secureCurves,
 			MinVersion:               tls.VersionTLS12,
 			NextProtos:               []string{"http/1.1", "h2"},
 		}