TLS support for ECDSA
Following the fact that Elliptic Curves algorithms in TLS are more and more used ( http://blog.cloudflare.com/staying-on-top-of-tls-attacks ) , will the support for ECDHE-ECDSA-* and ECDHE-RSA-* ciphersuites be added ?
Support for TLS_ECDHE_ECDSA_* ciphers has been added in release 2017 R2: http://www.rebex.net/total-pack/history.aspx#2017R2
Support for TLS_ECDHE_RSA_* ciphers has been added in release 2016 R3: http://www.rebex.net/total-pack/history.aspx#2016R3
For detailed information, see Elliptic Curve Cryptography HOWTO: https://www.rebex.net/kb/elliptic-curve-plugins/
-
AdminLukas Pokorny (Admin, Rebex) commented
Support for TLS_ECDHE_ECDSA_* ciphers has been added in release 2017 R2: http://www.rebex.net/total-pack/history.aspx#2017R2
For detailed information, see Elliptic Curve Cryptography HOWTO: https://www.rebex.net/kb/elliptic-curve-plugins/
-
AdminLukas Pokorny (Admin, Rebex) commented
Support for TLS_ECDHE_RSA_* ciphers has been added in release 2016 R3: http://www.rebex.net/total-pack/history.aspx#2017R2
Support for TLS_ECDHE_ECDSA_* will follow soon.
-
AdminLukas Pokorny (Admin, Rebex) commented
We have already implemented ECDHE ciphers - these will appear in the next release. ECDSA ciphers should appear in one of the releases after that.
(This applies to TLS. Fro SSH, ECDSA ciphers will be supported in the next release.)These ECDHE ciphers will be supported in the next release:
ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -
raven24 commented
Have you started to implement this or are you planning to do it later on?
-
AdminLukas Pokorny (Admin, Rebex) commented
We will add various kinds of Elliptic Curve algorithms (ECDSA, ECDH, EdDSA) to TLS and SSH rather sooner than later because demand for them is growing rapidly.
We are currently busy with other parts of the components, but we cannot postpone this much longer.Unfortunately, support for elliptic curve algorithms in .NET is very limited (and algorithms that are supported are unsuitable for the kind of usage required by SSH or TLS 1.2), which means that we will either have to implement them ourselves (hard, time consuming and not great from security perspective) or use third-party implementations (but some of our clients won’t like that).
Because of this, we plan to introduce a plugin system for elliptic curve algorithms to make it possible to plug in custom implementations of cryptographic algorithms. We will then provide a set of plugins based on third-party libraries.
We plan to start looking into this in Autumn.
-
Kalle L. Pedersen commented
What is the approximately time frame of this when you say it's on your roadmap? The lack of elliptic curve support is the only thing holding us back from using Rebex.
-
AdminLukas Pokorny (Admin, Rebex) commented
Update: Adding Elliptic Curve cryptography turned out to be more complicated than we originally anticipated, mostly due to lack usable implementations in .NET Framework. We postponed this, but it's still on our roadmap.
-
Anonymous commented
When will this get added? Still connection issues with ECDSA.
-
AdminLukas Pokorny (Admin, Rebex) commented
We got delayed a bit, unfortunately. We will start working on this when we are done with TLS 1.2.
-
oki commented
any news about this? +3
-
AdminLukas Pokorny (Admin, Rebex) commented
Yes, we plan to add support for Elliptic Curve ciphers later this year to both SSL/TLS and SSH.