Feature #2833

Using X25519 Key exchange

Added by codarren over 1 year ago. Updated about 1 year ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:


I am on lighttpd/1.4.48-devel-lighttpd-1.4.47-1-g6a17133 (ssl) - a light and fast webserver
compiled with openssl dev version 1.1.1
By default, the key exchange algorithm on lighttpd is "prime256v1"

When i do an openssl test on the server, the response is:
Server Temp Key: ECDH, P-256, 256 bits

I tried to specify the ec curve to use in lighttpd.conf: = "x25519"

I get an error:
lighttpd26839: Starting lighttpd: 2017-10-25 14:30:01: (mod_openssl.c.771) SSL: Unknown curve name x25519

when I tried using : = "X25519"

I get error: Starting lighttpd: 2017-10-25 14:31:23: (mod_openssl.c.782) SSL: Unable to create curve X25519

Am I doing something wrong? Most websites are using X25519 as key exchange algorithm

Best Regards,

Associated revisions

Revision 76b9b1fa (diff)
Added by gstrauss about 1 year ago

[mod_openssl] elliptic curve auto selection (fixes #2833)

elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

"Using X25519 Key exchange"

"SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
It has been removed from OpenSSL 1.1.0.
Here is the relevant CHANGES entry:
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
exclude it using the list of supported ciphers. This also means
that the "-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]



Updated by stbuehler over 1 year ago

  • Status changed from New to Invalid
  • Target version deleted (1.4.48)

lighttpd only forwards the curve name to openssl (namely the OBJ_sn2nid function). openssl ecparam -list_curves might show which curves are supported on your system.


Updated by vimacs about 1 year ago

You can use the following patch. Now OpenSSL enables ECDH and has default curves enabled by default (including X25519), so I think can also be deprecated.

diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index af69068f..4725bfb5 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -834,19 +834,26 @@ network_init_ssl (server *srv, void *p_d)
                 return -1;
         } else {
+      #if OPENSSL_VERSION_NUMBER < 0x10002000
             /* Default curve */
             nid = OBJ_sn2nid("prime256v1");
+      #else
+            nid = 0;
+            SSL_CTX_set_ecdh_auto(ctx, 1);
+      #endif
-        ecdh = EC_KEY_new_by_curve_name(nid);
-        if (ecdh == NULL) {
-            log_error_write(srv, __FILE__, __LINE__, "ss",
-                            "SSL: Unable to create curve",
-                            s->ssl_ec_curve->ptr);
-            return -1;
+        if (nid) {
+            ecdh = EC_KEY_new_by_curve_name(nid);
+            if (ecdh == NULL) {
+                log_error_write(srv, __FILE__, __LINE__, "ss",
+                                "SSL: Unable to create curve",
+                                s->ssl_ec_curve->ptr);
+                return -1;
+            }
+            SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
+            SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
+            EC_KEY_free(ecdh);
-        SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
-        SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
-        EC_KEY_free(ecdh);

Updated by gstrauss about 1 year ago

Thanks for submitting this patch.

A quick read of your patch:

+            SSL_CTX_set_ecdh_auto(ctx, 1);

won't compile since ctx should be s->ssl_ctx

How have you tested this?

+      #if OPENSSL_VERSION_NUMBER < 0x10002000

How did you choose that version? Is it compatible with LibreSSL value for OPENSSL_VERSION_NUMBER?


Updated by gstrauss about 1 year ago

At least on my build of openssl 1.1.0g, openssl/ssl.h contains:

#if OPENSSL_API_COMPAT < 0x10100000L
/* Provide some compatibility macros for removed functionality. */
# define SSL_CTX_set_ecdh_auto(dummy, onoff)      ((onoff) != 0)

Please review what should actually be used instead of SSL_CTX_set_ecdh_auto(ctx, 1); to avoid using deprecated functions. If this is needed for versions > x and < y, then please specify those openssl versions.


Updated by gstrauss about 1 year ago

  • Tracker changed from Bug to Feature
  • Status changed from Invalid to Patch Pending
  • Target version set to 1.4.49

Updated by vimacs about 1 year ago

Oh, it's SSL_CTX_set_ecdh_auto(s->ssl_ctx, 1);

In there is also:

#undef SSL_CTX_set_ecdh_auto
#define SSL_CTX_set_ecdh_auto(A, B) do {} while(0)
I checked out the OpenSSL code, and found the commits about CCL_{CTX_}set_ecdh_auto():
  • It's added in e46c807e4f4eedb36dec70576d1562f252ff69a1 (0x10002000L 1.0.2-dev)
  • It's removed in fe6ef2472db933f01b59cad82aa925736935984b (0x10100000L 1.1.0-dev)
  • Compat macros are re-added in 2ecb9f2d18614fb7b7b42830a358b7163ed43221 (0x10100007L 1.1.0-pre7-dev)

So to test SSL_CTX_set_ecdh_auto(s->ssl_ctx, 1), we need to test it with OpenSSL 1.0.2 series.


Updated by gstrauss about 1 year ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom