aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

Add Support for more ECC Curves #837

Open alexw91 opened 5 years ago

alexw91 commented 5 years ago

Problem: Right now s2n only supports 2 ECC Curves (secp256r1 and secp384r1).

Proposed Solution: We should implement all the recommended ECC Curves from the Elliptic curve groups section in the IANA List. This means adding support for x25519 and x448.

agray256 commented 4 years ago

Related to Issue #356, x25519 will be enabled with TLS1.3

alexeblee commented 4 years ago

Echoing the comment made by @raycoll in #356, we should have an API to configure the list of curves supported. Not all endpoints will want to enable all new curves, including x25519.

ttjsu-aws commented 4 years ago

Update: s2n now supports Curve x25519. https://github.com/awslabs/s2n/issues/356

alexeblee commented 4 years ago

Other curves that different TLS clients may use are secp521r1, secp256k1, and sect283r1. Secp521r1 tends to be a more popular curve.

kristo-aun commented 3 years ago

Hear, hear! Would be very happy to have Secp521r1 curve support in apigw mTLS. This is a showstopper for moving national ID-card based solutions to AWS cloud, if your government is issuing them with P-521 public keys.

alexeblee commented 2 years ago

This one seems fixed! As an aside, I don't think we do any restrictions on curve and server cert selection. I was looking through unit tests to confirm and noticed we only have p256 and p384 certs in the unit test pems. I'll follow up with an issue or test for this.

curtdept commented 2 years ago

@alexeblee @alexw91 APIGW is still limited to P-256 and P-384. I get this error trying to upload a truststore with a P-521 in it. We make a lot of hardware/iot stuff and this is limiting us from using the API Gateway product with mTLS.

Certificate is using EC curves not in list - SecP256R1Curve, SecP384R1Curve
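The rejection above only shows up after the upload is attempted. A pre-upload check that walks a PEM truststore and reports every EC certificate whose curve is outside the set the error message names (P-256, P-384) catches it locally. This is an added example, not code from s2n-tls, API Gateway or anyone in this thread; the allowed-curve list is taken from the error text quoted above (an assumption, not from AWS documentation), the function names `CheckTruststore`, `CurveName` and `SampleBundle` are the example's own, and the two self-signed CAs it builds are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// AllowedCurves is the set of named curves the API Gateway error message
// above lists as accepted for a truststore (assumption: taken from that
// message, not from AWS documentation).
var AllowedCurves = map[string]bool{"P-256": true, "P-384": true}

// CurveName returns the named curve of an EC certificate, or "" for a
// non-EC (for example RSA) public key.
func CurveName(cert *x509.Certificate) string {
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		return pub.Curve.Params().Name
	}
	return ""
}

// CheckTruststore parses every CERTIFICATE block in a PEM bundle and returns
// "CN (curve)" for each EC certificate whose curve is not in AllowedCurves.
// Non-EC certificates are ignored; a malformed certificate is an error.
func CheckTruststore(bundle []byte) ([]string, error) {
	var rejected []string
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if name := CurveName(cert); name != "" && !AllowedCurves[name] {
			rejected = append(rejected, fmt.Sprintf("%s (%s)", cert.Subject.CommonName, name))
		}
	}
	return rejected, nil
}

// selfSignedPEM builds a throwaway self-signed CA certificate on the given
// curve (constructed test data, not a real CA).
func selfSignedPEM(cn string, curve elliptic.Curve) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle concatenates one P-256 CA and one P-521 CA, mimicking a
// truststore that mixes an accepted and a rejected curve.
func SampleBundle() ([]byte, error) {
	a, err := selfSignedPEM("P256 Test CA", elliptic.P256())
	if err != nil {
		return nil, err
	}
	b, err := selfSignedPEM("P521 Test CA", elliptic.P521())
	if err != nil {
		return nil, err
	}
	return append(a, b...), nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	rejected, err := CheckTruststore(bundle)
	if err != nil {
		panic(err)
	}
	for _, r := range rejected {
		fmt.Println("would be rejected by the truststore upload:", r)
	}
}
```

Point `CheckTruststore` at the bytes of the real bundle you intend to upload; anything it lists is a certificate the gateway will refuse until the curve is supported there, regardless of what s2n itself negotiates.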

curtdept commented 1 year ago

@zaherd you folks have any timeline on this at all?

maddeleine commented 1 year ago

Hi @curtdept, I'm not exactly sure what your question is referring to. s2n now supports all the recommended ECC Curves in the IANA List except for x448. We don't have any insights on when these curves will become available in API Gateway as this is outside of our control.

curtdept commented 1 year ago

@maddeleine thanks :) any idea how one goes about contacting the gw team to get this added?

maddeleine commented 1 year ago

@curtdept, unfortunately not, I don't know if they have a venue for processing customer requests.

anjgola commented 1 year ago

Thank you for your feedback on needing support for additional certificates. API Gateway team has made a note of this request to be taken into consideration while planning. As of now, we are unable to share a timeline of when this feature will be available. -APIGW

curtdept commented 1 year ago

@anjgola thank you, appreciate the reply.