mirage / ocaml-cohttp

An OCaml library for HTTP clients and servers using Lwt or Async

Tls.Packet.HANDSHAKE_FAILURE with ec-curve secp384r1 #705

Closed mro closed 3 years ago

mro commented 4 years ago

When following the server config recommendation at https://bettercrypto.org/#_lighttpd

ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
ssl.ec-curve = "secp384r1"

the handshake breaks:

utop # #require "cohttp-lwt-unix";;
…
utop # Cohttp_lwt_unix.Client.get (Uri.of_string "https://news.mro.name/");;
Exception: Tls_lwt.Tls_alert Tls.Packet.HANDSHAKE_FAILURE.
Raised at file "src/core/lwt.ml", line 3027, characters 28-29
Called from file "src/unix/lwt_main.ml", line 27, characters 10-20
Called from file "src/unix/lwt_main.ml", line 114, characters 8-13
Re-raised at file "src/unix/lwt_main.ml", line 120, characters 10-13
Called from file "toplevel/toploop.ml", line 208, characters 17-27

Removing the server config option works:

utop # Cohttp_lwt_unix.Client.get (Uri.of_string "https://l.mro.name/");;

Installed versions:

opam list |grep 'conduit\|tls\|ssl\|cohttp'
cohttp                  2.5.3        An OCaml library for HTTP clients and servers
cohttp-lwt              2.5.3        CoHTTP implementation using the Lwt concurrency library
cohttp-lwt-unix         2.5.3        CoHTTP implementation for Unix and Windows using Lwt
conduit                 2.1.0        A network connection establishment library
conduit-lwt             2.1.0        A portable network connection establishment library using Lwt
conduit-lwt-unix        2.2.2        A network connection establishment library for Lwt_unix
tls                     0.12.3       Transport Layer Security purely in OCaml

Should I go with another curve (which one?) or will ocaml-tls implement secp384r1?

Maybe related to #571

mseri commented 4 years ago

I believe it is not supported by ‘ocaml-tls’. You can see here the supported protocols: https://github.com/mirleft/ocaml-tls/blob/master/lib/ciphersuite.ml

May be worth trying using ssl. With the current version of cohttp/conduit (pre 3.0.0) you can use the env variable CONDUIT_TLS to specify what to use: CONDUIT_TLS=native will use the tls library and CONDUIT_TLS=openssl will use the ssl library

mro commented 3 years ago

OK, I see. Sadly I came here in order to avoid openssl installation issues. https://github.com/ocaml/opam-repository/issues/16330 So that's no help here.

@mseri can you hint me, which curve to pick in the server settings? The ciphersuite page above doesn't mention the word 'curve', so I'm clueless.

mseri commented 3 years ago

Let me ping @hannesm, who knows TLS way better than me.

hannesm commented 3 years ago

what ocaml-tls implements is (similar to what is required by TLS 1.3):

So, if you use either P256 (instead of P384) or 25519, that should work fine. The P384 could as well be interfaced and implemented via fiat if strongly desired.
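Added example, not part of the original thread or of ocaml-tls: a Python sketch of the curve mismatch discussed above. It parses the `supported_groups` extension out of a ClientHello and checks it against the server's configured curve. The ClientHello bytes are constructed, the offered groups (x25519, secp256r1) are an assumption taken from the comment above, and `negotiate` is a simplified model that ignores fallback to non-ECDHE cipher suites.

```python
import struct

# IANA "TLS Supported Groups" code points (subset)
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}

def offered_groups(record):
    """Return the named groups a ClientHello offers in supported_groups (ext 10)."""
    if record[0] != 22 or record[5] != 1:        # handshake record, ClientHello
        raise ValueError("not a ClientHello")
    pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:                        # walk the extension list
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        if ext_type == 10:                       # supported_groups
            n = struct.unpack_from("!H", body, 0)[0]
            ids = struct.unpack_from("!%dH" % (n // 2), body, 2)
            return [GROUPS.get(i, "0x%04x" % i) for i in ids]
        pos += 4 + ext_len
    return []

def negotiate(client_groups, server_curves):
    """Simplified model: first server curve the client also offers, else an alert."""
    for curve in server_curves:
        if curve in client_groups:
            return curve
    return "handshake_failure"

def sample_client_hello(group_ids):
    """Constructed ClientHello (not a capture) offering the given group ids."""
    groups = struct.pack("!H%dH" % len(group_ids), 2 * len(group_ids), *group_ids)
    exts = struct.pack("!HH", 10, len(groups)) + groups
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # one ECDHE suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    offered = offered_groups(sample_client_hello([29, 23]))  # assumed client offer
    print("client offers:", offered)
    print('ssl.ec-curve = "secp384r1" ->', negotiate(offered, ["secp384r1"]))
    print("secp256r1 allowed         ->", negotiate(offered, ["secp384r1", "secp256r1"]))
```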

mro commented 3 years ago

I poked around configuring the server with values from $ openssl ecparam -list_curves without success. Finally commented it out, still got an A+ at https://www.ssllabs.com/ssltest/analyze.html?d=paste.mro.name and working 🐫 handshake! 🎉

mro commented 3 years ago

@hannesm @mseri thanks!