Add support for a second key_share in the ClientHello

[mattcaswell]

FIPS 140-3 does not allow X25519. This is problematic for FIPS compliant servers talking to OpenSSL clients (non-FIPS). The default key exchange method in TLSv1.3 for an OpenSSL client since 1.1.1 is X25519. We send a single key_share which is always X25519 unless explicitly configured otherwise.

This is a problem because a FIPS compliant server will find the key_share unacceptable and issue a HelloRetryRequest. This adds a whole extra round trip to the handshake time - which is going to be slow.

We should add support for a second key_share in the ClientHello and send a P-256 based key_share.

[paulidale]

I'm sure that x25519 will become FIPS approvable in due course. We could just wait until then. It might happen sooner, it's not uncommon for the rules to change once their impact is realised.

[mattcaswell]

We could. But I think this is a good feature to add anyway. We only didn't do it when we first implemented TLSv1.3 to keep the scope constrained. It was always something to come back and revise.

[paulidale]

That's a much better reason than "FIPS" in this case.

[t8m]

@paulidale My impression from NIST CAVP guys was that there are no plans making X25519 and X448 approved algorithm.

I can try to look for them and ask them directly.

[t8m]

OK, it was quite clearly said by CMVP guys during the CMUF session that even on the FIPS 140-2 the X25519 and X448 aren't allowed for KEX because it is a different algorithm than the NIST ECDH KEX. Maybe this is a bogus argument and we can survive the 140-2 module having this as allowed algorithm, but...

So to have this allowed (and approved) in FIPS 140-3 module this would have to be standardized and tested and there is no standardization of X25519 and X448 underway, so even if started right now, it would take more than a year to get it standardized.

[t8m]

It really seems to me that the left hand of NIST does not know what the right hand is doing. I.e., the SP 800-186 says that these curves are allowed to be used but then a guy from CMVP says it isn't. Crazy.

[paulidale]

Yep, that's a good summary of FIPS :(

And depending on the reviewer and how your lab pushing it, you might get it accepted or not.