TLS Module: The default ecdhCurve, prime256v1 (aka NIST P-256) is not safe. #18205
Comments
|
I was looking at this also. We may end up wanting to follow a similar path as the recent RC4/cipher-list issue and add a command line switch / environment variable combination for overriding the default curve in addition to selecting a more secure default. |
|
@mattcollier Thank you! What safe curves would you recommend? |
|
Added to the 0.12.4 milestone so that we at least consider that for the release after 0.12.3. |
|
The creators of the safe curves site (Daniel J. Bernstein and Tanja Lange) promote the use of curve25519 in this presentation given at the 31st Chaos Communication Congress on December 27th, 2014. According to the wikipedia article about curve25519, there are a number of notable projects that utilize this curve as a default. A search in the openssl-dev mailing list archive does not turn up much in the way of recent activity towards implementing curve25519. Bertstein and Lange are also contributors to the NaCl: Networking and Cryptography library |
|
@mattcollier Thank you for the additional info, it is very much appreciated! |
|
This is reported to the current repo as nodejs/node#1495, no reason to keep a duplicate open here. |
This document states that the default curve for the ecdhCurve parameter is prime256v1.
https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
Appendix A of this document indicates that prime256v1 is also known as NIST P-256.
http://www.rfc-editor.org/rfc/rfc4492.txt
This site indicates that NIST P-256 is not secure.
http://safecurves.cr.yp.to/
I recommend that a safe alternative should be chosen as the default and unsafe curves should not be made available.
The text was updated successfully, but these errors were encountered: