Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-116227

Wrong group in keyshares when adding brainpool support in openSSL.

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • rhel-9.7
    • crypto-policies
    • None
    • No
    • Low
    • rhel-security-crypto-spades
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      When we enable Brainpool without PQ support, we have the `brainpoolP256r1` keyshare to be sent in ClientHello. This is a TLS1.2 group, so the client finds it invalid and sends an empty keyshare (https://github.com/openssl/openssl/issues/28281), and then the server aboards. With the latest OpenSSL change (https://github.com/openssl/openssl/pull/28283), the client will abort right away.

      TSL1.2 doesn't support keyshare, so we just need to move the asterisk to `brainpoolP256r1tls13`.

      What is the impact of this issue on you?

      low

      Please provide the package NVR for which the bug is seen:

      crypto-policies-20250905-1.git377cc42.el9_7.noarch

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. create BRAINPOOL-FIRST subpolicy
        $ echo -e "group = +BRAINPOOL*" > BRAINPOOL-FIRST.pmod
      1. Apply the policy
        update-crypto-policies --no-reload --set DEFAULT:BRAINPOOL-FIRST
      1. See the OpenSSL backend config
        cat /etc/crypto-policies/back-ends/opensslcnf.config

      Expected results

      Asterisk will be on the TLS-1.3 group (`brainpoolP256r1tls13`)

      Actual results

      Asterisk is on the TLS-1.2 group (`brainpoolP256r1`)

              asosedki@redhat.com Alexander Sosedkin
              omoris Ondrej Moris
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: