Add support for the X448 and X25519 key exchange algorithms, and prefer using X448/X25519
Posted: Fri Aug 26, 2022 2:30 am
Nowadays, OpenVPN doesn't support X448 (Ed448-Goldilocks) and X25519, which are recommended by SafeCurves and RFC 7748:
RFC 7748: Elliptic Curves for Security
https://datatracker.ietf.org/doc/html/rfc7748
SafeCurves: choosing safe curves for elliptic-curve cryptography
https://safecurves.cr.yp.to/
But as of OpenVPN 2.5.7, OpenVPN supports none of them; it only supports these curves:
Code:
secp224r1
secp256k1
secp384r1
secp521r1
prime256v1
In fact, OpenSSL 3.0.1 has supported X25519 and X448:
Code:
openssl list -key-exchange-algorithms
Code:
{ 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
{ 1.3.101.110, X25519 } @ default
{ 1.3.101.111, X448 } @ default
ECDH @ default
TLS1-PRF @ default
HKDF @ default
{ 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
I wish OpenVPN supported them. Last but not least, prefer X448, then X25519, then the other curves.
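As an added example for this thread (it is not code from the original post, nor from OpenVPN or OpenSSL), here is what the two functions named in the request actually compute, written in Python directly from the pseudocode in RFC 7748 sections 5 and 6: scalar clamping, the Montgomery ladder, the X25519/X448 curve constants, and the all-zero-output check that section 6 requires on the shared secret. The function names and the X448 scalars in the demo are my own; the X25519 keys in the demo are the RFC's section 6.1 vectors.

```python
# Added example for this thread (not code from the original post, OpenVPN or OpenSSL):
# X25519 and X448 exactly as specified in RFC 7748 sections 5 and 6, in pure Python.
# Function names are my own; curve constants are the RFC's.

# p, a24 = (A - 2) / 4, scalar/field bit length, encoded byte length and base point u,
# per RFC 7748 sections 4 and 6.
PARAMS = {
    "X25519": {"p": 2**255 - 19, "a24": 121665, "bits": 255, "nbytes": 32, "base_u": 9},
    "X448": {"p": 2**448 - 2**224 - 1, "a24": 39081, "bits": 448, "nbytes": 56, "base_u": 5},
}


def decode_u(u, bits):
    """Little-endian u-coordinate; X25519 (not X448) masks the unused top bit (RFC 7748 s5)."""
    b = bytearray(u)
    if bits % 8:
        b[-1] &= (1 << (bits % 8)) - 1
    return int.from_bytes(b, "little")


def decode_scalar(k, name):
    """Clamping from RFC 7748 section 5: clear the cofactor bits, fix the top bit."""
    b = bytearray(k)
    if name == "X25519":
        b[0] &= 248
        b[31] &= 127
        b[31] |= 64
    else:
        b[0] &= 252
        b[55] |= 128
    return int.from_bytes(b, "little")


def ladder(k, u, p, a24, bits):
    """Montgomery ladder from RFC 7748 section 5. The conditional swap is a plain branch
    here, so this reference code is NOT constant-time; production code must use cswap."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(bits - 1, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        A = (x_2 + z_2) % p
        AA = A * A % p
        B = (x_2 - z_2) % p
        BB = B * B % p
        E = (AA - BB) % p
        C = (x_3 + z_3) % p
        D = (x_3 - z_3) % p
        DA = D * A % p
        CB = C * B % p
        x_3 = (DA + CB) ** 2 % p
        z_3 = x_1 * ((DA - CB) ** 2) % p
        x_2 = AA * BB % p
        z_2 = E * (AA + a24 * E) % p
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, p - 2, p) % p  # x_2 / z_2 via Fermat inversion


def x_function(name, k, u):
    """X25519(k, u) or X448(k, u): scalar k and u-coordinate u as byte strings."""
    prm = PARAMS[name]
    if len(k) != prm["nbytes"] or len(u) != prm["nbytes"]:
        raise ValueError("wrong encoded length for " + name)
    r = ladder(decode_scalar(k, name), decode_u(u, prm["bits"]), prm["p"], prm["a24"], prm["bits"])
    return r.to_bytes(prm["nbytes"], "little")


def x25519(k, u):
    return x_function("X25519", k, u)


def x448(k, u):
    return x_function("X448", k, u)


def public_key(name, priv):
    """X(priv, base point): u = 9 for X25519, u = 5 for X448 (RFC 7748 section 6)."""
    prm = PARAMS[name]
    return x_function(name, priv, prm["base_u"].to_bytes(prm["nbytes"], "little"))


def shared_secret(name, priv, peer_pub):
    """RFC 7748 section 6: reject an all-zero result, which a low-order peer point produces."""
    k = x_function(name, priv, peer_pub)
    if not any(k):
        raise ValueError("all-zero shared secret: peer public key is a low-order point")
    return k


def diffie_hellman(name, a_priv, b_priv):
    """Both sides of the exchange; returns (A_pub, B_pub, K_at_alice, K_at_bob)."""
    a_pub, b_pub = public_key(name, a_priv), public_key(name, b_priv)
    return a_pub, b_pub, shared_secret(name, a_priv, b_pub), shared_secret(name, b_priv, a_pub)


if __name__ == "__main__":
    # Alice/Bob exchange from RFC 7748 section 6.1 (these private keys are the RFC's vectors).
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub, k_a, k_b = diffie_hellman("X25519", a, b)
    print("X25519 shared secret agrees:", k_a == k_b, k_a.hex())
    # X448 with constructed (not RFC) scalars, to show the same ladder on the larger curve.
    a_pub, b_pub, k_a, k_b = diffie_hellman("X448", bytes(range(56)), bytes(range(100, 156)))
    print("X448 shared secret agrees:", k_a == k_b, k_a.hex())
```

Run it with python3 and the X25519 exchange reproduces the RFC's shared secret. The ladder's conditional swap is written as an ordinary branch, so this is reference code for reading, not a constant-time implementation; the OpenSSL providers listed in the post's `openssl list` output are what a VPN should actually use.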