I've done some preliminary investigation with local containers. Testing was done with an ArchLinux host running OpenSSL 1.1.1a and a CentOS 7 container running OpenSSL 1.02k. The shell running on ArchLinux was modified to call `SSL_CTX_set1_curves_list(ctx, "P-521:P-384");`, which forces it to only advertise support for P-521 and P-384. The following subsections outline the tests performed.
Running a pre-SERVER-36616 mongod server on CentOS, with an ArchLinux shell.
The server negotiated Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d). This is the expected pre-epic behavior, before we could detect ECDHE auto negotiation support at runtime.
Running a post-SERVER-36616 mongod server on CentOS, with an ArchLinux shell.
The server negotiates Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030). In the Server Key Exchange, it selected:

    EC Diffie-Hellman Server Params
        Curve Type: named_curve (0x03)
        Named Curve: secp521r1 (0x0019)
        Pubkey Length: 133
        Pubkey: ...
        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
        Signature Length: 256
        Signature: ...

This demonstrates that the server respected the ECDHE curves advertised by the client, and so had activated ECDHE curve autonegotiation and did not rely on the hardcoded P-256 fallback logic.
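The check performed by hand above (read the ECDHE Server Key Exchange, confirm the named curve is one the client advertised, and sanity-check the point length against the curve) can be automated. The following is an added example, not code from the ticket or from mongod; the ServerKeyExchange bytes, the curve table and the `CLIENT_CURVES` list are constructed here to mirror the capture, with filler pubkey and signature bytes.

```python
import struct

# Named-curve IDs from the TLS supported_groups registry, with the byte
# length of an uncompressed point (0x04 || X || Y) on each curve.
NAMED_CURVES = {
    0x0017: ("secp256r1", 65),   # P-256
    0x0018: ("secp384r1", 97),   # P-384
    0x0019: ("secp521r1", 133),  # P-521
}
CURVE_TYPE_NAMED = 0x03

def parse_ecdhe_server_params(data):
    """Parse a TLS 1.2 ECDHE ServerKeyExchange body:
    curve_type(1) named_curve(2) pubkey_len(1) pubkey sig_alg(2) sig_len(2) sig."""
    if data[0] != CURVE_TYPE_NAMED:
        raise ValueError("only named_curve (0x03) is expected from a TLS 1.2 server")
    curve_id = struct.unpack_from(">H", data, 1)[0]
    pub_len = data[3]
    pubkey = data[4:4 + pub_len]
    off = 4 + pub_len
    sig_alg, sig_len = struct.unpack_from(">HH", data, off)
    sig = data[off + 4:off + 4 + sig_len]
    if len(pubkey) != pub_len or len(sig) != sig_len:
        raise ValueError("truncated ServerKeyExchange")
    name, point_len = NAMED_CURVES.get(curve_id, ("unknown", None))
    # A mismatch here means the curve ID and the key material disagree.
    if point_len is not None and pub_len != point_len:
        raise ValueError(f"{name} point should be {point_len} bytes, got {pub_len}")
    return {"curve_id": curve_id, "curve": name, "pubkey_len": pub_len,
            "sig_alg": sig_alg, "sig_len": sig_len}

def server_honoured_client_curves(params, client_curves):
    """True if the curve the server chose is one the client advertised."""
    return params["curve"] in client_curves

# Constructed sample mirroring the capture above: named_curve secp521r1,
# a 133-byte uncompressed point, rsa_pkcs1_sha256 and a 256-byte signature.
# Pubkey and signature bytes are filler, not real key material.
SAMPLE_SKE = (bytes([CURVE_TYPE_NAMED]) + struct.pack(">H", 0x0019) + bytes([133])
              + b"\x04" + b"\xaa" * 132
              + struct.pack(">HH", 0x0401, 256) + b"\xbb" * 256)
CLIENT_CURVES = ["secp521r1", "secp384r1"]   # what "P-521:P-384" advertises

if __name__ == "__main__":
    p = parse_ecdhe_server_params(SAMPLE_SKE)
    print(p, server_honoured_client_curves(p, CLIENT_CURVES))
```

A server still on the hardcoded P-256 fallback would show up here as `secp256r1` with a 65-byte point, and the honoured check would return False against the `P-521:P-384` client list.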