Netty tcnative with OpenSSL and supported groups (elliptic curves)


I have a server using JRE8, netty 4.1.x and netty-tcnative 2.0.36. By default SslProvider.OPENSSL is configured.

SslContextBuilder contextBuilder = SslContextBuilder.forServer(keyMngrFactory)
        .sslProvider(SslProvider.OPENSSL)
        .enableOcsp(true);

Server is configured with TLS 1.2 and TLS_ECDHE_RSA* cipher suites.

I need to be able to restrict (whitelist) the elliptic curves (supported_groups extension) used for the ECDHE ephemeral key exchange during the SSL handshake. However, with SslProvider.OPENSSL, the server does not seem to honour the system property -Djdk.tls.namedGroups. Instead, the server always uses P-256 for the ephemeral key exchange.

If I switch to SslProvider.JDK, the above system property (-Djdk.tls.namedGroups) is reflected during the ECDHE ephemeral key exchange. However, I can't switch my production application to use the JDK provider.

I came across https://github.com/netty/netty-tcnative/issues/567 - Based on this, I believe there is no support to restrict the supported_groups extension. But not sure if there is any alternative approach.

My queries:

  1. While using SslProvider.OPENSSL with netty-tcnative, can we restrict the elliptic curves (supported group/named group) to be used for key exchange?
  2. If yes, how to configure the same?
ramtech On BEST ANSWER

Netty-tcnative has been updated through this PR - https://github.com/netty/netty-tcnative/pull/661 to support this feature.
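As an added example (not code from the question, the answer, or the Netty project), this is how the asker's builder would look once the group allow-list is applied on the Netty side. It assumes the Netty option is named OpenSslContextOption.GROUPS and that the deployed netty-tcnative contains the PR above (so a release newer than the 2.0.36 in the question); confirm the option name and minimum versions against your Netty release before relying on it.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslContextOption;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import javax.net.ssl.KeyManagerFactory;

public final class RestrictedGroupsServerContext {

    // Allow-list of named groups for ECDHE, in server preference order.
    // Names use the OpenSSL/BoringSSL SSL_CTX_set1_groups_list syntax.
    // Constructed example: P-256 is deliberately left out.
    private static final String[] ALLOWED_GROUPS = { "P-384", "P-521" };

    public static SslContext build(KeyManagerFactory keyMngrFactory) throws Exception {
        if (!OpenSsl.isAvailable()) {
            // Fail closed: a silent fallback to the JDK provider would ignore
            // the OpenSSL-specific option below and reopen P-256.
            throw new IllegalStateException("netty-tcnative is not available",
                    OpenSsl.unavailabilityCause());
        }
        return SslContextBuilder.forServer(keyMngrFactory)
                .sslProvider(SslProvider.OPENSSL)
                .protocols("TLSv1.2")
                .enableOcsp(true)
                // Assumed option name. It replaces the context's default group list,
                // so only ALLOWED_GROUPS are advertised in supported_groups and
                // accepted for the ECDHE key exchange.
                .option(OpenSslContextOption.GROUPS, ALLOWED_GROUPS)
                .build();
    }
}
```

To confirm the restriction took effect, connect with a client that offers only the excluded group (for example `openssl s_client -connect host:port -groups P-256`) and check that the handshake is rejected, while a client offering P-384 completes it.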