Add support for TLS 1.3 Brainpool curves #9701
Merged
+475
−63
Description
This PR adds support for RFC 8734, allowing ECC Brainpool curves to be used for TLS 1.3 key exchange and peer authentication. Furthermore, Brainpool usage for TLS 1.2 has been improved to more closely match RFC 8422.
Why?
Although IETF initially deprecated Brainpool curves for TLS 1.3 due to little usage, the German BSI (Federal Office for Information Security) still mandates their usage for critical infrastructure and the energy sector (e.g. in BSI TR-03116-3 or BSI TR-03116-4) for both TLS 1.2 and TLS 1.3 in addition to NIST SECP curves (TLS 1.3 itself is optional, but when it is used, the Brainpool curves must be supported to be compliant). Hence, support for these curves was added to TLS 1.3 via RFC 8734, adding new identifiers for key exchange and signatures.
Until now, wolfSSL has only formally supported Brainpool curves for TLS 1.2 (although not fully standard conformant, see below). It is technically possible to use Brainpool certificates with TLS 1.3 at the moment, but their usage is fully “hidden” behind the NIST SECP ECDSA signature identifiers instead of the specific ones from RFC 8734, which is actually not allowed by RFC 8446. This currently limits users who need compliance with BSI regulations to TLS 1.2. The upgrade to TLS 1.3 is especially important with the transition to PQC in mind, as PQC will only be available for TLS 1.3. Although there are currently no specific regulations from the BSI regarding PQC, their future support is already anticipated.
Currently, only OpenSSL and Bouncy Castle also support the new identifiers of RFC 8734. All other TLS libraries, especially for embedded use, only support the TLS 1.2 identifiers.
TLS 1.3 Support
To make ECC Brainpool curves work in TLS 1.3, new identifiers are added for the key exchange (NamedGroups) as well as for the handshake signatures (SignatureScheme).
For the ECDHE key exchange, the following three new NamedGroups are available:
- WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
- WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
- WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)
For the handshake signature, the following three new SignatureSchemes are supported:
- ECDSA_BRAINPOOLP256R1TLS13_SHA256 (0x081A)
- ECDSA_BRAINPOOLP384R1TLS13_SHA384 (0x081B)
- ECDSA_BRAINPOOLP512R1TLS13_SHA512 (0x081C)
When Brainpool curves are enabled (via --enable-brainpool or HAVE_ECC_BRAINPOOL) in addition to TLS 1.3, these identifiers are added automatically to the respective extensions in the handshake. For the key exchange, their usage can also be enforced by the user via the existing wolfSSL_CTX_set_groups(), wolfSSL_set_groups() or wolfSSL_UseKeyShare() APIs. When the TLS endpoint uses a Brainpool certificate, the appropriate SignatureScheme is used for the CertificateVerify message during authentication if the peer offered support in the SignatureSchemes extension of the ClientHello or CertificateRequest message. If no support for these is offered, the handshake is aborted properly.
TLS 1.2 changes
In the TLS 1.2 case, the existing behavior when a Brainpool certificate is used has not been fully conformant to RFC 8422. The handshake may only succeed when the client advertises Brainpool support in the elliptic_curves extension in addition to advertising ECDSA support in the signature_algorithms extension. This has not been handled properly so far: the handshake simply proceeded. This PR changes that by checking the advertised curve support for Brainpool curves and aborting the handshake if the curve used in the certificate is not present in the list.
Testing
Next to thorough internal testing using the client and server examples (both applications have been modified to support the new identifiers; some new tests are also added to the testsuite), interoperability with OpenSSL (>= version 3.2) has been tested successfully.
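The negotiation rules from the TLS 1.3 and TLS 1.2 sections above, as an added Python example that is not part of this PR or of wolfSSL: it parses the uint16 lists carried in the supported_groups/elliptic_curves and signature_algorithms extensions and decides which SignatureScheme a Brainpool certificate may be signed with, or that the handshake must be aborted. The RFC 8734 ids are the ones listed in this PR; the TLS 1.2 curve ids (26, 27, 28) come from RFC 7027 and the generic ECDSA scheme ids from RFC 5246; all function and variable names are my own.

```python
import struct

# NamedGroup ids: RFC 7027 (TLS 1.2) and the RFC 8734 ids this PR adds (TLS 1.3)
BP256_TLS12, BP384_TLS12, BP512_TLS12 = 26, 27, 28
BP256_TLS13, BP384_TLS13, BP512_TLS13 = 31, 32, 33
# SignatureScheme ids: generic TLS 1.2 ECDSA (RFC 5246) and RFC 8734 Brainpool-specific
ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512 = 0x0403, 0x0503, 0x0603
ECDSA_BP256_TLS13_SHA256, ECDSA_BP384_TLS13_SHA384, ECDSA_BP512_TLS13_SHA512 = 0x081A, 0x081B, 0x081C

# certificate curve -> (TLS 1.2 curve id, TLS 1.2 ECDSA scheme, TLS 1.3 scheme)
CERT_CURVES = {
    "brainpoolP256r1": (BP256_TLS12, ECDSA_SHA256, ECDSA_BP256_TLS13_SHA256),
    "brainpoolP384r1": (BP384_TLS12, ECDSA_SHA384, ECDSA_BP384_TLS13_SHA384),
    "brainpoolP512r1": (BP512_TLS12, ECDSA_SHA512, ECDSA_BP512_TLS13_SHA512),
}


def parse_u16_list(ext_body: bytes) -> list:
    """Parse the body of a supported_groups/elliptic_curves or
    signature_algorithms extension: uint16 length followed by uint16 values."""
    if len(ext_body) < 2:
        raise ValueError("truncated extension body")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length != len(ext_body):
        raise ValueError("malformed extension body")
    return list(struct.unpack("!%dH" % (length // 2), ext_body[2:]))


def select_key_share_group(peer_groups):
    """TLS 1.3: first RFC 8734 Brainpool group the peer offered, else None."""
    for group in peer_groups:
        if group in (BP256_TLS13, BP384_TLS13, BP512_TLS13):
            return group
    return None


def select_cert_verify_scheme(version, cert_curve, peer_groups, peer_schemes):
    """SignatureScheme to sign the handshake with for a Brainpool certificate,
    or None when the handshake must be aborted (peer offered no support)."""
    curve_id, tls12_scheme, tls13_scheme = CERT_CURVES[cert_curve]
    if version == "1.3":
        # RFC 8734: only the Brainpool-specific scheme is allowed; the generic
        # NIST ECDSA ids must not be used, so there is no fallback.
        return tls13_scheme if tls13_scheme in peer_schemes else None
    # RFC 8422: the certificate curve must be in elliptic_curves AND the peer
    # must list ECDSA (SignatureAlgorithm byte 3) in signature_algorithms.
    if curve_id not in peer_groups:
        return None
    ecdsa = [s for s in peer_schemes if (s & 0xFF) == 3]
    if not ecdsa:
        return None
    return tls12_scheme if tls12_scheme in ecdsa else ecdsa[0]
```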