secp521r1 removed from 1.4.6

Maxim Dounin mdounin at
Thu Mar 13 16:27:07 UTC 2014


On Thu, Mar 13, 2014 at 11:43:37AM -0400, nginxu14 wrote:

> Hi, It seems that secp521r1 has been removed from 1.4.6. Trying to use it in
> ssl_ecdh_curve doesnt work but worked in 1.4.5.
> Was this just a mistake or is there a reason why it has been removed?

It wasn't - nginx just uses what's available from your OpenSSL 
library.  Use

$ openssl ecparam -list_curves

to find out which curves are supported by OpenSSL library on your 

As long as you are using CentOS 6, likely you've hit something 
similar to what's described in this ticket:

I.e., the ssl_ecdh_curve directive is now actually used and the 
value is rejected as not supported by OpenSSL on you host, rather 
than being ignored.

Maxim Dounin

More information about the nginx mailing list