Setting ssl_ecdh_curve to secp384r1 does not work

Florian Reinhart florian at
Wed Jul 6 07:15:59 UTC 2016

Hi Maxim!

Thanks for investigating this! I thought ssl_ecdh_curve was only used to specific curves for ECDHE.

Is there any way to know what curves "auto" will include on my system?


> On 05 Jul 2016, at 20:16, Maxim Dounin <mdounin at> wrote:
> Hello!
> On Tue, Jul 05, 2016 at 05:02:07PM +0200, Florian Reinhart wrote:
>> It is the same certificate on both servers and it is indeed a 
>> secp256r1 aka prime256v1 certificate. So does this mean, I have 
>> to use prime256v1 for ssl_ecdh_curve with this certificate? It’s 
>> still strange that it used to work before...
> Since version 1.11.0 nginx uses the new SSL_CTX_set1_curves_list() 
> interface if available to configure supported curves, instead of 
> previously used EC_KEY_new_by_curve_name()/SSL_CTX_set_tmp_ecdh().  
> This new interface is generally better as it allows configuring 
> multiple curves.
> I've just tested, and it looks like this new interface is also 
> more strict.  With previous interface it was possible to use any 
> certificate regardless of the ssl_ecdh_curve setting, and that's 
> why it worked for you in older versions.  The new interface does 
> not allow to use curves which are not listed at all, including 
> certificates using these curves.
> Solution would be to list all curves you want to use, including 
> curves used by certificates, e.g.:
>    ssl_ecdh_curve secp384r1:prime256v1;
> Or, better yet, just leave the default ("auto"), it will allow 
> most common curves as supported by OpenSSL.
> -- 
> Maxim Dounin
> _______________________________________________
> nginx mailing list
> nginx at

More information about the nginx mailing list