Setting ssl_ecdh_curve to secp384r1 does not work
Maxim Dounin
mdounin at mdounin.ru
Wed Jul 6 16:08:19 UTC 2016
Hello!
On Wed, Jul 06, 2016 at 09:15:59AM +0200, Florian Reinhart wrote:
> Is there any way to know what curves "auto" will include on my
> system?
This is not currently possible, AFAIK, and depends on the OpenSSL
library used. Here is a short summary for various OpenSSL versions
I've previously looked into:

- OpenSSL 1.0.2, 1.0.2a: all curves supported, strongest first.
  Full list is available via "openssl ecparam -list_curves".

- OpenSSL 1.0.2b ... 1.0.2h: limited default list with at least
  256 bits, prime256v1 (aka P-256) first. List in OpenSSL 1.0.2g
  is as follows:

  P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283

- Upcoming OpenSSL 1.1.0 uses X25519:P-256:P-521:P-384 (aka
  X25519:secp256r1:secp521r1:secp384r1).

--
Maxim Dounin
http://nginx.org/