Setting ssl_ecdh_curve to secp384r1 does not work

Maxim Dounin mdounin at
Wed Jul 6 16:08:19 UTC 2016


On Wed, Jul 06, 2016 at 09:15:59AM +0200, Florian Reinhart wrote:

> Is there any way to know what curves "auto" will include on my 
> system?

This is not currently possible, AFAIK, and depends on the OpenSSL 
library used.  Here is a short summary for various OpenSSL versions 
I've previously looked into:

- OpenSSL 1.0.2, 1.0.2a: all curves supported, strongest first.
  Full list is available via "openssl ecparam -list_curves".

- OpenSSL 1.0.2b ... 1.0.2h: limited default list with at least
  256 bits, prime256v1 (aka P-256) first.  List in OpenSSL 1.0.2g 
  is as follows:


- Upcoming OpenSSL 1.1.0 uses X25519:P-256:P-521:P-384 (aka 

Maxim Dounin

