About ssl_ecdh_curve auto

Maxim Dounin mdounin at mdounin.ru
Wed Oct 26 04:24:30 UTC 2022


On Wed, Oct 26, 2022 at 06:22:54AM +0300, Sergey A. Osokin wrote:


> It's also possible to see the list of the elliptic curve parameters with
> the following command:
> % openssl ecparam -list_curves

Fun fact: this list only includes standard curves, but not custom 
curves such as X25519 or X448, so it is more or less useless.

Not to mention this list has nothing to do with the default list 
of supported curves as used by default (and with "ssl_ecdh_curve 
auto;" in nginx).  As far as I understand, there are no 
user-friendly ways to extract this default list from OpenSSL.  The 
best ways I'm aware of include looking into the code or SSL 
handshakes on the wire.

Maxim Dounin

More information about the nginx mailing list