About ssl_ecdh_curve auto

Maxim Dounin mdounin at mdounin.ru
Wed Oct 26 04:07:43 UTC 2022


On Tue, Oct 25, 2022 at 11:25:39AM -0400, wordlesswind wrote:

> I deployed ECDSA P-256 certificate issued by Let's Encrypt E1 on nginx, and
> I noticed something about "ssl_ecdh_curve auto;".
> When I set ssl_protocols to "TLSv1.2 TLSv1.3", ssl_ecdh_curve has only
> prime256v1. When set to TLSv1.3, x448 is missing and is the preferred order
> for the server.
> As far as I know, the full list of nginx support should be x25519, x448,
> secp256r1, secp384r1, secp521r1.
> So what caused the difference in "ssl_ecdh_curve auto;"?

The list of curves supported with "ssl_ecdh_curve auto;" depends 
on the SSL library being used.

In recent OpenSSL versions the list is as follows: X25519, 
secp256r1, X448, secp521r1, secp384r1.  In BoringSSL, the list is: 
X25519, secp256r1, secp384r1.  In LibreSSL the list is: X25519, 
secp256r1, secp384r1.  In all cases preferred order is as set by 
the ssl_prefer_server_ciphers directive.  In no cases I see any 
difference based on the SSL protocols being used (though in theory 
there might be some, and certainly there is a difference in 
testing, see below).

If you see different behaviour, first of all you may want to check 
the SSL library you are using (shown by "nginx -V").

It might also make sense to check how do you test things.

In particular, when testing with a P-256 certificate over TLSv1.2 
and below it is important to include P-256 (aka prime256v1, aka 
secp256r1) in the client list of supported elliptic curves, or the 
handshake will fail even if another curve is expected to be used 
for ephemeral key exchange.  This is, however, not needed with 
TLSv1.3, since signature algorithms in TLSv1.3 explicitly include 
elliptic curves being used.

For example, the following command will be able to establish 
connection with TLSv1.3, but will fail with TLSv1.2 due to no 
P-256 in the supported curves:

openssl s_client -connect -curves X448

But the following one will use X448 with both TLSv1.2 and TLSv1.3:

openssl s_client -connect -curves X448:prime256v1

Hope this helps.

Maxim Dounin

More information about the nginx mailing list