About ssl_ecdh_curve auto
mdounin at mdounin.ru
Wed Oct 26 04:07:43 UTC 2022
On Tue, Oct 25, 2022 at 11:25:39AM -0400, wordlesswind wrote:
> I deployed ECDSA P-256 certificate issued by Let's Encrypt E1 on nginx, and
> I noticed something about "ssl_ecdh_curve auto;".
> When I set ssl_protocols to "TLSv1.2 TLSv1.3", ssl_ecdh_curve has only
> prime256v1. When set to TLSv1.3, x448 is missing and is the preferred order
> for the server.
> As far as I know, the full list of nginx support should be x25519, x448,
> secp256r1, secp384r1, secp521r1.
> So what caused the difference in "ssl_ecdh_curve auto;"?
The list of curves supported with "ssl_ecdh_curve auto;" depends
on the SSL library being used.
In recent OpenSSL versions the list is as follows: X25519,
secp256r1, X448, secp521r1, secp384r1. In BoringSSL, the list is:
X25519, secp256r1, secp384r1. In LibreSSL the list is: X25519,
secp256r1, secp384r1. In all cases preferred order is as set by
the ssl_prefer_server_ciphers directive. In no cases I see any
difference based on the SSL protocols being used (though in theory
there might be some, and certainly there is a difference in
testing, see below).
If you see different behaviour, first of all you may want to check
the SSL library you are using (shown by "nginx -V").
It might also make sense to check how do you test things.
In particular, when testing with a P-256 certificate over TLSv1.2
and below it is important to include P-256 (aka prime256v1, aka
secp256r1) in the client list of supported elliptic curves, or the
handshake will fail even if another curve is expected to be used
for ephemeral key exchange. This is, however, not needed with
TLSv1.3, since signature algorithms in TLSv1.3 explicitly include
elliptic curves being used.
For example, the following command will be able to establish
connection with TLSv1.3, but will fail with TLSv1.2 due to no
P-256 in the supported curves:
openssl s_client -connect 127.0.0.1:8443 -curves X448
But the following one will use X448 with both TLSv1.2 and TLSv1.3:
openssl s_client -connect 127.0.0.1:8443 -curves X448:prime256v1
Hope this helps.
More information about the nginx