Welcome! Log In Create A New Profile

Advanced

Add support for multiple elliptic curves with preferrence

Posted by jdl 
jdl
Add support for multiple elliptic curves with preferrence
January 06, 2016 03:58AM
Hello,

With the apparition of HTTP/2, if we want to set up a server compliant with RFC7540 (describing the protocol), we MUST support the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with the P-256 elliptic curve. (As described here: https://tools.ietf.org/html/rfc7540#section-9.2.2)

As this elliptic curve is probably the weakest one available, I think it could be useful to support several one, allowing server admins to support stronger curves, but keeping this one for compatibility/compliance reasons.
Currently, the directive "ssl_ecdh_curve" does not seem to be a multi-valued attribute like "ssl-ciphers" can be.

Allowing several curves with server preference would help to improve security and compatibility.

Examples:

ssl_ecdh_curve "brainpoolP512r1:secp521r1:prime256v1";
ssl_prefer_server_ecdh_curve on;

or

ssl_ecdh_curve brainpoolP512r1 secp521r1 prime256v1;
ssl_prefer_server_ecdh_curve off;
Re: Add support for multiple elliptic curves with preferrence
June 23, 2016 05:23AM
Starting with nginx 1.11.0 and when using OpenSSL 1.0.2+, it's possible, see http://nginx.org/r/ssl_ecdh_curve for details.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 188
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready