Use the "ssl_ecdh_curve" directive in nginx 1.11.0

Posted by nicolassimond 
Use the "ssl_ecdh_curve" directive in nginx 1.11.0
May 25, 2016 05:38AM
Hi everyone,

I'm using Nginx with LibreSSL 2.3.4 and I want to know if someone knows how to use the "new" "ssl_ecdh_curve" directive in nginx 1.11.0, which allows using more than one curve.

For example, I want to use the following curves on my server:
- secp384r1
- secp521r1
- sect571r1


The official announcement says :

Feature: the "ssl_ecdh_curve" directive now allows specifying a list of curves when using OpenSSL 1.0.2 or newer; by default a list built into OpenSSL is used.


What syntax do we have to use for a list of curves?

I've tried both :

ssl_ecdh_curve secp384r1:secp521r1:sect571r1;

or

ssl_ecdh_curve secp384r1;
ssl_ecdh_curve secp521r1;
ssl_ecdh_curve sect571r1;

or

ssl_ecdh_curve secp384r1 secp521r1 sect571r1;

but nothing works with a nginx -t.


If someone has an idea :)

Thanks, and regards,
Nicolas
Re: Use the "ssl_ecdh_curve" directive in nginx 1.11.0
May 27, 2016 12:42AM
I want to know that too
And the official document is not updated yet to explain this feature
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve
Re: Use the "ssl_ecdh_curve" directive in nginx 1.11.0
May 27, 2016 02:07AM
Hi PikachuEXE,

I found it by myself.

LibreSSL is not compatible with this feature, so you have to build Nginx against OpenSSL 1.0.2+.

I've made a script that does that under Debian 8, adding support for CHACHA20_POLY1305 too.

Take a look at : https://github.com/stylersnico/nginx-openssl-chacha

See the nginx.conf file for the syntax :)

BR,
Nicolas
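
Added example, not part of any post in this thread: the nginx documentation gives the colon-separated form (for example `ssl_ecdh_curve prime256v1:secp384r1;`) for a curve list with OpenSSL 1.0.2 or newer, and the directive takes exactly one argument and may appear once per block. This Python sketch classifies the three forms tried in the first post on that basis; the function names and the sample configuration are constructed for illustration, and it only inspects innermost `{ }` blocks.

```python
import re

# Constructed sample: the three forms tried in the thread, one per server block.
SAMPLE = """
server { ssl_ecdh_curve secp384r1:secp521r1:sect571r1; }
server {
    ssl_ecdh_curve secp384r1;
    ssl_ecdh_curve secp521r1;
    ssl_ecdh_curve sect571r1;
}
server { ssl_ecdh_curve secp384r1 secp521r1 sect571r1; }
"""

DIRECTIVE = re.compile(r"\bssl_ecdh_curve\s+([^;]*);")
BLOCK = re.compile(r"\{([^{}]*)\}")  # innermost blocks only (simplification)


def check_block(body):
    """Return (status, curves) for the body of one configuration block."""
    found = DIRECTIVE.findall(body)
    if not found:
        return ("absent", [])
    if len(found) > 1:
        # The directive may appear once per block; nginx rejects repeats.
        return ("duplicate-directive", [])
    args = found[0].split()
    if len(args) != 1:
        # Exactly one argument is accepted; whitespace separates arguments.
        return ("wrong-argument-count", [])
    curves = args[0].split(":")
    if "" in curves:
        return ("empty-curve-name", [])
    status = "single-curve" if len(curves) == 1 else "curve-list"
    return (status, curves)


def check_config(text):
    """Classify ssl_ecdh_curve usage in every innermost block of a config."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments before matching
    return [check_block(body) for body in BLOCK.findall(text)]


if __name__ == "__main__":
    for status, curves in check_config(SAMPLE):
        print(status, curves)
```

A `curve-list` result only says the syntax is right; whether `nginx -t` accepts it still depends on the TLS library nginx was built against, as the reply above describes.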
Re: Use the "ssl_ecdh_curve" directive in nginx 1.11.0
May 27, 2016 04:02AM
Hi nicolassimond,

Thanks for your info.
I am using OpenSSL 1.0.2h

What I want to know is:
- what's the syntax (which is included in your reply, thx :D )
- How does Nginx use the config if multiple values are provided (which should be different from a single value)