Re: About ssl_ecdh_curve auto

Maxim Dounin
October 26, 2022 12:08AM
Hello!

On Tue, Oct 25, 2022 at 11:25:39AM -0400, wordlesswind wrote:

> I deployed ECDSA P-256 certificate issued by Let's Encrypt E1 on nginx, and
> I noticed something about "ssl_ecdh_curve auto;".
>
> When I set ssl_protocols to "TLSv1.2 TLSv1.3", ssl_ecdh_curve has only
> prime256v1. When set to TLSv1.3, x448 is missing and is the preferred order
> for the server.
>
> As far as I know, the full list of nginx support should be x25519, x448,
> secp256r1, secp384r1, secp521r1.
>
> So what caused the difference in "ssl_ecdh_curve auto;"?

The list of curves supported with "ssl_ecdh_curve auto;" depends
on the SSL library being used.

In recent OpenSSL versions the list is as follows: X25519,
secp256r1, X448, secp521r1, secp384r1. In BoringSSL, the list is:
X25519, secp256r1, secp384r1. In LibreSSL the list is: X25519,
secp256r1, secp384r1. In all cases the preferred order is as set by
the ssl_prefer_server_ciphers directive. In no case do I see any
difference based on the SSL protocols being used (though in theory
there might be some, and certainly there is a difference in
testing, see below).

If you see different behaviour, first of all you may want to check
the SSL library you are using (shown by "nginx -V").

It might also make sense to check how you test things.

In particular, when testing with a P-256 certificate over TLSv1.2
and below it is important to include P-256 (aka prime256v1, aka
secp256r1) in the client list of supported elliptic curves, or the
handshake will fail even if another curve is expected to be used
for ephemeral key exchange. This is, however, not needed with
TLSv1.3, since signature algorithms in TLSv1.3 explicitly include
elliptic curves being used.

For example, the following command will be able to establish a
connection with TLSv1.3, but will fail with TLSv1.2 due to no
P-256 in the supported curves:

openssl s_client -connect 127.0.0.1:8443 -curves X448

But the following one will use X448 with both TLSv1.2 and TLSv1.3:

openssl s_client -connect 127.0.0.1:8443 -curves X448:prime256v1

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
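
Added example, not part of the original message: a small POSIX shell helper that runs the two client curve lists from the reply under both TLSv1.2 and TLSv1.3 and reports the group the server picked. The function names, the PROBE_TARGET variable and the sample output are constructed for illustration; the parser assumes the "Server Temp Key:" line that openssl s_client prints after a successful handshake.

```shell
#!/bin/sh
# Added example: report the key-exchange group openssl s_client negotiated.

# Read s_client output on stdin and print the group from its
# "Server Temp Key:" line, or "handshake-failed" when there is none.
negotiated_group() {
    awk -F': ' '
        /^Server Temp Key:/ {
            n = split($2, f, ", ")
            # "ECDH, P-256, 256 bits" names the curve second; "X448, 448 bits" first
            g = (f[1] == "ECDH" && n >= 3) ? f[2] : f[1]
            print g; found = 1; exit
        }
        END { if (!found) print "handshake-failed" }'
}

# probe HOST:PORT VERSION_FLAG CURVES, e.g. probe 127.0.0.1:8443 -tls1_2 X448
probe() {
    openssl s_client -connect "$1" "$2" -curves "$3" </dev/null 2>&1 |
        negotiated_group
}

# Run both curve lists from the reply under TLSv1.2 and TLSv1.3.
matrix() {
    for ver in -tls1_2 -tls1_3; do
        for curves in X448 X448:prime256v1; do
            printf '%s %-16s -> %s\n' "$ver" "$curves" \
                "$(probe "$1" "$ver" "$curves")"
        done
    done
}

# Constructed sample output (abridged), not captured from a real server.
sample_x448() { echo 'Server Temp Key: X448, 448 bits'; }
sample_p256() { echo 'Server Temp Key: ECDH, P-256, 256 bits'; }
sample_failed() {
    printf '%s\n' 'no peer certificate available' 'New, (NONE), Cipher is (NONE)'
}

# PROBE_TARGET (hypothetical variable) selects a live server; otherwise
# the parser is exercised on the constructed samples.
if [ -n "${PROBE_TARGET:-}" ]; then
    matrix "$PROBE_TARGET"
else
    for s in sample_x448 sample_p256 sample_failed; do
        printf '%s -> %s\n' "$s" "$($s | negotiated_group)"
    done
fi
```

Against a server with a P-256 certificate, the reply above predicts "handshake-failed" only for the -tls1_2 / X448 row.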