<div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi,</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I would like to ask if anyone here has actually been able to
trim the EC Supported Groups in the Client Hello with a TLS-ECDHE cipher
using the APIs described in the <a href="https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set1_curves.html">OpenSSL v1.0.2 manpage for SSL_CTX_set1_curves()</a>.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt"> </span><br></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">My shared objects are built using OpenSSL v1.0.2t with FIPS
Object Module v2.0.5. <span style="font-size:11pt">The TLS handshake pcap has always shown </span><span style="font-size:10pt;font-family:'Lucida Console'">myCipher</span><span style="font-size:11pt"> (</span><span style="font-size:9pt;font-family:'Lucida Console'">"ECDHE-RSA-AES128-GCM-SHA256"</span><span style="font-size:11pt">)
in the Client Hello correctly, accompanied by 13 curves in the Supported Groups extension. However, enhancing </span><span style="font-size:10pt;font-family:'Lucida Console'">SSL_CTX myCtx</span><span style="font-size:11pt"> to restrict the curves to just 3 (P-521:P-384:P-256)
still shows the same 13 curves in the pcap. The man page doesn't suggest, nor do I see, any reason why FIPS should prevent this from working.</span></p>

<p class="MsoNormal" style="background:rgb(239,240,241);vertical-align:baseline;margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p>

<pre style="font-size:10pt;font-family:'Lucida Console'">/* existing working code */
if ((myCtx = SSL_CTX_new(TLSv1_2_method())) == NULL)
    return;
if (SSL_CTX_set_cipher_list(myCtx, myCipher) != 1)
    return;

/* enhancement, not working */
/* SSL_CTX_set1_curves() takes an array of curve NIDs plus its length;
 * the colon-separated string form in 1.0.2 is SSL_CTX_set1_curves_list(). */
int curves[] = { NID_secp521r1, NID_secp384r1, NID_X9_62_prime256v1 };  /* P-521, P-384, P-256 */
if (SSL_CTX_set1_curves(myCtx, curves, 3) != 1)
    return;
</pre>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The
API returns 0 (suggesting no error), but the pcap shows no change, i.e. it still shows the std. 13 curves.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><span style="font-family:Calibri,sans-serif">Trying a code snippet involving </span><font face="monospace">SSL_CONF_cmd(myConfCtx, "-named-curve", "P-256")</font><font face="Calibri, sans-serif">, suggested in </font><a href="https://superuser.com/questions/912311/how-to-force-a-server-to-use-a-specific-elliptic-curve-at-the-beginning-of-the-h" style="font-family:Calibri,sans-serif">this link</a><font face="Calibri, sans-serif"> and available before </font><span style="font-family:'Lucida Console';font-size:10pt">SSL_CTX_set1_curves()</span><font face="Calibri, sans-serif"> was introduced in v1.0.2, didn't help
either.</font></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><font face="Calibri, sans-serif"><br></font></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><font face="Calibri, sans-serif">Thank you for any guidance you can provide.</font></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><font face="Calibri, sans-serif">Rohit</font></p></div>
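<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The check the message above does by eye in a pcap (which curves the Supported Groups extension of the Client Hello actually carries, and whether any of them fall outside the configured list) can be done mechanically. The following is an added example, not code from the original message or from OpenSSL: a stand-alone parser for a TLS record holding a ClientHello that returns the offered groups by their IANA names (OpenSSL's "P-256", "P-384" and "P-521" are secp256r1, secp384r1 and secp521r1 on the wire) and reports any group not in an allow-list. The function and variable names, the minimal ClientHello builder and the sample record it builds are all assumptions made for this example; a real record can be pasted in from Wireshark with "Copy as Hex Stream".</p>

```python
"""Added example (not from the original post): list the groups a ClientHello
offers and flag any that are outside the configured allow-list.

Usage: python3 check_groups.py <hex of one TLS record holding a ClientHello>
Without an argument it runs on a constructed sample record (not a capture).
"""
import struct
import sys

HANDSHAKE, CLIENT_HELLO = 22, 1
SUPPORTED_GROUPS_EXT = 0x000A          # "elliptic_curves" in RFC 4492 terms

# IANA TLS Supported Groups registry values relevant to TLS 1.2
GROUP_NAMES = {
    1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2",
    6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1",
    11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1",
    15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1",
    19: "secp192r1", 20: "secp224k1", 21: "secp224r1", 22: "secp256k1",
    23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 26: "brainpoolP256r1",
    27: "brainpoolP384r1", 28: "brainpoolP512r1", 29: "x25519", 30: "x448",
}


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def parse_client_hello_extensions(record: bytes) -> dict:
    """Walk one TLS record holding a ClientHello; return {ext_type: ext_data}.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if len(record) < 5 or record[0] != HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + _u16(record, 3)]
        if len(body) != _u16(record, 3) or body[0] != CLIENT_HELLO:
            raise ValueError("truncated record or not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("truncated ClientHello")
        off = 2 + 32                                  # client_version + random
        off += 1 + hello[off]                         # session_id
        off += 2 + _u16(hello, off)                   # cipher_suites
        off += 1 + hello[off]                         # compression_methods
        exts = {}
        if off == len(hello):                         # no extensions block at all
            return exts
        end = off + 2 + _u16(hello, off)
        off += 2
        if end != len(hello):
            raise ValueError("extensions length does not match ClientHello length")
        while off < end:
            ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
            off += 4
            exts[ext_type] = hello[off:off + ext_len]
            off += ext_len
        if off != end:
            raise ValueError("extension overruns the extensions block")
        return exts
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello: %s" % exc) from None


def supported_groups(record: bytes) -> list:
    """Names of the groups offered, in the client's preference order
    (unknown registry values are reported as unknown(<id>))."""
    data = parse_client_hello_extensions(record).get(SUPPORTED_GROUPS_EXT)
    if data is None:
        return []
    list_len = _u16(data, 0)
    if list_len + 2 != len(data) or list_len % 2:
        raise ValueError("malformed supported_groups extension")
    ids = struct.unpack(">%dH" % (list_len // 2), data[2:])
    return [GROUP_NAMES.get(i, "unknown(%d)" % i) for i in ids]


def unexpected_groups(record: bytes, allowed) -> list:
    """Groups in the ClientHello that are not in the configured allow-list."""
    allowed = set(allowed)
    return [g for g in supported_groups(record) if g not in allowed]


def build_client_hello(group_ids, cipher_suites=(0xC02F,)) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record offering the
    given groups (0xC02F is ECDHE-RSA-AES128-GCM-SHA256). Not a real capture."""
    groups = struct.pack(">H%dH" % len(group_ids), 2 * len(group_ids), *group_ids)
    ext = struct.pack(">HH", SUPPORTED_GROUPS_EXT, len(groups)) + groups
    cs = struct.pack(">%dH" % len(cipher_suites), *cipher_suites)
    hello = (b"\x03\x03" + b"\x00" * 32               # version, zeroed random
             + b"\x00"                                # empty session id
             + struct.pack(">H", len(cs)) + cs
             + b"\x01\x00"                            # compression: null only
             + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    rec = bytes.fromhex(sys.argv[1]) if len(sys.argv) > 1 else build_client_hello([25, 24, 23])
    print("offered groups:", supported_groups(rec))
    print("outside P-521/P-384/P-256:", unexpected_groups(rec, {"secp521r1", "secp384r1", "secp256r1"}))
```

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Run against the captured record, an empty result from the allow-list check is what a correctly applied three-curve restriction looks like; a list the same length as the default one means the configuration never reached the SSL_CTX the connection was created from. The parser deliberately refuses records whose length fields do not add up rather than guessing, so a partial copy from the capture shows up as a ValueError instead of a wrong group list.</p>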