[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0

Salz, Rich rsalz at akamai.com
Fri Sep 16 15:52:30 UTC 2016


> The majority of servers (71%) support *only* prime256v1 curve and of the
> ones that default to ECDHE key exchange nearly 83% will also default to this
> curve.

That's because most people have not moved to OpenSSL 1.1.0 yet.  I'm not joking, I think that's a major reason.

> OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised
> by client.

When I made X25519 the default, I didn't think about it.  That was probably a mistake.  Good catch!
 
> So it is very likely that any client that doesn't advertise curves will expect the
> server to select prime256v1. At the same time it is very unlikely that it will
> support x25519 (given how new it is).

Well the major browsers support it now, so once servers start upgrading to 1.1.0 it will be less of an issue.  But maybe the community thinks the current behavior is a bug? 
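The exchange above turns on one observable fact: whether a ClientHello carries a supported_groups (elliptic_curves, extension type 10) list at all. The following is an added example, not code from the thread or from OpenSSL: it parses a ClientHello, reports the advertised curves, and models the two no-curves defaults the thread describes (prime256v1 for a 1.0.2h-style server, X25519 for a 1.1.0-style server). The server preference lists and the sample ClientHello bytes are constructed assumptions for illustration, not captured traffic or OpenSSL's actual selection logic.

```python
"""Added example: detect ClientHellos that advertise no curves and show which
curve each default policy in the thread would pick for them."""
import struct

# IANA NamedGroup values and the extension type (real registry values).
SECP256R1 = 0x0017           # prime256v1
X25519 = 0x001D
SUPPORTED_GROUPS_EXT = 0x000A

# Assumed server preference orders used only to model the two behaviours.
PREF_1_0_2H = [SECP256R1]    # assumption: 1.0.2h-style server, P-256 first
PREF_1_1_0 = [X25519, SECP256R1]  # assumption: 1.1.0-style server, X25519 first


def parse_supported_groups(client_hello: bytes):
    """Return the curve IDs the client advertises, or None when the
    ClientHello has no supported_groups extension (or no extensions)."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = client_hello[5:]                  # skip record header
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                             # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = hello[pos]; pos += 1 + comp_len
    if pos >= len(hello):
        return None                          # legacy client: no extensions block
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type == SUPPORTED_GROUPS_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0]
                    for i in range(0, list_len, 2)]
    return None


def server_curve(advertised, no_curves_default, server_pref):
    """First server-preferred curve the client advertised; if the client
    advertised nothing, fall back to the policy's built-in default."""
    if advertised is None:
        return no_curves_default
    for curve in server_pref:
        if curve in advertised:
            return curve
    return None                              # no common curve: ECDHE fails


def compare_defaults(client_hello: bytes):
    """Show what each modelled server policy would negotiate."""
    advertised = parse_supported_groups(client_hello)
    return {
        "advertised": advertised,
        "openssl_1_0_2h": server_curve(advertised, SECP256R1, PREF_1_0_2H),
        "openssl_1_1_0": server_curve(advertised, X25519, PREF_1_1_0),
    }


def build_client_hello(groups):
    """Construct a minimal TLS 1.2 ClientHello (constructed sample, not a
    capture). groups=None omits the extensions block entirely."""
    body = b"\x03\x03" + b"\x00" * 32                 # version, zeroed random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one ECDHE cipher suite
    body += b"\x01\x00"                               # null compression only
    if groups is not None:
        glist = b"".join(struct.pack("!H", g) for g in groups)
        ext = (struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(glist) + 2)
               + struct.pack("!H", len(glist)) + glist)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, groups in [("no curves", None), ("P-256 only", [SECP256R1]),
                          ("X25519 first", [X25519, SECP256R1])]:
        print(label, compare_defaults(build_client_hello(groups)))
```

Run against real traffic, the `advertised is None` case is the population the quoted message worries about: those clients get X25519 from a 1.1.0-style server and prime256v1 from a 1.0.2h-style one, and only the former breaks if the client cannot do X25519.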


