[openssl-dev] X25519 is the default curve for ECDHE in OpenSSL 1.1.0
Hubert Kario
hkario at redhat.com
Mon Sep 19 13:10:16 UTC 2016
On Friday, 16 September 2016 15:52:30 CEST Salz, Rich wrote:
> > The majority of servers (71%) support *only* prime256v1 curve and of the
> > ones that default to ECDHE key exchange nearly 83% will also default to
> > this curve.
>
> That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not
> joking, I think that's a major reason.
> > OpenSSL 1.0.2h also defaults to this curve if there are no curves
> > advertised by client.
>
> When I made X25519 the default, I didn't think about it. That was probably
> a mistake. Good catch!
> > So it is very likely that any client that doesn't advertise curves will
> > expect the server to select prime256v1. At the same time it is very
> > unlikely that it will support x25519 (given how new it is).
>
> Well the major browsers support it now, so once servers start upgrading to
> 1.1.0 it will be less of an issue. But maybe the community thinks the
> current behavior is a bug?
if client advertised curves, and the curves include stuff besides prime256v1 I
*expect* the other stuff to be negotiated, unless it's smaller than 256 bits,
but it's not what I was talking about
I'm talking only about the case of "no curves advertised at all" i.e.
supported_groups extension missing completely from client hello
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160919/952ee2aa/attachment.sig>
More information about the openssl-dev
mailing list