[openssl-users] How to choose ECDH and ECDHE with curve more than 192

Rakesh T rakesht at cdac.in
Fri Jun 17 05:02:20 UTC 2016




I am using a Tomcat server, where I came across a situation where the
TestSSLServer (http://www.bolet.org/TestSSLServer/) tool reports the below.


Highly appreciate your expertise in recommending a solution to the finding
where I can choose ECDH curve size greater than 192. In the server the
suites are just ECDH or ECDHE. I wonder how to restrict the curve value for
the EC.


How can I resolve this at the server end?


Minimum EC size (no extension):   256
Minimum EC size (with extension): 160
Supported curves (size and name) ('*' = selected by server):
    162  sect163k1 (K-163)
    162  sect163r1
    162  sect163r2 (B-163)
    192  sect193r1
    192  sect193r2
    231  sect233k1 (K-233)
    232  sect233r1 (B-233)
    237  sect239k1
    281  sect283k1 (K-283)
    282  sect283r1 (B-283)
    407  sect409k1 (K-409)
    408  sect409r1 (B-409)
    569  sect571k1 (K-571)
    570  sect571r1 (B-571)
    160  secp160k1
    160  secp160r1
    160  secp160r2
    192  secp192k1
    192  secp192r1 (P-192)
    224  secp224k1
    224  secp224r1 (P-224)
    256  secp256k1
  * 256  secp256r1 (P-256)
    384  secp384r1 (P-384)
    521  secp521r1 (P-521)

WARN[SK004]: Server supports ECDH parameters smaller than 192 bits


Thanks and highly appreciate your advice.



Thanks & Regards

Raakesh. T
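
An added example, not part of the original message or of TestSSLServer: a Python parser for the curve list in the report above that separates curves below a size threshold from the rest and builds a named-curve allowlist. It assumes Tomcat runs the JSSE connector on a JDK that honours the jdk.tls.namedGroups system property; the function names and the 224-bit threshold (chosen so only curves larger than 192 bits remain) are choices of this example.

```python
import re

# Excerpt of the curve list from the report above, embedded so the example runs offline.
REPORT = """\
Supported curves (size and name) ('*' = selected by server):
    162  sect163k1 (K-163)
    192  sect193r1
    160  secp160r1
    192  secp192r1 (P-192)
    224  secp224r1 (P-224)
  * 256  secp256r1 (P-256)
    384  secp384r1 (P-384)
    521  secp521r1 (P-521)
WARN[SK004]: Server supports ECDH parameters smaller than 192 bits
"""

# One curve per line: optional '*', size in bits, curve name, optional alias.
CURVE_LINE = re.compile(r"^\s*(\*)?\s*(\d+)\s+(sec[pt]\d+[kr]\d)\b")

def parse_curves(report):
    """Return (size_bits, name, selected_by_server) for each curve line."""
    curves = []
    for line in report.splitlines():
        m = CURVE_LINE.match(line)
        if m:
            curves.append((int(m.group(2)), m.group(3), m.group(1) is not None))
    return curves

def split_by_size(curves, min_bits):
    """Split curve names into (rejected, kept) around min_bits."""
    rejected = [name for size, name, _ in curves if size < min_bits]
    kept = [name for size, name, _ in curves if size >= min_bits]
    return rejected, kept

def named_groups_option(kept):
    """Build the JVM option; assumes a JDK that reads jdk.tls.namedGroups."""
    return "-Djdk.tls.namedGroups=" + ",".join(kept)

if __name__ == "__main__":
    curves = parse_curves(REPORT)
    rejected, kept = split_by_size(curves, min_bits=224)
    print("reject:", rejected)
    print(named_groups_option(kept))
```

Re-running the scan after the change and feeding the new report to split_by_size should give an empty rejected list.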

