[openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 2 22:13:18 UTC 2018

[ While I could ask off-list, or RTFS, someone else might have the
  same question later, so might as well ask on-list. ]

Postfix added support for ECDHE ciphers long ago, back when OpenSSL
1.0.0 was shiny and new, and the server-side ECDHE support was
enabled by specifying a single preferred "temp" ECDH curve.  At the
time we allowed users to configure:

    smtpd_tls_eecdh_grade = none | strong | ultra

which was later expanded to:

    smtpd_tls_eecdh_grade = none | strong | ultra | auto

as documented at:


The "none" setting is documented to disable ECDHE, and did that by
simply doing nothing, that is by not setting a specific ECDH temp
curve and also not calling SSL_CTX_set_ecdh_auto().  But doing
nothing no longer has the same effect in OpenSSL 1.1.0 and later,
where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto()
is basically a NOOP (that returns "failure" if the requested behaviour
is ECDHE "off").

I thought I might get the same effect by configuring an empty curve
list, but OpenSSL 1.1.x, does not accept an empty list, and in any
case that might also affect DHE support, since IIRC there's now a
unified list of curves and FFDHE groups, and may not be an interface
for configuring just the curves?

Is there still a way to support the "none" setting other than to
modify the cipherlist (ciphers = "!kECDHE:...")?  The Postfix
code that deals with DH settings is separate from the code
that deals with ciphers, and I'd prefer to get these mixed up.

I should say that I understand that turning off ECDHE is increasingly
unwise, interoperability can and will suffer.  So I may well decide
to drop support for "none" and pretend the user meant "auto", but
I'd like to understand the available options first.


More information about the openssl-users mailing list