Is X25519/X448 supported for TLSv1.2?

John Jiang john.sha.jiang at
Fri Jun 14 01:05:32 UTC 2019

On Thu, Jun 13, 2019 at 12:28 PM Viktor Dukhovni <openssl-users at>

> On Thu, Jun 13, 2019 at 10:49:14AM +0800, John Jiang wrote:
> > I got the point: the server certificate is ECDSA with curve secp256r1.
> > It works with RSA certificate and curves
> > sepc256r1/sepc384r1/sepc521r1/x25519/x448.
> See
> When using ECDSA with TLSv1.2, the group list MUST include the group
> used in the certificate.  Otherwise, you get no shared cipher as
> you reported.

How about this point in TLSv1.3?
With my testing, the case "ECDSA certificate with curve secp256r1 + named
group secp521r1" work fine with OpenSSL s_server and s_client.

> You can *prefer* X25519, but you cannot only offer
> X25519.
Just an intentional test.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list