Is X25519/X448 supported for TLSv1.2?

Viktor Dukhovni openssl-users at
Fri Jun 14 01:44:46 UTC 2019

On Fri, Jun 14, 2019 at 09:05:32AM +0800, John Jiang wrote:

> > See
> >
> > When using ECDSA with TLSv1.2, the group list MUST include the group
> > used in the certificate.  Otherwise, you get no shared cipher as
> > you reported.
> How about this point in TLSv1.3?
> With my testing, the case "ECDSA certificate with curve secp256r1 + named
> group secp521r1" work fine with OpenSSL s_server and s_client.

In TLS 1.3, the "supported groups" extension restricts the curves
used in the key exchange:

The curves used for signing are covered by "signature algorithms":

Which should, if I am not mistaken, allow an ECDSA certificate to
be used with a "supported groups" list that does not list the curve
associated with the certificate.


More information about the openssl-users mailing list