Questions about secure curves
Mark Hack
markhack at markhack.com
Tue Oct 15 17:02:59 UTC 2019
I believe that Firefox does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use default curves, OpenSSL orders the curves weakest to strongest (even with @STRENGTH), so you will end up forcing P-256.
On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl-users wrote:
> On 15/10/2019 15:43, Stephan Seitz wrote:
> > Hi!
> >
> > I was looking at the output of „openssl ecparam -list_curves” and
> > trying to choose a curve for the web server together with
> > letsencrypt.
> >
> > It seems, letsencrypt supports prime256v1, secp256r1, and
> > secp384r1.
> >
> > Then I found the site https://safecurves.cr.yp.to/.
> > I have problems mapping the openssl curves with the curve names from
> > the web site, but I have the feeling that none of the choices above
> > are safe.
> >
>
> safecurves.cr.yp.to lists some curves that Daniel J. Bernstein
> (who runs the cr.yp.to domain) wants to promote, and emphasizes
> problems with many other popular curves.
>
> prime256v1 = secp256r1 = P-256 and secp384r1 = P-384 are two curves
> that the US government (NIST in cooperation with NSA) wants to
> promote.
>
> It so happens that the CA/Browser forum has mysteriously decided
> that the big (US made) web browsers should only trust CAs that
> only accept curves that the US government promotes. So if you
> want your SSL/TLS implementation to work with widely distributed
> US Browsers (Chrome, Safari, Firefox, IE, Edge etc.) you have to
> use the US government curves P-256 and P-384. The third US
> government curve P-521 is banned by Firefox, so no trusted CA can
> support it.
>
>
> Enjoy
>
> Jakob
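The server-preference effect described in the reply above, as an added example (not from the thread and not OpenSSL project code): a POSIX shell script that starts a one-shot TLS 1.2 `openssl s_server` on loopback and reports which ECDHE group it picks when the client prefers P-384, with default server groups, with `-serverpref`, and with `-serverpref` plus an explicit group order. It assumes OpenSSL 1.1.1 or later (for `-groups`) and that TCP port 44433 is free; the certificate is a throwaway generated by the script.

```shell
# Added example, not from the thread: reproduce the ECDHE group selection
# described above using openssl s_server / s_client over loopback.
# Assumes OpenSSL 1.1.1 or later (for -groups) and a free TCP port.
set -e
PORT=${PORT:-44433}          # assumption: nothing else listens here
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway P-256 ECDSA certificate. The ephemeral ECDHE group is negotiated
# separately from the certificate's curve, so this does not bias the result.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj /CN=curvetest -days 1 -keyout "$WORK/key.pem" \
    -out "$WORK/cert.pem" >/dev/null 2>&1
}

# OpenSSL 1.1.1 prints NIST names (P-256) while 3.x prints OpenSSL names
# (prime256v1); this is the same naming gap the original question hit.
nist_name() {
  case "$1" in
    P-256|prime256v1|secp256r1) echo P-256 ;;
    P-384|secp384r1)            echo P-384 ;;
    P-521|secp521r1)            echo P-521 ;;
    *)                          echo "$1" ;;
  esac
}

# negotiated_group "<extra s_server options>" "<client group list>"
# Runs a one-shot TLS 1.2 server (in TLS 1.2 the server picks the group from
# the two supported_groups lists), connects with the client offering the given
# groups, and prints the group reported on the client's "Server Temp Key" line.
negotiated_group() {
  # $1 is deliberately unquoted so "-serverpref -groups ..." splits into words
  openssl s_server -accept "$PORT" -naccept 1 -quiet -tls1_2 \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" $1 >/dev/null 2>&1 &
  srv=$!
  sleep 1                     # give the listener time to come up
  out=$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -groups "$2" 2>/dev/null || true)
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  nist_name "$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: ECDH, \([^,]*\),.*/\1/p')"
}

if command -v openssl >/dev/null 2>&1; then
  make_test_cert
  # Client prefers P-384 in every run; only the server-side settings change.
  echo "client order, default server groups:       $(negotiated_group '' P-384:P-256)"
  echo "-serverpref, default server groups:        $(negotiated_group -serverpref P-384:P-256)"
  echo "-serverpref, explicit -groups P-384:P-256: $(negotiated_group '-serverpref -groups P-384:P-256' P-384:P-256)"
fi
```

On a real server the same correction comes from setting an explicit group order (the `Groups`/`Curves` SSL_CONF command, or the web server's equivalent directive) instead of relying on the default list.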