Re: Questions about secure curves

2019-10-16 Thread Jakob Bohm via openssl-users
To clarify, Firefox/Mozilla the organization enforces an unexplained policy of prohibiting all included CAs from issuing any P-521 certificate, thus effectively banning their use on public servers regardless of technical abilities. On 15/10/2019 19:02, Mark Hack wrote: I believe that Firefox doe

Re: Questions about secure curves

2019-10-15 Thread Viktor Dukhovni
On Oct 15, 2019, at 1:02 PM, Mark Hack wrote: I believe that Firefox does still support P-521 but Chrome does not. Also be aware that if you set server side cipher selection and use default curves, that OpenSSL orders the curves weakest to strongest (even with @STRENGTH) so you will end up forcing

Re: Questions about secure curves

2019-10-15 Thread Mark Hack
I believe that Firefox does still support P-521 but Chrome does not. Also be aware that if you set server side cipher selection and use default curves, that OpenSSL orders the curves weakest to strongest (even with @STRENGTH) so you will end up forcing P-256. On Tue, 2019-10-15 at 17:24 +0200,

Re: Questions about secure curves

2019-10-15 Thread Jakob Bohm via openssl-users
On 15/10/2019 15:43, Stephan Seitz wrote: Hi! I was looking at the output of „openssl ecparam -list_curves” and trying to choose a curve for the web server together with letsencrypt. It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1. Then I found the site https://safecurves

Re: Questions about secure curves

2019-10-15 Thread Tomas Mraz
On Tue, 2019-10-15 at 15:43 +0200, Stephan Seitz wrote:
> Hi!
>
> I was looking at the output of „openssl ecparam -list_curves” and trying
> to choose a curve for the web server together with letsencrypt.
>
> It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1.
>
> Then I foun

Re: Questions about secure curves

2019-10-15 Thread Salz, Rich via openssl-users
There is nothing known to be wrong with NIST P256. If you don't have a known reason to use 384, then don't use it.

Questions about secure curves

2019-10-15 Thread Stephan Seitz
Hi! I was looking at the output of „openssl ecparam -list_curves” and trying to choose a curve for the web server together with letsencrypt. It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1. Then I found the site https://safecurves.cr.yp.to/. I have problems mapping the ope