On 15/07/15 23:27, Rob Stradling wrote:
AIUI, OpenSSL's default highest preference curve is sect571r1 (aka
B-571).  See [1] and [2].

The result of calling OpenSSL's recommended SSL_CTX_set_ecdh_auto(ctx,
1) function is that "the highest preference curve is automatically used
for ECDH temporary keys used during key exchange." [3]

And sure enough, when my SSL scanner (an OpenSSL-based client) scans
itself (an httpd/mod_ssl/OpenSSL-based server) [4], it reports that
sect571r1 is used.  I haven't explicitly configured it to use this
curve.  In fact, I would reconfigure it to use secp256r1 if I could find
a mod_ssl directive that would let me do that.

So I'm wondering if most people using sect571r1 are using it simply
because it's a default setting that they can't change, not because they
have a particularly strong desire to use it.

s/that they can't change//

In httpd 2.4, the supported curve(s) can be configured using the SSLOpenSSLConfCmd directive. (Thanks to Steve Henson for pointing me in the right direction just now).

+1 to dropping sect571r1 and to Tony's suggestion of further trimming
the curve list.


[1]
https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.0.1l

[2]
https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.0.2

[3] http://openssl.org/docs/ssl/SSL_CTX_set_ecdh_auto.html

[4] https://sslanalyzer.comodoca.com/?url=sslanalyzer.comodoca.com

On 15/07/15 22:42, Dave Garrett wrote:
On Wednesday, July 15, 2015 05:39:26 pm Dave Garrett wrote:
It's the most used of the rarely used curves.

This statement is potentially confusing, actually, because in
comparison to P256 _everything_ is rarely used when it comes to ECDHE.


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls



--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

