> The majority of servers (71%) support *only* prime256v1 curve and of the > ones that default to ECDHE key exchange nearly 83% will also default to this > curve.
That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not joking, I think that's a major reason. > OpenSSL 1.0.2h also defaults to this curve if there are no curves advertised > by client. When I made X25519 the default, I didn't think about it. That was probably a mistake. Good catch! > So it is very likely that any client that doesn't advertise curves will > expect the > server to select prime256v1. At the same time it is very unlikely that it will > support x25519 (given how new it is). Well the major browsers support it now, so once servers start upgrading to 1.1.0 it will be less of an issue. But maybe the community thinks the current behavior is a bug? -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev