On Friday, 16 September 2016 15:52:30 CEST Salz, Rich wrote:
> > The majority of servers (71%) support *only* prime256v1 curve and of the
> > ones that default to ECDHE key exchange nearly 83% will also default to
> > this curve.
>
> That's because most people have not moved to OpenSSL 1.1.0 yet. I'm not
> joking, I think that's a major reason.
>
> > OpenSSL 1.0.2h also defaults to this curve if there are no curves
> > advertised by client.
>
> When I made X25519 the default, I didn't think about it. That was probably
> a mistake. Good catch!
>
> > So it is very likely that any client that doesn't advertise curves will
> > expect the server to select prime256v1. At the same time it is very
> > unlikely that it will support x25519 (given how new it is).
>
> Well the major browsers support it now, so once servers start upgrading to
> 1.1.0 it will be less of an issue. But maybe the community thinks the
> current behavior is a bug?

if client advertised curves, and the curves include stuff besides prime256v1
I *expect* the other stuff to be negotiated, unless it's smaller than 256 bits,
but it's not what I was talking about

I'm talking only about the case of "no curves advertised at all"
i.e. supported_groups extension missing completely from client hello

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
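
The case this message singles out, a ClientHello with no supported_groups extension at all, can be told apart from "only prime256v1 advertised" by parsing the handshake message. The following is an added example, not code from this thread or from OpenSSL; the function names are hypothetical, the sample hellos are constructed, and the input is assumed to be the handshake message without the record-layer header.

```python
import struct

SUPPORTED_GROUPS = 10            # extension type; called elliptic_curves in RFC 4492
PRIME256V1, X25519 = 23, 29      # IANA named-group ids (secp256r1, x25519)

def advertised_groups(hello: bytes):
    """Group ids offered in a ClientHello, or None if supported_groups is absent."""
    try:
        if hello[0] != 1:
            raise ValueError("not a ClientHello")
        body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos == len(body):
            return None                                      # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_GROUPS:
                (n,) = struct.unpack_from("!H", data)
                return [g for (g,) in struct.iter_unpack("!H", data[2:2 + n])]
            pos += 4 + ext_len
        return None                                          # extensions present, groups not
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

def classify(hello: bytes) -> str:
    """Bucket a ClientHello into the cases this message distinguishes."""
    groups = advertised_groups(hello)
    if groups is None:
        return "missing"                                     # the case under discussion
    return "prime256v1-only" if set(groups) == {PRIME256V1} else "other-groups"

def build_hello(groups=None) -> bytes:
    """Constructed sample ClientHello (TLS 1.2, one ECDHE suite, optional groups)."""
    ext = b""
    if groups is not None:
        ids = b"".join(struct.pack("!H", g) for g in groups)
        data = struct.pack("!H", len(ids)) + ids
        ext = struct.pack("!HH", SUPPORTED_GROUPS, len(data)) + data
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext if ext else b""
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for g in (None, [PRIME256V1], [X25519, PRIME256V1]):
        print(g, "->", classify(build_hello(g)))
```

Counting the "missing" bucket over captured handshakes shows how many clients depend on the server's fallback curve.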