On Sunday 14 May 2017 14:30:55 Bryan wrote:
> OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> when `tls ecdhe "auto"` is used in the server configuration.
>
> Is it possible to configure httpd to use only x25519?

Not currently.

> Trying various ways of specifying this curve, "x25519", "X25519",
> "curve25519", and "Curve25519" have been unsuccessful. This curve is
> also not returned with `$ openssl ecparam -list_curves`. I believe I
> read somewhere that Curve25519 is implemented differently than the
> other elliptic curves and this is why it does not display with the
> above command. However, somehow it is being utilized by httpd, and so I
> wonder if there is a way to enforce the use of only this curve.

It is on the TODO list - there is a change needed to libtls, which will
then allow httpd to specify which EC curves are to be enabled for TLS key
exchange (including X25519).

