> > OpenBSD 6.1 httpd is (according to Qualys SSL Labs) using "Supported EC
> > Named Curves x25519, secp256r1, secp384r1 (server preferred order)"
> > when `tls ecdhe "auto"` is used in the server configuration.
> >
> > Is it possible to configure httpd to use only x25519?
>
> Not currently.
>
> > Trying various ways of specifying this curve, "x25519", "X25519",
> > "curve25519", and "Curve25519" have been unsuccessful. This curve is
> > also not returned with `$ openssl ecparam -list_curves`. I believe I
> > read somewhere that Curve25519 is implemented differently than the
> > other elliptic curves and this is why it does not display with the
> > above command. However, somehow it is being utilized by httpd, and so I
> > wonder if there is a way to enforce the use of only this curve.
>
> It is on the TODO list - there is a change needed to libtls, which will then
> allow httpd to specify which EC curves are to be enabled for TLS key exchange
> (including X25519).

Thanks for the information. The "auto" setting is using a nice selection of curves and prioritizing X25519, but it will be nice to have the ability to specify only X25519 (or another).

