disable elliptic curves P-384 and P-521 for TLS. (#5845)

This change disables the non-constant-time implementations of P-384 and P-521.
As a consequence a client using just these curves cannot connect to the server.
This should be no real issue because (all) clients support at least P-256.

Further this change also rejects ECDSA private keys of P-384 and P-521.
While non-constant-time implementations for the ECDHE exchange don't expose an
obvious vulnerability, using P-384 or P-521 keys for the ECDSA signature may allow
practical timing attacks.

Fixes #5844
Andreas Auernhammer
2018-04-25 00:47:30 +02:00
committed by kannappanr
parent c733fe87ce
commit 21a3c0f482
3 changed files with 19 additions and 0 deletions
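The commit message describes two measures: the server advertises only curves with constant-time implementations, and ECDSA private keys on P-384 or P-521 are rejected at load time. The following Go program is an added example that illustrates both; it is not Minio's code and the names (`newServerTLSConfig`, `checkECDSAKey`, `parseECPrivateKeyPEM`, `keyAccepted`) are hypothetical. It generates keys on P-256, P-384 and P-521 in memory (constructed sample input, not keys from the page), round-trips them through the same "EC PRIVATE KEY" PEM format that `openssl ecparam -genkey | openssl ec` writes, and applies the curve policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// errUnsupportedCurve is returned for ECDSA keys on any curve other than P-256.
// Hypothetical policy modelled on the commit message, not Minio's actual code.
var errUnsupportedCurve = errors.New("unsupported elliptic curve: only P-256 is allowed for ECDSA keys")

// newServerTLSConfig restricts the ECDHE curves a server will negotiate to
// X25519 and P-256, the curves with constant-time implementations in Go's
// crypto package at the time of the commit. A client offering only P-384 or
// P-521 will fail the handshake, as the commit message states.
func newServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// checkECDSAKey rejects signing keys on P-384, P-521 or any other curve besides P-256.
// elliptic.P256() returns a singleton, so a direct comparison of the interface values is valid.
func checkECDSAKey(key *ecdsa.PrivateKey) error {
	if key.Curve != elliptic.P256() {
		return fmt.Errorf("%w (got %s)", errUnsupportedCurve, key.Curve.Params().Name)
	}
	return nil
}

// parseECPrivateKeyPEM decodes an unencrypted "EC PRIVATE KEY" PEM block and
// applies the curve check before the key is handed to the TLS stack.
func parseECPrivateKeyPEM(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "EC PRIVATE KEY" {
		return nil, errors.New("no EC PRIVATE KEY PEM block found")
	}
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := checkECDSAKey(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encodeECPrivateKeyPEM builds the PEM form used to construct the sample keys.
func encodeECPrivateKeyPEM(key *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// keyAccepted generates a fresh key on the given curve, encodes it as PEM and
// reports whether the policy accepts it. A policy rejection yields (false, nil);
// any other failure is returned as an error.
func keyAccepted(curve elliptic.Curve) (bool, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, err
	}
	pemBytes, err := encodeECPrivateKeyPEM(key)
	if err != nil {
		return false, err
	}
	_, err = parseECPrivateKeyPEM(pemBytes)
	if errors.Is(err, errUnsupportedCurve) {
		return false, nil
	}
	return err == nil, err
}

func main() {
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		ok, err := keyAccepted(c)
		fmt.Printf("%-5s accepted=%v err=%v\n", c.Params().Name, ok, err)
	}
}
```

The ECDHE restriction and the key check are deliberately separate: `CurvePreferences` only governs the ephemeral key exchange, while the long-term ECDSA signing key is the one an attacker can probe repeatedly with chosen handshakes, which is why the commit treats the key check as the stronger requirement.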


@@ -43,6 +43,9 @@ or protect the private key additionally with a password:
```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
```
Notice that the NIST curves P-384 and P-521 are not supported yet.
2. **RSA:**
```sh
openssl genrsa -out private.key 2048
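Review bot: the added sentence at line 27 ("Notice that the NIST curves P-384 and P-521 are not supported yet.") understates the change described in the commit message, which says ECDSA private keys on those curves are now rejected; a reader who follows step 1 with `-name secp384r1` instead of `prime256v1` will get a startup failure with no hint in this doc as to why. Suggest stating the rejection and its reason, for example: "ECDSA keys on P-384 and P-521 are rejected because their implementations are not constant-time, which may allow timing attacks on the signature; generate the key with `-name prime256v1`." While touching this step, the example `-passout pass:PASSWORD` on line 25 places the password in shell history and the process list; `-passout file:` or an interactive prompt avoids that.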