On Thu, Mar 13, 2014 at 03:04:11PM -0400, nginxu14 wrote:
> Sorry for wasting your time, you are correct, secp512r1 isn't there when I run
> I'm guessing that secp256r1 isn't in the list because it's just the default
> one. Just using the default settings and not setting a curve uses secp256r1,
> and secp384r1 works by setting it in ssl_ecdh_curve.
Secp256r1 and prime256v1 are just different names of the same
curve. (And yes, it’s used by default.)
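The naming mismatch above (nginx users type secp256r1, OpenSSL lists the same curve as prime256v1) is the usual reason a curve "looks missing". The following pre-flight check is an added example, not code from the thread or from nginx: it normalizes the name and greps the output of `openssl ecparam -list_curves` (a constructed, abridged sample is embedded so it runs offline) before the directive is put into a live config.

```shell
#!/bin/sh
# Added example (not from the thread): check that the curve named in
# nginx's ssl_ecdh_curve is known to the local OpenSSL build before a
# reload. OpenSSL prints the NIST P-256 curve as prime256v1, so a naive
# grep for secp256r1 finds nothing even though the curve is present.

# Map the SECG name an admin types to the name OpenSSL prints.
openssl_name() {
  case "$1" in
    secp256r1) echo prime256v1 ;;
    *)         echo "$1" ;;
  esac
}

# Usage: curve_supported CURVE LIST
# LIST is the text of `openssl ecparam -list_curves`, one "name: desc" per line.
curve_supported() {
  name=$(openssl_name "$1")
  printf '%s\n' "$2" | grep -q "^ *$name *:"
}

# Constructed sample: the abridged list an OpenSSL build without the
# P-521 curve would print (the CentOS situation described in the thread).
SAMPLE_LIST='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field'

# Usage: check_ecdh_curve CURVE LIST
# Exit status 0 when the curve can be used in ssl_ecdh_curve on this host.
check_ecdh_curve() {
  if curve_supported "$1" "$2"; then
    echo "ok: $1 (listed by OpenSSL as $(openssl_name "$1"))"
    return 0
  fi
  echo "missing: $1 is not in this OpenSSL build; do not set ssl_ecdh_curve to it" >&2
  return 1
}

# Stand-alone use: pass the real list from the local OpenSSL.
if [ -n "$1" ]; then
  check_ecdh_curve "$1" "$(openssl ecparam -list_curves 2>/dev/null)"
fi
```

Run it as `sh check_curve.sh secp521r1` on the server; a non-zero exit means the directive would point at a curve the local library does not have.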
> I like CentOS, it's the only OS I use for servers, but this kind of thing
> annoys me about CentOS because it's waiting for Red Hat to enable secp521r1.
> I don't have the need for it, but it would be nice to have the option.
256-bit ECC is believed to be equivalent to 3096-bit RSA, and 521-bit
ECC to 16384-bit RSA. So in the case of https, unless you are
using 16384-bit RSA certificates, use of secp521r1 is mostly
pointless and just wastes CPU cycles.
> Looking at this: https://bugzilla.redhat.com/show_bug.cgi?id=1021897#c7 it
> is coming, but not sure when.
Note well that this link correctly points out that secp521r1 isn't
supported by IE (yet?), so its use isn't a good idea from a
compatibility point of view, too.