Single ECDH Curve for forward secrecy

Jan-Frederik Rieckers rieckers+freeradius-devel at
Mon Feb 3 17:00:03 CET 2020

Hello again,

I've tried one ugly patch now to try to mitigate the "problem":

diff --git a/src/main/tls.c b/src/main/tls.c
index 78c7370a63..8d9e94ff3e 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3310,9 +3310,9 @@ post_ca:
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-       if (set_ecdh_curve(ctx, conf->ecdh_curve,
conf->disable_single_dh_use) < 0) {
-               return NULL;
-       }
+       //if (set_ecdh_curve(ctx, conf->ecdh_curve,
conf->disable_single_dh_use) < 0) {
+       //      return NULL;
+       //}

With this small hot-fix I was able to use different named curves (in my
case x25519 with a current Ubuntu and secp521r1 with an Android which
didn't propagated support for x25519).
I haven't tested for side effects on this, but at least I was able to
log in to my testing WPA2-Enterprise APs.

For clarification: This is the curve used for EC-Diffie-Hellman in the
Server Key Exchange TLS-Record.

Since the ecdh_curve parameter is set with a default value of
prime256v1, leaving out the configuration parameter results in the
choice of prime256v1.

I have tested it on a Debian Buster with libssl-dev 1.1.1d-0+deb10u2
It seems this OpenSSL version enables all curves if no specific curve is
My suggested fix would be to at least introduce a configuration item to
disable the choice of one specific named curve.

Jan-Frederik Rieckers

On 31.01.20 15:59, Alan DeKok wrote:
> On Jan 31, 2020, at 9:49 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel at> wrote:
>> I'll probably write my bachelor thesis about some aspects. I'll
>> definitely share results, if they concern the server side.
>   Thanks.
>> I don't know if that's true. As far as I know OpenSSL itself is
>> perfectly capable of supporting multiple curves.
>> I've tested that with my private HTTPS servers and openssl s_client:
>> `openssl s_client -groups "X25519" -connect <host>`
>> `openssl s_client -groups "prime256v1" -connect <host>`
>   That's the client side... the question is what happens on the server side?  i.e. what API calls are necessary?
>   I think that the curves supplied to OpenSSL are defaults, and it can negotiate more.  See the "cipher_list" configuration, which allows you to specify multiple ciphers.
>> I've also observed at least one server in the eduroam federation which
>> support multiple named curves. (Based on my data from analyzing TLS
>> Handshakes in EAP-TLS)
>> I haven't had the the time to try to modify freeradius locally to ignore
>> the ecdh_curve completely. Unfortunately I'm just beginning to get into
>> the openssl API.
>   Good luck.  It's enormously more complex than it needs to be. :(
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Devel mailing list