Single ECDH Curve for forward secrecy

Jan-Frederik Rieckers rieckers+freeradius-devel at
Mon Feb 3 17:39:33 CET 2020

On 03.02.20 17:21, Alan DeKok wrote:
>> Since the ecdh_curve parameter is set with a default value of
>> prime256v1, leaving out the configuration parameter results in the
>> choice of prime256v1.
>   You can set the curve to nothing:
> 	ecdh_curve = ""
>   See the set_ecdh_curve() function.

I'm sorry, I didn't notice this.

In my opinion, it seems a little bit odd that leaving out the option
defaults to "prime256v1", but setting it to an empty string enables all curves.
There's also no documentation for this behavior in the configuration
file. Maybe this could be added?

Jan-Frederik Rieckers.
