Single ECDH Curve for forward secrecy

Alan DeKok aland at
Fri Jan 31 15:28:25 CET 2020

On Jan 31, 2020, at 4:39 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel at> wrote
> I'm currently doing some research with the TLS client and server
> implementations in EAP-TLS.

  Good to hear.  Not many people have done this kind of research.

> I have noticed that FreeRADIUS forces usage of one specific curve for
> ECDH Key Exchange. Is there a specific reason for that?
> ( set_ecdh_curve in src/main/tls.c )

  No, the server *defaults* to one curve.  The default can be changed by editing the configuration files.

  Our general policy is to ship the server with sane defaults.  However, we also let the admin change those defaults via the configuration files.

> The standard is "prime256v1", which seems to be a good default, since
> this curve is always in the SupportedGroups extension of the Client TLS
> Hello. (For all clients I've seen so far)
> But I'd like to change the default to something like X25519 and fall
> back on others when this is not possible.

  You can change the configuration in raddb/mods-available/eap:

		ecdh_curve = "prime256v1"

  It only supports one curve, largely because of limitations in the OpenSSL API.  If OpenSSL supports fallback curves, we can definitely add support for that.

  Alan DeKok.
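As an added illustration of the point in this thread (not FreeRADIUS or OpenSSL code): a parser for the client's supported_groups extension, and the server-side choice under a single configured curve versus an ordered list with fallback. Group IDs are the IANA TLS registry values; the ClientHello extension bodies are constructed for the demo.

```python
# Added example, not part of the original post or FreeRADIUS.
import struct

# Subset of IANA TLS Supported Groups registry values (RFC 8422 / RFC 8446).
NAMED_GROUPS = {
    0x0017: "prime256v1",  # secp256r1 / NIST P-256
    0x0018: "secp384r1",
    0x0019: "secp521r1",
    0x001D: "X25519",
    0x001E: "X448",
}

def parse_supported_groups(ext_body: bytes) -> list:
    """Parse a supported_groups extension body (RFC 8422 section 5.1.1):
    a 2-byte list length followed by 2-byte NamedGroup values."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("bad supported_groups list length")
    ids = struct.unpack("!%dH" % (list_len // 2), ext_body[2:])
    return [NAMED_GROUPS.get(g, "unknown(0x%04x)" % g) for g in ids]

def select_group(client_groups, server_groups):
    """Server-preference selection: the first configured group the client
    offered. Returns None when nothing overlaps, i.e. the handshake fails."""
    offered = set(client_groups)
    for g in server_groups:
        if g in offered:
            return g
    return None

# Constructed ClientHello extension bodies (list length, then group IDs).
HELLO_X25519_ONLY = bytes.fromhex("0002001d")       # X25519 only
HELLO_TYPICAL = bytes.fromhex("0006001d00170018")   # X25519, P-256, P-384

if __name__ == "__main__":
    single = ["prime256v1"]              # like ecdh_curve = "prime256v1"
    ordered = ["X25519", "prime256v1"]   # preferred curve with fallback
    for label, body in [("x25519-only", HELLO_X25519_ONLY), ("typical", HELLO_TYPICAL)]:
        groups = parse_supported_groups(body)
        print(label, groups, "single:", select_group(groups, single),
              "ordered:", select_group(groups, ordered))
```

With the single-curve policy, a client that offers only X25519 gets no common group and the handshake fails; the ordered list picks X25519 for that client and still serves prime256v1 to the rest.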
