EAP-TLS and elliptic curves (OPEN)

Alan DeKok aland at deployingradius.com
Tue Apr 13 12:20:37 CEST 2021


On Apr 13, 2021, at 4:39 AM, Weisteen Per <per.weisteen at telenor.no> wrote:
> I've got some supplicants that only support secp256r1/prime256v1 as elliptic curve while others support additional curves like x25519, secp384r1 etc.
> Currently I've set ecdh_curve to prime256v1 which then applies to all supplicants.
> 
> If I set the ecdh_curve parameter empty, will the server key exchange adjust curve info dynamically according to what the supplicant has announced in TLS client hello using the "best" curve available?

  It's probably faster to try it and see, instead of waiting for an answer on the list.

  The real answer is: it's all magic in OpenSSL, we really can't tell you.

  Alan DeKok.



