I believe that Firefox does still support P-521 but Chrome does not. Also be aware that if you set server side cipher selection and use default curves, OpenSSL orders the curves weakest to strongest (even with @STRENGTH), so you will end up forcing P-256.

On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl-users wrote:
> On 15/10/2019 15:43, Stephan Seitz wrote:
> > Hi!
> >
> > I was looking at the output of „openssl ecparam -list_curves” and
> > trying to choose a curve for the web server together with
> > letsencrypt.
> >
> > It seems, letsencrypt supports prime256v1, secp256r1, and
> > secp384r1.
> >
> > Then I found the site https://safecurves.cr.yp.to/.
> > I have problems mapping the openssl curves with the curve names
> > from the web site, but I have the feeling that none of the choices
> > above are safe.
> >
> safecurves.cr.yp.to lists some curves that Daniel J. Bernstein
> (who runs the cr.yp.to domain) wants to promote, and emphasizes
> problems with many other popular curves.
>
> prime256v1 = secp256r1 = P-256 and secp384r1 = P-384 are two curves
> that the US government (NIST in cooperation with NSA) wants to
> promote.
>
> It so happens that the CA/Browser forum has mysteriously decided
> that the big (US made) web browsers should only trust CAs that
> only accept curves that the US government promotes. So if you
> want your SSL/TLS implementation to work with widely distributed
> US Browsers (Chrome, Safari, Firefox, IE, Edge etc.) you have to
> use the US government curves P-256 and P-384. The third US
> government curve P-521 is banned by Firefox, so no trusted CA can
> support it.
>
> Enjoy
>
> Jakob