On Mon, Jun 28, 2021 at 11:43:51PM -0400, Johnny Cast wrote:
> Hi OpenBSD,
> A few days ago I learned that LibreSSL's libtls does not include P-521
> in its list of default ECDHE curves. Is there any reason for this, and
> would you be willing to consider adding it? It was speculated that
> leaving P-521 out may have been a mistake. Here is a link to what
> appears to be the commit that this was introduced in:
> https://github.com/openbsd/src/commit/4896de1e4badc3cc28e3046a4145c94570c197d2

This is deliberate. The main reason is that P-521 is very expensive.
This means that an attacker needs to feed you fewer key shares to keep
a single server core busy than with the other curves, so it increases
the risk of a DoS.

The default curves are plenty secure and match BoringSSL:
https://boringssl.googlesource.com/boringssl/+/e9fc3e547e557492316932b62881c3386973ceb2

That said, we had to include P-521 by default client side in libssl
for interop with a popular VPN service that only supports this curve:
https://cvsweb.openbsd.org/src/lib/libssl/t1_lib.c#rev1.169

What is your use case?
