Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Thu, Mar 13, 2014 at 03:04:11PM -0400, nginxu14 wrote:
>
> > Sorry for wasting your time, you are correct, secp512r1 isn't there when I run
> > the command.
> >
> > I'm guessing that secp256r1 isn't in the list because it's just the default
> > one. Just using the default settings and not setting a curve uses secp256r1
> > and secp384r1 works by setting it in ssl_ecdh_curve.
>
> Secp256r1 and prime256v1 are just different names of the same
> curve. (And yes, it's used by default.)
>
> > I like CentOS, it's the only OS I use for servers, but this kind of thing
> > annoys me about CentOS because it's waiting for Red Hat to enable secp521r1.
> > I don't have the need for it but it would be nice to have the option.
>
> 256 bit ECC is believed to be equivalent to 3096 bit RSA, and 521
> bit ECC - to 16384 bit RSA. So in case of https, unless you are
> using 16384 bit RSA certificates, use of secp521r1 is mostly
> pointless and just wastes CPU cycles.
>
> > Looking at this: https://bugzilla.redhat.com/show_bug.cgi?id=1021897#c7 it
> > is coming but not sure when.
>
> Note well that this link correctly points out that secp521r1 isn't
> supported by IE (yet?), so its use isn't a good idea from a
> compatibility point of view, too.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx

For me it's just about having the option. I know secp521r1 is coming from Red Hat. In the same link a member of staff says they got the go-ahead from Legal. I read somewhere the problem is because it's patented and Red Hat don't want to risk it. Hopefully in the next few months it's enabled/added.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,248325,248402#msg-248402
