- Specifies the name of the curve to use in ECDH key exchanges. The
- default is prime256p1>.
+ Specifies the name of the curve to use in ECDH key exchange.
+ It needs to be supported by all clients that connect.
+ It does not need to be same curve as used by server's
+ Elliptic Curve key. The default is prime256v1>.
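Review bot: grammar and a missing clarification on the "It does not need to be same curve" line. It should read "It does not need to be the same curve as the one used by the server's Elliptic Curve key." Since the added sentence "It needs to be supported by all clients that connect" is the security-relevant operational point, it is worth spelling out the consequence: a client that does not support the configured curve cannot complete an ECDH-based handshake, so the choice of curve is a compatibility decision as well as a strength decision. The corrected default, prime256v1 (the old text said prime256p1), is the name OpenSSL actually uses for NIST P-256, so that fix is right.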
- The list of available curves can be shown with the command
- openssl ecparam -list_curves.
+ OpenSSL names for most common curves:
+ prime256v1> (NIST P-256),
+ secp384r1> (NIST P-384),
+ secp521r1> (NIST P-521).
+
+
+ The full list of available curves can be shown with the command
+ openssl ecparam -list_curves. Not all of them
+ are usable in TLS though.
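Review bot: "OpenSSL names for most common curves:" should be "OpenSSL names for the most common curves:", and the two consecutive empty "+" lines above "The full list" look like a stray double blank rather than intended spacing. The caveat "Not all of them are usable in TLS though" is useful but leaves the reader without a way to check; consider adding that the name given to this parameter must be one of those printed by openssl ecparam -list_curves, and that a curve not usable for TLS will fail at server start or at handshake time rather than silently fall back, so the setting should be tested with a real client connection after changing it.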
- Such keys are faster and have improved security over previous
- options. The new configuration
- parameter ssl_ecdh_curve>
- controls which curve is used.
+ This allows use of Elliptic Curve keys for server authentication.
+ Such keys are faster and have improved security over
RSA> keys.
+ The new configuration parameter
+ ssl_ecdh_curve>
+ controls which curve is used for
ECDH>.
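Review bot: the claim "Such keys are faster and have improved security over RSA keys" is too broad for a release note. Elliptic Curve keys do not give more security than RSA in the abstract; they give comparable security at much smaller key sizes (P-256 is generally rated at roughly the 128-bit level, comparable to about 3072-bit RSA), and the speed advantage follows from the smaller keys. Suggest wording such as "Such keys are faster and provide security equivalent to much larger RSA keys." The last two sentences also conflate two things: the server's EC key (used for authentication) and ssl_ecdh_curve (used for the ECDH key exchange). Since the other hunk in this patch explicitly states that these need not be the same curve, the note here should keep them distinct as well, for example "The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH key exchange, independently of the server key."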
Improve the default
- linkend="guc-ssl-ciphers">ssl_ciphers> ciphers
+ linkend="guc-ssl-ciphers">ssl_ciphers> value
(Marko Kreen)
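Review bot: "value" is the better noun here, but the entry still does not say what changed. A reader checking release notes for a cipher-policy change needs either the new default string or an explicit pointer to the ssl_ciphers documentation where it is listed; as written, "Improve the default ssl_ciphers value" cannot be acted on or audited.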