</term>
<listitem>
<para>
- Specifies the name of the curve to use in ECDH key exchanges. The
- default is <literal>prime256p1</>.
+ Specifies the name of the curve to use in ECDH key exchange.
+ It needs to be supported by all clients that connect.
+ It does not need to be same curve as used by server's
+ Elliptic Curve key. The default is <literal>prime256v1</>.
</para>
<para>
- The list of available curves can be shown with the command
- <literal>openssl ecparam -list_curves</literal>.
+ OpenSSL names for most common curves:
+ <literal>prime256v1</> (NIST P-256),
+ <literal>secp384r1</> (NIST P-384),
+ <literal>secp521r1</> (NIST P-521).
+ </para>
+
+ <para>
+ The full list of available curves can be shown with the command
+ <literal>openssl ecparam -list_curves</literal>. Not all of them
+ are usable in TLS though.
</para>
</listitem>
</varlistentry>
</para>
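Review bot: the new sentence "It does not need to be same curve as used by server's Elliptic Curve key" is missing articles and reads awkwardly; suggest "It does not need to be the same curve as the one used by the server's Elliptic Curve key." The rest of this hunk is an improvement: the old default <literal>prime256p1</> was a typo (the OpenSSL name is prime256v1, as the replacement text now states), and listing the NIST P-256/P-384/P-521 names with the caveat that not every curve from "openssl ecparam -list_curves" is usable in TLS gives administrators the information they need to pick a value all connecting clients support.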
<para>
- Such keys are faster and have improved security over previous
- options. The new configuration
- parameter <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
- controls which curve is used.
+ This allows use of Elliptic Curve keys for server authentication.
+ Such keys are faster and have improved security over <acronym>RSA</> keys.
+ The new configuration parameter
+ <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
+ controls which curve is used for <acronym>ECDH</>.
</para>
</listitem>
<listitem>
<para>
Improve the default <link
- linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> ciphers
+ linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> value
(Marko Kreen)
</para>
</listitem>
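Review bot: the release-note sentence "Such keys are faster and have improved security over RSA keys" is imprecise as written, since an EC key is not inherently more secure than RSA; the advantage is comparable security strength at much shorter key lengths and faster operations. Suggest "Such keys offer comparable security with smaller keys and faster operations than RSA keys." The trailing change of "ciphers" to "value" for the ssl_ciphers item is fine.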