Closed atombrella closed 4 years ago
> The NIST are compromised.

No, they are not; Dual_EC_DRBG is compromised.

> It doesn't seem like ECC is adopted widely yet,

Cloudflare free tier provides ECDSA certs only: https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support

Mozilla decided to trust NIST curves; if you don't trust them, don't use the Mozilla configuration generator.
> > The NIST are compromised.
>
> No, they are not; Dual_EC_DRBG is compromised.

I seem to have been poorly informed about this!

> > It doesn't seem like ECC is adopted widely yet,
>
> Cloudflare free tier provides ECDSA certs only: https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support

That's good to know.

> Mozilla decided to trust NIST curves; if you don't trust them, don't use the Mozilla configuration generator.

Good. I have indeed used the tool with great success, and also pitched its use.

Probably you could close this issue. Sorry for the confusion.
The NIST are compromised. Perhaps the generator should take this into consideration? It doesn't seem like ECC is adopted widely yet, and perhaps this is irrelevant with TLS 1.3. https://safecurves.cr.yp.to/rigid.html
For Apache, it can be controlled with:
For nginx, there's a similar configuration option.
Which I took from https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
I didn't investigate configuration for the other tools that the configuration tool supports.