The current code in setup_ecdh() does the following: ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
In other words, it only ever uses the prime256v1 curve for ECDH. This causes compatibility issues because some other implementations hardcode only one curve too but a different one.
For interoperability purposes, all implementations should probably handle the curves chosen in the upcoming TLS 1.3 specification: P-256 (a.k.a. prime256v1), P-284 and P-521. There are also X25519 and X448 but I am less clear about them and they're new to TLS 1.3 which is still a draft anyway. The P-* ones are however currently in use. Some others are currently specified too but have never seen widespread use and are not worth supporting at this point.
https://koldfront.dk/archive/2017/06/20-210822.html has a patch for this but only adds P-384. It should be trivial to extend it to P-521: the name for this curve in the format used in the current code is SN_secp521r1 if I'm not mistaken.
This patch doesn't add a new API nor change any existing one: it always allows these three P-* curves and P-256 is the preferred one since it is listed first.
This is a followup from processone/ejabberd#1714.
The current code in setup_ecdh() does the following:
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
In other words, it only ever uses the prime256v1 curve for ECDH. This causes compatibility issues because some other implementations hardcode only one curve too but a different one.
For interoperability purposes, all implementations should probably handle the curves chosen in the upcoming TLS 1.3 specification: P-256 (a.k.a. prime256v1), P-284 and P-521. There are also X25519 and X448 but I am less clear about them and they're new to TLS 1.3 which is still a draft anyway. The P-* ones are however currently in use. Some others are currently specified too but have never seen widespread use and are not worth supporting at this point.
https://koldfront.dk/archive/2017/06/20-210822.html has a patch for this but only adds P-384. It should be trivial to extend it to P-521: the name for this curve in the format used in the current code is
SN_secp521r1
if I'm not mistaken. This patch doesn't add a new API nor change any existing one: it always allows these three P-* curves and P-256 is the preferred one since it is listed first.