OpenSSL Communities

Compile-time disable weak curves in TLS by default in 4.0

Dmitry Belyavsky, Mon 19 Jan 2026 11:59AM, Public, Seen by 24

RFC 8422 has deprecated some weak elliptic curves in TLS. We have a compile-time option to disable them in OpenSSL. I propose to make these curves disabled at compile time by default in 4.0.

For more details, see https://github.com/openssl/openssl/pull/29658

Compile-time disable weak curves in TLS by default in 4.0

Poll by Dmitry Belyavsky, closed Sun 25 Jan 2026 12:00PM

Choose the option(s) you favor.

Results

| Option | % of points | Votes | Voters |
|---|---|---|---|
| Yes | 92 | 12 | Richard Levitte (individual), Tomas Mraz, Tom Cosgrove, Dmitry Belyavsky, Paul Dale, Shane Lontis, Viktor Dukhovni, Alicja Kario, Eugene Syromiatnikov, Nikola Pajkovský, Todd Short, Simo Sorce |
| No | 8 | 1 | Neil Horman |
| Undecided | | 15 | Paul Yang, Tim Hudson, Frederik Wedel-Heinen, Jon Ericson, Anton Arapov, Richard Levitte (OpenSSL), Bernd Edlinger, Sasha Nedvedicky, Kurt Roeckx, Norbert Pócs, Tomas Vavra, David von Oheimb, Tim Hudson, Katerina Micova, Matt Caswell |

13 of 28 votes cast (46% participation)

Neil Horman, Mon 19 Jan 2026 12:01PM

No

I've no problem disabling weak curves in general, but it seems to me, changing defaults seems like something that should be done at the start of a development cycle, rather than so close to the end. By doing it now we risk upsetting any behavioral testing that the community has been undertaking immediately prior to release.

Shane Lontis, Mon 19 Jan 2026 12:01PM

Yes

I think this should be done in a major release.

Tomas Mraz, Mon 19 Jan 2026 1:58PM

I think those are in reality practically unused, so I do not see a problem with these being disabled by default in 4.0.