OpenSSL Communities

Compile-time disable weak curves in TLS by default in 4.0

Dmitry Belyavsky Mon 19 Jan 2026 11:59AM

RFC 8422 has deprecated some weak elliptic curves in TLS. We have a compile-time option to disable them in OpenSSL. I propose to make these curves disabled at compile time by default in 4.0.

For more details, see https://github.com/openssl/openssl/pull/29658

Compile-time disable weak curves in TLS by default in 4.0

poll by Dmitry Belyavsky Closing Sun 25 Jan 2026 12:00PM

Choose the option(s) you favor.

Current results

| Option | % of points | Voters |
|---|---|---|
| Yes | 92 | 11 (ES VD NP RL DB PD SL AK TM TS SS) |
| No | 8 | 1 (NH) |
| Undecided | | 16 (BE KR NP TC PY TV DVO TH JE RL TH SN FW KM AA MC) |

12 of 28 votes cast (42% participation)

Neil Horman Mon 19 Jan 2026 12:01PM

No

I've no problem disabling weak curves in general, but it seems to me, changing defaults seems like something that should be done at the start of a development cycle, rather than so close to the end. By doing it now we risk upsetting any behavioral testing that the community has been undertaking immediately prior to release.

Shane Lontis Mon 19 Jan 2026 12:01PM

Yes

I think this should be done in a major release.

Tomas Mraz Mon 19 Jan 2026 1:58PM

I think those are in reality practically unused, so I do not see a problem with these being disabled by default in 4.0.