OpenSSL Communities

Compile-time disable weak curves in TLS by default in 4.0

Dmitry Belyavsky, Mon 19 Jan 2026 11:59AM, Public, Seen by 23

RFC 8422 has deprecated some weak elliptic curves in TLS. We have a compile-time option to disable them in OpenSSL. I propose disabling these curves at compile time by default in 4.0.

For more details, see https://github.com/openssl/openssl/pull/29658

Compile-time disable weak curves in TLS by default in 4.0

poll by Dmitry Belyavsky Closed Sun 25 Jan 2026 12:00PM

Choose the option(s) you favor.

Results

Yes, 92% of points, 12 voters: Richard Levitte (individual), Tomas Mraz, Paul Dale, Shane Lontis, Viktor Dukhovni, Alicja Kario, Tom Cosgrove, Eugene Syromiatnikov, Nikola Pajkovský, Dmitry Belyavsky, Todd Short, Simo Sorce

No, 8% of points, 1 voter: Neil Horman

Undecided, 15 voters: Paul Yang, Anton Arapov, Jon Ericson, Richard Levitte (OpenSSL), Bernd Edlinger, Sasha Nedvedicky, Kurt Roeckx, Tim Hudson, Norbert Pócs, Tomas Vavra, David von Oheimb, Tim Hudson, Frederik Wedel-Heinen, Katerina Micova, Matt Caswell

13 of 28 votes cast (46% participation)

Neil Horman, Mon 19 Jan 2026 12:01PM

No

I've no problem disabling weak curves in general, but it seems to me, changing defaults seems like something that should be done at the start of a development cycle, rather than so close to the end. By doing it now, we risk upsetting any behavioral testing that the community has been undertaking immediately prior to release.

Shane Lontis, Mon 19 Jan 2026 12:01PM

Yes

I think this should be done in a major release.

Tomas Mraz, Mon 19 Jan 2026 1:58PM

I think those are in reality practically unused, so I do not see a problem with these being disabled by default in 4.0.