ssl_ecdh_curve
Sets the curve for ECDH (Elliptic Curve Diffie-Hellman) key exchange in SSL/TLS sessions.
Description
The ssl_ecdh_curve directive in NGINX is used to specify the elliptic curves that are preferred for ECDH key exchange in SSL/TLS connections. ECDH is a key exchange mechanism that allows two parties to establish a shared secret over an insecure communication channel, which can then be used for symmetric encryption. This directive is particularly relevant when configuring secure connections, as the choice of elliptic curves can impact both security and performance.
The value defined with ssl_ecdh_curve can be a specific curve name or a list of curves. NGINX supports various standard curves, and the server will use the first curve from the list that both the server and client support. It’s important to select strong, widely supported curves to maximize compatibility and security. This directive can be set in the http or server context, affecting all SSL-enabled locations within it. Misconfigurations, like specifying weak curves, can lead to vulnerabilities in the TLS connections established by the server.
Config Example
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_ecdh_curve secp384r1;
}

Make sure to enable SSL before using this directive; otherwise, it will have no effect.
Using unsupported curves may lead to connection failures or fallback to weaker methods.
Be mindful of compatibility with older clients that may not support modern curves.
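As an added example (not code from the original page or from NGINX itself), the following Python script lints the ssl_ecdh_curve values in a config file for curves below 256 bits, binary-field curves, or names it does not recognise, so a weak entry is caught before deployment. The allowlist and the 256-bit threshold are this example's own assumptions, and the sample config is constructed.

```python
"""Lint the ssl_ecdh_curve directive in an NGINX config for weak or unknown curves."""
import re

# Curves this example accepts (an allowlist chosen for the example, assumed
# reasonable; not a list built into NGINX or OpenSSL).
STRONG_CURVES = {"X25519", "X448", "prime256v1", "secp256r1", "secp384r1", "secp521r1"}

# Prime-field SEC curve names carry their bit size, e.g. secp224r1 -> 224 bits.
_SECP_RE = re.compile(r"^secp(\d+)[rk]\d$")
# One directive per match; NGINX separates several curves with ':'.
_DIRECTIVE_RE = re.compile(r"^\s*ssl_ecdh_curve\s+([^;]+);", re.MULTILINE)

def classify_curve(name):
    """Return 'ok', 'weak', 'auto' or 'unknown' for one curve name."""
    if name == "auto":              # NGINX special value: OpenSSL's built-in list
        return "auto"
    if name in STRONG_CURVES:
        return "ok"
    m = _SECP_RE.match(name)
    if m:                           # below 256 bits gives under ~128-bit security
        return "weak" if int(m.group(1)) < 256 else "ok"
    if name.startswith(("sect", "c2")):
        return "weak"               # binary-field curves: poorly supported, avoid
    return "unknown"                # e.g. brainpool names: review by hand

def lint_config(config_text):
    """Return [(directive_value, [(curve, verdict), ...]), ...] per directive."""
    findings = []
    for m in _DIRECTIVE_RE.finditer(config_text):
        value = m.group(1).strip()
        verdicts = [(c, classify_curve(c)) for c in value.split(":")]
        findings.append((value, verdicts))
    return findings

def curves_to_remove(config_text):
    """Curves flagged weak or unknown across the whole config, in order."""
    return [c for _, verdicts in lint_config(config_text)
            for c, v in verdicts if v in ("weak", "unknown")]

# Constructed sample: one sound list, one list that mixes in a 224-bit curve.
SAMPLE_CONFIG = """server {
    listen 443 ssl;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
server {
    listen 8443 ssl;
    ssl_ecdh_curve secp224r1:secp384r1;
}
"""
```

Run it against a real config by passing the file contents to curves_to_remove(); an empty list means every listed curve passed the allowlist or size check.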