author | Jack Lloyd <[email protected]> | 2016-11-19 05:36:11 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-19 05:36:11 -0500 |
commit | 137a08ff71778ebb6e6eeb1b4aaeea9ab659f5f6 (patch) | |
tree | d7cebe175383e06d1f1b875d2ce4c4071b012f90 /src | |
parent | 9a4a639fa3586a5ec10444d0fc26049bd9c3b707 (diff) |
Order default TLS ECC curve preferences by performance

Moves x25519 to the front for best by-default side channel resistance,
and orders remaining NIST/BP curves by performance rather than size.
That means putting P-521 before P-384, since P-521 is much faster at
least in Botan (due to much simpler modular reduction for P-521 prime),
and Brainpools to the end due to being quite slow (no fast reductions).

All of the supported curves seem strong enough, and if someone can break
P-256 they can probably break P-384 as well so there doesn't seem much
advantage in preferring slower curves by default.

Diffstat (limited to 'src')
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 1bb0951bb..49a8ad1fc 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -95,14 +95,16 @@ bool Policy::allowed_signature_method(const std::string& sig_method) const std::vector<std::string> Policy::allowed_ecc_curves() const { + // Default list is ordered by performance + return { - "brainpool512r1", + "x25519", + "secp256r1", "secp521r1", - "brainpool384r1", "secp384r1", "brainpool256r1", - "secp256r1", - "x25519", + "brainpool384r1", + "brainpool512r1", }; } |
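Review bot: The comment added above the return in Policy::allowed_ecc_curves() says only "ordered by performance", which leaves out the two non-obvious choices in this list: x25519 is first for side channel resistance, and secp521r1 is placed ahead of secp384r1 because P-521 is the faster of the two in this implementation. Consider expanding the comment to say both, for example "x25519 first for side channel resistance, then NIST and Brainpool curves by speed (P-521 before P-384)", so a later reader does not re-sort the list by curve size. Because the default preference changes from largest curve first (brainpool512r1, secp521r1, ...) to x25519 and secp256r1 first, a note for applications that relied on the previous default order would also be worth adding alongside this change.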