By the way, the root of the TLS 1.2 issue is that Erlang/OTP...

By the way, the root of the TLS 1.2 issue is that Erlang/OTP does not support X448 and X25519 curves for TLS 1.2. If you host an instance, please make sure you don’t restrict allowed ECDHE curves to only X448 and/or X25519, or Pleroma won’t be able to connect to you (unless they have the TLS 1.3 patch)! This will cause big federation issues for you!

If you run nginx, check for ssl_ecdh_curve in your configuration (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve ), and make sure it allows/supports one of the following elliptic curves:

sect571r1, sect571k1,
secp521r1, brainpoolP512r1,
sect409k1, sect409r1,
brainpoolP384r1, secp384r1,
sect283k1, sect283r1,
brainpoolP256r1, secp256k1, secp256r1,
sect239k1,
sect233k1, sect233r1,
secp224k1, secp224r1,
sect193r1, sect193r2,
secp192k1, secp192r1,
sect163k1, sect163r1, sect163r2,
secp160k1, secp160r1, secp160r2

If you don’t have a ssl_ecdh_curve directive, that means OpenSSL defaults are used (so, it shouldn’t be a problem on most distributions). If you do, I’d recommend making sure you at least have one of those from the list enabled, like this:

ssl_ecdh_curve X25519:X448:sect571r1

If you’re picky on your curves, make sure to refer to https://safecurves.cr.yp.to/ as usual (but be picky only if you really know what you’re doing; seriously!!)

This elliptic curve setting might also be referred to as “supported groups” in your software, please check for that setting!

Like 1 18 Jun 2022 at 9:30 | Open on p.helene.moe