
Disable All Elliptic Curves Except Secp256 For TLS?

Android 5.0 uses OpenSSL and it provides TLS 1.2 support (from the AOSP patches and diffs, it looks like OpenSSL 1.0.0). The Android client offers the elliptic curve zoo (all of th

Solution 1:

In the OpenSSL library, the curves are defined in a static array:

https://android.googlesource.com/platform/external/openssl/+/master/crypto/ec/ec_curve.c line 1832

in the static array curve_list.

The OpenSSL library does not provide any API to manipulate this array, so if you use the Android system-provided libcrypt.so, there is no normal way to manipulate this array.

If you use JNI, you can recompile a custom OpenSSL and delete the other curves in curve_list.

If you use Java, since EC is mostly used in ECDH and ECDSA:

1. In ECDSA, the curve used is decided by the certificate; you just need to use secp256 to generate an EC certificate.

2. In ECDH, OpenSSL has an API, SSL_CTX_set_tmp_ecdh(), to set the ECDH curve. See: https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L976

I am sorry, I am not familiar with Java; I have no idea how to access this in Java on Android.
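Whichever route is taken, the result can be checked from a captured handshake: the curves a client offers travel in the supported_groups (formerly elliptic_curves) extension of its ClientHello. The Python below is an added example, not code from the answer or from OpenSSL; the helper names and the ClientHello bytes are constructed for illustration, and "secp256" is assumed to mean secp256r1 (P-256).

```python
import struct

SUPPORTED_GROUPS = 0x000A  # extension type, formerly "elliptic_curves"
GROUP_NAMES = {0x0016: "secp256k1", 0x0017: "secp256r1", 0x0018: "secp384r1",
               0x0019: "secp521r1", 0x001D: "x25519"}  # IANA named-group ids

def offered_groups(record):
    """Return the named groups advertised in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # client_version, random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):                # walk the extensions
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SUPPORTED_GROUPS:
            n = int.from_bytes(data[:2], "big")           # list length in bytes
            ids = struct.unpack(f"!{n // 2}H", data[2:2 + n])
            return [GROUP_NAMES.get(i, f"0x{i:04x}") for i in ids]
    return []                                             # extension absent

def only_group(record, wanted="secp256r1"):
    """True when only `wanted` is offered (assumed meaning of "secp256")."""
    return offered_groups(record) == [wanted]

def build_hello(group_ids):
    """Constructed sample: minimal TLS 1.2 ClientHello offering group_ids."""
    groups = b"".join(struct.pack("!H", g) for g in group_ids)
    exts = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"    # ec_point_formats
    exts += struct.pack("!HHH", SUPPORTED_GROUPS, len(groups) + 2, len(groups)) + groups
    hello = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, no session_id
             + b"\x00\x02\xc0\x2b" + b"\x01\x00"          # one ECDHE-ECDSA suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for ids in ([0x0017, 0x0018, 0x0019, 0x0016], [0x0017]):
        rec = build_hello(ids)
        print(offered_groups(rec), "ok" if only_group(rec) else "extra curves offered")
```

To use it on real traffic, pass the raw bytes of the first TLS record the client sends; a ClientHello split across several records is not handled.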
