ssl-extension-supported-groups
Specifies supported groups for TLS key agreements. This entry is used only when ssl-key-agreement is set to custom.
Syntax
ssl-extension-supported-groups = supported_group_name[,supported_group_name]*
Description
Comma-separated list of supported groups to allow in TLS 1.2 and TLS 1.3 key agreement.
This entry only applies when the ssl-key-agreement entry is set to custom and when the reverse proxy listen sockets are using version 9 of the cryptography provider. For more information about cryptography provider versions, see Cryptography Provider Overview.
Options
- supported_group_name
Specifies the name of a supported group to enable. Available group names include:
- ECDHE_X25519MLKEM768
- ECDHE_X25519
- ECDHE_SecP256r1MLKEM768
- ECDHE_SECP256R1
- ECDHE_SecP384r1MLKEM1024
- ECDHE_SECP384R1
- ECDHE_SECP521R1
- ECDHE_X448
- MLKEM768
- MLKEM1024
The following table describes the properties of the supported groups.

Table 1. Supported Group Properties

| Name | TLS 1.2 Support? | TLS 1.3 Support? | Uses Post-Quantum Cryptography (PQC)? |
| --- | --- | --- | --- |
| ECDHE_X25519MLKEM768 | No | Yes | Yes, Hybrid PQC |
| ECDHE_X25519 | Yes | Yes | No |
| ECDHE_SecP256r1MLKEM768 | No | Yes | Yes, Hybrid PQC |
| ECDHE_SECP256R1 | Yes | Yes | No |
| ECDHE_SecP384r1MLKEM1024 | No | Yes | Yes, Hybrid PQC |
| ECDHE_SECP384R1 | Yes | Yes | No |
| ECDHE_SECP521R1 | Yes | Yes | No |
| ECDHE_X448 | Yes | Yes | No |
| MLKEM768 | No | Yes | Yes, Non-Hybrid PQC |
| MLKEM1024 | No | Yes | Yes, Non-Hybrid PQC |

For more information about configuring Post-Quantum Cryptography, see Post-Quantum Cryptography (PQC).
Usage
This stanza entry is required when ssl-key-agreement is set to custom. Otherwise, it is optional.
Default value
ssl-extension-supported-groups =
Example
ssl-key-agreement = custom
ssl-extension-supported-groups = ECDHE_X25519MLKEM768,ECDHE_X25519
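
The following lint is an added example, not product code: it checks a configuration fragment against the rules on this page (the entry is required when ssl-key-agreement is custom, names must come from the list above, and the TLS 1.2 and PQC columns of Table 1). The function names, the parsing rules and the sample input are assumptions of this example, and it does not check the cryptography provider version.

```python
# Added example, not product code. Group properties are copied from Table 1.
# Assumptions: names match exactly as spelled, whitespace around commas is
# ignored, and lines starting with "#" or "[" are comments / stanza headers.
GROUPS = {  # name: (listed as supporting TLS 1.2, PQC type or None)
    "ECDHE_X25519MLKEM768": (False, "hybrid"),
    "ECDHE_X25519": (True, None),
    "ECDHE_SecP256r1MLKEM768": (False, "hybrid"),
    "ECDHE_SECP256R1": (True, None),
    "ECDHE_SecP384r1MLKEM1024": (False, "hybrid"),
    "ECDHE_SECP384R1": (True, None),
    "ECDHE_SECP521R1": (True, None),
    "ECDHE_X448": (True, None),
    "MLKEM768": (False, "non-hybrid"),
    "MLKEM1024": (False, "non-hybrid"),
}

def parse_entries(text):
    """Return {key: value} for every 'key = value' line in the text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def lint_supported_groups(text):
    """Return a list of findings; an empty list means nothing to report."""
    cfg = parse_entries(text)
    raw = cfg.get("ssl-extension-supported-groups", "")
    if cfg.get("ssl-key-agreement") != "custom":
        return ["supported groups set but ssl-key-agreement is not custom"] if raw else []
    names = [n.strip() for n in raw.split(",") if n.strip()]
    if not names:
        return ["ssl-key-agreement = custom requires ssl-extension-supported-groups"]
    findings = [f"unknown group name: {n}" for n in names if n not in GROUPS]
    known = [n for n in names if n in GROUPS]
    if known and not any(GROUPS[n][0] for n in known):
        findings.append("no configured group is listed as supporting TLS 1.2")
    if known and not any(GROUPS[n][1] for n in known):
        findings.append("no PQC group configured")
    return findings

# Constructed sample: one misspelled name plus one TLS 1.3-only group.
SAMPLE = "ssl-key-agreement = custom\nssl-extension-supported-groups = MLKEM768, ECDHE_X25119MLKEM768\n"
if __name__ == "__main__":
    print("\n".join(lint_supported_groups(SAMPLE)) or "no findings")
```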