> i think there's a problem with the curve negotiation.
>
> the new tlsServerExtensions() function can leave c->sec->nc unset.
>
> and later, tlsServer2() has this change:
>
> - Namedcurve *nc = &namedcurves[0]; /* secp256r1 */ > - > m.tag = HServerKeyExchange; > - m.u.serverKeyExchange.curve = nc->tlsid; > - m.u.serverKeyExchange.dh_parameters = tlsSecECDHEs1(c->sec, nc); > + m.u.serverKeyExchange.curve = c->sec->nc->tlsid; > + m.u.serverKeyExchange.dh_parameters = tlsSecECDHEs1(c->sec);
>
> maybe we can make the code more explicit about this? it is hard to
> see that it is supposed to modify.

ok, tlsServer2 now will fall back to secp256r1 if for some reason
tlsServerExtensions left it unset. in addition now comments mention
that curve is chosen by tlsServerExtensions.
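
Review bot: the added line `m.u.serverKeyExchange.curve = c->sec->nc->tlsid;` dereferences c->sec->nc with no nil check in the quoted hunk, and the mail above says tlsServerExtensions() can leave that field unset, so a handshake that reaches tlsServer2() on that path would fault in the server before ServerKeyExchange is sent. The check should sit immediately before this assignment, so that it also covers `tlsSecECDHEs1(c->sec)`, which no longer takes the curve as an argument and so presumably reads it from the same field. Either assign `&namedcurves[0]` (the secp256r1 default that the removed `Namedcurve *nc` line provided) or fail the handshake explicitly. The reply says a fallback and comments were added, but the revised hunk is not shown here, so it is worth confirming that the fallback is assigned to c->sec->nc itself rather than to a local variable; otherwise the curve id put in the message and the curve used for the ECDHE parameters could disagree.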