There are many elliptic curves to choose from, and some are safer than others; see SafeCurves: choosing safe curves for elliptic-curve cryptography. But the CA/Browser Forum also limits the elliptic-curve choices.
NIST P-256 (secp256r1) and NIST P-384 (secp384r1) are not the safest; NIST P-521 (secp521r1) isn't shown in the list, but there are worse ones. I personally choose x448, x25519, secp521r1, secp384r1 (server preferred order).
Now Certificates:
For ECDSA key pairs, the CA SHALL:
• Ensure that the key represents a valid point on the NIST P‐256, NIST P‐384 or NIST P‐521 elliptic curve.
Reference: Baseline Requirements Documents (SSL/TLS Server Certificates)
The CA SHALL indicate an ECDSA key using the id‐ecPublicKey (OID: 1.2.840.10045.2.1) algorithm identifier. The parameters MUST use the namedCurve encoding.
- For P‐256 keys, the namedCurve MUST be secp256r1 (OID: 1.2.840.10045.3.1.7).
- For P‐384 keys, the namedCurve MUST be secp384r1 (OID: 1.3.132.0.34).
- For P‐521 keys, the namedCurve MUST be secp521r1 (OID: 1.3.132.0.35).
When encoded, the AlgorithmIdentifier for ECDSA keys MUST be byte‐for‐byte identical with the following hex‐encoded bytes:
- For P‐256 keys, 301306072a8648ce3d020106082a8648ce3d030107.
- For P‐384 keys, 301006072a8648ce3d020106052b81040022.
- For P‐521 keys, 301006072a8648ce3d020106052b81040023.
Now the Cipher Suites seem to have greater flexibility, as shown by SSL Report: hp-67.com in the Handshake Simulation section. You will note that ECDH x25519 is being used with some of the simulated clients.
So there is more than meets the eye in selecting elliptic curves, and more than one choice to be made for TLS (SSL). Certificates are only one of the pieces that has a choice, and it is presently limited to 3; other areas (Cipher Suites) have more choices, and at least 1 Safe Curve is available from a practical point of view.
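The three AlgorithmIdentifier byte strings quoted above can be decoded by hand to see which OIDs they carry and to check whether a key's encoding is one of the three permitted ones. The following is an added example, not code from the original post or from the CA/Browser Forum; the function names are illustrative, and the parser assumes short-form DER lengths, which is all these encodings use.

```python
BR_ECDSA_ALGID = {  # added example; hex strings copied from the quoted requirement
    "P-256": "301306072a8648ce3d020106082a8648ce3d030107",
    "P-384": "301006072a8648ce3d020106052b81040022",
    "P-521": "301006072a8648ce3d020106052b81040023",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for a short-form DER TLV at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or unexpected long-form length")
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs share one sub-identifier (40*X + Y)
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def parse_ecdsa_algid(der):
    """Return (algorithm_oid, named_curve_oid) from an AlgorithmIdentifier."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t1, alg, pos = read_tlv(seq, 0)
    t2, curve, pos = read_tlv(seq, pos)
    if (t1, t2) != (0x06, 0x06) or pos != len(seq):
        raise ValueError("expected exactly two OBJECT IDENTIFIERs")
    return decode_oid(alg), decode_oid(curve)

def br_curve_for(der):
    """Name of the permitted curve whose encoding matches byte for byte, else None."""
    return next((n for n, h in BR_ECDSA_ALGID.items() if bytes.fromhex(h) == der), None)

if __name__ == "__main__":
    for name, hx in BR_ECDSA_ALGID.items():
        print(name, *parse_ecdsa_algid(bytes.fromhex(hx)))
```

A well-formed namedCurve encoding for any other curve parses cleanly but returns `None` from `br_curve_for`, which is the byte-for-byte rule in practice.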