7

I'm looking into using ECDHE-ECDSA and there are a lot of great articles on why (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/) and (http://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet), for example.

Obviously the browser support isn't great, but Chrome 30, Internet Explorer 11 on Windows 8, Safari 7 on OS X 10.9, and Firefox 26 all support TLS 1.2.

I have looked into a few CAs and only a few sign certificates for ECDSA (Verisign/Symantec does). My question is: if I get a certificate signed for ECDSA and in my cipher chain I fall back properly, will older browsers be able to use RSA?

I have the feeling that the answer is no, because if you sign an RSA certificate, you can't use ECDSA, but I wanted to make sure before I ruled out ECDHE-ECDSA.

Paul

paintedbicycle
  • 199
  • 1
  • 3
  • 15

1 Answers1

5

Have a look at this Q/A over on Information Security SE:

Is possible that a TLS server send more than one certificate to the client for the same site?

Strictly speaking, the server can send an arbitrary number of certificates to the client, as part of its Certificate message. However, as the standard says:

The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

Therefore, a really compliant server cannot send a choice of certificates to the client, and cannot expect clients to use any other certificate than the first one they send.

For signature algorithm support, there is a standard TLS extension specified in section 7.4.1.4.1, by which the client can tell to the server, early in the handshake (in the ClientHello, which is the very first message of the procedure), which hash functions and signature algorithms it supports. This allows a server who owns, for instance, both a RSA-signed certificate and an ECDSA-signed certificate, to send one or the other, depending on what the client supports. This is typical of how things go in TLS: the client suggests, the server chooses.

(In practice, support for this extension is not yet widespread. But, also in practice, everybody uses RSA and supports RSA.)

Community
  • 1
MichelZ
  • 11,068
  • 4
  • 32
  • 59
  • 2
    See new comment on the security.SE question: if your server can configure both an RSA key&cert AND an ECDSA one (which depends on the server, Apache uses openssl and apparently can) then it can and must use the correct key&cert (sent as the first cert) for the ciphersuite negotiated. – dave_thompson_085 Nov 27 '14 at 05:16