[Ach] Minuscule addition to our epic Cipher String usage

Pepi Zawodsky pepi.zawodsky at maclemon.at
Sun Nov 17 17:05:48 CET 2013

I found one more way to “improve” the _usage_ of our distilled Cipher String.
To support Internet Explorer we need ECC.
Wth nginx 1.4 you can specify which curve to use and all IE releases do support
ECC curves secp256r1 and secp384r1. Interestingly IE7 on Vista also supports secp521r1 but IE8-11 on Windows 7 do not.

So I specified to use secp384r1 in nginx so we always use the a-little-less-crappy curve which is supported.
ssl_ecdh_curve          secp384r1;
Annoyingly enough one cannot specify an order of curves but only a single one.

This still gives us a score of
Certificate	       100
Protocol Support	95
Key Exchange	       100
Cipher Strength	       100

Android does support that from 3.0 upwards.
Interesting observation is that starting with Andoird 4.4 KitKat support for curves has dropped to the three lowly NIST curves. (secp256r1, secp384r1, secp521r1)

This leaves secp384r1 as the least common denominator.
Best regards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131117/94ffb889/attachment.sig>

More information about the Ach mailing list