Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: generate_cert.go should document that some ECDSA curves don't have browser support #19901

Closed
kevinburke opened this issue Apr 9, 2017 · 1 comment

Comments

@kevinburke
Copy link
Contributor

@kevinburke kevinburke commented Apr 9, 2017

I ran generate_cert.go and figured the highest numbered ECDSA curve (P521) was the best one. It turns out that curve isn't supported in the latest versions of Chrome, Chromium and Firefox, which (as best as I can tell) only support P256 and P384.

If you try to connect using those certificates, you get a confusing remote error: tls: illegal parameter error message.

See also #19900.

@aead

This comment has been minimized.

Copy link
Contributor

@aead aead commented Apr 10, 2017

I would recommend to not use P512 and instead use X25519, P256 or P224 because the Go TLS package does not provide/use a constant time implementation of P384 or P512 yet. Using P384 or P512 can enable side-channel attacks.

@gopherbot gopherbot closed this in 26c2926 Apr 10, 2017
lparth added a commit to lparth/go that referenced this issue Apr 13, 2017
Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes golang#19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@golang golang locked and limited conversation to collaborators Apr 10, 2018
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes golang#19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes golang#19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.