crypto/tls: generate_cert.go should document that some ECDSA curves don't have browser support #19901
I would recommend to not use P512 and instead use X25519, P256 or P224 because the Go TLS package does not provide/use a constant time implementation of P384 or P512 yet. Using P384 or P512 can enable side-channel attacks.
lparth pushed a commit to lparth/go that referenced this issue, Apr 13, 2017

Users (like myself) may be tempted to think the higher-numbered curve is somehow better or more secure, but P256 is currently the best ECDSA implementation, due to its better support in TLS clients, and a constant time implementation. For example, sites that present a certificate signed with P521 currently fail to load in Chrome stable, and the error on the Go side says simply "remote error: tls: illegal parameter".

Fixes golang#19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue, Oct 12, 2018
I ran `generate_cert.go` and figured the highest numbered ECDSA curve (P521) was the best one. It turns out that curve isn't supported in the latest versions of Chrome, Chromium and Firefox, which (as best as I can tell) only support P256 and P384.

If you try to connect using those certificates, you get a confusing `remote error: tls: illegal parameter` error message.

See also #19900.
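
An added example, not part of the issue or of generate_cert.go: a pre-deployment check that parses a certificate and flags an ECDSA curve outside the set the issue reports browsers accepting (P256 and P384). The function names, the `browserCurves` allow-list and the throwaway self-signed certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// browserCurves: curves the issue reports browsers accepting (assumed allow-list).
var browserCurves = map[string]bool{"P-256": true, "P-384": true}

// selfSigned builds a throwaway self-signed ECDSA certificate (constructed sample input).
func selfSigned(curve elliptic.Curve) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// checkCurve parses a DER certificate and returns its curve name and whether it is allow-listed.
func checkCurve(der []byte) (string, bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", false, fmt.Errorf("not an ECDSA certificate: %T", cert.PublicKey)
	}
	name := pub.Curve.Params().Name
	return name, browserCurves[name], nil
}

func main() {
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		der, err := selfSigned(c)
		if err != nil {
			panic(err)
		}
		fmt.Println(checkCurve(der)) // curve name, allow-listed?, error
	}
}
```

Running the check on the certificate file before serving it surfaces the curve mismatch directly, rather than as the `illegal parameter` alert at handshake time.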