Disable elliptical curves #48
Comments
|
Do you mean an ECC certificate ? Unfortunately, no. What you're asking is to identify the server-side certificate, even before an SSL handshake and block it? We probably need a new protocol standard for that. 😉 And/or some support from browser to let an add-on do that. This is unlike disabling cipher-suites - where the server side (and clients) support many cipher-suites and if you disable a few cipher-suites you could still connect to a server with another common suite. Cipher suites used are profile preferences that can be toggled. Whereas, the curve details are only available from the certificate offered from the server. As an add-on what could be done is to expose the curve details (which is otherwise tracked as a separate issue). Closing this issue. |
|
No I did not meant an ECC certificate (ECDSA) - obviously you cannot block this. Still I'm not sure whether this is possible, because the curves may be hard-compiled into Firefox/NSS, but well... it is an idea. |
|
Okay. Again, Firefox doesn't expose those details. The curve used is buried in the SSL handshake ServerKeyExchange. |
|
This issue is about changing the curves... |
|
The curve details from an ECC certificate (Public key algorithm parameters) is available. You can find it in Certificate -> Subject Public Key Algorithm -> Public key parameters. This can be displayed. However, for a key exchange the curve used is always negotiated during the SSL handshake. (Client Hello -> ServerKeyExchange). So, no, the key exchange curve cannot be displayed. |
Based on #45 it would of course also be very nice to be able to disable specific elliptical curves like you can currently do with ciphers.
The text was updated successfully, but these errors were encountered: