Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

Peter Gutmann <> Tue, 26 July 2016 11:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3944512B00B for <>; Tue, 26 Jul 2016 04:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aEhKkRYQFvkz for <>; Tue, 26 Jul 2016 04:15:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 28FB812D0F5 for <>; Tue, 26 Jul 2016 04:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1469531711; x=1501067711; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=ehTH4ODiRTXvCmdVt1Z29EJQIRuc6gEtGYQNJM3wqY8=; b=khcE7mArdL8mH19uyhZtmot78ugWEsERrP1sj3XuZulYRTB1qEfpnM7/ 4ao0JexcZMZYbkZ+oceIcxXo0+XA9XCNOkjjqp0bjumwVku2t6E4ulZz2 MzbjCXVDyGxA64mVYfXHWxSDHp7viCUsXycGwG4d/Ee7HUF167JCYC5X9 8Vg5oJjOaiz7IfuCmn6yQyI9Z6FcoLluscrNWpmJE08guhpQ2tm/D5Jt8 KbkxPp5uoS1WPlw0QUpkNzv8BnmUcx/66GyK1h2geeBJMB0un4R+XZP0O n70oIoit8S3gSO7KyZid5Tla5H8c1EJKINl4x7MPe61nrcN55n2GfQmAZ w==;
X-IronPort-AV: E=Sophos;i="5.28,424,1464609600"; d="scan'208";a="98956934"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 26 Jul 2016 23:15:09 +1200
Received: from ([]) by ([]) with mapi id 14.03.0266.001; Tue, 26 Jul 2016 23:15:09 +1200
From: Peter Gutmann <>
To: Ilari Liusvaara <>, "" <>
Thread-Topic: [TLS] weird ECDSA interop problem with cloudflare/nginx
Thread-Index: AQHR5qgCNz+FR8k/8Uif+jsgAebuiKAowWEAgAGVRQ7//2UFgIAA1L6+
Date: Tue, 26 Jul 2016 11:15:09 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] weird ECDSA interop problem with cloudflare/nginx
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Jul 2016 11:15:13 -0000

Ilari Liusvaara <> writes:

>The basic problem (let's ignore non-cert modes for a bit):
>When choosing the certificate, you need to consider if you have a ciphersuite
>that can use some supported group and protection/prf-hash available.
>Similarly, when choosing a group, you need to consider that you have a
>ciphersuite that is consistent in other (possible) choices.
>And protection/prf-hash also has to be consistent with other choices.
>The reason these choices couple is because the client can send pretty much
>arbitrary combination of oters that depends on each considered factor.

OK, so that's pretty much the same stuff I ran into.  What makes it really
ugly is that you can no longer decide, based on a cipher suite offered,
whether you can actually continue with that, but then have to tunnel down into
the extensions that follow the suites to see what's there.  If there's nothing
appropriate you go back to the cipher suites and find the next-best match, try
that against the extensions, and so on.  Mostly things appear to work now
because virtually everything supports the de facto standard of P256 + SHA-256
with ECDSA and ECDH (which is why TLS-LTS specifies it as one of its two suite
choices), but once you start veering away from that de facto universal
standard you run into problems.  Rather than spend forever trying various
poke-and-hope strategies, my code looks for the default form (P/SHA-256) and
if that's not found falls back to DHE + RSA.  That seems to work well enough,
and I don't have to debug weird failures with oddball combinations.