
Consider making ecdsa (p-256) the default certificate type #417

Open
april opened this issue Jun 20, 2019 · 3 comments
Comments


april commented Jun 20, 2019

I'm not sure if this is the ideal place to post this, but I just wanted to give people a heads-up that Mozilla's future "Server Side TLS" guidelines will recommend ECDSA certificates for the Intermediate configuration level. This is one of the most commonly used TLS configurations for servers across the internet.

mozilla/server-side-tls#178
mozilla/server-side-tls#254
https://ssl-config.mozilla.org/

In our research, we found that ECDSA and RSA certificates were equally compatible with the vast majority of clients across the internet, comprising this set of clients:

  • Android 4.4.2+, released October 2013
  • Chrome 31+, released August 2016
  • Firefox 27+, released February 2014
  • IE 11 (Win 7 and Win 10), released October 2013
  • Edge (all versions)
  • Java 8u31+, released January 2015
  • OpenSSL 1.0.1+, released March 2012
  • Safari 9+, released September 2015

The reason why we are recommending ECDSA certificates over RSA certificates is that they give IE11 clients on Windows 7 access to ECDHE for key exchange; with RSA they are limited to classic DHE. My apologies if this project already uses ECDSA by default.

Please let me know if you have any questions! Thanks!
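An added example, not code from getssl or from this thread: a POSIX shell script that uses the openssl CLI (assumed to be on PATH) to generate the P-256 key and CSR an ACME client would produce under the proposed default, and to report whether an existing key file is EC (with its curve) or RSA (with its size), so a changed default can be checked against what is actually deployed. The req config, the example.test domain and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not getssl's own code. Assumes the openssl CLI is on PATH.
# Generates a P-256 (prime256v1) key and CSR, then classifies key files so a
# changed default key type can be verified against what is actually deployed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CSR step works without a system openssl.cnf;
# the real subject is passed with -subj and overrides the placeholder CN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# gen_p256_key_and_csr KEYFILE CSRFILE DOMAIN
gen_p256_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -pkeyopt ec_param_enc:named_curve -out "$1" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$1" \
        -subj "/CN=$3" -out "$2" 2>/dev/null
}

# key_type KEYFILE -> "EC:<curve>" for an EC key, "RSA:<bits>" otherwise
key_type() {
    txt="$(openssl pkey -in "$1" -noout -text 2>/dev/null)" || return 1
    curve="$(printf '%s\n' "$txt" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)"
    if [ -n "$curve" ]; then
        printf 'EC:%s\n' "$curve"
    else
        bits="$(printf '%s\n' "$txt" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)"
        printf 'RSA:%s\n' "${bits:-unknown}"
    fi
}
# csr_curve CSRFILE -> curve of the CSR's public key (empty if not EC or not a CSR)
csr_curve() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Demo: the proposed P-256 default next to a classic RSA key for comparison
gen_p256_key_and_csr "$WORK/ec.key" "$WORK/ec.csr" example.test
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key" 2>/dev/null
echo "ec.key:  $(key_type "$WORK/ec.key")"   # EC:prime256v1
echo "rsa.key: $(key_type "$WORK/rsa.key")"  # RSA:2048
echo "ec.csr:  $(csr_curve "$WORK/ec.csr")"  # prime256v1
```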

april changed the title from "Consider making ecdsa (p-256) they default certificate type" to "Consider making ecdsa (p-256) the default certificate type" Jun 20, 2019
QuingKhaos added the rfc label Oct 6, 2019
QuingKhaos (Collaborator) commented

When creating a 3.x release with ACMEv2 included, I can definitely imagine doing this. Not sure if we should change the default behaviour for the current stable releases.

QuingKhaos added this to the ACME v2 milestone Oct 9, 2019
timkimber self-assigned this Feb 6, 2020

tsufz commented Oct 13, 2022

Hi,
Let's Encrypt is definitely changing to ECDSA as the default certificate in the near future.

Yours,
Tobias

githubRover commented

@tsufz Technically, Certbot is changing its default. Certbot is just one of many ACME clients (including getssl).

Let's Encrypt Certificate Authority does not create ACME clients - only the ACME Server. Certbot is created by the EFF.

That said, I agree getssl should consider that. Perhaps after Certbot makes that change to highlight any problems that might arise.

5 participants