I'm not sure if this is the ideal place to post this, but I just wanted to give people a heads-up that Mozilla's future "Server Side TLS" guidelines will recommend ECDSA certificates for the Intermediate configuration level. This is one of the most commonly used TLS configurations for servers across the internet.
In our research, we found that ECDSA and RSA certificates were equally compatible with the vast majority of clients across the internet, comprising this set of clients:
Android 4.4.2+, released October 2013
Chrome 31+, released August 2016
Firefox 27+, released February 2014
IE 11 (Win 7 and Win 10), released October 2013
Edge (all versions)
Java 8u31+, released January 2015
OpenSSL 1.0.1+, released March 2012
Safari 9+, released September 2015
The reason why we are recommending ECDSA certificates over RSA certificates is that they give IE11 clients on Windows 7 access to ECDHE for key exchange; with RSA they are limited to classic DHE. My apologies if this project already uses ECDSA by default.
Please let me know if you have any questions! Thanks!
april changed the title from "Consider making ecdsa (p-256) they default certificate type" to "Consider making ecdsa (p-256) the default certificate type" on Jun 20, 2019
When creating a 3.x release with ACMEv2 included I can definitely imagine doing this. Not sure if we should change the default behaviour for the current stable releases.
mozilla/server-side-tls#178
mozilla/server-side-tls#254
https://ssl-config.mozilla.org/