On Wed, Jun 24, 2015 at 04:26:58PM +0200, Lukas Tribus wrote:
> Currently we mostly use RSA certificates. ECC (ECDSA) are different
> certificates and until RSA certificates are fully removed from the
> industry, we will have to support both.
>
> The change, if I understand correctly, allows serving the ECC/ECDSA
> certificate when the client supports it (via ciphers list), and RSA
> otherwise.
Ah OK, I didn't know the certificates were different, now I understand and
of course it makes a lot of sense!

> Do we need this? Absolutely yes.

Yes indeed, at least to benefit from the extra performance brought by ECDSA.

> But we will have to verify exactly what's the best way to do this, and
> how openssl can help with this. I believe openssl 1.0.2 introduces a new
> API which makes things simpler.
>
> Apache 2.4 can already do this, nginx not yet.

OK.

> Some discussions and further information:
>
> https://github.com/igrigorik/istlsfastyet.com/issues/38
> http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html
> https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/
> https://blog.joelj.org/2015/06/19/dual-rsaecdsa-certificates-in-apache-2-4/
> https://securitypitfalls.wordpress.com/2014/10/06/rsa-and-ecdsa-performance/

Wow, efficient as usual :-)

Thanks very much for the explanation Lukas.

willy
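The selection rule Lukas describes (ECDSA certificate when the client's cipher list allows it, RSA otherwise), as an added illustration that is not part of the thread or of HAProxy's code: the function names, the ClientHello builder and the short cipher-suite tables are assumptions for the example, and the real TLS 1.2 decision would also consult the signature_algorithms and supported curves extensions.

```python
import struct

# IANA cipher suite codes grouped by the certificate type they authenticate with
# (a subset; real servers consult the full OpenSSL table).
ECDSA_SUITES = {0xC02B, 0xC02C, 0xC023, 0xC009, 0xC00A}  # ECDHE-ECDSA-*
RSA_SUITES = {0xC02F, 0xC030, 0xC013, 0x002F, 0x0035}    # ECDHE-RSA-* and RSA-*


def parse_cipher_suites(client_hello):
    """Return the cipher suite codes offered in a TLS ClientHello body
    (record and handshake headers already stripped)."""
    pos = 2 + 32                           # skip client_version and random
    sid_len = client_hello[pos]
    pos += 1 + sid_len                     # skip session_id
    (cs_len,) = struct.unpack_from("!H", client_hello, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(client_hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", client_hello, pos + i)[0]
            for i in range(0, cs_len, 2)]


def select_certificate(suites, certs):
    """Pick which configured certificate to present.

    certs maps "ecdsa"/"rsa" to a certificate path or None. ECDSA is preferred
    whenever the client offers an ECDSA-authenticated suite and we hold such a
    certificate; otherwise fall back to RSA. None means no usable pairing, i.e.
    the handshake would fail with a 'no shared cipher' style error.
    """
    if certs.get("ecdsa") and any(s in ECDSA_SUITES for s in suites):
        return "ecdsa"
    if certs.get("rsa") and any(s in RSA_SUITES for s in suites):
        return "rsa"
    return None


def build_client_hello(suites):
    """Constructed TLS 1.2 ClientHello body (empty session id, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00" + b"\x00\x00"  # compression_methods, extensions


if __name__ == "__main__":
    certs = {"ecdsa": "/etc/ssl/site-ecdsa.pem", "rsa": "/etc/ssl/site-rsa.pem"}
    modern = parse_cipher_suites(build_client_hello([0xC02B, 0xC02F, 0x002F]))
    legacy = parse_cipher_suites(build_client_hello([0xC013, 0x002F]))
    print(select_certificate(modern, certs), select_certificate(legacy, certs))
```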

