Re: [TLS] Empty extensions don't go last

2016-03-24 Thread Andrei Popov
Yes, we found this a while ago as well, and had to move extensions around.

Cheers,
Andrei

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Wan-Teh Chang
Sent: Thursday, March 24, 2016 12:04 AM
To: Martin Thomson
Cc: tls@ietf.org
Subject:

Re: [TLS] Ensuring consistent strength across certificate, ECDHE, cipher, and MAC

2016-03-24 Thread Peter Gutmann
Hubert Kario writes:

>In my experience, many (12%) servers simply ignore the list of curves
>advertised by client and use the P-256 curve always.
>
>Some (58%) check if it was advertised and fall back to non-ECDHE if P-256 is
>not advertised.

When I checked, which is a year or

Re: [TLS] Ensuring consistent strength across certificate, ECDHE, cipher, and MAC

2016-03-24 Thread Fedor Brunner
Timothy Jackson:

> I’ve noted that many (most?) TLS implementations choose their ECDHE curves
> seemingly without regard to the cipher suite strength. Thus, they'll select
> an AES256 cipher suite (e.g. TLS_ECDHE_ECDSA_WITH_AES256_SHA384), but then
> generate an ECDHE key on the P256 curve.