Martin Thomson <martin.thom...@gmail.com> writes:

>The opposite in fact. NSS checks extensions first. That is how we filter out 
>ECC cipher suites if the named_groups extension doesn't list anything we 
>support.

I have to do the same thing, bouncing back and forth between cipher suites and
extensions in order to find something that fits.  That was the motivation for
the creation of the "Standardised ECC Cipher Suites for TLS" draft:

   TLS-ECC [3] provides an extremely flexible, and by extension
   extremely complex means of specifying a large number of options
   involving the use of ECC algorithms for TLS [2].  As such the "cipher
   suites" in TLS-ECC [3] and by extension TLS-ECC-Brainpool [4] aren't
   suites in the conventional TLS sense but more an indication of intent
   to negotiate a Chinese menu, with details to be decided on later via
   various TLS extensions and parameter settings.  This makes deciding
   on a particular suite nondeterministic, since later parameter choices
   and settings can negate the initial "cipher suite" choice, requiring
   returning to the suite list to try with another Chinese-menu suite in
   the hope that later parameter choices allow it to be used.

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
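
The two selection orders discussed in this message, as an added sketch that is not part of the original post and is not NSS code or the poster's code: one resolves the named_groups extension first and filters ECC suites, the other picks a suite first and counts how often a later group check sends it back to the suite list. The code points are the IANA values; the server configuration, function names and ClientHello contents are constructed assumptions.

```python
# Added illustration; not code from any TLS library. Code points are IANA values;
# the server configuration below is a constructed sample.
ECC_SUITES = {0xC02B, 0xC02F}             # TLS_ECDHE_{ECDSA,RSA}_WITH_AES_128_GCM_SHA256
SERVER_SUITES = {0xC02B, 0xC02F, 0x009E}  # 0x009E = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
SERVER_GROUPS = {23, 24}                  # secp256r1, secp384r1


def shared_group(client_groups):
    """First client-preferred group the server also supports, else None."""
    return next((g for g in client_groups if g in SERVER_GROUPS), None)


def select_extensions_first(client_suites, client_groups):
    """Resolve the extension once, filter the suite list, then pick."""
    group = shared_group(client_groups)
    for suite in client_suites:
        if suite not in SERVER_SUITES:
            continue
        if suite in ECC_SUITES and group is None:
            continue                      # ECC suite filtered out before selection
        return suite, (group if suite in ECC_SUITES else None)
    return None, None


def select_suite_first(client_suites, client_groups):
    """Pick a suite, then check parameters; count returns to the suite list."""
    backtracks = 0
    for suite in client_suites:
        if suite not in SERVER_SUITES:
            continue
        if suite not in ECC_SUITES:
            return suite, None, backtracks
        group = shared_group(client_groups)   # the detail "decided on later"
        if group is not None:
            return suite, group, backtracks
        backtracks += 1                   # tentative choice negated, try the next suite
    return None, None, backtracks


if __name__ == "__main__":
    # Constructed ClientHello: ECC suites offered, but only brainpoolP256r1 (26) listed.
    offer, groups = [0xC02B, 0xC02F, 0x009E], [26]
    print(select_extensions_first(offer, groups))  # DHE suite, no group
    print(select_suite_first(offer, groups))       # same suite after two backtracks
```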
