Peter Gutmann [pgut...@cs.auckland.ac.nz] writes:

Andrei Popov <andrei.po...@microsoft.com> writes:

>Unfortunately, in practice there are TLS 1.2 clients that support
>SHA256, but don't advertise it via the signature algorithms extension.

It's actually pretty safe to just automatically assume SHA256 (for TLS 1.2), regardless of what the other side advertises. There was a survey paper published a while back, I can't remember exactly which one, one of the many TLS-in-the-wild ones, which showed that of the servers that supported ECC, close to 100% did P256 + SHA256, some low single-digit figure were P521+512, and 384 was lost in the margin of error, some fraction of a percent. Of the anecdotal evidence from SCADA etc. which isn't publicly visible, it's about the same, you can pretty much assume P256 + SHA256 by default.

[[stf]] Well, assuming the other side sends any cipher suite containing SHA-256, the server can assume that technically the client is able to utilize it in signature operations.

Which is precisely why LTS specifies P256 + SHA256 as its MTI if you're doing ECC.

To paraphrase Calvin's quote about success, "the secret to success is changing your expectations so that they're already met". Assume P256+SHA256 (when ECC is indicated), or just SHA256 in general for 1.2, and you won't be disappointed.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
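The thread discusses three ways a TLS 1.2 server can pick a signature hash when a client omits the signature_algorithms extension: the RFC 5246 rule (behave as if {sha1, rsa} or {sha1, ecdsa} had been sent), the inference that a client offering a SHA-256 cipher suite can also handle SHA-256 signatures, and the blanket "just assume SHA256" approach. The following is an added example, written for this page and not code from the mailing-list thread or from any TLS implementation. It parses the extension body as laid out in RFC 5246 section 7.4.1.4.1 and makes the three policies explicit so they can be compared; the cipher-suite code points are the IANA-assigned values, the preference order and the `policy` parameter are this example's own choices, and the byte strings are constructed test input.

```python
"""Server-side choice of signature hash for a TLS 1.2 handshake.

Added example (not from the thread or any TLS library).  It models the
three positions discussed: the RFC 5246 default (SHA-1 when the extension
is absent), inferring SHA-256 support from an offered SHA-256 cipher suite,
and simply assuming SHA-256.
"""
from __future__ import annotations
import struct

# RFC 5246 HashAlgorithm and SignatureAlgorithm code points.
HASH_NAMES = {2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# A few IANA cipher suites whose PRF/MAC is SHA-256 or SHA-384 (TLS 1.2 only).
SHA256_SUITES = {0x003C, 0x003D, 0x009C, 0x009E, 0xC023, 0xC027, 0xC02B, 0xC02F}
SHA384_SUITES = {0x009D, 0x009F, 0xC024, 0xC028, 0xC02C, 0xC030}

# Server preference, strongest-and-most-common first (this example's choice).
PREFERENCE = ("sha256", "sha384", "sha512", "sha1")


def parse_signature_algorithms(ext_body: bytes) -> list[tuple[str, str]]:
    """Decode a signature_algorithms extension body (RFC 5246 7.4.1.4.1).

    Layout: uint16 length, followed by that many bytes of (hash, sig) pairs.
    Raises ValueError on a malformed body; unknown code points are skipped.
    """
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if length != len(pairs) or length % 2 != 0:
        raise ValueError("bad signature_algorithms length")
    out = []
    for i in range(0, length, 2):
        h, s = pairs[i], pairs[i + 1]
        if h in HASH_NAMES and s in SIG_NAMES:
            out.append((HASH_NAMES[h], SIG_NAMES[s]))
    return out


def choose_signature_hash(ext_body: bytes | None, cipher_suites: list[int],
                          key_type: str, policy: str = "rfc5246") -> str:
    """Return the hash the server should sign with for a 'rsa' or 'ecdsa' key.

    policy (hypothetical knob for this example):
      "rfc5246"   - absent extension means SHA-1, as the spec mandates
      "infer"     - absent extension means SHA-256 if the client offered a
                    SHA-256/384 suite (it can evidently compute SHA-2), else SHA-1
      "assume256" - absent extension means SHA-256 regardless (the advice above)
    """
    if ext_body is not None:
        offered = {h for h, s in parse_signature_algorithms(ext_body) if s == key_type}
        for h in PREFERENCE:
            if h in offered:
                return h
        raise ValueError(f"client offers no usable hash for {key_type}")
    if policy == "assume256":
        return "sha256"
    if policy == "infer" and any(cs in SHA256_SUITES or cs in SHA384_SUITES
                                 for cs in cipher_suites):
        return "sha256"
    return "sha1"  # RFC 5246 default when the extension is missing


if __name__ == "__main__":
    # Constructed ClientHello fragments: no extension, AES-GCM SHA-256 suite offered.
    for pol in ("rfc5246", "infer", "assume256"):
        print(pol, "->", choose_signature_hash(None, [0xC02F], "rsa", pol))
```

The `policy` switch is only there to put the three behaviours side by side; an operational server picks one. Note that when the extension is present the function honours it strictly, so the heuristics apply only to the legacy clients the thread is about, and a client that advertises nothing usable for the server's key type is rejected rather than guessed at.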