> OK, that's more than I expected, although I kind of wonder what
> combinations are doing this.

It varies a bit over time, but today most were caused by a certain client sending a P-384 keyshare while also announcing support for P-256.

> On the other hand, most clients today send x25519 key share
> by default, which seems to be the weakest supported group in TLS 1.3.

I'd say that title goes to ffdhe2048.

Best,

Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls