Hi @agl why does BoringSSL nuke P521 since Jan 15 2015? Now @BRIAN_____ wants to kill it in NSS too. What's going on? 
@_miw Also, I don't know why BoringSSL removed it; the above are why I'm suggesting NSS stop supporting it in the TLS handshake by default.
-
-
@BRIAN_____ thanks for your feedback. I'll look into the MS impl. a little more. I'm surprised that it's been deprecated in w10 SChannel. -
@_miw SChannel has never offered P-521 in its default configuration in the TLS signature_algorithms extension in the ClientHello, AFAIK. -
@BRIAN_____ I don't think this is correct. OpenSSL wouldn't send the cert if if not in supported_curve in CH. I tested w7/ie11 last night. -
@BRIAN_____ OK, looks like W7 SChannel sends P521 in ec ext, but not W8/2012/10 ; when did this happen, lol -
@_miw Off by 1. Vista sends P-521, but Win 7 does not. See https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx … and https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207 … and https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=7&platform=Vista …. -
@BRIAN_____ I don't think qualsys is correct. I tested this on several w7 boxes yesterday and they all had 3 curves in the CH from IE. Hmmmm -
@_miw@BRIAN_____ Looks like it was added in the recent SChannel security update -
@yuhong2@BRIAN_____@marshray really?? RCE patch shibboleths = bad. Need confirm CVE-2014-6321 patch adds P521 to ECext in CH on 7 and !8+
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.