Conversation

Feb 13, 2021

What browsers/percent of users/legacy clients can't do ECDSA certs these days? A few years back AWS Cloudfront couldn't, but I assume that's been upgraded? Anything else?

Daniel Micay

@DanielMicay

Replying to

@bradfitz

For an idea of how widely it's supported by clients, Cloudflare only supports ECDSA for the Free plan used by the vast majority of sites making use of it. They have a compatibility list at developers.cloudflare.com/ssl/ssl-tls/br for browsers with SNI + ECDSA.

developers.cloudflare.com

Browser compatibility · Cloudflare SSL/TLS docs

Cloudflare wants to encrypt as much web traffic as possible to prevent data theft and other tampering. We are the first Internet performance and security company to offer free SSL/TLS protection.

10:46 PM · Feb 13, 2021Twitter Web App

Replying to

and

ECDSA is better if you care about compatibility with the oldest still supported clients. Internet Explorer 11 only supports ECDHE with an ECDSA certificate. If you use an RSA certificate and care about compatibility, you have to enable the DHE ciphers and configure it properly.

Replying to

and

DHE ciphers aren't supported with ECDSA. If you use the Mozilla Intermediate cipher configuration with ECDSA, you end up using 3 ciphers for TLS < 1.3: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 Matches the 3 usual TLS 1.3 ciphers.