I've just been experimenting with ECDSA cipher suites on a Windows Server 2012 R2 platform and came across something unexpected (at least to me). It seems that when you use an ECDSA cert SChannel will always use the same EC curve for the ECDHE key exchange that the cert's private key itself uses, eg if your key is EC 256 (secp256r1) then your ECDHE key exchange will be P256, if your key is EC 384 then your ECDHE key exchange will be P384.
My preferred cipher suite order is this:
Testing in IIS - when I bind an ECDSA 256 cert to a website I get only these ciphers suites advertised:
If I then switch the cert for an ECDSA 384 cert I get only these:
When using RSA certs on the other hand the ECDHE curve is independent of the cert (obviously). I was expecting that you could do the same for ECDSA certs - eg deploy an ECDSA 384 cert and still support a P256 key exchange for ciphersuites that need it. It seems not - doing the above it's an either/or choice between AES128-P256 and AES256-P384 (for GCM ciphersuites anyway) for a single website and ECDSA cert.
Can anyone enlighten me - is this just a weird implementation choice on Microsoft's part, or am I missing something fundamental in my understanding of the ECDSA ciphersuites? Do other platforms (eg OpenSSL-based, etc.) support using different curves for key exchange vs the cert's private key for ECDSA?