AnsweredAssumed Answered

SChannel - key exchange EC curve forced to same as ECDSA cert private key?

Question asked by Jacob Luebbers on Jan 24, 2016
Latest reply on Feb 3, 2016 by Jacob Luebbers

Hello,

     I've just been experimenting with ECDSA cipher suites on a Windows Server 2012 R2 platform and came across something unexpected (at least to me). It seems that when you use an ECDSA cert SChannel will always use the same EC curve for the ECDHE key exchange that the cert's private key itself uses, eg if your key is EC 256 (secp256r1) then your ECDHE key exchange will be P256, if your key is EC 384 then your ECDHE key exchange will be P384.

 

My preferred cipher suite order is this:

 

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

 

Testing in IIS - when I bind an ECDSA 256 cert to a website I get only these ciphers suites advertised:

 

ciphers_suites_P256.PNG

If I then switch the cert for an ECDSA 384 cert I get only these:

 

ciphers_suites_P384.PNG

When using RSA certs on the other hand the ECDHE curve is independent of the cert (obviously). I was expecting that you could do the same for ECDSA certs - eg deploy an ECDSA 384 cert and still support a P256 key exchange for ciphersuites that need it. It seems not - doing the above it's an either/or choice between AES128-P256 and AES256-P384 (for GCM ciphersuites anyway) for a single website and ECDSA cert.

 

Can anyone enlighten me - is this just a weird implementation choice on Microsoft's part, or am I missing something fundamental in my understanding of the ECDSA ciphersuites? Do other platforms (eg OpenSSL-based, etc.) support using different curves for key exchange vs the cert's private key for ECDSA?

 

Regards,

 

Jacob

Outcomes