Re: Issue 478225 in chromium: Chrome TLS no longer supports secp521r1 in elliptic curve certificates


chro...@googlecode.com

Apr 17, 2015, 4:39:31 PM
to chromi...@chromium.org

Comment #1 on issue 478225 by hdf...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

Same here on Windows. Also, the current Chromium (44.0.2374.0) has the same
problem. (That's why I started to think that this was intentional.) You can
test here: https://www.ssllabs.com/ssltest/viewMyClient.html

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

chro...@googlecode.com

Apr 19, 2015, 6:42:35 AM
to chromi...@chromium.org

Comment #2 on issue 478225 by lindqv...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

Just to confirm, I see the same behavior (dropped support for secp521r1) in
both OS X (42.0.2311.90 64-bit) and Windows (42.0.2311.90 m) versions of
Chrome.

chro...@googlecode.com

Apr 19, 2015, 9:52:12 AM
to chromi...@chromium.org

Comment #3 on issue 478225 by hdf...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

Same on the 64-bit version, and still present in Chromium 44.0.2375.0. Could we
change the OS of this report to All?

After a bit of looking around, I'm starting to think the problem might be
coming from the BoringSSL library.
(
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boringssl/src/ssl/t1_lib.c&q=secp521r1&sq=package:chromium&dr=C&l=351
)
Here maybe? It says:
static const uint16_t eccurves_default[] = {
23, /* X9_62_prime256v1 */
24, /* secp384r1 */
};
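
An added example (not code from the thread or from BoringSSL) that models the mechanism behind the reported symptom: it builds and parses the TLS elliptic_curves extension from RFC 4492 and shows that a server holding a secp521r1 certificate cannot complete the handshake with a client that advertises only the two curves in the quoted eccurves_default list. The curve ids 23/24/25 are the RFC 4492 NamedCurve values; the three-curve comparison list is an assumption for contrast, not taken from the page.

```python
import struct

# TLS NamedCurve ids from RFC 4492 section 5.1.1
SECP256R1, SECP384R1, SECP521R1 = 23, 24, 25
CURVE_NAMES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

# The BoringSSL default list quoted in the thread: P-521 is absent.
ECCURVES_DEFAULT = (SECP256R1, SECP384R1)
# Assumed list that still includes P-521, used only for comparison.
ECCURVES_WITH_P521 = (SECP256R1, SECP384R1, SECP521R1)

def encode_supported_curves_ext(curves):
    """Build the ClientHello 'elliptic_curves' extension (type 10):
    ext type, ext length, curve-list byte length, then 2-byte curve ids."""
    body = struct.pack("!H", 2 * len(curves))
    body += b"".join(struct.pack("!H", c) for c in curves)
    return struct.pack("!HH", 10, len(body)) + body

def parse_supported_curves_ext(ext):
    """Parse the extension back into a list of curve ids, checking lengths."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 10 or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed elliptic_curves extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    if list_len != ext_len - 2 or list_len % 2:
        raise ValueError("bad curve list length")
    return [struct.unpack("!H", ext[i:i + 2])[0]
            for i in range(6, 6 + list_len, 2)]

def server_accepts_ecdsa_cert(client_curves, cert_curve):
    """Server-side rule: an ECDSA certificate on a curve the client did not
    advertise cannot be used for an ECDHE_ECDSA suite, so no suite is
    selectable and the handshake fails (the symptom in this thread)."""
    return cert_curve in client_curves

def diagnose(client_hello_ext, cert_curve):
    """Explain, for a given ClientHello extension and certificate curve,
    whether the connection can succeed."""
    curves = parse_supported_curves_ext(client_hello_ext)
    names = [CURVE_NAMES.get(c, c) for c in curves]
    if server_accepts_ecdsa_cert(curves, cert_curve):
        return f"ok: {CURVE_NAMES[cert_curve]} is in the client's list {names}"
    return (f"handshake failure: certificate curve {CURVE_NAMES[cert_curve]} "
            f"not among client curves {names}")

if __name__ == "__main__":
    for curves in (ECCURVES_DEFAULT, ECCURVES_WITH_P521):
        print(diagnose(encode_supported_curves_ext(curves), SECP521R1))
```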

chro...@googlecode.com

Apr 19, 2015, 11:18:37 AM
to chromi...@chromium.org

Comment #4 on issue 478225 by hdf...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

I'm starting to be more and more certain that I may have bullseyed the
problematic line right off the bat.
https://boringssl.googlesource.com/boringssl/+/e9fc3e547e557492316932b62881c3386973ceb2%5E!
I don't really understand the reasoning behind it.

chro...@googlecode.com

Apr 19, 2015, 12:43:36 PM
to chromi...@chromium.org

Comment #5 on issue 478225 by rse...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

I'm thinking this function looks awfully suspicious. It explicitly checks
for two curves (not including secp521r1), and rejects all others.

https://code.google.com/p/chromium/issues/detail?id=478225

chro...@googlecode.com

Apr 19, 2015, 12:51:16 PM
to chromi...@chromium.org

Comment #6 on issue 478225 by rse...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

I'm thinking this function looks awfully suspicious. It explicitly checks
for two curves (not including secp521r1), and rejects all others.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boringssl/src/crypto/x509/x509_cmp.c&cl=GROK&l=368

chro...@googlecode.com

Apr 19, 2015, 1:03:20 PM
to chromi...@chromium.org

Comment #7 on issue 478225 by hdf...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

Yes, I have noticed that code segment as well, but that code section has
not changed for a long time, and I think it was never any different, and
in Chrome 41 all was still working fine.

chro...@googlecode.com

Apr 20, 2015, 3:34:54 PM
to chromi...@chromium.org

Comment #8 on issue 478225 by hdf...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

Interesting, secp521r1 is supported on the Linux version of Chrome
42.0.2311.90 (64-bit). So it's only a Windows/OS X problem.

chro...@googlecode.com

Apr 28, 2015, 11:55:25 AM
to chromi...@chromium.org
Updates:
Status: Duplicate
Mergedinto: 477623

Comment #12 on issue 478225 by davi...@chromium.org: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

(No comment was entered for this change.)

chro...@googlecode.com

Oct 21, 2015, 9:30:40 AM
to chromi...@chromium.org

Comment #13 on issue 478225 by yhaupent...@gmail.com: Chrome TLS no longer
supports secp521r1 in elliptic curve certificates
https://code.google.com/p/chromium/issues/detail?id=478225

After upgrading to 46.0.2490.71 (64-bit) on Linux it seems that it was
removed here also. I can't connect to websites using secp521r1 anymore.