Chrome 56 accepting Elliptic Curve certificates signed with Sha256RSA?


Warren V

Jan 27, 2017, 5:45:11 PM
to Chromium-discuss
My place of work has experienced a problem where Chrome 56 responds to our servers' TLS "server hello done" packet with a fatal "illegal parameter" message. Chrome 54 has been working fine. Our servers are using Symantec-issued ECC certs using the NIST 256 curve and signed with SHA-2 256. Interestingly, if we disable ECDSA in our list of available ciphers, Chrome 56 negotiates successfully using a standard RSA-2048 certificate.

In troubleshooting this issue, I visited facebook.com, which appears to have functional ECDSA negotiation with Chrome 56. In reviewing their wildcard *.facebook.com certificate, I noted that it is reporting its signature algorithm as being "sha256RSA", not "sha256ECDSA".

Did I miss an announcement somewhere that Chrome is no longer allowing EC certificates to identify themselves with "sha256ECDSA", as part of the SHA-1 deprecation?

PhistucK

Jan 27, 2017, 6:03:11 PM
to warren...@gmail.com, Chromium-discuss
security-dev is probably a better place for this.


PhistucK

Primiano Tucci

Jan 28, 2017, 12:13:34 AM
to warren...@gmail.com, Chromium-discuss
I think this thread might be what you are looking for:
For further questions, net...@chromium.org is the right group.

Warren V

Jan 30, 2017, 10:22:49 AM
to Primiano Tucci, Chromium-discuss
Thanks, but that thread only discusses deprecation of SHA-1 with regard to certificate signing, not key exchange.