On Fri, Jun 14, 2019 at 09:05:32AM +0800, John Jiang wrote:
> > See https://github.com/openssl/openssl/issues/4175#issuecomment-322915924
> >
> > When using ECDSA with TLSv1.2, the group list MUST include the group
> > used in the certificate. Otherwise, you get no shared cipher as
> > you reported.
>
> How about this point in TLSv1.3?
> With my testing, the case "ECDSA certificate with curve secp256r1 + named
> group secp521r1" works fine with OpenSSL s_server and s_client.

In TLS 1.3, the "supported groups" extension restricts the curves used in
the key exchange:

    https://tools.ietf.org/html/rfc8446#section-4.2.7

The curves used for signing are covered by "signature algorithms":

    https://tools.ietf.org/html/rfc8446#section-4.2.3

Which should, if I am not mistaken, allow an ECDSA certificate to be used
with a "supported groups" list that does not list the curve associated
with the certificate.

-- 
    Viktor.
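A constructed reproduction of the two cases discussed above (an added example, not code from the thread or from OpenSSL): a secp256r1 ECDSA certificate served with the group list pinned to secp521r1, handshaken once at TLS 1.2 and once at TLS 1.3. It assumes an openssl binary (1.1.1 or later) on PATH and a free loopback port (4433 unless PORT is set); the file names and subject are scratch values.

```shell
#!/bin/sh
# Reproduce the thread's scenario: P-256 ECDSA cert, group list = secp521r1 only.
# Expected (per RFC 8446 and the OpenSSL issue): TLS 1.2 -> no shared cipher,
# TLS 1.3 -> handshake succeeds, because 1.3 scopes supported_groups to the key
# exchange and leaves the signing curve to signature_algorithms.
# Assumes: openssl 1.1.1+ on PATH and loopback port $PORT free (constructed setup).
set -u
WORK=$(mktemp -d)
PORT=${PORT:-4433}
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed ECDSA certificate on secp256r1 (OpenSSL name prime256v1).
make_p256_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=groups-test" -days 1 >/dev/null 2>&1
}

# One handshake at the given version ($1 is -tls1_2 or -tls1_3) with both
# peers offering only secp521r1. Prints "ok" or "fail".
handshake_with_secp521r1_only() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -groups secp521r1 "$1" -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    # s_client reports "Cipher is (NONE)" when the handshake fails.
    out=$(echo | openssl s_client -connect "127.0.0.1:$PORT" -groups secp521r1 "$1" \
          2>/dev/null || true)
    case "$out" in
        *"Cipher is (NONE)"*) result=fail ;;
        *"Cipher is "*)       result=ok ;;
        *)                    result=fail ;;   # no output: openssl missing or bind failed
    esac
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    echo "$result"
}

demo() {
    make_p256_cert
    echo "TLS 1.3, P-256 cert, groups=secp521r1: $(handshake_with_secp521r1_only -tls1_3)"
    echo "TLS 1.2, P-256 cert, groups=secp521r1: $(handshake_with_secp521r1_only -tls1_2)"
}
demo
```

If the TLS 1.2 line prints "fail", inspect the server side with s_server run in the foreground: it reports "no shared cipher", which is exactly the symptom the issue describes.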