TLS 1.3 with ECC/RSA dual certificate

Posted by meteor8488 
May 03, 2019 10:12AM
Hi All,

In the past, with TLS 1.1/1.2, it was suggested to add both ECC and RSA certificates to the web server, so that if the browser supports it, the ECC certificate is used to speed up the web site, and if the browser does not support it, the server falls back to the RSA certificate.

Now I'm trying to enable TLS 1.3 for my website. But it seems TLS 1.3 doesn't support ECC certificates. All the ssl_ciphers for TLS 1.3 are as follows:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

So, to get better performance and speed, what's the suggested order?

TLS 1.3 with RSA certificate
TLS 1.2/1.1 with ECC certificate
TLS 1.2/1.1 with RSA certificate

or

TLS 1.2/1.1 with ECC certificate
TLS 1.3 with RSA certificate
TLS 1.2/1.1 with RSA certificate

Then what's the suggested ssl_ciphers order?
Re: TLS 1.3 with ECC/RSA dual certificate
May 04, 2019 08:10PM
Found the answer:

The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration.

So I only need to put the TLS 1.3 ciphers into the list.
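
The point quoted in the answer above, shown as an added example that is not part of the original posts: a Python sketch that reads the certificate type each ciphersuite is bound to and reports which certificate of an ECC/RSA pair it can be used with. The helper names and the sample list are constructed for illustration; the field layout follows what Python's `ssl.SSLContext.get_ciphers()` returns.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLContext.get_ciphers();
# only the fields used below are kept.
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any", "auth": "auth-any"},
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3", "kea": "kx-any", "auth": "auth-any"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any", "auth": "auth-any"},
    {"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "auth": "auth-ecdsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "auth": "auth-rsa"},
]

# OpenSSL authentication label -> certificate key type the suite is tied to.
AUTH_TO_CERT = {"auth-ecdsa": "ECDSA", "auth-rsa": "RSA"}


def usable_certs(cipher, installed=("ECDSA", "RSA")):
    """Certificate types from the installed set that this suite can be used with."""
    auth = cipher.get("auth")
    if auth == "auth-any":  # TLS 1.3: the suite names no certificate type
        return list(installed)
    bound = AUTH_TO_CERT.get(auth)
    return [bound] if bound in installed else []


def report(ciphers, installed=("ECDSA", "RSA")):
    """Map suite name -> (protocol, usable certificate types), keeping list order."""
    return {c["name"]: (c["protocol"], usable_certs(c, installed)) for c in ciphers}


def live_ciphers():
    """Suites enabled in this Python's default server context (depends on the local OpenSSL build)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).get_ciphers()


if __name__ == "__main__":
    for title, ciphers in (("constructed sample", SAMPLE), ("local OpenSSL", live_ciphers())):
        print(f"== {title} ==")
        for name, (proto, certs) in report(ciphers).items():
            print(f"{proto:8} {name:32} {'/'.join(certs) or 'none of the installed'}")
```

In TLS 1.3 the certificate is chosen from the signature algorithms the client offers, not from the ciphersuite, so each of the three TLS 1.3 suites listed in the question can be used with either certificate of the pair.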