30

I Wireshark'ed a Firefox 3 request, because I couldn't find the curve names documented:

Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: secp521r1 (0x0019)

What are the supported curves for other browsers? Does someone want to extend this list?

You can view your supported curves here (search for "Elliptic curves" "Named Groups").

Smit Johnth
  • 1,741
  • 4
  • 17
  • 23
  • I recommend using an RSA certificate together with ECDH on P256 for key exchange. That way a single certificate works in all browsers, but you get most of the benefit of ECC. The security level required for authentication is lower than what's required for confidentiality, since you only need to protect against current but not future attacks. – CodesInChaos Mar 01 '13 at 16:14
  • 1
    RSA is not an option for slow devices like soho routers and smaller. For this case it also doesn't matter that there is no ECC CA. And your answer is a little bit offtopic here. – Smit Johnth Mar 01 '13 at 19:58
  • Chromium 45 announces the same 3 curves. – lapo Oct 08 '15 at 09:15
  • Does not www.howsmyssl.com tell you when you browse to it? – Stone True Nov 21 '15 at 16:14
  • @StoneTrue no, but still thanks for the link. – Smit Johnth Nov 22 '15 at 04:51

4 Answers4

19

When software (browsers, Web servers...) supports elliptic curves at all, you can more or less expect support for the two curves given in NSA suite B, i.e. the P-256 and P-384 curves which are specified in FIPS 186-3. These are the same curves as the "secp256r1" and "secp384r1" which you list. The 15 standard NIST curves (from FIPS 186-3) are actually a subset of the curves specified by Certicom in SEC 2.

Some software implementations go further and support other curves. For instance, OpenSSL supports all 15 NIST curves (code was contributed by Sun and is believed not to infringe on any patent -- which explains why OpenSSL does not implement acceleration of Koblitz curves through the Frobenius endomorphism). But if you want to maximize interoperability with existing browsers and servers, stick to P-256 and P-384 (I think these are the only two which will work with Internet Explorer, for instance).

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 1
    IE8 doesn't support ECC at all. Should we make a list of browsers which support ECC? – Smit Johnth Mar 01 '13 at 15:35
  • Such a list would be useful, but would have to be maintained. The situation is made more complex because the OS version may matter; I suspect IE 8.0 could support ECC if used on a recent enough OS, e.g. Windows 7. Also, processing of X.509 certificates and usage of elliptic curves as part of an ECHDE cipher suite are usually distinct software elements, which need not support the exact same set of curves. – Tom Leek Mar 01 '13 at 15:47
  • It should only matter on IE, which uses OS built-in crypto, the rest should use built-in. The reason for this list is which curves may be used for certificate generation. So if someone can extend these data - please do it! – Smit Johnth Mar 01 '13 at 16:04
7

Like it was said by @Tom Leek secp256r1 is P-256, secp384r1 is P-384 and secp521r1 is P-521. They are all part of the NSA suite B.

A Wikipedia article has a list of all implementation of curves. So the most common clients are:

OpenSSL/LibreSSL

  • offers support for 28 curves
  • including P-256, P-384 and P-521
  • they do not support Curve25519 and (Ed448-)Goldilocks which are the new standardized ones by the IETF.

As Chrome/Chromium uses BoringSSL - a fork of OpenSSL - it should support the same.

Firefox (NSS)

Firefox uses NSS (Network Security Services) for HTTPS connections. NSS supports:

  • 25 curves (compared to OpenSSL 3 brainpool curves are missing)
  • including P-256, P-384 and P-521
  • they do not support Curve25519 and (Ed448-)Goldilocks too

However...

...this is only the theoretical part and many implementation may only take effect on the server side. Practically you can analyse the traffic with Wireshark - like you did - and look at the curves it offers.

  • You're correct: Firefox supports P-256, P-384 and P-521.
  • And I tested it with Chromium and got: P-256, P-384.

Update: 2016-07-03

Note that you can also see on SSLLabs which browsers support which elliptical curves. And there you can e.g. also see that Chrome 50 supports X25519.

rugk
  • 1,257
  • 1
  • 13
  • 26
  • Related: https://security.stackexchange.com/questions/104993/does-elliptical-curves-in-ecdhe-and-ecdsa-are-the-same – rugk Nov 08 '15 at 21:37
  • 3
    Firefox also seems to have added support for Curve25519: https://bugzilla.mozilla.org/show_bug.cgi?id=957105 – Jordan Miner Dec 23 '16 at 22:36
  • "*Note that you can also see on SSLLabs which browsers support which elliptical curves.*" information not found in source, did the page change? It doesn't mention elliptic curves, let alone which curves are supported. – Luc May 25 '22 at 15:38
  • 1
    @Luc Not on the overview, but you can click on/choose the individual client. – rugk May 26 '22 at 17:48
1

Firefox (and also palemoon and waterfox) claim to support secp256r1, secp384r1 and secp521r1, but when connecting to a webserver with a secp384r1 certificate signed by a secp521r1 CA, I get an error: (Error code: sec_error_bad_signature).

IE and Chrome connect successfully to this server o they seem to have implemented EC correctly.

ah12
  • 21
  • 2
  • 1
    this looks like a new question - is it? – schroeder Feb 13 '16 at 18:35
  • 2
    It is partly an answer. The original question was: "What elliptic curves are supported by browsers?". My answer above was that theoretically all modern browsers support the 3 curves mentioned above, but practically Mozilla-like browsers end with an error. – ah12 Feb 13 '16 at 19:14
  • @ah12: do you have a link to the mozilla bugzilla with this issue? – Hubert Kario Oct 11 '16 at 13:36
-2

Elliptic Cryptographic curves for IE (and Edge) - ECDH Key exchange

There are actually some more ECC curves which can be called up ("named") for being used in IE or Edge, which means system-side for browsers that hook to it.

I have imported the following into my Windows 10 System (may also work for Windows 8.1 meanwhile since these also support elliptic curve parametering on secret key exchange, Windows 7 seems to only have two default curves and does simply ignore the pasting into that registry branch):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
    @="NCRYPT_SCHANNEL_INTERFACE"
    "Functions"=hex(7):54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,\
      45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,\
      00,53,00,5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,\
      41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,\
      00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,\
      5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,\
      00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,\
      43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,\
      00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,\
      5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,\
      00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,\
      48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,\
      00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,\
      44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,\
      00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,5f,00,\
      53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,44,00,48,\
      00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,\
      45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,\
      00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,\
      48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,\
      00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,\
      5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,\
      00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,\
      49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,\
      00,42,00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,\
      53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,\
      00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,\
      43,00,42,00,43,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,\
      00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,\
      57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,\
      00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,\
      4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,\
      00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,\
      35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,\
      00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,\
      41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,\
      00,38,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,\
      53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,\
      00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,\
      43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,00,45,\
      00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,\
      48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,00,42,00,43,\
      00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,00,44,00,48,00,45,00,\
      5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,\
      00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,\
      00,00,54,00,4c,00,53,00,5f,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,\
      00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,\
      5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,\
      00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,\
      5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,33,\
      00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,52,00,53,00,41,00,5f,00,57,00,\
      49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,47,\
      00,43,00,4d,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,\
      53,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,\
      00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,\
      41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,52,00,53,00,41,00,5f,\
      00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,\
      5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,\
      00,4c,00,53,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,\
      41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,53,\
      00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,00,52,00,53,00,41,00,5f,00,57,00,\
      49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,\
      00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,00,00
    "EccCurves"=hex(7):63,00,75,00,72,00,76,00,65,00,32,00,35,00,35,00,31,00,39,00,\
      00,00,73,00,65,00,63,00,74,00,35,00,37,00,31,00,72,00,31,00,00,00,73,00,65,\
      00,63,00,74,00,35,00,37,00,31,00,6b,00,31,00,00,00,73,00,65,00,63,00,70,00,\
      35,00,32,00,31,00,72,00,31,00,00,00,73,00,65,00,63,00,74,00,34,00,30,00,39,\
      00,6b,00,31,00,00,00,73,00,65,00,63,00,74,00,34,00,30,00,39,00,72,00,31,00,\
      00,00,73,00,65,00,63,00,70,00,33,00,38,00,34,00,72,00,31,00,00,00,73,00,65,\
      00,63,00,74,00,32,00,38,00,33,00,6b,00,31,00,00,00,73,00,65,00,63,00,74,00,\
      32,00,38,00,33,00,72,00,31,00,00,00,73,00,65,00,63,00,70,00,32,00,35,00,36,\
      00,6b,00,31,00,00,00,73,00,65,00,63,00,70,00,32,00,35,00,36,00,72,00,31,00,\
      00,00,73,00,65,00,63,00,74,00,32,00,33,00,39,00,6b,00,31,00,00,00,73,00,65,\
      00,63,00,74,00,32,00,33,00,33,00,6b,00,31,00,00,00,73,00,65,00,63,00,74,00,\
      32,00,33,00,33,00,72,00,31,00,00,00,73,00,65,00,63,00,70,00,32,00,32,00,34,\
      00,6b,00,31,00,00,00,73,00,65,00,63,00,70,00,32,00,32,00,34,00,72,00,31,00,\
      00,00,73,00,65,00,63,00,74,00,31,00,39,00,33,00,72,00,31,00,00,00,73,00,65,\
      00,63,00,74,00,31,00,39,00,33,00,72,00,32,00,00,00,73,00,65,00,63,00,70,00,\
      31,00,39,00,32,00,6b,00,31,00,00,00,73,00,65,00,63,00,70,00,31,00,39,00,32,\
      00,72,00,31,00,00,00,73,00,65,00,63,00,74,00,31,00,36,00,33,00,6b,00,31,00,\
      00,00,73,00,65,00,63,00,74,00,31,00,36,00,33,00,72,00,31,00,00,00,73,00,65,\
      00,63,00,74,00,31,00,36,00,33,00,72,00,32,00,00,00,73,00,65,00,63,00,70,00,\
      31,00,36,00,30,00,6b,00,31,00,00,00,73,00,65,00,63,00,70,00,31,00,36,00,30,\
      00,72,00,31,00,00,00,73,00,65,00,63,00,70,00,31,00,36,00,30,00,72,00,32,00,\
      00,00,00,00
schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 1
    Do you have any explanation for what any of this is? I'm not sure anyone will blindly copy/paste this into their registry. – schroeder Dec 01 '17 at 10:21