Going ECC
For a while now I’ve wanted Nginx to support dual certificates. I don’t mean SNI, I mean the server choosing a different certificate depending on how the negotiation goes for the protocol. The reason I wanted this was to use an ECC certificate for my domain.
After thinking about it though, do I really need dual certificates, or will just going full-ECC be enough? Using the ever resourceful SSLLabs, I looked at the clients I support today. I had already eliminated Windows XP browsers and Java 6 from accessing the site due to a lack of SSLv3 and using 2048-bit DH parameters. So by switching to ECC, what more would I eliminate that I haven’t already? Turns out the list is a bit short:
- Android 2.x
- OpenSSL 0.9.8y
I’m not feeling all that big of a loss by not supporting those clients. Doing so would also allow me to eliminate all DHE ciphers from my cipher suite as well. I have added a new public key to my HPKP header for an ECDSA certificate. Before I can deploy the ECC certificate, I need to wait for my HPKP header to expire, which is at 60 days. In advance though, I’ve eliminated support for DHE in the cipher suite.
Another unrelated change is support for IPv6. The site now has IPv6 addresses. The DNS resolvers are not IPv6, that might be something I tackle later.