Minimum EC size (with extension) not correct when server using certificate signed with EC #1
Description
Hi Thomas,
Thank you for developing this great tool, it's really helpful to check the security of a SSL server.
But I found an odd thing recently that the info returned in ServerHello might not be correct when server side is using a certificate signed with EC.
At first, I wanted to use this tool to check the security of my Tomcat which was using a certificate signed with RSA:2048, but I got WARN[SK004].
To get rid of that warning, I switched to use a certificate signed with EC:secp256r1, but I still got that warning.
That made me start to look into the codes to identify the issue is in server side or in the tools.
Finally I found if we send ClientHello with the extension including all curves from 1 to 30, the server will tell us it supports 1 ~ 23. But if we send ClientHello with the extension including one curve each time, from 1 to 30, the server will tell us it only supports 23, which's the curve used to sign the certificate. And then I tried a little further, if we send ClientHello with the extension including any other curves its ID less than 23 together with 23, the server will always tell us it supports all of them.
I am not sure if this is a defect of the tool or a defect of the server I am using.
Can you please take a look?
FYI. The info of my server, certificate, and cipher suites:
Web Server: Tomcat 8.0.33
TLSv1.2:
server selection: uses client preferences
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
key type: EC
key size: 256
key curve: ansix9p256r1 (P-256)
sign hash: SHA-256
Minimum EC size (no extension): 256
Minimum EC size (with extension): 162
Supported curves (size and name) ('*' = selected by server):
162 sect163k1 (K-163)
- 256 secp256r1 (P-256)
Thanks,
Alan