<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">

<meta name="Generator" content="Microsoft Exchange Server">

<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>

</head>

<body>

<div dir="auto">

<div dir="auto">This isnt an nginx question.  Ask chromium developers why they chose that approach.</div>

<div dir="auto"><br>

</div>

<div dir="auto"><br>

</div>

<div dir="auto"><br>

</div>

<div id="x_composer_signature" dir="auto">

<div dir="auto" style="font-size:12px; color:#575757">Sent from my Galaxy</div>

</div>

<div dir="auto"><br>

</div>

<div><br>

</div>

<div><br>

</div>

<div>-------- Original message --------</div>

<div>From: wordlesswind via nginx <nginx@nginx.org> </div>

<div>Date: 5/21/22 14:56 (GMT-05:00) </div>

<div>To: nginx@nginx.org </div>

<div>Cc: wordlesswind <i@qingly.me> </div>

<div>Subject: Why do newer versions of Chromium favor RSA certificates over ECC certificates?

</div>

<div><br>

</div>

</div>

<font size="2"><span style="font-size:11pt;">

<div class="PlainText">Hello,<br>

<br>

<br>

I noticed that after Chromium 594356 build (71.0.3563.0) it favors RSA <br>

certificates over ECC certificates.<br>

<br>

<br>

Windows x86-64:<br>

<br>

<a href="https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/594356/">https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/594356/</a><br>

<br>

<a href="https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/594369/">https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/594369/</a><br>

<br>

<br>

I don't get the idea from the changes in the source code. I'm curious to <br>

know why, since obviously ECC certificates are smaller than RSA <br>

certificates.<br>

<br>

<br>

Let’s Encrypt<br>

<br>

ECC 384 (E1)<br>

<br>

RSA 4096 (R3)<br>

<br>

nginx.conf:<br>

         ssl_stapling         on;<br>

         resolver             8.8.8.8 1.1.1.1 valid=300s;<br>

         ssl_stapling_verify  on;<br>

<br>

         ssl_session_cache    shared:SSL:10m;<br>

         ssl_session_timeout  1d;<br>

<br>

         ssl_protocols        TLSv1.2 TLSv1.3;<br>

         ssl_ciphers <br>

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;<br>

         ssl_ecdh_curve       secp384r1;<br>

<br>

         ssl_early_data       on;<br>

<br>

_______________________________________________<br>

nginx mailing list -- nginx@nginx.org<br>

To unsubscribe send an email to nginx-leave@nginx.org<br>

</div>

</span></font>

</body>

</html>