Starred by 14 users

Issue metadata

Status: Duplicate
Merged: issue 477623
Owner: ----
Closed: Apr 2015
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Issue 478225: Chrome TLS no longer supports secp521r1 in elliptic curve certificates

Reported by, Apr 17 2015

Issue description

I have Version 42.0.2311.90 (64-bit).  In an update that took effect for me yesterday, the TLS handshake from Chrome changed.  The previous version supported three elliptic curve types, including secp521r1.  After the update secp521r1 is no longer supported.  As far as I know, there is no security related reason to drop support for secp521r1.

I can supply relevant packet captures if it would help.

Comment 1 by, Apr 17 2015

Same here on Windows. Also, the current Chromium (44.0.2374.0) has the same problem. (That's why I started to think that this was intentional.) Can test here:

Comment 2 by, Apr 19 2015

Just to confirm, I see the same behavior (dropped support for secp521r1) in both OS X (42.0.2311.90 64-bit) and Windows (42.0.2311.90 m) versions of Chrome.

Comment 3 by, Apr 19 2015

Same on 64 bit version, and still present in Chromium 44.0.2375.0. Could we change the OS of this report to All?

After a bit of looking around, I'm starting to think the problem might be coming from the BoringSSL library.
Here maybe? It says:
static const uint16_t eccurves_default[] = {
    23, /* X9_64_prime256v1 */
    24, /* secp384r1 */

Comment 4 by, Apr 19 2015

I'm starting to be more and more certain that I may have bullseyed the problematic line right off the bat!
I don't really understand the reasoning behind it.

Comment 5 Deleted

Comment 6 by, Apr 19 2015

I'm thinking this function looks awfully suspicious.  It explicitly checks for two curves (not including secp521r1), and rejects all others.

Comment 7 by, Apr 19 2015

Yes, I have noticed that code segment as well, but that code section has not changed for a long time, and I think it was never any different, and in Chrome 41 all was still working fine.

Comment 8 by, Apr 20 2015

Interesting, secp521r1 is supported on the Linux version of Chrome 42.0.2311.90 (64-bit). So it's only a Windows/OSX problem.

Comment 9 by, Apr 22 2015

Labels: TE-NeedsFurtherTriage

Comment 10 by, Apr 28 2015

Issue 481114 has been merged into this issue.

Comment 11 by, Apr 28 2015

Labels: -TE-NeedsFurtherTriage Cr-Internals-Network-SSL

Comment 12 by, Apr 28 2015

Mergedinto: 477623
Status: Duplicate

Comment 13 by, Oct 21 2015

After upgrading to 46.0.2490.71 (64-bit) on Linux it seems that it was removed here also. I can't connect to websites using secp521r1 anymore.

Comment 14 by, Apr 1 2017

I am curious to know if there are any updates on this issue.

Comment 15 by, Apr 2 2017

There are no changes in plans. Chrome does not support P-521.
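
Added example, not part of the original thread and not Chrome or BoringSSL code: one way to confirm from a packet capture which curves a client offers is to read the supported_groups extension (type 10, formerly elliptic_curves) out of the ClientHello, where secp521r1 is id 25. The function names and the sample ClientHello are constructed for illustration, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct

# IANA ids for the NIST curves named in this thread (23 and 24 appear in the quoted array).
CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

def _take(buf, off, n):
    """Slice n bytes at off, failing loudly on a truncated message."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n

def offered_curves(record):
    """Return the curve ids in the supported_groups extension (type 10)."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a handshake record starting with a ClientHello")
    body, _ = _take(record, 9, int.from_bytes(record[6:9], "big"))
    off = 2 + 32                                  # client_version + random
    for width in (1, 2, 1):                       # session_id, cipher_suites, compression
        raw, off = _take(body, off, width)
        _, off = _take(body, off, int.from_bytes(raw, "big"))
    if off == len(body):
        return []                                 # ClientHello without extensions
    raw, off = _take(body, off, 2)
    exts, _ = _take(body, off, int.from_bytes(raw, "big"))
    pos = 0
    while pos < len(exts):
        hdr, pos = _take(exts, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", hdr)
        data, pos = _take(exts, pos, ext_len)
        if ext_type == 10:
            if len(data) < 2 or len(data) - 2 != int.from_bytes(data[:2], "big") or len(data) % 2:
                raise ValueError("malformed supported_groups extension")
            return list(struct.unpack(f"!{len(data) // 2 - 1}H", data[2:]))
    return []

def build_client_hello(curves):
    """Constructed sample: minimal TLS 1.2 ClientHello record offering `curves`."""
    groups = struct.pack(f"!{len(curves)}H", *curves)
    ext = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups
    body = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session_id
            + b"\x00\x02\xc0\x2b" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for label, ids in (("with P-521", [23, 24, 25]), ("without P-521", [23, 24])):
        seen = offered_curves(build_client_hello(ids))
        print(label, [CURVES.get(c, c) for c in seen], "secp521r1 offered:", 25 in seen)
```

Feeding it the raw bytes of the first client record from captures taken on two browser versions shows directly whether id 25 is present in one and absent in the other.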
