Hacker News new | past | comments | ask | show | jobs | submit login

Most excellent question, kss238. The next part in the series, which breaks apart the different parts of a TLS ciphersuite, was just published: http://fly.io/articles/how-ciphersuites-work/

It should answer your question, in similar spirits to that of this article. Thank you for reading and I wish you well.




What is the rest of the context of the Golang code snippet in that that link?


It's most likely to be Fly-specific, but you could replicate this behavior with passing appropriate to tls.Config#GetCertificate (https://golang.org/pkg/crypto/tls/#Config). You could then have something like that :

  GetCertificate: func(helloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) {
  	return myGetCertificateImplementation(checkClientSupportForECDSA(helloInfo))
  }
You would see what curves/ciphersuites are supported by the client and check that against what you'd be supporting (if you use LE than that's more than likely going to be ECDSA with P-256). You would then return ECDSA cert (if one exist) for supporting clients and fallback to RSA certs. :boom: :D


Thanks, cheers.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: