crypto/tls: pick ECDHE curves based on server preference.

Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
2025-12-08 06:10:04 +00:00 · 2014-02-24 17:57:51 -05:00 · 2014-02-24 17:57:51 -05:00 · db99a8faa8
commit db99a8faa8
parent e6e8945001
30 changed files with 793 additions and 801 deletions
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@ -43,7 +43,7 @@ func (c *Conn) clientHandshake() error {
 		random:              make([]byte, 32),
 		ocspStapling:        true,
 		serverName:          c.config.ServerName,
-		supportedCurves:     []uint16{curveP256, curveP384, curveP521},
+		supportedCurves:     c.config.curvePreferences(),
 		supportedPoints:     []uint8{pointFormatUncompressed},
 		nextProtoNeg:        len(c.config.NextProtos) > 0,
 		secureRenegotiation: true,