I have deployed an ECC certificate on my domain hosted on Netlify, but after testing my site with Qualys SSL Labs, I can see my site is only available via TLS 1.3.
Hi, @chinkung. This is a custom certificate you uploaded and we cannot make changes to it.
If you want to change the SSL certificate you will need to do so by uploading a different certificate. If there are other questions about this, please let us know.
Great suggestion! We’ll work on that with our docs team. I’m not sure if it is truly “RSA only” or if it’s instead “symmetrical cryptography only” so we’ll work with our team to understand and update the docs appropriately.
From what I observe, I found the main non-SNI certificate is RSA (*.netlify.com), and the web server obeys the main certificate and uses SSL cipher suites signed with RSA (ECDHE-RSA-*) for TLS versions lower than 1.3. This causes an ECC certificate, which requires an ECC cipher suite signed with ECDSA (ECDHE-ECDSA-*), to not work with TLS versions lower than 1.3.
Thanks for that follow-up! Our developers will look at your reports and work with us to improve the docs or advise in case they think that an ECC cert should work better.
We only recently started supporting ECDSA ciphers in our CDN infrastructure. In the past we only supported RSA (but didn’t document that anywhere, sorry!).
The rollout of the new ciphers finished around the end of the year, so can you maybe try the custom cert again and let us know how it goes?
I recently tested a LetsEncrypt-issued ECDSA cert with SSL Labs and it showed the expected support.
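The mismatch discussed in this thread, modelled as an added example (not Netlify's code or configuration): TLS 1.2 suite names bind the certificate key type, while TLS 1.3 suite names do not, so an ECDSA certificate behind an RSA-only TLS 1.2 cipher list is reachable over TLS 1.3 only. The cipher lists are constructed samples and the function names are hypothetical.

```python
# Added example. Suite names use OpenSSL notation; the two server cipher
# lists are constructed samples, not any provider's real configuration.

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def suite_auth(name):
    """Certificate key type a suite requires: 'RSA', 'ECDSA', 'any', or None."""
    if name in TLS13_SUITES:
        return "any"   # TLS 1.3 suites name only AEAD + hash; auth is negotiated separately
    parts = name.split("-")
    if len(parts) > 1 and parts[0] in ("ECDHE", "DHE") and parts[1] in ("RSA", "ECDSA"):
        return parts[1]  # e.g. ECDHE-RSA-* needs an RSA certificate
    return None          # not classified by this sketch (PSK, static RSA, ...)

def usable_suites(cert_key, server_suites):
    """Group the server's suites that can be used with a cert of type cert_key."""
    result = {"TLS1.3": [], "TLS1.2-and-below": []}
    for suite in server_suites:
        auth = suite_auth(suite)
        if auth == "any":
            result["TLS1.3"].append(suite)
        elif auth == cert_key:
            result["TLS1.2-and-below"].append(suite)
    return result

def negotiable(cert_key, server_suites):
    """Protocol families in which a handshake can complete with this cert."""
    usable = usable_suites(cert_key, server_suites)
    return [family for family, suites in usable.items() if suites]

# Constructed sample: TLS 1.2 suites are RSA-authenticated only.
RSA_ONLY_EDGE = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
# Constructed sample: the same list after ECDSA suites are added.
DUAL_EDGE = RSA_ONLY_EDGE + ["ECDHE-ECDSA-AES128-GCM-SHA256",
                             "ECDHE-ECDSA-CHACHA20-POLY1305"]

if __name__ == "__main__":
    for label, suites in (("RSA-only edge", RSA_ONLY_EDGE), ("dual edge", DUAL_EDGE)):
        for key in ("RSA", "ECDSA"):
            print(f"{label:14} {key:5} cert -> {negotiable(key, suites)}")
```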