RFC8446/TLSv1.3 Section 9.1 says that “implementations SHOULD support X25519”.
An online list
of software supporting Curve25519 list both Firefox and /Chrome
as supporting it for TLS.
I did an experiment and created a self-signed TLS cert with Ed25519. Both Chromium 84 and Firefox 79 complain
about not being able to negotiate the cipher list/version. I’ve also noticed that they initiate TLSv1.2 handshakes when
connecting to localhost, but use TLSv1.3 handshakes when connecting to google for example.
wget on the other hand,
has no problem connecting (I used
but afaik that shouldn’t matter here)
I then looked at the TLSv1.3 handshakes. neither browser offers Ed25519 as a signature in their
ClientHello (even when connecting to google via TLSv1.3). Again, wget does offer it
as part of the ClientHello.
So I figured this might be a platform issue with my distro (Fedora), but this Blog Post also claims that the major browsers don’t supports X25519. While ChromeStatus says it’s been supported since Chrome 50 (I’m assuming chrome and upstream chromium do not differ in this).
I’m totally confused. What’s the current state of X25519 support on major browsers? is it a google chrome vs. upstream chromium issue?