
Microsoft has reported that it will only support TLS 1.2 with at least one of the following ciphers:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

https://docs.microsoft.com/en-us/power-platform/admin/server-cipher-tls-requirements

However, when I test my website's TLS ciphers I see the closest equivalent reported as "ECDSA" and not "RSA". For example:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

The endpoint I am testing is Cloudflare. Their list of ciphers indicates RSA is supported, but I don't see RSA in the list when I test it on ssllabs.com.

https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites

Are ECDSA and RSA equivalent? Would this difference cause an issue with Microsoft?

2 Answers

RSA and ECDSA are not equivalent terms; rather, they are the two main alternatives for certificate signing today.

RSA is significantly more popular for TLS use (based on tradition mostly), but ECDSA is a perfectly valid option and probably more forward-looking.

The Microsoft Power Platform documentation lists cipher suite requirements for the RSA "track" only (probably because of its popularity), and their overall sentiment is quite clear: they refuse outdated TLS parameters. However, not allowing ECDSA does not really fit that sentiment and it would overall be a bit strange if they refused ECDSA.

Maybe this is just a documentation oversight, but you should probably try to ask them to clarify the situation; it's very possible that ECDSA works, but it's not nice to assume that their documentation is wrong and then possibly get the rug pulled from under your feet.

Otherwise, see if Cloudflare can provide you with RSA-based certificates or, alternatively, supply such certificates yourself.

Håkan Lindqvist

Are ECDSA and RSA equivalent?

No. RSA ciphers can only be used if the certificate has an RSA public key. ECDSA ciphers can only be used if the certificate has an ECC public key. If you want to use the ciphers required then you have to change the certificate to one with an RSA public key.

Would this difference cause an issue with Microsoft?

Since nothing in the part you cite indicates that they will also accept ECDSA ciphers it is not unlikely that this can cause an issue.

Steffen Ullrich
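The mismatch discussed in the answers above can be checked offline. This is an added example, not part of either answer. It parses IANA suite names, compares a server's offered list with the four required suites, and reports which required suites differ only in the authentication algorithm. `SERVER_OFFERS` is a constructed scan result, and `parse_suite` and `compare` are hypothetical helper names.

```python
from typing import NamedTuple, Optional

# The four TLS 1.2 suites the question quotes from Microsoft's documentation.
REQUIRED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
# Constructed scan result for an endpoint that presents only an ECDSA certificate.
SERVER_OFFERS = [
    "TLS_AES_128_GCM_SHA256",  # TLS 1.3 name: carries no key exchange or auth
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]
# Certificate public-key type each authentication algorithm needs.
CERT_KEY = {"RSA": "RSA", "ECDSA": "EC"}

class Suite(NamedTuple):
    kx: Optional[str]    # key exchange, e.g. ECDHE
    auth: Optional[str]  # authentication, tied to the certificate key type
    cipher: str
    digest: str          # MAC hash (CBC suites) or PRF hash (AEAD suites)

def parse_suite(name: str) -> Suite:
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" not in body:  # TLS 1.3 style name
        cipher, digest = body.rsplit("_", 1)
        return Suite(None, None, cipher, digest)
    left, right = body.split("_WITH_", 1)
    parts = left.split("_")
    kx, auth = parts[0], parts[-1]  # "RSA" alone means RSA key exchange and auth
    cipher, digest = right.rsplit("_", 1)
    return Suite(kx, auth, cipher, digest)

def compare(server, required):
    """Return (suites in common, [(required, offered, cert key needed)])."""
    common = [r for r in required if r in server]
    near = []
    for r in required:
        want = parse_suite(r)
        for s in server:
            have = parse_suite(s)
            if have.auth and have.auth != want.auth and have._replace(auth=want.auth) == want:
                near.append((r, s, CERT_KEY.get(want.auth, want.auth)))
    return common, near

if __name__ == "__main__":
    print(compare(SERVER_OFFERS, REQUIRED))
```

An empty first list together with a non-empty second list means the endpoint has the right key exchange and cipher but the wrong certificate key type for the required suites.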