crypto/tls: recommend P256 elliptic curve

Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes #19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/crypto/tls/generate_cert.go b/src/crypto/tls/generate_cert.go
index 83f9916ff9d937e1eefcd30e0de6d95a3d5a8c42..8ee2b5922b3778296d7f2868d48fc6047981b7e5 100644 (file)
--- a/src/crypto/tls/generate_cert.go
+++ b/src/crypto/tls/generate_cert.go
@@ -33,7 +33,7 @@ var (
        validFor   = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for")
        isCA       = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority")
        rsaBits    = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set")
-       ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521")
+       ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256 (recommended), P384, P521")
 )
 
 func publicKey(priv interface{}) interface{} {