ECC Compatibility
Mar 6, 2024
ECC Compatibility
ECC stands for Elliptic Curve Cryptography and is an alternative approach to public key cryptography over other standards such as RSA. Read our ECC article for more information. The tables below cover ECC compatibility across different browsers, operating systems, and platforms. Note that there are different curves within ECC and the compatibility tables below only apply to the NIST approved prime-curves P-256 and P-384 which are also supported by GlobalSign.
While P-256 and P-384 are part of NIST's Suite B algorithms, P-521 is not. Google Chrome has dropped support for the P-521 curve; discussion to do the same in NSS (used in Firefox) is underway.
Also note that for some servers & libraries, the minimum version may not be the same across all platforms. For example, while OpenSSL added support for ECC in 0.9.8, not all servers and operating systems leveraging OpenSSL were compiled with this support enabled. CentOS enabled ECC in OpenSSL starting with version 6.5. Another example is Ubuntu 12.04 LTS enabled ECC support in Apache 2.2.22-1ubuntu1.9.
Operating System Support:
| Operating System | Minimum Version Required |
|---|---|
| Apple OS X [1] | OS X 10.6 |
| Google Android | 4.0 |
| Microsoft Windows [2] | Windows Vista |
| Red Hat Enterprise Linux [10] | 6.5 |
Browser Support:
| Browser | Minimum Version Required |
|---|---|
| Apple Safari | 4 (On ECC Compatible OS) |
| Google Chrome* [14] | 1.0 (On ECC Compatible OS) |
| Microsoft Internet Explorer* [14] | 7 (On ECC Compatible OS) |
| Mozilla Firefox* [14] | 2.0 |
Chrome utilizes the cryptographic libraries of the operating system on which it is installed. As a result, Chrome 1.0 can process ECC certificates on Windows Vista+ but not on Windows XP.
Internet Explorer utilizes Windows system libraries for cryptographic functions. As a result Internet Explorer 7 on Windows XP will not support ECC, but will on Windows Vista+ / Server 2008+.
Mozilla Firefox utilizes the NSS (Network Security Services) libraries to handle cryptographic functions like SSL, TLS, and certificate validation independent of the operating system's cryptographic libraries. This means Firefox 2.0+ will handle ECC certificates even on operating systems that do not natively support ECC such as Windows XP.
Server Support:
| Server | Minimum Version Required |
|---|---|
| Apache HTTP Server [7] | 2.2.26 |
| Apache Tomcat [11] | 1.1.30 |
| Dovecot [12] | 2.2.5 |
| IBM HTTP Server [13] | 8.0 w/ PM80235 |
| NGINX [8] | 1.1.0 |
| Sun Java System Web Server [16] | 7.0 |
| Windows Server [2] | 2008 |
Library Support:
| Library | Minimum Version Required |
|---|---|
| Bouncy Castle [3] | 1.04 |
| GnuTLS [9] | 2.99.2 |
| Java* [4] [17] | JDK 5 / JDK 7 |
| NSS [5] | 3.8 |
| OpenSSL [6] | 0.9.8 |
| OpenSSL FIPS Object Module [15] | FIPS Object Module 2.0 (OpenSSL 1.0.1) |
Java 5 & 6 support ECC on platforms with native ECC PKCS#11 implementations. Java 7 contains its own native ECC provider.
Sources:
Cryptography Next Generation
Bouncy Castle - ECC Key Pair Generation
JDK 5 - ECC Support
Bug 195135 - Add support for Elliptic Curve Cryptography to NSS & SSL
NGINX Changelog
RHEL 6.5 Release Notes
Tomcat Release Notes
Dovecot News 2.2.5 Released
IBM PM80235
Tested In-house
ECC & OpenSSL Version
Sun Java System Web Server 7.0 Release Notes
JDK 7 Adoption Guide
Related Articles
SSL Configuration Test
Check your certificate installation for SSL issues and vulnerabilities.