ECC Compatibility

ECC stands for Elliptic Curve Cryptography, an approach to public key cryptography that is an alternative to other standards such as RSA. Read our ECC article for more information. The tables below cover ECC compatibility across different browsers, operating systems, and platforms. Note that ECC includes several different curves; the compatibility tables below apply only to the NIST-approved prime curves P-256 and P-384, which are also supported by GlobalSign.

While P-256 and P-384 are part of NIST's Suite B algorithms, P-521 is not. Google Chrome has dropped support for the P-521 curve; discussion to do the same in NSS (used in Firefox) is underway.

Also note that for some servers and libraries, the minimum version may not be the same across all platforms. For example, while OpenSSL added support for ECC in 0.9.8, not all servers and operating systems leveraging OpenSSL were compiled with this support enabled. CentOS enabled ECC in OpenSSL starting with version 6.5. As another example, Ubuntu 12.04 LTS enabled ECC support in Apache 2.2.22-1ubuntu1.9.
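Because the packaged build matters more than the upstream version number, the curve list of the installed OpenSSL is worth checking directly. The script below is an added example, not GlobalSign's code: it parses `openssl ecparam -list_curves` output for OpenSSL's names for P-256 and P-384 (prime256v1 and secp384r1). The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an OpenSSL build list P-256 and P-384?
# OpenSSL calls these curves prime256v1 and secp384r1.

# Read `openssl ecparam -list_curves` output on stdin, print bare curve names.
curve_names() {
    awk -F: 'NF > 1 { gsub(/[ \t]/, "", $1); if ($1 != "") print $1 }'
}

# Read the same output on stdin, print each required curve that is absent.
missing_curves() {
    names=$(curve_names)
    for want in prime256v1 secp384r1; do
        printf '%s\n' "$names" | grep -qx "$want" || printf '%s\n' "$want"
    done
}

# ecc_status LABEL: one summary line; returns 0 only if both curves are listed.
ecc_status() {
    missing=$(missing_curves | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "$1: P-256 and P-384 available"
        return 0
    fi
    echo "$1: missing ${missing% }"
    return 1
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_ECC='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'
SAMPLE_PARTIAL='  secp384r1 : NIST/SECG curve over a 384 bit prime field'
# Assumption: a build compiled without ECC prints no curve list on stdout.
SAMPLE_NO_ECC=''

for sample in SAMPLE_ECC SAMPLE_PARTIAL SAMPLE_NO_ECC; do
    eval "text=\$$sample"
    printf '%s\n' "$text" | ecc_status "$sample" || true
done

# Live check of the local binary, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    openssl ecparam -list_curves 2>/dev/null | ecc_status "$(openssl version)" || true
fi
```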

Operating System Support:

| Operating System | Minimum Version Required |
|---|---|
| Apple OS X [1] | OS X 10.6 |
| Google Android | 4.0 |
| Microsoft Windows [2] | Windows Vista |
| Red Hat Enterprise Linux [10] | 6.5 |

Browser Support:

| Browser | Minimum Version Required |
|---|---|
| Apple Safari | 4 (On ECC Compatible OS) |
| Google Chrome* [14] | 1.0 (On ECC Compatible OS) |
| Microsoft Internet Explorer* [14] | 7 (On ECC Compatible OS) |
| Mozilla Firefox* [14] | 2.0 |

Chrome utilizes the cryptographic libraries of the operating system on which it is installed. As a result, Chrome 1.0 can process ECC certificates on Windows Vista+ but not on Windows XP.

Internet Explorer utilizes Windows system libraries for cryptographic functions. As a result Internet Explorer 7 on Windows XP will not support ECC, but will on Windows Vista+ / Server 2008+.

Mozilla Firefox utilizes the NSS (Network Security Services) libraries to handle cryptographic functions like SSL, TLS, and certificate validation independent of the operating system's cryptographic libraries. This means Firefox 2.0+ will handle ECC certificates even on operating systems that do not natively support ECC such as Windows XP.

Server Support:

| Server | Minimum Version Required |
|---|---|
| Apache HTTP Server [7] | 2.2.26 |
| Apache Tomcat [11] | 1.1.30 |
| Dovecot [12] | 2.2.5 |
| IBM HTTP Server [13] | 8.0 w/ PM80235 |
| NGINX [8] | 1.1.0 |
| Sun Java System Web Server [16] | 7.0 |
| Windows Server [2] | 2008 |

Library Support:

| Library | Minimum Version Required |
|---|---|
| Bouncy Castle [3] | 1.04 |
| GnuTLS [9] | 2.99.2 |
| Java* [4] [17] | JDK 5 / JDK 7 |
| NSS [5] | 3.8 |
| OpenSSL [6] | 0.9.8 |
| OpenSSL FIPS Object Module [15] | FIPS Object Module 2.0 (OpenSSL 1.0.1) |

Java 5 & 6 support ECC on platforms with native ECC PKCS#11 implementations. Java 7 contains its own native ECC provider.

Sources:

Cryptography Next Generation
Bouncy Castle - ECC Key Pair Generation
JDK 5 - ECC Support
Bug 195135 - Add support for Elliptic Curve Cryptography to NSS & SSL
NGINX Changelog
RHEL 6.5 Release Notes
Tomcat Release Notes
Dovecot News 2.2.5 Released
IBM PM80235
Tested In-house
ECC & OpenSSL Version
Sun Java System Web Server 7.0 Release Notes
JDK 7 Adoption Guide
