Re: Problems with FF and internal certificates

Mon, 04 May 2015 12:02:31 -0700 

On 05/04/2015 10:09 AM, Brian Smith wrote:

On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas <tv...@mozilla.com> wrote:


On Apr 27, 2015, at 2:03 PM, Michael Peterson <

michaelpeterson...@gmail.com> wrote:

Now, in the album I posted above (https://imgur.com/a/dmMdG), the last

two screenshots show a packet capture from Wireshark. It appears that
Firefox does not support SHA512, which is kind of supported by this article
(
http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx).
I'm not exactly sure this is true, and it seems like a silly thing for
Firefox to drop support though (this previously worked), especially if
every other browser in the world supports this.
I think this was an NSS bug where we didn't include the SHA512 hash in the advertized list of supported hashes. It wasn't dropped support. In previous versions of TLS you didn't advertise which hashes you supported, so things signed with SHA512 just worked. Now you need to advertise it, and NSS was just missing the hash (it's fixed in the latest version of NSS). 


So there's everything we've found, and some of my assumptions. Does

anyone know what is actually going on with Firefox. Is this a bug? Are we
doing something wrong? How do we fix this?


SHA-384 is SHA-512 truncated to 384 bits.
Not exactly. SHA-384 is mechanically the same algorithm as SHA-512, with a truncation, but it's not the same bits. SHA-384 has a unique set of initializers so if you do a SHA-512 and truncate it to 384 bits and the do a SHA-384 on the same data, you have the same security and performance characteristics, but not the same bits.
(I think Brian knows this, and that his point is from a security point of view, they are exactly identical, both in performance and in the actual security of the hash. For the uninitiated, though, the actual bits on the wire are different). 



I guess your ECDSA certificate is using the P-384 curve. If so, your
SHA-512 digest is truncated to ~384 bits in order to work with the P-384
curve. (If you are using the P-256 curve, then it is truncated to ~256
bits.)

Consequently, there's no advantage to using SHA-512 instead of SHA-384.


Other than compatibility with someone that chose to sign using SHA-512.

bob


Cheers,
Brian

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to