Re: Chrome: From NSS to OpenSSL
Le lundi 27 janvier 2014 19:28:51 UTC+1, Kathleen Wilson a écrit : Draft Design Doc posted by Ryan Sleevi regarding Chrome migrating from NSS to OpenSSL: https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/edit?pli=1 Switching to OpenSSL, however, has the opportunity to bring significant performance and stability advantages to iOS, Mac, Windows, and ChromeOS immediately out of the gate. Switching Linux to use OpenSSL will take longer, due to the desire to continue to support PKCS#11-based smart card authentication, which will require more work. The biggest risk/cost to such a switch is no longer being able to help Firefox benefit from these efforts, nor benefiting from Firefox's efforts in these areas. Kathleen Nice work, I am not clear on the cons for OpenSSL: Limited-to-no extension points for dealing with networking fetching (AIA, CRL, OCSP) OCSP and CRL are available ? What do you mean with this sentence. Which may be a good point for security coverage. Thanks -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Proposal to Remove legacy TLS Ciphersuits Offered by Firefox
On Monday, January 27, 2014 4:35:34 PM UTC-7, Brian Smith wrote: On Mon, Jan 27, 2014 at 10:49 AM, ripber...@aol.com wrote: On Monday, January 27, 2014 10:52:44 AM UTC-7, Brian Smith wrote: On Mon, Jan 27, 2014 at 9:26 AM, ripber...@aol.com wrote: Thanks much Brian and Alan for the links - and the 800-52 reference which I haven't read yet. FIPS 140-2 certification is not fun. It probably takes a consultant and about a year to get a binary approved and if you change it, it has to be re-certified. Most folks seem to be content that your crypto-library is at least derived (i.e. patched) from a version that was certified. Good luck on your efforts there. I'll try to get back to this soon. Cheers, Rick -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Sites which fail with tls 1.0
On 2014-01-27 17:22, cl...@jhcloos.com wrote: In case anyone is keeping a list, while helping a relative I determined that timewarnercable.com's login server (wayfarer.timewarnercable.com) will not work with tls 1.1 or 1.2. The connection fails after the client right after the client hello. A small number of sites have bad security settings. Here's some stats. Supported Protocols Count Percent -+-+--- SSL2 85447 18.9264 SSL2 Only 380.0084 SSL3 44986499.6443 SSL3 Only 4443 0.9841 TLS1 44657598.9158 TLS1 Only 736 0.163 TLS1.114526632.1762 TLS1.1 Only 1 0.0002 TLS1.214992133.2073 TLS1.2 Only 5 0.0011 TLS1.2 but not 1.111888 2.6332 I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23) to get her (relevant) profile to log in to their site. Are you saying that the default settings were failing entirely, and you had to force tls1 for this site? [Side note: +\inf on the concecpt of profiles; one of Gecko's most important features!] -JimC -- James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6 - Julien -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Sites which fail with tls 1.0
Julien Vehent jul...@linuxwall.info writes: I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23) to get her (relevant) profile to log in to their site. Are you saying that the default settings were failing entirely, and you had to force tls1 for this site? I thought that profile had the default settings for security, since it is used only for interacting with that one vendor. But it seems not, since 1 is the default value for tls.version.max. I must have enabled 1.1 for all of her profiles by adding the line to the prefs.js files. Chromium must have re-tried with 1.0, since it defaults to 1.2 when connecting to my servers. -JimC -- James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6 -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Sites which fail with tls 1.0
On Mon, Jan 27, 2014 at 2:22 PM, cl...@jhcloos.com wrote: In case anyone is keeping a list, while helping a relative I determined that timewarnercable.com's login server (wayfarer.timewarnercable.com) will not work with tls 1.1 or 1.2. The connection fails after the client right after the client hello. I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23) to get her (relevant) profile to log in to their site. Hi, What is the value of security.tls.version.min? It should have the default value of 0. If not, could you please try again with security.tls.version.min=0 and security.tls.version.max=3? Also, could you try with Firefox 27 beta? Firefox 27 is supposed to be released next week. The link to the beta version is here: http://www.mozilla.org/en-US/firefox/beta/ When I try with Firefox Nightly, I find that we do fail to negotiate TLS 1.2 and then we try TLS 1.1 and fail at that. But then we retry with TLS 1.0 and that succeeds. I am curious why that is not happening for you with Firefox 26, since Firefox 26 should have the retry logic in it already. Thank you very much for your help with this! Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto