Re: SHA1 root CA
On 03/03/17 10:16, benjaminp...@gmail.com wrote:
> Could RSASSA-PSS as the used signature algorithm be the problem?

Yes, we don't support that. Although we may at some point:
https://bugzilla.mozilla.org/show_bug.cgi?id=1088140

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: SHA1 root CA
On Wednesday, 1 March 2017 18:18:55 UTC+1, Gervase Markham wrote:
> On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> > screenshot of the error message: http://imgur.com/a/BIQUm
>
> That error message will not occur if only the root CA is SHA-1 signed,
> because Firefox does not check the signatures on root CAs. There must be
> some other certificate in the chain that Firefox has built which is
> SHA-1 signed.
>
> You will need to provide the full certificate chain as constructed by
> Firefox. If you get the error by visiting the site, then click
> "Advanced" then "Add Exception" then "View" then the "Details" tab, then
> select all the certificates in the chain in turn and click Export,
> making sure you save them as PEM files, you can paste them into a
> message to this group.
>
> Gerv

Could RSASSA-PSS as the used signature algorithm be the problem?
Re: SHA1 root CA
On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> screenshot of the error message: http://imgur.com/a/BIQUm

That error message will not occur if only the root CA is SHA-1 signed, because Firefox does not check the signatures on root CAs. There must be some other certificate in the chain that Firefox has built which is SHA-1 signed.

You will need to provide the full certificate chain as constructed by Firefox. If you get the error by visiting the site, then click "Advanced" then "Add Exception" then "View" then the "Details" tab, then select all the certificates in the chain in turn and click Export, making sure you save them as PEM files, you can paste them into a message to this group.

Gerv
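As an added example (not code from this thread, from Mozilla, or from any poster), the following stdlib-only Python script does offline what Gerv asks for: it walks an exported PEM chain, reads each certificate's signatureAlgorithm OID, treats a self-issued root the way Firefox does (its signature is not checked), flags a SHA-1 signature anywhere below the root, and reports RSASSA-PSS as unsupported. The functions `der_children`, `inspect_cert`, `check_chain`, `tlv` and `fake_cert` are this example's own names, and the chain at the end is constructed from unsigned certificate skeletons (a SHA-256 leaf under a SHA-1-signed intermediate under a SHA-1 self-signed root) purely to exercise the checker; real exported PEM files can be passed to `check_chain` the same way.

```python
import base64
import re
RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # DER bytes of the OID prefix 1.2.840.113549.1.1
SIG_OIDS = {RSA + b"\x05": ("sha1WithRSAEncryption", True),    # (name, uses SHA-1?)
            RSA + b"\x0b": ("sha256WithRSAEncryption", False),
            RSA + b"\x0a": ("RSASSA-PSS", None)}               # hash not fixed by the OID

def der_children(buf):  # -> [(tag, content)] for the body of one DER SEQUENCE/SET
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def inspect_cert(der):  # -> (signatureAlgorithm OID bytes, issuer == subject)
    tbs, sigalg, _signature = der_children(der_children(der)[0][1])
    oid = der_children(sigalg[1])[0][1]
    f = [c for c in der_children(tbs[1]) if c[0] != 0xA0]  # drop the [0] version field
    return oid, f[2][1] == f[4][1]  # TBS order: serial, algorithm, issuer, validity, subject

def check_chain(pem_bundle):
    # Firefox skips the self-issued root's own signature, so only SHA-1 below it matters.
    report = []
    for i, b64 in enumerate(re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_bundle, re.S)):
        oid, self_issued = inspect_cert(base64.b64decode("".join(b64.split())))
        name, sha1 = SIG_OIDS.get(oid, (oid.hex(), None))
        verdict = ("self-issued root, signature not checked" if self_issued else
                   "SHA-1 signature, rejected" if sha1 else
                   "ok" if sha1 is False else "unsupported or unknown algorithm")
        report.append(f"cert {i} ({name}): {verdict}")
    return report

def tlv(tag, body):  # DER tag-length-value builder for the constructed sample (lengths < 128)
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer, oid_der):  # constructed, unsigned skeleton with the fields read above
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, oid_der))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

CHAIN = (fake_cert(b"www", b"Sub CA", RSA + b"\x0b") + fake_cert(b"Sub CA", b"Root", RSA + b"\x05")
         + fake_cert(b"Root", b"Root", RSA + b"\x05"))
```

Running `check_chain(CHAIN)` reports the intermediate as the SHA-1 signature that would be rejected while the self-signed root is left unchecked, which is exactly the situation Gerv describes.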
Re: SHA1 root CA
On Wed, 1 Mar 2017 02:36:22 -0800 (PST)
benjaminpill--- via dev-security-policy wrote:
> when connecting to a webserver
>
> screenshot of the error message: http://imgur.com/a/BIQUm

It would be helpful if you told us which webserver.

The error message looks to me like it's the webpage's certificate, not the root, that's signed with sha1. But I may be wrong, would have to check.

Sometimes error messages are misleading and sometimes strange things happen when websites send all kinds of wrong certs within a chain.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Re: SHA1 root CA
[2017-03-01 11:21] benjaminpill--- via dev-security-policy:
> so why is Firefox complaining with this error message:
>
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Check the about:config setting "security.pki.sha1_enforcement_level". Valid values currently range from 0 to 4, with the following meanings:

> enum class SHA1Mode {
>   Allowed = 0,
>   Forbidden = 1,
>   // There used to be a policy that only allowed SHA1 for certificates issued
>   // before 2016. This is no longer available. If a user has selected this
>   // policy in about:config, it now maps to Forbidden.
>   UsedToBeBefore2016ButNowIsForbidden = 2,
>   ImportedRoot = 3,
>   ImportedRootOrBefore2016 = 4,
> };

Source: https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CertVerifier.h#164

You'll probably want either value 3 or value 4.

regards
Pascal
Re: SHA1 root CA
On Wednesday, 1 March 2017 11:31:20 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
> benjaminpill--- via dev-security-policy wrote:
>
> > so why is Firefox complaining with this error message:
> >
> > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
>
> Can you be more specific? Where are you seeing that error message?
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

when connecting to a webserver

screenshot of the error message: http://imgur.com/a/BIQUm
Re: SHA1 root CA
On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
benjaminpill--- via dev-security-policy wrote:
> so why is Firefox complaining with this error message:
>
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Can you be more specific? Where are you seeing that error message?

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Re: SHA1 root CA
On Wednesday, 1 March 2017 11:18:48 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
> benjaminpill--- via dev-security-policy wrote:
>
> > are root (Enterprise) CA certificates which are based on SHA1 handled
> > as untrusted by Firefox 51? The end certificate is signed using sha256
> > and trusted by an intermediate CA which also uses sha256. Only the root
> > CA is based on sha1. Chrome and IE are not complaining about the root
> > cert.
>
> The signatures on root certificates are mostly irrelevant, as they're
> pure self-signatures that have no real meaning. I think they're
> only there because the certificate format X.509 requires certificates to
> have a signature on themselves.
>
> Therefore afaik it's generally considered okay if root certificates have
> SHA1 signatures. You probably wouldn't create new ones with such
> signatures, but there is no risk for the ecosystem in keeping existing
> ones.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

so why is Firefox complaining with this error message:

SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
Re: SHA1 root CA
On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
benjaminpill--- via dev-security-policy wrote:
> are root (Enterprise) CA certificates which are based on SHA1 handled
> as untrusted by Firefox 51? The end certificate is signed using sha256
> and trusted by an intermediate CA which also uses sha256. Only the root
> CA is based on sha1. Chrome and IE are not complaining about the root
> cert.

The signatures on root certificates are mostly irrelevant, as they're pure self-signatures that have no real meaning. I think they're only there because the certificate format X.509 requires certificates to have a signature on themselves.

Therefore afaik it's generally considered okay if root certificates have SHA1 signatures. You probably wouldn't create new ones with such signatures, but there is no risk for the ecosystem in keeping existing ones.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42