Re: SHA1 root CA

2017-03-03 Thread Gervase Markham via dev-security-policy 
On 03/03/17 10:16, benjaminp...@gmail.com wrote:
> Could RSASSA-PSS as the used signature algorithm be the Problem?

Yes, we don't support that. Although we may at some point:
https://bugzilla.mozilla.org/show_bug.cgi?id=1088140

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-03 Thread benjaminpill--- via dev-security-policy 
Am Mittwoch, 1. März 2017 18:18:55 UTC+1 schrieb Gervase Markham:
> On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> > screenshot of the error message: http://imgur.com/a/BIQUm
> 
> That error message will not occur if only the root CA is SHA-1 signed,
> because Firefox does not check the signatures on root CAs. There must be
> some other certificate in the chain that Firefox has built which is
> SHA-1 signed.
> 
> You will need to provide the full certificate chain as constructed by
> Firefox. If you get the error by visiting the site, then click
> "Advanced" then "Add Exception" then "View" then the "Details" tab, then
> select all the certificates in the chain in turn and click Export,
> making sure you save them as PEM files, you can paste them into a
> message to this group.
> 
> Gerv


Could RSASSA-PSS as the used signature algorithm be the Problem?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread Gervase Markham via dev-security-policy 
On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> screenshot of the error message: http://imgur.com/a/BIQUm

That error message will not occur if only the root CA is SHA-1 signed,
because Firefox does not check the signatures on root CAs. There must be
some other certificate in the chain that Firefox has built which is
SHA-1 signed.

You will need to provide the full certificate chain as constructed by
Firefox. If you get the error by visiting the site, then click
"Advanced" then "Add Exception" then "View" then the "Details" tab, then
select all the certificates in the chain in turn and click Export,
making sure you save them as PEM files, you can paste them into a
message to this group.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy 
On Wed, 1 Mar 2017 02:36:22 -0800 (PST)
benjaminpill--- via dev-security-policy
 wrote:

> when connecting to a webserver
> 
> screenshot of the error message: http://imgur.com/a/BIQUm

It would be helpful if you told us which webserver. The error message
looks to me that it's web webpages certificate, not the root, that's
signed with sha1. But I may be wrong, would have to check.
Sometimes error messages are misleading and sometimes strange things
happen when websites send all kinds of wrong certs within a chain.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread Pascal Ernster via dev-security-policy 
[2017-03-01 11:21] benjaminpill--- via dev-security-policy:
> so why is Firefox complaining with this error message:
> 
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED


Check the about:config setting "security.pki.sha1_enforcement_level".
Valid values currently range from 0 to 4, with the following meanings:

>   enum class SHA1Mode {
> Allowed = 0,
> Forbidden = 1,
> // There used to be a policy that only allowed SHA1 for certificates 
> issued
> // before 2016. This is no longer available. If a user has selected this
> // policy in about:config, it now maps to Forbidden.
> UsedToBeBefore2016ButNowIsForbidden = 2,
> ImportedRoot = 3,
> ImportedRootOrBefore2016 = 4,
>   };

Source:
https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CertVerifier.h#164

You'll probably want either value 3 or value 4.


regards
Pascal
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy 
Am Mittwoch, 1. März 2017 11:31:20 UTC+1 schrieb Hanno Böck:
> On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
> benjaminpill--- via dev-security-policy
>  wrote:
> 
> > so why is Firefox complaining with this error message:
> > 
> > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
> 
> Can you be more specific? Where are you seeing that error message?
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

when connecting to a webserver

screenshot of the error message: http://imgur.com/a/BIQUm
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy 
On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
benjaminpill--- via dev-security-policy
 wrote:

> so why is Firefox complaining with this error message:
> 
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Can you be more specific? Where are you seeing that error message?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy 
Am Mittwoch, 1. März 2017 11:18:48 UTC+1 schrieb Hanno Böck:
> On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
> benjaminpill--- via dev-security-policy
>  wrote:
> 
> > are root (Enterprise) CA certificates wich are based on SHA1 handled
> > as untrusted by Firefox 51? The  end certificate is sign using sha256
> > and trusted by a intermidiate ca wich uses also sha256. Only the root
> > ca is based on sha1. Chrome and IE are not complaining about the root
> > cert.
> 
> The signatures on root certificates are mostly irrelevant, as they're
> pure self-signatures that have no real meaning. I think they're
> only there because the certificate format X.509 requires certificates to
> have a signature on themselve.
> 
> Therefore afaik it's generally considered okay if root certificates have
> SHA1 signatures. You probably wouldn't create new ones with such
> signatures, but there is no risk for the ecosystem in keeping existing
> ones.
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

so why is Firefox complaining with this error message:

SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy 
On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
benjaminpill--- via dev-security-policy
 wrote:

> are root (Enterprise) CA certificates wich are based on SHA1 handled
> as untrusted by Firefox 51? The  end certificate is sign using sha256
> and trusted by a intermidiate ca wich uses also sha256. Only the root
> ca is based on sha1. Chrome and IE are not complaining about the root
> cert.

The signatures on root certificates are mostly irrelevant, as they're
pure self-signatures that have no real meaning. I think they're
only there because the certificate format X.509 requires certificates to
have a signature on themselve.

Therefore afaik it's generally considered okay if root certificates have
SHA1 signatures. You probably wouldn't create new ones with such
signatures, but there is no risk for the ecosystem in keeping existing
ones.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy