Re: TLS ESNI and HelloRetryRequest in Firefox 64, Firefox Nightly

2019-01-04 Thread sjw 
Is this already implemented?
[1] is not yet fixed and [2] does not work for me with current Nightly.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1494901
[2] https://www.cloudflare.com/ssl/encrypted-sni/


Am 04.01.19 um 17:13 schrieb Hubert Kario:
> On Thursday, 3 January 2019 11:45:25 CET Alexander Venedioukhin (lists) wrote:
>> Hello,
>>
>> I'm implementing ESNI (encrypted SNI, current draft 02) server-side.
>> It works with Firefox 64.0 and Nightly 66.0a1 as expected, until the
>> server sends HelloRetryRequest during handshake. In latter case
>> Firefox responds with plain text SNI extension (same hostname) in
>> second ClientHello, instead of ESNI. Still, handshake successfully
>> finishes. Is it intended behavior?
> 
> that sounds to me like a question to the IETF TLS mailing list
> 
> 



signature.asc
Description: OpenPGP digital signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

SHA-1 with 'notAfter >= 2017-1-1'

2016-01-19 Thread sjw 
Hi

We're already having some discussions about SHA-1, but I'll split this
up into a new thread.

The initial goal of bug 942515 was to mark certs as insecure, that are
valid 'notBefore >= 2016-01-01' (means issued to use in 2016+) AND also
for certs that are valid 'notAfter >= 2017-1-1' (means still valid in
2017+).

The first condition has been implemented, but there are some
'compatibility' issues with MITM software. [1]
The second condition has not been implemented, but it was already
announced [2] and also considered to set the cut-off a half year earlier
to the  July 1, 2016. If this should really happen, we need to hurry up
on this discussion. Of course the problem mentioned in [1] should be
solved first.

Regards,
Jonas


[1]
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
[2]
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
[3]
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/



signature.asc
Description: OpenPGP digital signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto