Re: SHA1 root CA
On Wednesday, 1 March 2017 18:18:55 UTC+1, Gervase Markham wrote:
> On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> > screenshot of the error message: http://imgur.com/a/BIQUm
>
> That error message will not occur if only the root CA is SHA-1 signed,
> because Firefox does not check the signatures on root CAs. There must be
> some other certificate in the chain that Firefox has built which is
> SHA-1 signed.
>
> You will need to provide the full certificate chain as constructed by
> Firefox. If you get the error by visiting the site, then click
> "Advanced" then "Add Exception" then "View" then the "Details" tab, then
> select all the certificates in the chain in turn and click Export,
> making sure you save them as PEM files, you can paste them into a
> message to this group.
>
> Gerv

Could RSASSA-PSS as the used signature algorithm be the problem?

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
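Added example, not part of the thread and not Firefox's code: a minimal DER walk that reads each certificate's signature algorithm and flags SHA-1 only on certificates that are not self-issued, following the point above that the root's own signature is not checked. The chain is built from constructed DER skeletons rather than real certificates, "self-issued" (issuer equals subject) is an assumed stand-in for "root", and `children`, `oid_str`, `inspect`, `sha1_findings`, `tlv` and `fake_cert` are hypothetical names.

```python
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",  # hash is named in the parameters
}

def children(body):  # split constructed DER content into (tag, content) pairs
    out, off = [], 0
    while off < len(body):
        tag, n, off = body[off], body[off + 1], off + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, off = int.from_bytes(body[off:off + k], "big"), off + k
        out.append((tag, body[off:off + n]))
        off += n
    return out

def oid_str(raw):  # decode DER OID content bytes into dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect(der):  # -> (signature algorithm, self_issued) for one DER certificate
    tbs, sig_alg, _sig = children(children(der)[0][1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit version tag
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, alg, issuer, validity, subject
    oid = oid_str(children(sig_alg[1])[0][1])
    return SIG_OIDS.get(oid, oid), issuer == subject

def sha1_findings(chain):  # indexes of SHA-1 signed certificates that are not self-issued
    return [i for i, der in enumerate(chain) if inspect(der) == ("sha1WithRSAEncryption", False)]

def tlv(tag, body=b""):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
def fake_cert(issuer, subject, oid_hex):  # hypothetical helper for constructed input
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05))
    name = lambda s: tlv(0x30, tlv(0x0C, s.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer) + tlv(0x30) + name(subject))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

CHAIN = [fake_cert("Sub CA", "www.example.test", "2a864886f70d01010b"),  # constructed leaf
         fake_cert("Root CA", "Sub CA", "2a864886f70d010105"),           # constructed intermediate
         fake_cert("Root CA", "Root CA", "2a864886f70d010105")]          # constructed root
```

For real input, base64-decode each exported PEM block to DER before passing it to `inspect`.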
Re: SHA1 root CA
On Wednesday, 1 March 2017 11:31:20 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
> benjaminpill--- via dev-security-policy
> wrote:
>
> > so why is Firefox complaining with this error message:
> >
> > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
>
> Can you be more specific? Where are you seeing that error message?
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

when connecting to a webserver
screenshot of the error message: http://imgur.com/a/BIQUm
Re: SHA1 root CA
On Wednesday, 1 March 2017 11:18:48 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
> benjaminpill--- via dev-security-policy
> wrote:
>
> > are root (Enterprise) CA certificates which are based on SHA1 handled
> > as untrusted by Firefox 51? The end certificate is signed using sha256
> > and trusted by an intermediate ca which also uses sha256. Only the root
> > ca is based on sha1. Chrome and IE are not complaining about the root
> > cert.
>
> The signatures on root certificates are mostly irrelevant, as they're
> pure self-signatures that have no real meaning. I think they're
> only there because the certificate format X.509 requires certificates to
> have a signature on themselves.
>
> Therefore afaik it's generally considered okay if root certificates have
> SHA1 signatures. You probably wouldn't create new ones with such
> signatures, but there is no risk for the ecosystem in keeping existing
> ones.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

so why is Firefox complaining with this error message:

SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
SHA1 root CA
Hello,

are root (Enterprise) CA certificates which are based on SHA1 handled as untrusted by Firefox 51? The end certificate is signed using sha256 and trusted by an intermediate ca which also uses sha256. Only the root ca is based on sha1. Chrome and IE are not complaining about the root cert.

Thanks!