On Tue, Aug 29, 2017 at 9:36 PM, Patrick Dohman <[email protected]> wrote:
> I’ve read that SHA1 can be brute forced however why Mozilla Firefox forces a > ECDH is misunderstood if attempting to negotiate for example RSA In my > experience sea monkey can authenticate correctly against an apple key-chain > however Firefox returns cipher suite errors Regards Patrick > On Aug 29, > 2017, at 2:25 PM, Rupert Gallagher wrote: > > > https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=53&platform=Win%207&key=142 > > > Sent from ProtonMail Mobile > > On Tue, Aug 29, 2017 at 5:08 PM, Patrick > Dohman wrote: > >> My current understanding is that Mozilla Firefox also has > issues with ECDHE. For example applications implementing a web server and > library specific cipher suites may be incompatible with Firefox if ECDHE is > enabled . However the same self signed certificate installed in different web > server for example apache are compatible with Firefox with ECDHE enabled. My > current hypothesis is that not all open source projects ‘"purchased" a class > three public certificate authority from the likes of Symantec with prevents > the certificate store from falling back to a SSL 3.0 That essentially to all > certificate stores are equal & that hashing an appropriate algorithm is > becoming non standardized in the event that the certificate is not a trusted > root. Regards Patrick > On Aug 29, 2017, at 8:23 AM, Rupert Gallagher wrote: > > >> Clean up the EC key/curve configuration handling. We no longer support > ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher > list. As such, permanently enable automatic EC curve selection and > generation, effectively disabling all of the configuration knobs. > > > https://www.tedunangst.com/flak/post/openbsd-changes-of-note-627 > > The > description @protonmail.com>@centurylink.net> @protonmail.com>
