Re: Firefox cannot act as DHE server

2016-03-19 Thread ors . szabo . hu
Hi Martin,

Let me clarify: remote node is acting as DTLS client and sends DTLS client 
hello with DHE_RSA. Firefox replies with handshake failure.

What shall be done to solve this? I didn't get how the '2048-bit share' relates 
to this. You also mentioned the RTCCertificate API, for which there is no basic 
support in FF.

Thanks a lot!
Ors
___
dev-media mailing list
dev-media@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-media


Re: Firefox cannot act as DHE server

2016-03-18 Thread Martin Thomson
RTCCertificate is supported. You simply generate an RSA certificate and
plug it into RTCPeerConnection. See
https://dxr.mozilla.org/mozilla-central/rev/3e04659fdf6aef792f7cf9840189c6c38d08d1e8/dom/media/tests/mochitest/test_peerConnection_certificates.html#140
for an example (albeit a complicated one).

The 2048-bit share refers to the Diffie-Hellman part. It shouldn't be a
problem unless you are using a very old version of Java, or something
similarly bad.
On 19 Mar 2016 5:16 AM,  wrote:

> Hi Martin,
>
> Let me clarify: remote node is acting as DTLS client and sends DTLS client
> hello with DHE_RSA. Firefox replies with handshake failure.
>
> What shall be done to solve this? I didn't get how the '2048-bit share'
> relates to this. You also mentioned the RTCCertificate API, for which there
> is no basic support in FF.
>
> Thanks a lot!
> Ors


Re: Firefox cannot act as DHE server

2016-03-11 Thread Martin Thomson
On Fri, Mar 11, 2016 at 7:28 PM,   wrote:
> Martin, just to double-check: by 'client' you mean WebRTC client, and not the 
> remote node which is sending the DTLS client hello towards FF, right?

Since we were talking DTLS, I mean the DTLS client.  That is usually
the WebRTC peer that generates the answer, if that helps at all (or
the one that explicitly sets a=setup:active in its offer).
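Added example, not code from this thread or from Firefox: it shows the two things Martin describes, generating an RSA RTCCertificate and pinning it in the RTCPeerConnection so the browser can be the DTLS server for DHE_RSA suites, plus a small check that reads a=setup from an offer and answer to tell which peer ends up as the DTLS client. The certificate parameters (2048-bit RSASSA-PKCS1-v1_5 with SHA-256, exponent 65537) and the ICE-server argument are assumptions; the browser-only part needs a real WebRTC runtime.

```javascript
// Added example; not from the thread or the Firefox code base.
// Assumed parameters for RTCPeerConnection.generateCertificate():
// a 2048-bit RSASSA-PKCS1-v1_5 key with SHA-256, public exponent 65537.
const RSA_CERT_PARAMS = {
  name: 'RSASSA-PKCS1-v1_5',
  hash: 'SHA-256',
  modulusLength: 2048,
  publicExponent: new Uint8Array([1, 0, 1]),
};

// RTCConfiguration that pins the generated certificate; with an RSA
// certificate in place the DTLS server side can satisfy DHE_RSA suites.
function peerConfigWithCert(cert, iceServers = []) {
  return { certificates: [cert], iceServers };
}

// Browser-only: generate the RSA certificate, then create the connection.
async function createRsaPeerConnection(iceServers = []) {
  if (typeof RTCPeerConnection === 'undefined') {
    throw new Error('RTCPeerConnection is only available in a browser');
  }
  const cert = await RTCPeerConnection.generateCertificate(RSA_CERT_PARAMS);
  return new RTCPeerConnection(peerConfigWithCert(cert, iceServers));
}

// First a=setup line of an SDP (assumes a single DTLS association);
// 'active' = DTLS client, 'passive' = DTLS server, 'actpass' = answerer picks.
function setupAttr(sdp) {
  const m = /^a=setup:(active|passive|actpass)\s*$/m.exec(sdp);
  return m ? m[1] : null;
}

// Which peer sends the DTLS ClientHello, given the offer and (optional) answer.
// Matches the thread: usually the answerer, unless the offer says active.
function dtlsClientSide(offerSdp, answerSdp) {
  const offer = setupAttr(offerSdp);
  const answer = answerSdp ? setupAttr(answerSdp) : null;
  if (offer === 'active') return 'offerer';
  if (offer === 'passive') return 'answerer';
  if (answer === 'active') return 'answerer';
  if (answer === 'passive') return 'offerer';
  return 'unknown';
}
```

If the side that must present the RSA certificate is the one `dtlsClientSide` reports as DTLS server, that is the RTCPeerConnection that needs the pinned certificate.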


Re: Firefox cannot act as DHE server

2016-03-11 Thread ors . szabo . hu
Martin, just to double-check: by 'client' you mean WebRTC client, and not the 
remote node which is sending the DTLS client hello towards FF, right?

Thanks,
Ors


Re: Firefox cannot act as DHE server

2016-03-10 Thread ors . szabo . hu
Thanks a lot Martin, will look into that!

Regards,
Ors


Re: Firefox cannot act as DHE server

2016-03-10 Thread Martin Thomson
Just to be clear, Firefox is now able to act as a server for DHE.
Your client needs to be prepared to accept a 2048-bit share (most
will, though some older Java versions might choke).

On Fri, Mar 11, 2016 at 3:10 PM, Martin Thomson  wrote:
> On Fri, Mar 11, 2016 at 10:18 AM, Nils Ohlmeier  wrote:
>> Have you read this hack post already?
>> https://hacks.mozilla.org/2015/02/webrtc-requires-perfect-forward-secrecy-pfs-starting-in-firefox-38/
>
> That posting isn't quite relevant, this is:
>
>> TLS_DHE_***RSA***_...
>
> Firefox won't act as server for RSA-based cipher suites without the
> certificate management API.
>
> That's here:
>
> https://developer.mozilla.org/fi/docs/Web/API/RTCCertificate
>
> It's perfectly happy to be a client, because the cipher suite doesn't
> constrain the certificate that a client can use.


Re: Firefox cannot act as DHE server

2016-03-10 Thread Martin Thomson
On Fri, Mar 11, 2016 at 10:18 AM, Nils Ohlmeier  wrote:
> Have you read this hack post already?
> https://hacks.mozilla.org/2015/02/webrtc-requires-perfect-forward-secrecy-pfs-starting-in-firefox-38/

That posting isn't quite relevant, this is:

> TLS_DHE_***RSA***_...

Firefox won't act as server for RSA-based cipher suites without the
certificate management API.

That's here:

https://developer.mozilla.org/fi/docs/Web/API/RTCCertificate

It's perfectly happy to be a client, because the cipher suite doesn't
constrain the certificate that a client can use.


Re: Firefox cannot act as DHE server

2016-03-10 Thread Nils Ohlmeier
Hi Ors,

> On Mar 10, 2016, at 09:12, ors.szabo...@gmail.com wrote:
> I'm getting DTLS handshake failure basically with all FF versions (even with 
> latest nightly build) for a DTLS client hello with the following cipher 
> suites:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 
> Is this a known fault in FF?

Have you read this hack post already?
https://hacks.mozilla.org/2015/02/webrtc-requires-perfect-forward-secrecy-pfs-starting-in-firefox-38/

Best regards
  Nils Ohlmeier




Firefox cannot act as DHE server

2016-03-10 Thread ors . szabo . hu
Hello,

I'm getting DTLS handshake failure basically with all FF versions (even with 
latest nightly build) for a DTLS client hello with the following cipher suites:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

Is this a known fault in FF?

Regards,
Ors