Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?
Well, now you've made me go and try it. I couldn't get OpenSSL to use
RSAwithMD2, but it works fine with MD5:

openssl req -x509 -out client-cert.pem -new -newkey rsa:512 -md5 -nodes -keyout client-priv.pem
openssl pkcs12 -export -in client-cert.pem -inkey client-priv.pem -out client.p12
# Preferences > Advanced > Certificates > View Certificates > Your Certificates
# Import the p12
# Configure /etc/hosts to point example.com to 127.0.0.1
openssl req -x509 -out server-cert.pem -new -newkey rsa:2048 -sha256 -nodes -keyout server-priv.pem
openssl s_server -cert server-cert.pem -key server-priv.pem -accept 8080 -www -Verify 0
# Navigate to https://example.com:8080/
# Add an exception for the server cert
# Note that the client cert you just imported is offered in the prompt
# Select the client cert you just imported
# Note that the server accepts the client cert

On Wed, Apr 27, 2016 at 2:25 PM, Peter Bowen wrote:
> It does to a certain extent. If I have a certificate that uses a
> 512-bit RSA key and is signed using RSAwithMD2, will Mozilla even
> attempt to use that certificate for client authentication?
>
> On Wed, Apr 27, 2016 at 10:54 AM, Richard Barnes wrote:
> > For client certificates, it doesn't really matter what Mozilla thinks --
> > it matters what the website thinks when you present the client cert.
> >
> > On Wed, Apr 27, 2016 at 7:48 AM, wrote:
> >
> >> Hi! I read
> >> "https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/"
> >> article but my question is what about Client authentication certificates
> >> that are issued using SHA-1 like Qualified Certificates issued to clients
> >> in order to make client authenticated SSL connection and
> >> sign/encrypt/decrypt documents? Are they going to be valid and until when?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
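
An added example, not part of the original thread: since the accepting server is what decides whether a client certificate like the MD5/512-bit one above is usable, this sketch shows a server-side check that flags weak signature hashes and short RSA keys from `openssl x509 -text` output. The function names, the 2048-bit threshold and the sample excerpts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag client certificates a server should refuse.
MIN_RSA_BITS=2048   # assumed policy threshold, not taken from the thread

# Reads `openssl x509 -noout -text` output on stdin.
# Prints "ok" or "weak: <reasons>"; returns 0 for ok, 1 for weak.
classify_cert_text() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    pkalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    reasons=""
    case "$sigalg" in
        "") reasons="signature algorithm not found" ;;   # fail closed on unparsable input
        md2*|md4*|md5*|sha1*|*SHA1) reasons="signature $sigalg" ;;
    esac
    # The bit-length floor applies to RSA only; a 256-bit EC key is not "short".
    if [ "$pkalg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        reasons="${reasons:+$reasons, }RSA key ${bits:-unknown} bits"
    fi
    if [ -n "$reasons" ]; then
        printf 'weak: %s\n' "$reasons"
        return 1
    fi
    printf 'ok\n'
}

# Wrapper for a PEM file on disk (needs the openssl CLI installed).
check_client_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed excerpts shaped like `openssl x509 -text` output.
SAMPLE_MD5_512='        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)'
SAMPLE_SHA256_2048='        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

printf '%s\n' "$SAMPLE_MD5_512" | classify_cert_text || true
printf '%s\n' "$SAMPLE_SHA256_2048" | classify_cert_text || true
```

Running `check_client_cert client-cert.pem` against the certificate generated in the message above would apply the same check to a real file.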
Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?
It does to a certain extent. If I have a certificate that uses a
512-bit RSA key and is signed using RSAwithMD2, will Mozilla even
attempt to use that certificate for client authentication?

On Wed, Apr 27, 2016 at 10:54 AM, Richard Barnes wrote:
> For client certificates, it doesn't really matter what Mozilla thinks -- it
> matters what the website thinks when you present the client cert.
>
> On Wed, Apr 27, 2016 at 7:48 AM, wrote:
>
>> Hi! I read
>> "https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/"
>> article but my question is what about Client authentication certificates
>> that are issued using SHA-1 like Qualified Certificates issued to clients
>> in order to make client authenticated SSL connection and
>> sign/encrypt/decrypt documents? Are they going to be valid and until when?
Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?
For client certificates, it doesn't really matter what Mozilla thinks -- it
matters what the website thinks when you present the client cert.

On Wed, Apr 27, 2016 at 7:48 AM, wrote:
> Hi! I read
> "https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/"
> article but my question is what about Client authentication certificates
> that are issued using SHA-1 like Qualified Certificates issued to clients
> in order to make client authenticated SSL connection and
> sign/encrypt/decrypt documents? Are they going to be valid and until when?
What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?
Hi! I read
"https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/"
article but my question is what about Client authentication certificates
that are issued using SHA-1 like Qualified Certificates issued to clients
in order to make client authenticated SSL connection and
sign/encrypt/decrypt documents? Are they going to be valid and until when?