Re: SHA1 root CA

2017-03-03 Thread Gervase Markham via dev-security-policy
On 03/03/17 10:16, benjaminp...@gmail.com wrote:
> Could RSASSA-PSS as the used signature algorithm be the problem?

Yes, we don't support that. Although we may at some point:
https://bugzilla.mozilla.org/show_bug.cgi?id=1088140

Gerv

Re: SHA1 root CA

2017-03-03 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 18:18:55 UTC+1, Gervase Markham wrote:
> On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> > screenshot of the error message: http://imgur.com/a/BIQUm
>
> That error message will not occur if only the root CA is SHA-1 signed,
> because Firefox does not check the

Re: SHA1 root CA

2017-03-01 Thread Gervase Markham via dev-security-policy
On 01/03/17 10:36, benjaminp...@gmail.com wrote:
> screenshot of the error message: http://imgur.com/a/BIQUm

That error message will not occur if only the root CA is SHA-1 signed, because Firefox does not check the signatures on root CAs. There must be some other certificate in the chain that

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 02:36:22 -0800 (PST) benjaminpill--- via dev-security-policy wrote:
> when connecting to a webserver
>
> screenshot of the error message: http://imgur.com/a/BIQUm

It would be helpful if you told us which webserver. The error message

Re: SHA1 root CA

2017-03-01 Thread Pascal Ernster via dev-security-policy
[2017-03-01 11:21] benjaminpill--- via dev-security-policy:
> so why is Firefox complaining with this error message:
>
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Check the about:config setting "security.pki.sha1_enforcement_level". Valid values currently range from 0 to 4, with the following

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 11:31:20 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 02:21:21 -0800 (PST)
> benjaminpill--- via dev-security-policy
> wrote:
>
> > so why is Firefox complaining with this error message:
> >
> >

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 02:21:21 -0800 (PST) benjaminpill--- via dev-security-policy wrote:
> so why is Firefox complaining with this error message:
>
> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

Can you be more specific? Where are you seeing that error

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 11:18:48 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
> benjaminpill--- via dev-security-policy
> wrote:
>
> > are root (Enterprise) CA certificates which are based on SHA1 handled
> > as untrusted by Firefox

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 00:44:54 -0800 (PST) benjaminpill--- via dev-security-policy wrote:
> are root (Enterprise) CA certificates which are based on SHA1 handled
> as untrusted by Firefox 51? The end certificate is signed using sha256
> and trusted by a

SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
Hello, are root (Enterprise) CA certificates which are based on SHA1 handled as untrusted by Firefox 51? The end certificate is signed using sha256 and trusted by an intermediate CA which also uses sha256. Only the root CA is based on sha1. Chrome and IE are not complaining about the root cert.