On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas <tv...@mozilla.com> wrote:
> > On Apr 27, 2015, at 2:03 PM, Michael Peterson < > michaelpeterson...@gmail.com> wrote: > > Now, in the album I posted above (https://imgur.com/a/dmMdG), the last > two screenshots show a packet capture from Wireshark. It appears that > Firefox does not support SHA512, which is kind of supported by this article > ( > http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx). > I'm not exactly sure this is true, and it seems like a silly thing for > Firefox to drop support though (this previously worked), especially if > every other browser in the world supports this. > > > > So there's everything we've found, and some of my assumptions. Does > anyone know what is actually going on with Firefox. Is this a bug? Are we > doing something wrong? How do we fix this? > SHA-384 is SHA-512 truncated to 384 bits. I guess your ECDSA certificate is using the P-384 curve. If so, your SHA-512 digest is truncated to ~384 bits in order to work with the P-384 curve. (If you are using the P-256 curve, then it is truncated to ~256 bits.) Consequently, there's no advantage to using SHA-512 instead of SHA-384. Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
