Re: Proposal to Remove legacy TLS Ciphersuits Offered by Firefox
Brian Smith writes:

> Cipher Suite                                Count     %
> --
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   332,786   8.30%
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA            4,601   0.11%

Who issues ECDSA certs?  Is that intra-government usage?

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: [Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox
Julien Vehent writes:

> I would argue that our documents target server configurations, where
> AES-NI is now a standard.

It is not.

Many sites run on virtuals, often using kvm.  And most kvm sites provide
a QEMU Virtual CPU which only supports sse2.

And even without kvm, there is still a /lot/ of pre-aes-ni hardware in use.

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
Sites which fail with tls > 1.0
In case anyone is keeping a list, while helping a relative I determined
that timewarnercable.com's login server (wayfarer.timewarnercable.com)
will not work with tls 1.1 or 1.2.  The connection fails right after the
client hello.

I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
to get her (relevant) profile to log in to their site.

[Side note: +\inf on the concept of profiles; one of Gecko's most
important features!]

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
Re: Sites which fail with tls > 1.0
Julien Vehent writes:

>> I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
>> to get her (relevant) profile to log in to their site.
>
> Are you saying that the default settings were failing entirely, and
> you had to force tls1 for this site?

I thought that profile had the default settings for security, since it
is used only for interacting with that one vendor.  But it seems not,
since 1 is the default value for tls.version.max.  I must have enabled
1.1 for all of her profiles by adding the line to the prefs.js files.

Chromium must have re-tried with 1.0, since it defaults to 1.2 when
connecting to my servers.

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
Re: Sites which fail with tls > 1.0
Brian Smith writes:

> What is the value of security.tls.version.min?  It should have the
> default value of "0".  If not, could you please try again with
> security.tls.version.min=0 and security.tls.version.max=3?

It is (and was) at the default value 0 for the sm profile in question.

I retried with a new ff profile and now it works, but only if I go
directly to https://wayfarer.timewarnercable.com/; I cannot convince the
new profile to let me in to the authenticated site for some reason I
haven't diagnosed.  That is probably why I thought it didn't re-try.
Something else must have prevented the login.

Clearly, though, sm isn't retrying.

> Also, could you try with Firefox 27 beta?  Firefox 27 is supposed to be
> released next week.  The link to the beta version is here:
> http://www.mozilla.org/en-US/firefox/beta/

That would be more of a pain.

Since the retry problem seems limited to sm, it seems my post was a
false alarm. :(  Sorry for that.

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
Re: Sites which fail with tls > 1.0
Brian Smith writes:

> Thanks for replying.  I am not sure about how SM works but I would
> expect it to work like Firefox in this aspect.

So did I; but even with 2.24pre1 (same gecko as ff27) it does not.

I'll grep thru the src for differences, and open a bugz.

> Understood.  Next week Firefox 27 will be released and I think SM will
> be released around the same time.  I would appreciate hearing whether
> or not you are having the same issues in Firefox 27 or SM 27.

sm 2.24pre1 is the same.  Except of course that the default max vers is
now 3, so that site now requires an explicit prefs setting.

Is the retry logic in nss or in mozilla-central?  And if the latter, can
anyone help narrow the search?  I didn't find anything relevant in
comm-central.

Thanks,

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
Re: Sites which fail with tls > 1.0
Matthias Hunstock writes:

> Firefox 27, default settings, connection to a SSL site fails with
> "sec_error_input_len".  Downgrading to TLS 1.1 via setting
> security.tls.version.max to "2" --> works.

What site?

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6
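The thread above turns on what the client puts in its first message: the cipher suites it offers (the counts in the first message) and the protocol version it announces, which is what a version-intolerant server such as the one described rejects right after the ClientHello, and which the security.tls.version.min/max prefs control. The following is an added, stand-alone example, not code from this thread, from Mozilla or from NSS: a Python decoder for a TLS ClientHello record that reports record-layer version, client_version, cipher suites (flagging RC4) and SNI. The hello bytes are constructed inline by build_client_hello (a fixture, not a real client), the cipher-suite table is a small subset of the IANA registry, the hostname is a placeholder, and fallback_attempts maps the Firefox pref values as the thread uses them (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, with 0 = SSL 3.0) to the order a fallback-capable client would retry.

```python
"""Decode a TLS ClientHello (record + handshake layer) and report what the
client offered.  Constructed fixtures only; nothing here opens a socket."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Firefox security.tls.version.{min,max} values -> wire version (0 = SSL 3.0 ... 3 = TLS 1.2)
FIREFOX_PREF_VERSIONS = {0: 0x0300, 1: 0x0301, 2: 0x0302, 3: 0x0303}

# Small subset of the IANA cipher-suite registry, enough for the sample hellos below.
CIPHER_SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], new_pos); a short read is an error, never a short slice."""
    if n < 0 or pos + n > len(buf):
        raise ValueError("truncated ClientHello at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def build_client_hello(client_version, suites, sni=None, random=b"\x11" * 32):
    """Construct a minimal ClientHello record (a test fixture, not a real client)."""
    body = struct.pack("!H", client_version) + random + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host           # host_name entry
        ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # server_name ext
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version stays at TLS 1.0 for compatibility, as real clients do.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return a dict describing the ClientHello carried in one TLS record."""
    header, pos = _take(data, 0, 5)
    content_type, record_version, record_len = struct.unpack("!BHH", header)
    if content_type != 22:
        raise ValueError("not a handshake record (type %d)" % content_type)
    record, _ = _take(data, pos, record_len)
    if not record or record[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    raw, _ = _take(record, 1, 3)
    hello, _ = _take(record, 4, int.from_bytes(raw, "big"))

    raw, pos = _take(hello, 0, 2)
    client_version = struct.unpack("!H", raw)[0]
    _random, pos = _take(hello, pos, 32)
    raw, pos = _take(hello, pos, 1)
    _session_id, pos = _take(hello, pos, raw[0])
    raw, pos = _take(hello, pos, 2)
    suites_len = struct.unpack("!H", raw)[0]
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    raw, pos = _take(hello, pos, suites_len)
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    raw, pos = _take(hello, pos, 1)
    _compression, pos = _take(hello, pos, raw[0])

    sni = None
    if pos < len(hello):  # the extensions block is optional
        raw, pos = _take(hello, pos, 2)
        exts, pos = _take(hello, pos, struct.unpack("!H", raw)[0])
        epos = 0
        while epos < len(exts):
            raw, epos = _take(exts, epos, 4)
            ext_type, ext_len = struct.unpack("!HH", raw)
            ext_body, epos = _take(exts, epos, ext_len)
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                raw, p = _take(ext_body, 3, 2)
                host, _ = _take(ext_body, p, struct.unpack("!H", raw)[0])
                sni = host.decode("ascii")
    return {
        "record_version": VERSION_NAMES.get(record_version, "0x%04X" % record_version),
        "client_version": VERSION_NAMES.get(client_version, "0x%04X" % client_version),
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, "0x%04X" % s) for s in suites],
        "offers_rc4": any("RC4" in CIPHER_SUITE_NAMES.get(s, "") for s in suites),
        "sni": sni,
    }


def fallback_attempts(pref_min, pref_max):
    """Versions a fallback-capable client would offer, highest first, for the given
    Firefox min/max pref values; an intolerant server walks the client down this list."""
    return [VERSION_NAMES[FIREFOX_PREF_VERSIONS[v]] for v in range(pref_max, pref_min - 1, -1)]


if __name__ == "__main__":
    sample = build_client_hello(0x0303, [0xC02B, 0xC007, 0x00FF], sni="login.example.com")
    print(parse_client_hello(sample))
    print(fallback_attempts(0, 3))
```

On a real capture, feed the first record of the client's first flight to parse_client_hello. The decoder keeps record_version and client_version apart on purpose: a server that drops the connection after the hello may be rejecting either field, and knowing which one the client sent (and at what value) is what distinguishes version intolerance from a cipher-suite mismatch when reading the failure described above.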
Re: Rus GOST 89
Frank Hecker writes:

> Nelson B Bolyard wrote:
>> Today, I see the FSF web site talks about "copyright assignment".  I don't
>> know all the implications of that, but I presume that it is essentially
>> a relinquishment, except that you keep your own name on the copyrighted
>> work.
>
> One last comment on this: Typical copyright assignment agreements
> transfer all rights in the code to someone else.

Note, though, that the FSF's assignment contract licenses the rights back
to the contributor.  You only give up ownership of the code; you can
still use/modify/distribute/etc the contributed code after contributing
it to the FSF.  But only because they explicitly license it back.

(How that interacts with the extent to which the contributed code is a
derivative of GPL or LGPL code sounds like an interesting question.)

-JimC
--
James Cloos          OpenPGP: 1024D/ED7DAEA6