How to enable SHA3 Certificate Signature Algorithm in Thunderbird and FF?

  • 4 replies
  • 1 has this problem
  • 1 view
  • Last reply by Matt

How to enable SHA3 Certificate Signature Algorithm in Thunderbird and Firefox, please?

In this sample, I imported an RSA certificate generated by openssl with default_md=sha3-512.

But Thunderbird and FF do not accept them, with these errors:

- "Could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure"
- the missing algorithm name substituted by the related OID.

Best Regards, kokoro

Reminder: SHA3 is the new hash adopted by NIST on 2015/08/05, being a more secure alternative to SHA2. It should be supported by FF/Thunderbird to take the immediate backup of SHA2.

Edited by kokoro1

All Replies (4)

Any certificate less than 2400 bit has been deprecated and, as you see, generates an error because they are no more secure than having no certificate.

OpenSSL will not generate a certificate you can install in any case, as there is no certifying authority recognized for self-signed certificates.

Firefox 67 currently supports these signature algorithms: SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA, RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, SHA256/RSA, SHA384/RSA, SHA512/RSA, SHA1/ECDSA, SHA1/RSA

I don't see SHA-3 there, so I don't expect Thunderbird to support it either.

FF/Thunderbird (NCC) "policy" should support SHA3, as openssl has supported it since the latest release about one year ago.

Thank you for your 2 gentle inputs. One may not compare PK size and signature strength; moreover, each algorithm has its own size references about strength. If you want to compare strength for signature, check out, for instance, https://en.wikipedia.org/wiki/Template:Comparison_of_SHA_functions. Self-sign is an unrelated topic, my certificates being CA signed indeed :)

The bug indicates it is not yet supported. All we can do here is advise you of the status of the bug and remind you this is a support forum, not a point of advocacy as to what features the product should implement.

See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1342546