
Intent to remove DHE ciphers from WebRTC DTLS handshake


Nils Ohlmeier

Aug 29, 2018, 6:56:20 PM
to dev-platform
Summary:

We are looking at removing the DHE cipher suites from the DTLS handshake in Firefox soon.

Ciphers:
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
are the two suites which we want to remove, because they are considered too weak.

A Telemetry probe landed in Firefox 63 Nightly to monitor the usage of the different cipher suites:
https://telemetry.mozilla.org/new-pipeline/dist.html#measure=WEBRTC_DTLS_CIPHER

Bug tracking the deactivation:
https://bugzilla.mozilla.org/show_bug.cgi?id=1227519

Targeted release: Firefox 66

Best
Nils Ohlmeier
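
An added example, not part of the original post or of Mozilla's code: a Python check that parses one unfragmented DTLS ClientHello record and reports whether it still offers either of the two DHE suites named in the announcement. The function names and the constructed sample record are assumptions for illustration; 0x0033 and 0x0039 are the IANA code points of those two suites.

```python
import struct

# IANA code points of the two suites named in the announcement.
DHE_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

def _take(buf, pos, n):
    """Return (n bytes at pos, new pos); raise instead of reading past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def offered_suites(record):
    """Cipher suite code points in one unfragmented DTLS ClientHello record."""
    hdr, pos = _take(record, 0, 13)            # type, version, epoch, seq(6), length
    if hdr[0] != 22:
        raise ValueError("not a handshake record")
    body, _ = _take(record, pos, int.from_bytes(hdr[11:13], "big"))
    hs, pos = _take(body, 0, 12)               # type, len(3), msg_seq, frag_off(3), frag_len(3)
    if hs[0] != 1 or hs[6:9] != b"\x00\x00\x00" or hs[1:4] != hs[9:12]:
        raise ValueError("not an unfragmented ClientHello")
    hello, _ = _take(body, pos, int.from_bytes(hs[9:12], "big"))
    _, pos = _take(hello, 0, 2 + 32)           # client_version + random
    for _field in ("session_id", "cookie"):    # two vectors with 1-byte lengths
        n, pos = _take(hello, pos, 1)
        _, pos = _take(hello, pos, n[0])
    n, pos = _take(hello, pos, 2)              # cipher_suites length
    raw, _ = _take(hello, pos, int.from_bytes(n, "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    return [c for (c,) in struct.iter_unpack("!H", raw)]

def flagged_dhe(record):
    """Names of the announced DHE suites that this ClientHello still offers."""
    return [DHE_SUITES[c] for c in offered_suites(record) if c in DHE_SUITES]

def build_sample(suites):
    """Constructed test input: a minimal DTLS 1.2 ClientHello record (no extensions)."""
    cs = b"".join(struct.pack("!H", c) for c in suites)
    hello = b"\xfe\xfd" + bytes(32) + b"\x00" + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    n = len(hello).to_bytes(3, "big")
    hs = b"\x01" + n + b"\x00\x00" + b"\x00\x00\x00" + n + hello
    return b"\x16\xfe\xfd" + bytes(8) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(flagged_dhe(build_sample([0xC02B, 0xC02F, 0x0033, 0x0039])))
```
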

Nicholas Alexander

Aug 30, 2018, 5:15:11 PM
to Nils Ohlmeier, dev-platform
On Wed, Aug 29, 2018 at 3:56 PM, Nils Ohlmeier <nohl...@mozilla.com>
wrote:

> Summary:
>
> We are looking at removing the DHE cipher suites from the DTLS handshake
> in Firefox soon.
>
> Ciphers:
> - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> are the two suites which we want to remove, because they are considered
> too weak.
>

Are these suites considered "too weak" across the board? For historical
reasons Firefox for Android will handshake to Firefox Sync servers using
these suites:
https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#73.
Sounds like we should drop those suites there too -- can you confirm?

Nick

Nicholas Alexander

Aug 31, 2018, 2:05:04 PM
to Nils Ohlmeier, dev-platform
On Thu, Aug 30, 2018 at 2:15 PM, Nicholas Alexander <nalex...@mozilla.com>
wrote:
After a little (off-list) discussion, I've filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1487842 tracking dropping
these.

Thanks, Nils (and others)!
Nick