We have a 4096 bit RSA key, signed with SHA256, use a 4096 bit dhparam, have only TLS 1.0[1] and up enabled, and use !3DES:!AES128:!aNULL:!eNULL:FIPS@STRENGTH for our ssl ciphers.
See the ssltest output for my site to see what various browsers do (scroll down to Handshake Simulation): https://www.ssllabs.com/ssltest/analyze.html?d=exelion.net
Why do current Chrome and current Firefox only support SHA? If I do !SHA in ssl ciphers, no browser can connect due to lack of a compatible cipher.
Now, scroll back up to Cipher Suites. I support cipher suites with SHA256 and SHA384, clearly. So what gives? Why don't Chrome and Firefox allow those? And if you look closely, they still don't do GCM either.
[1]: It took Android browser until 4.4 to support TLS 1.2, Firefox 24 ESR doesn't do 1.2, all the web spider bots don't do TLS 1.2, MSIE 10 and lower don't do 1.2, Safari 6 on OSX and Safari 5 on iOS don't do 1.2.
Android browser in 4.0-4.3 being unable to do 1.2 is the only reason I still leave 1.0 enabled.
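
The behaviour described in the post, as an added example that is not part of the original post: the handshake can only pick a suite from the intersection of what the server enables and what the client offers, so SHA256/SHA384 suites on the server are never chosen if the client does not offer them. Both suite lists are constructed for illustration (the client offer is an assumption, not copied from the ssltest report), and server-preference ordering is assumed.

```python
# OpenSSL suite names: a trailing "-SHA" means HMAC-SHA1 is the record MAC.
# "-SHA256"/"-SHA384" on a CBC suite means HMAC-SHA2; on a GCM suite the hash
# is only the PRF hash and the record is protected by the AEAD tag instead.
def record_mac(suite):
    if "GCM" in suite:
        return "AEAD"
    return {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}[suite.rsplit("-", 1)[1]]

def drop_sha1(suites):
    """Effect of appending :!SHA (OpenSSL's SHA keyword selects SHA1-MAC suites)."""
    return [s for s in suites if record_mac(s) != "SHA1"]

def negotiate(server_pref, client_offer):
    """Return the first server-preferred suite the client also offered, or None."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

# Constructed server list in the shape of the post's string: AES256 only, no 3DES.
SERVER = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
]
# Constructed client offer (assumption): GCM only with AES128, CBC only with SHA1.
CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA",
]

def report(server=SERVER, client=CLIENT):
    """Selected suite before and after !SHA, plus server suites the client never offers."""
    before = negotiate(server, client)
    after = negotiate(drop_sha1(server), client)
    never_offered = [s for s in server if s not in set(client)]
    return before, after, never_offered

if __name__ == "__main__":
    before, after, never_offered = report()
    print("selected:", before, "/ record MAC:", record_mac(before))
    print("selected with !SHA:", after)  # None means handshake failure
    print("enabled on server but not offered by this client:")
    for s in never_offered:
        print("  ", s, "(" + record_mac(s) + ")")
```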