In the upcoming NSS 3.14 release, the default behavior for certificate signatures using the MD5 hash algorithm will change to "reject by default" (see Mozilla bug 590364).
Starting with NSS 3.14, when attempting to validate certificates containing such signatures, a new error code can be returned:

    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

This means the behavior of applications that upgrade to NSS 3.14 and process such certificates will change.

Applications that wish to accept such certificates (despite the weakness of MD5) can use the following code to override the default:

    NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
    NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
    NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);

While unrelated to the change in NSS, it's noteworthy that Firefox 16 is also expected to change its default behaviour to rejection (see Mozilla bug 650355).

Regards
Kai
on behalf of the NSS development team
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto