In the upcoming NSS 3.14 release, the default behavior for
certificate signatures using the MD5 hash algorithm will change to
"reject by default" (see Mozilla bug 590364).

Starting with NSS 3.14, when attempting to validate certificates
containing such signatures, a new error code can be returned:
  SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

This means the behavior of applications that upgrade to NSS 3.14 and
process such certificates will change.

Applications that wish to accept such certificates (despite the weakness
of MD5) can use the following code to override the default:

  /* NSS_SetAlgorithmPolicy(tag, setBits, clearBits): setting the
     NSS_USE_ALG_IN_CERT_SIGNATURE bit re-enables the tag for
     certificate signature checking. */
  NSS_SetAlgorithmPolicy(SEC_OID_MD5,
                         NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
  NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                         NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
  NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
                         NSS_USE_ALG_IN_CERT_SIGNATURE, 0);

While unrelated to the change in NSS, it's noteworthy that Firefox 16 is
also expected to change its default behaviour to rejection (see Mozilla
bug 650355).

Regards
Kai on behalf of the NSS development team


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
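Added example (not part of the announcement above, and not NSS code): a small DER walk that reads the outer signatureAlgorithm OID of a certificate and reports whether it is one of the MD5 tags the announcement names, so an inventory of certificates can be checked before upgrading to NSS 3.14. The two certificate byte strings are constructed stubs with an empty tbsCertificate, not real certificates.

```python
"""Flag certificates whose signature algorithm NSS 3.14 rejects by default."""

# Dotted OIDs behind the SEC_OID_* tags in the announcement (RFC 3279 / PKCS#5).
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.2.5": "SEC_OID_MD5",
    "1.2.840.113549.1.1.4": "SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION",
    "1.2.840.113549.1.5.3": "SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC",
}

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def rejected_by_nss_314(cert_der: bytes):
    """Return the SEC_OID_* name NSS 3.14 disables for this signature, else None."""
    return MD5_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

# Constructed stubs: empty tbsCertificate SEQUENCE, AlgorithmIdentifier with NULL
# parameters, empty BIT STRING. Enough structure for the check, not real certs.
MD5_STUB_CERT = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101040500" "030100")
SHA256_STUB_CERT = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")

if __name__ == "__main__":
    for name, der in (("md5 stub", MD5_STUB_CERT), ("sha256 stub", SHA256_STUB_CERT)):
        print(name, signature_algorithm_oid(der), rejected_by_nss_314(der))
```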