This is a follow-up fix of bug 1493936. In the fix, we added a policy check on every signature algorithm: https://hg.mozilla.org/projects/nss/rev/4bc22e14a592#l5.23 This shouldn't be a problem, as the majority of the algorithms are enabled by default. However, for the weak algorithms disabled by default, there's no way to re-enable them other than with the envvar: https://searchfox.org/mozilla-central/source/security/nss/lib/util/secoid.c#2054 I'm attaching a patch that limits the check to DSA, as originally intended.
Bug 1542207 Comment 0 Edit History
This is a follow-up fix of bug 1493936. In the fix, we added a policy check on every signature algorithm: https://hg.mozilla.org/projects/nss/rev/4bc22e14a592#l5.23 In general, that shouldn't be a problem, as the majority of the algorithms are enabled by default. However, for the weak algorithms we disable by default, there's no way to re-enable them other than with the envvar: https://searchfox.org/mozilla-central/source/security/nss/lib/util/secoid.c#2054 I'm attaching a patch that limits the check to DSA, as originally intended.