Closed Bug 1493936 Opened 6 years ago Closed 5 years ago

Add way to disable DSA signatures through policy

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Assigned: ueno)

Attachments

(1 file)

While the use of DSA signatures is prohibited in TLS 1.3, there is no way to turn it off through the current policy mechanism. It would be nice if there were a new policy keyword for that.

Couldn't you just remove support for "DSA"?

This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.

We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
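The compatibility concern in the comment above, as an added example that is not part of the bug or of NSS: a simplified model of a `disallow=`/`allow=` policy string that reports which newly introduced keywords an existing policy turns off without ever naming them. The keyword lists and both policy strings are constructed, "ECDSA" and "RSA-PSS" are only the hypothetical keywords floated in the comment, and the model assumes colon-separated lists, default-enabled keywords, and `disallow` applied before `allow`.

```python
import re

def parse_policy(config):
    """Split 'disallow=A:B allow=C:D' into upper-cased keyword lists."""
    lists = {"disallow": [], "allow": []}
    for key, value in re.findall(r"(?<!\S)(disallow|allow)=(\S+)", config):
        lists[key] += [k.upper() for k in value.split(":") if k]
    return lists

def effective(config, known):
    """Return {keyword: enabled} for every keyword the library knows."""
    lists = parse_policy(config)
    # Assumption: a keyword is enabled unless the policy says otherwise.
    state = {k: True for k in known}
    # Assumption: the disallow list is applied first, then the allow list.
    for enabled, names in ((False, lists["disallow"]), (True, lists["allow"])):
        for name in names:
            for target in (known if name == "ALL" else [name]):
                if target in state:
                    state[target] = enabled
    return state

def silently_disabled(config, new_keywords, old_keywords):
    """New keywords that end up disabled although the policy never names them."""
    lists = parse_policy(config)
    named = set(lists["disallow"]) | set(lists["allow"])
    state = effective(config, list(old_keywords) + list(new_keywords))
    return [k for k in new_keywords if not state[k] and k not in named]

# Constructed sample data, not taken from any real policy file.
OLD_KEYWORDS = ["SHA256", "AES128-CBC", "MD5"]
NEW_KEYWORDS = ["DSA", "ECDSA", "RSA-PSS"]   # ECDSA / RSA-PSS are hypothetical
FEDORA_STYLE = "disallow=ALL allow=SHA256:AES128-CBC"   # allow-list policy
DENYLIST_STYLE = "disallow=MD5:DSA"                     # explicit deny-list policy

if __name__ == "__main__":
    for policy in (FEDORA_STYLE, DENYLIST_STYLE):
        print(policy, "->", silently_disabled(policy, NEW_KEYWORDS, OLD_KEYWORDS))
```

Under the allow-list policy every new keyword is switched off by `ALL`, which is the intended outcome for "DSA" but would disable ECDSA or RSA-PSS signatures until the policy file is updated.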
Comment on attachment 9011797
Bug 1493936, add a new "DSA" policy keyword

Kai Engert (:kaie:) has approved the revision.
Attachment #9011797 - Flags: review+
Depends on: 1497537
QA Contact: franziskuskiefer

Daiki, FYI, there was r+ but no further update.

Assignee: nobody → dueno

Kai, sorry for not responding earlier; as noted on Phabricator, I put this on hold because the patch didn't have sufficient test coverage. In fact, it was revised after we realized that the client still sends DSA algorithms in the "signature_algorithms" extension.

Now it has a test for both client and server; could you take a look at it again?

Flags: needinfo?(kaie)

Thank you for the review; pushed as:
https://hg.mozilla.org/projects/nss/rev/4bc22e14a592

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(kaie)
Resolution: --- → FIXED
Target Milestone: --- → 3.43