Closed
Bug 1493936
Opened 6 years ago
Closed 6 years ago
Add way to disable DSA signatures through policy
Categories
(NSS :: Libraries, enhancement)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.43
People
(Reporter: ueno, Assigned: ueno)
References
Details
Attachments
(1 file)
While the use of DSA signatures are prohibited in TLS 1.3, there is no way to turn it off through the current policy mechanism. It would be nice if there is a new policy keyword for that.
|
||
Comment 1•6 years ago
|
||
Couldn't you just remove support for "DSA"?
|
Assignee | |
Comment 2•6 years ago
|
||
This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
|
||
Comment 3•6 years ago
|
||
Comment on attachment 9011797 [details]
Bug 1493936, add a new "DSA" policy keyword
Kai Engert (:kaie:) has approved the revision.
Attachment #9011797 -
Flags: review+
|
|
Assignee | |
Comment 5•6 years ago
|
||
Kai, sorry for not responding earlier; as noted on phabricator, I put this on hold because the patch didn't have sufficient test coverage. In fact, it was revised after we realized that client still sends DSA algorithms in the "signature_algorithms" extension.
Now it has a test for both client and server; could you take a look at it again?
Flags: needinfo?(kaie)
|
|
Assignee | |
Comment 6•6 years ago
|
||
Thank you for the review; pushed as:
https://hg.mozilla.org/projects/nss/rev/4bc22e14a592
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(kaie)
Resolution: --- → FIXED
Target Milestone: --- → 3.43
You need to log in
before you can comment on or make changes to this bug.
Description
•