Open Bug 1632292 Opened 5 years ago Updated 5 years ago

Disable DSA for all TLS operations

Categories

(Core :: Security: PSM, enhancement, P2)

Tracking

Tracking Status
firefox-esr68 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- affected

People

(Reporter: jcj, Unassigned)

Details

(Whiteboard: [psm-backlog])

Bug 1493936 added an SSL policy to disable DSA from all TLS signatures, much like the MD5 policy of yesteryear.

While we don't support any DSA ciphersuites, some actions like client authentication still could perform DSA without this policy set.

In NSSCertDBTrustDomain we have a method DisableMD5 [0] which sets the equivalent policy to prohibit MD5 across the board. We should do the same with DSA using the new policy from Bug 1493936.

[0] https://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#1473

Priority: -- → P2
Whiteboard: [psm-backlog]