Closed
Bug 262186
Opened 21 years ago
Closed 12 years ago
SSL cipher policy updates
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 848384
3.15.2
People
(Reporter: julien.pierre, Assigned: wtc)
Details
It would appear that the export and France policies are essentially obsolete
nowadays, since the US export regulations were relaxed, and the France import
regulations were as well. Therefore, I think we should document
NSS_SetExportPolicy and NSS_SetFrancePolicy as obsolete, and make them return
SECFailure.
Regarding the domestic policy, it includes as a subset many weak cipher suites,
for compatibility with old export clients. Given the relaxing of US export
regulation many years ago, I don't think it is desirable to use the export
cipher suites any longer in new products. I think we should document the
domestic policy as obsolete for product use for this reason.
I'm not sure what policy we should add as a replacement for the current domestic
policy, if any. It seems to me that it is impossible for NSS to provide a
universal cipher policy for use in products. The domestic policy is mainly
useful for use in our own NSS tools as a default. Products often want to do
different things with their cipher policies - but they don't always implement it
using NSS policy objects at all. The biggest problem with providing a policy for
use in products IMO within NSS is that it has to be set in stone, otherwise it
can cause problems with products' code getting out of sync with the policies if
the NSS policy changes (this happened at least once in the past).
Comment 1•21 years ago
There still exist deployed servers that support only the weak cipher suites.
Do we want to make our clients incompatible with those servers?
Comment 2•21 years ago
Julien, please elaborate on the "set in stone" comment. I don't follow.
Applications have the ability to create their own custom policies.
The functions that set "domestic", "export" and "france" policies are
merely convenience functions that embody 3 pre-set sets of values for the
policies. Those functions use the same NSS functions to set those
policies that an application could use for that purpose. Those functions
allow applications to mimic the policies formerly implemented by "export"
versions of the Netscape browsers. But they are by no means the only
combinations of ciphersuite policies that applications can use.
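An added illustration, not part of any comment in this bug and not NSS code: a small C model of the structure described in Comment 2, where a preset and an application-defined policy are both built on one per-suite setter, and of the compatibility question raised in Comment 1. All names (`policy_set`, `set_permit_all_policy`, `set_custom_policy`, `negotiate`), the suite table and the 112-bit threshold are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not NSS code: one policy flag per cipher suite. */
typedef struct { uint16_t id; int key_bits, exportable, allowed; } suite_t;
static suite_t suites[] = {   /* IANA code point, effective key bits */
    {0x0003,  40, 1, 0},      /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
    {0x0006,  40, 1, 0},      /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
    {0x0009,  56, 0, 0},      /* TLS_RSA_WITH_DES_CBC_SHA */
    {0x000A, 112, 0, 0},      /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
    {0x002F, 128, 0, 0},      /* TLS_RSA_WITH_AES_128_CBC_SHA */
    {0x0035, 256, 0, 0},      /* TLS_RSA_WITH_AES_256_CBC_SHA */
};
#define NSUITES (sizeof suites / sizeof suites[0])

/* Per-suite setter: the single primitive every policy is built from. */
static int policy_set(uint16_t id, int allowed) {
    for (size_t i = 0; i < NSUITES; i++)
        if (suites[i].id == id) { suites[i].allowed = allowed; return 0; }
    return -1;                /* unknown suite */
}

/* Preset in the style of a convenience function: permit every suite. */
static void set_permit_all_policy(void) {
    for (size_t i = 0; i < NSUITES; i++) policy_set(suites[i].id, 1);
}

/* Application-defined policy: no export suites, minimum key size. */
static void set_custom_policy(int min_bits) {
    for (size_t i = 0; i < NSUITES; i++)
        policy_set(suites[i].id,
                   !suites[i].exportable && suites[i].key_bits >= min_bits);
}

/* First peer-offered suite the local policy permits; 0 if none match. */
static uint16_t negotiate(const uint16_t *offer, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < NSUITES; j++)
            if (suites[j].id == offer[i] && suites[j].allowed) return offer[i];
    return 0;
}

int main(void) {
    const uint16_t legacy[] = {0x0003, 0x0006};  /* export-only server */
    set_permit_all_policy();
    printf("permit-all: 0x%04X\n", negotiate(legacy, 2));
    set_custom_policy(112);
    printf("custom:     0x%04X\n", negotiate(legacy, 2));
    return 0;
}
```

Under the custom policy the export-only peer has no suite in common with the client, which is the incompatibility Comment 1 asks about.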
Updated•20 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Updated•19 years ago
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Updated•19 years ago
Priority: -- → P3
Comment 3•12 years ago
This will be addressed in bug 848384.
Assignee: nobody → wtc
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.15.2