Closed Bug 262186 Opened 20 years ago Closed 11 years ago

SSL cipher policy updates

Categories

(NSS :: Libraries, defect, P3)

3.9.2
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 848384
3.15.2

People

(Reporter: julien.pierre, Assigned: wtc)

Details

It would appear that the export and France policies are essentially obsolete
nowadays, since the US export regulations were relaxed, and the France import
regulations were as well. Therefore, I think we should document
NSS_SetExportPolicy and NSS_SetFrancePolicy as obsolete, and make them return
SECFailure.

Regarding the domestic policy, it includes as a subset many weak cipher suites,
for compatibility with old export clients.  Given the relaxing of US export
regulation many years ago, I don't think it is desirable to use the export
cipher suites any longer in new products. I think we should document the
domestic policy as obsolete for product use for this reason.

I'm not sure what policy we should add as a replacement for the current domestic
policy, if any. It seems to me that it is impossible for NSS to provide a
universal cipher policy for use in products. The domestic policy is mainly
useful for use in our own NSS tools as a default. Products often want to do
different things with their cipher policies - but they don't always implement it
using NSS policy objects at all. The biggest problem with providing a policy for
use in products IMO within NSS is that it has to be set in stone, otherwise it
can cause problems with products' code getting out of sync with the policies if
the NSS policy changes (this happened at least once in the past).

There still exist deployed servers that support only the weak cipher suites.
Do we want to make our clients incompatible with those servers?

Julien, please elaborate on the "set in stone" comment.  I don't follow.
Applications have the ability to create their own custom policies.

The functions that set "domestic", "export" and "france" policies are
merely convenience functions that embody 3 pre-set sets of values for the
policies.  Those functions use the same NSS functions to set those
policies that an application could use for that purpose.  Those functions
allow applications to mimic the policies formerly implemented by "export"
versions of the Netscape browsers.  But they are by no means the only
combinations of ciphersuite policies that applications can use.
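To illustrate the point above, that an application need not rely on the "domestic" preset and can build its own policy from per-suite decisions, here is an added example (not code from this bug or from NSS). It applies a policy stricter than the domestic preset to a constructed table of suite descriptions; the `SuiteInfo` struct and the sample rows are assumptions standing in for what `SSL_GetCipherSuiteInfo()` reports, and the `SSL_CipherPrefSetDefault()` call an application would make per verdict is described in a comment rather than invoked, so the example builds without NSS.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the SSLCipherSuiteInfo fields this policy inspects (assumed
 * layout, constructed for this example; real code fills it per suite from
 * SSL_GetCipherSuiteInfo() over the list from SSL_GetImplementedCiphers()). */
typedef struct {
    unsigned short cipherSuite;       /* IANA cipher suite number */
    const char    *cipherSuiteName;
    const char    *symCipherName;     /* "NULL" means no encryption */
    const char    *authAlgorithmName; /* "NULL" means anonymous key exchange */
    unsigned int   effectiveKeyBits;  /* 40 for export RC4, 112 for 3DES */
    int            isExportable;      /* nonzero for export-grade suites */
} SuiteInfo;

/* Application-defined policy, stricter than the domestic preset: no
 * export-grade suites, no NULL encryption, no anonymous key exchange, and
 * at least 128 effective key bits (the threshold is the application's call). */
int suite_allowed(const SuiteInfo *s)
{
    if (s->isExportable)                           return 0;
    if (strcmp(s->symCipherName, "NULL") == 0)     return 0;
    if (strcmp(s->authAlgorithmName, "NULL") == 0) return 0;
    if (s->effectiveKeyBits < 128)                 return 0;
    return 1;
}

/* Apply the policy to a suite table; records each verdict in enabled[] when
 * that is non-NULL and returns how many suites survive. Against real NSS, each
 * verdict would go to SSL_CipherPrefSetDefault(cipherSuite, PR_TRUE/PR_FALSE). */
size_t apply_policy(const SuiteInfo *suites, size_t n, int *enabled)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = suite_allowed(&suites[i]);
        if (enabled) enabled[i] = ok;
        kept += (size_t)ok;
    }
    return kept;
}

/* Constructed sample rows for a few suites NSS implements. */
const SuiteInfo kSuites[] = {
    {0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RC4",  "RSA",  40,  1},
    {0x0001, "TLS_RSA_WITH_NULL_MD5",          "NULL", "RSA",  0,   0},
    {0x0018, "TLS_DH_anon_WITH_RC4_128_MD5",   "RC4",  "NULL", 128, 0},
    {0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  "3DES", "RSA",  112, 0},
    {0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA",   "AES",  "RSA",  128, 0},
    {0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",   "AES",  "RSA",  256, 0},
};
const size_t kNumSuites = sizeof kSuites / sizeof kSuites[0];
```

Only the two AES suites survive this policy; the export suite, the NULL-cipher suite, the anonymous suite and the 112-bit 3DES suite are each rejected by a different rule.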
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Priority: -- → P3
This will be addressed in bug 848384.
Assignee: nobody → wtc
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.15.2