Open Bug 482882 Opened 15 years ago Updated 1 year ago

All uses of MD2 algorithm should be disabled


(NSS :: Libraries, defect, P3)



(Not tracked)


(Reporter: julien.pierre, Unassigned)


(Blocks 1 open bug)


These 2 hashing algorithms have been broken and are no longer in wide use. There was agreement in bug 471539 that they should be turned off for signature verification by default. I haven't heard any rationale for continuing to support them for any other uses. So, I propose that we turn off these algorithms for all uses.

This would necessitate changes in 2 places :

1) in pk11wrap

This should take care of all uses by higher levels, including for certificate
signatures, S/MIME, VFY APIs, and of course pk11wrap APIs, regardless of which PKCS#11 module provides the mechanisms for MD2 and MD4.

These algorithms should be off by default.

It should be possible to turn them back on either by environment variable  or
programmatically. For the environment variable method, we may
want fine-grain control for each algorithm, not one variable controlling a
bunch of algorithms together.

2) in softoken or freebl

This is needed to prevent use of MD2 and MD4 by programs such as Java apps that
only use the softoken PKCS#11 library, but not the higher-level NSS libraries.

softoken already has a method of passing initialization parameters in to
C_Initialize. This may not be acceptable to many applications, however.

So we may want to also use the same environment variables as I propose to use
in pk11wrap to turn off these algorithms in softoken/freebl.
I have verified that MD4 not only has no implementation in softoken, but has no way to hook a PKCS #11 module up. There is no MD4 mechanism defined for PKCS #11, and the MD4 OID in NSS maps to CKM_INVALID_MECHANISM.


Thanks ! I think that means we can make this bug about MD2 only.
Summary: All uses of MD2 and MD4 algorithms should be disabled → All uses of MD2 algorithm should be disabled
In today's meeting, Bob suggested that we only disable MD2/MD4 in the VFY layer, the rationale for that being that they can still be used for checksum type, non cryptographic operations. MD4 is no longer an issue.

That leaves MD2, which Nelson said is a fairly slow algorithm, and thus would seem to be a poor choice of checksum algorithm. Do we know anyone who is using MD2 in that fashion ? I also don't think it's the role of NSS to provide algorithms for non-secure uses.

However, MD2 support is a compatibility issue, and is still needed for several SSL2 cipher suites, for those people still intent on using that broken protocol.
Regardless of what default we choose, I still think we need a switch for it, and I would prefer it to be an all-off switch than a partial one (as in bug 471539) or just for VFY.
I thought all uses of MD2 had already been disabled.

Is this bug still open for a reason?
We don't disable MD2 everywhere currently. We do reject it for signatures*, but we do have an implementation for MD2 internally.

We don't actually explicitly use it anywhere, but it is possible that it could show up in, say, an S/MIME signature or something.

*I think it's only turned off for CRL, Cert and soon to be OCSP signatures.
Assignee: nobody → kjacobs.bugzilla
Priority: -- → P1
QA Contact: jjones

Bob - is it critical that all tests pass when MD2 is disabled (vs. failing expectedly on tests that use MD2)? On one hand, users might expect that all tests should pass unless there's a problem, but if someone is actually relying on MD2 and running tests, we'd want a failure to indicate that MD2 was not included in the build.

On CI we'll keep it enabled, but I'm not sure it's worth the effort to make tests context-aware if we plan to remove them in the near future. See: with MD2 disabled.


Blocks: 1648191

The bug assignee didn't login in Bugzilla in the last months and this bug has priority 'P1'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: kjacobs.bugzilla → nobody
Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)
Priority: P1 → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.