bug 1330043 - disable SHA-1 in signatures on certificates issued by publicly-trusted roots r?jcj
Unfortunately, this doesn't cover delegated OCSP responder certificates. While
gathering telemetry on the use of SHA-1, we encountered
bug 1183822 (basically,
that the method of gathering telemetry was causing OCSP verification failures
due to delegated responders signed with SHA-1). As a temporary solution, we
changed the verifier to always allow SHA-1 for OCSP certificates when verifying
an OCSP response. Consequently, we now have no idea what the compatibility
impact of disabling SHA-1 in OCSP responder certificates will be, so it's
probably not a good idea to do that right now.
Even if someone does manage to forge an OCSP responder certificate using a SHA-1
collision, they will have about as much power as an active network attacker
blocking OCSP requests or injecting bad stapled OCSP responses, so this isn't a
disaster.
MozReview-Commit-ID: 10r23W1APiR
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -49,18 +49,18 @@ pref("security.enterprise_roots.enabled"
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);
pref("security.pki.cert_short_lifetime_in_days", 10);
// NB: Changes to this pref affect CERT_CHAIN_SHA1_POLICY_STATUS telemetry.
// See the comment in CertVerifier.cpp.
-// 4 = allow SHA-1 for certificates issued before 2016 or by an imported root.
-pref("security.pki.sha1_enforcement_level", 4);
+// 3 = only allow SHA-1 for certificates issued by an imported root.
+pref("security.pki.sha1_enforcement_level", 3);
// security.pki.name_matching_mode controls how the platform matches hostnames
// to name information in TLS certificates. The possible values are:
// 0: always fall back to the subject common name if necessary (as in, if the
// subject alternative name extension is either not present or does not
// contain any DNS names or IP addresses)
// 1: fall back to the subject common name for certificates valid before 23
// August 2016 if necessary
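Review bot: the rewritten comment on `security.pki.sha1_enforcement_level` documents only value 3 and says nothing about the exemption the commit message describes, namely that the verifier still allows SHA-1 on delegated OCSP responder certificates regardless of this pref. An administrator reading "3 = only allow SHA-1 for certificates issued by an imported root" will assume the whole chain plus the OCSP response is covered. Since the NB line above already warns that this pref feeds CERT_CHAIN_SHA1_POLICY_STATUS, add one more line next to it, e.g. `// NB: delegated OCSP responder certificates are exempt from this policy.` Dropping the "4 = ..." line also leaves value 4 undocumented while (per the telemetry comment) users can still set it by hand; if 4 remains accepted, keep a short list of all accepted values here rather than describing only the current default.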
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -639,21 +639,19 @@ CertVerifier::VerifyCert(CERTCertificate
break;
}
if (keySizeStatus) {
*keySizeStatus = KeySizeStatus::AlreadyBad;
}
// The telemetry probe CERT_CHAIN_SHA1_POLICY_STATUS gives us feedback on
// the result of setting a specific policy. However, we don't want noise
- // from users who have manually set the policy to Allowed or Forbidden, so
- // we only collect for ImportedRoot or ImportedRootOrBefore2016.
- if (sha1ModeResult &&
- (mSHA1Mode == SHA1Mode::ImportedRoot ||
- mSHA1Mode == SHA1Mode::ImportedRootOrBefore2016)) {
+ // from users who have manually set the policy to something other than the
+ // default, so we only collect for ImportedRoot (which is the default).
+ if (sha1ModeResult && mSHA1Mode == SHA1Mode::ImportedRoot) {
*sha1ModeResult = SHA1ModeResult::Failed;
}
break;
}
case certificateUsageSSLCA: {
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
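Review bot: the new comment hardcodes "which is the default" in CertVerifier.cpp, but the default is defined in security-prefs.js, and this very patch shows the two drifting when the default moves (4 to 3). Phrase it in terms of the pref instead, e.g. `// we only collect for ImportedRoot, the default value of security.pki.sha1_enforcement_level.`, so a future default change has an obvious place to update. Separately, this hunk narrows only the branch that sets `*sha1ModeResult = SHA1ModeResult::Failed`; if the other sites that write `*sha1ModeResult` (the success cases) still gate on `ImportedRootOrBefore2016`, the probe would keep counting successes for a mode whose failures it no longer records, skewing the ratio. Please confirm those sites are updated in the same patch or that they already test only `ImportedRoot`.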