Bug 1335915
Summary: | Disable the MD5 as a signing algorithm in NSS library | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> | |
Component: | nss | Assignee: | Daiki Ueno <dueno> | |
Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | |
Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> | |
Priority: | unspecified | |||
Version: | 6.9 | CC: | dueno, hkario, kengert, qe-baseos-security, rrelyea, szidek, tmraz | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | nss-3.27.1-1.el6 | Doc Type: | Deprecated Functionality | |
Doc Text: |
MD5 as the signing algorithm disabled
This change prevents the Network Security Services (NSS) library from using MD5 as the signing algorithm in *TLS*. This change ensures that programs using *NSS* are not vulnerable to attacks such as the SLOTH attack.
A system administrator can enable MD5 support by modifying the `/etc/pki/nss-legacy/nss-rhel6.config` policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=MD5"
Note that an empty line is required at the end of the file.
|
Story Points: | --- | |
Clone Of: | 1335914 | |||
: | 1335919 1335920 (view as bug list) | Environment: | ||
Last Closed: | 2017-03-21 10:26:29 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1335911, 1343211, 1397979 |
Description
Nikos Mavrogiannopoulos
2016-05-13 14:23:47 UTC
Hubert, do you know the syntax of the NSS_HASH_ALG_SUPPORT variable? If not, I can try to find old emails, where this had been discussed. Another clarification question: Is this about "disable active signing of certificates with algorithms that involve a MD5 hash" ? Or, is this about "reject any signatures that involve a MD5 hash"? Or is it about both? Also, how will we test? Hubert, do you expect Daiki to test that this works locally, before submitting a build to QE? If yes, do you possibly already have commands that could be used to test it? (In reply to Kai Engert (:kaie) from comment #4) > Hubert, do you know the syntax of the NSS_HASH_ALG_SUPPORT variable? If not, > I can try to find old emails, where this had been discussed. sorry, didn't notice this question before the syntax is "NSS_HASH_ALG_SUPPORT=+MD5" for allowing support, "NSS_HASH_ALG_SUPPORT=-MD5" explicitly disabling support and "NSS_HASH_ALG_SUPPORT=" for using the default Issue with NSS requiring an empty line at the end of policy file before it is recognised is tracked in bug 1397979. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0671.html |