RHEL includes several cryptographic components who's security doesn't remain constant over time. Algorithms such as (cryptographic) hashing and encryption typically have a lifetime after which they are considered either too risky to use or plain insecure. That would mean we need to phase out such algorithms from the default settings, or completely disable if they could cause irreparable issue.
This bug is about disabling the MD5 algorithm from the NSS library, while at the same hand providing a configuration method for MD5 to be allowed when needed.
For future extensibility in RHEL-7 it is recommended for any introduced configuration method to be re-usable for future algorithm or parameter deprecation (e.g., SHA1 or less than 1024-bit RSA/DH parameters), and ideally part of upstream.
Hubert, do you know the syntax of the NSS_HASH_ALG_SUPPORT variable? If not, I can try to find old emails, where this had been discussed.
Another clarification question:
Is this about "disable active signing of certificates with algorithms that involve a MD5 hash" ?
Or, is this about "reject any signatures that involve a MD5 hash"?
Or is it about both?
Also, how will we test?
Hubert, do you expect Daiki to test that this works locally, before submitting a build to QE? If yes, do you possibly already have commands that could be used to test it?
(In reply to Kai Engert (:kaie) from comment #4)
> Hubert, do you know the syntax of the NSS_HASH_ALG_SUPPORT variable? If not,
> I can try to find old emails, where this had been discussed.
sorry, didn't notice this question before
the syntax is "NSS_HASH_ALG_SUPPORT=+MD5" for allowing support, "NSS_HASH_ALG_SUPPORT=-MD5" explicitly disabling support and "NSS_HASH_ALG_SUPPORT=" for using the default
Issue with NSS requiring an empty line at the end of policy file before it is recognised is tracked in bug 1397979.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.