Description of problem:
When server has a certificate signed with rsa-pss algorithm, Firefox rejects it with SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a regular RSA CA
2. Sign a server certificate with PKCS#1 RSASSA-PSS algorithm (certutil --pss-sign)
3. Import CA to Firefox
4. Start a server with the certificate signed in step 2.
5. Connect Firefox to the server
Your connection is not secure
Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
Connection established, certificate accepted as valid
Note that support for RSA-PSS in certificates on NSS side was added in 3.34.
Hm, is that something on FF side?
See also reply of Brian Smith in upstream bug.
It's an issue in mozilla::pkix, and mozilla::pkix is not part of NSS.
According to upstream this is unlikely to happen in the RHEL 7.5 time frame. So essentially there's nothing to do for the Firefox maintainers at Red Hat, but this is rather a tracking bug for this feature becoming available. Let's at least post pone this bug to 7.6.
Sorry we don't have a fix for that.
As you can see the upstream bug are still open. We can have this opened for tracking purpose if you wish but don't expect it in upcoming Firefox 68 ESR rebase.