Commit 4a9f753d authored by David Keeler's avatar David Keeler
Browse files

bug 1254667 - change certificate verification SHA1 policy to "allow for... 

bug 1254667 - change certificate verification SHA1 policy to "allow for locally-installed roots" r=jcj

Before this patch, the default policy for the use of SHA1 in certificate
signatures was "allow all" due to compatibility concerns.
After gathering telemetry, we are confident that we can enforce the policy of
"allow for locally-installed roots" (or certificates valid before 2016) without
too much breakage.

MozReview-Commit-ID: 8GxtgdbaS3P

--HG--
extra : rebase_source : 7e81131a6c215bf7af514f150ebe2eb16a5c612a
parent 342c0867

browser/app/profile/firefox.js

+2 −2
Original line number Diff line number Diff line
@@ -1445,8 +1445,8 @@ pref("security.cert_pinning.enforcement_level", 1); 


// NB: Changes to this pref affect CERT_CHAIN_SHA1_POLICY_STATUS telemetry.

// See the comment in CertVerifier.cpp.

// 0 = allow SHA-1

pref("security.pki.sha1_enforcement_level", 0);

// 3 = allow SHA-1 for certificates issued before 2016 or by an imported root.

pref("security.pki.sha1_enforcement_level", 3);



// Required blocklist freshness for OneCRL OCSP bypass

// (default is 1.25x extensions.blocklist.interval, or 30 hours)

mobile/android/app/mobile.js

+2 −2
Original line number Diff line number Diff line
@@ -520,8 +520,8 @@ pref("security.cert_pinning.enforcement_level", 1); 


// NB: Changes to this pref affect CERT_CHAIN_SHA1_POLICY_STATUS telemetry.

// See the comment in CertVerifier.cpp.

// Allow SHA-1 certificates

pref("security.pki.sha1_enforcement_level", 0);

// 3 = allow SHA-1 for certificates issued before 2016 or by an imported root.

pref("security.pki.sha1_enforcement_level", 3);



// Required blocklist freshness for OneCRL OCSP bypass

// (default is 1.25x extensions.blocklist.interval, or 30 hours)

security/certverifier/CertVerifier.cpp

+1 −1
Original line number Diff line number Diff line
@@ -484,7 +484,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, 
      // Only collect CERT_CHAIN_SHA1_POLICY_STATUS telemetry indicating a

      // failure when mSHA1Mode is the default.

      // NB: When we change the default, we have to change this.

      if (sha1ModeResult && mSHA1Mode == SHA1Mode::Allowed) {

      if (sha1ModeResult && mSHA1Mode == SHA1Mode::ImportedRoot) {

        *sha1ModeResult = SHA1ModeResult::Failed;

      }