Is Firefox SHA-1 Deprecation Policy configurable?

[theri...@gmail.com]

Working with a client on "workarounds" for avoiding SHA-1 deprecation on a system they are woefully behind on updating for SHA-256 compatible. They asked/stated that Chrome & probably Firefox were "configurable" in regards to shutting out the trust for SHA-1 SSL/TLS certs. I'm skeptical as I haven't seen anything like that.

Is there any configurability in Firefox regarding this (e.g. from a GPO perspective - Windows environment), or is all the SHA-1 deprecation policy embedded in the Firefox code - to be enforced when that update is pushed out (presumably on/around 1/1/17)? Thanks

Rick

[s...@gmx.ch]

I think that's the security.pki.sha1_enforcement_level pref [1][2].

Regards,
Jonas


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c35
[2]
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

[Andrew R. Whalley]

For Chrome, there's the EnableSha1ForLocalAnchors policy that was
introduced in Chrome 54. That will operate as described here
<https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls/sha-1>
.

Andrew