Is Firefox SHA-1 Deprecation Policy configurable?

theri...@gmail.com

Sep 16, 2016, 11:44:12 AM
to mozilla-dev-s...@lists.mozilla.org
Working with a client on "workarounds" for avoiding SHA-1 deprecation on a system they are woefully behind on updating for SHA-256 compatibility. They asked/stated that Chrome & probably Firefox were "configurable" in regards to shutting out the trust for SHA-1 SSL/TLS certs. I'm skeptical as I haven't seen anything like that.

Is there any configurability in Firefox regarding this (e.g. from a GPO perspective - Windows environment), or is all the SHA-1 deprecation policy embedded in the Firefox code - to be enforced when that update is pushed out (presumably on/around 1/1/17)? Thanks

Rick

s...@gmx.ch

Sep 17, 2016, 4:50:00 AM
to dev-secur...@lists.mozilla.org
I think that's the security.pki.sha1_enforcement_level pref [1][2].

Regards,
Jonas


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c35
[2] https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/

Andrew R. Whalley

Sep 19, 2016, 11:28:00 AM
to s...@gmx.ch, dev-secur...@lists.mozilla.org
For Chrome, there's the EnableSha1ForLocalAnchors policy that was
introduced in Chrome 54. That will operate as described here
<https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls/sha-1>.

Andrew