old ciphers: Does NSS allow usage of old, deprecated or weak ciphers

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

old ciphers: Does NSS allow usage of old, deprecated or weak ciphers

gajanan.x.kulkarni
Hi

For legacy reason customer wants to use old weak ciphers for internal
communication.

So I want to know if NSS allow usage of old, deprecated or weak ciphers

Did NSS removed any old ciphers ?

Does NSS throw errors while connecting the server using old weak ciphers?

How to enable old weak ciphers?

Thanks

Gajanan.


_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: old ciphers: Does NSS allow usage of old, deprecated or weak ciphers

Martin Thomson
 NSS has removed some extremely crufty stuff, but most of the primitives
are still in place.

You can still access MD2 or single-DES via the PKCS#11 interface if you
need access to the raw primitives.

For TLS, which I'm assuming is what you are interested in, we have removed
SSL version 2, but we still have SSL version 3.  It's disabled by default,
but it can be enabled if you really need it.  The same goes for a bunch of
ciphersuites or primitives that are equally inadvisable.

Many of these are now turned off by default, but if you need RC4, SHA-1, or
single-DES in TLS, the code is mostly still there and accessible.  To turn
these on, take a look at:

SSL_VersionRangeSet for TLS versions
SSL_CipherPrefSet for cipher suites
SSL_SignatureSchemePrefSet for signing algorithms
SSL_NamedGroupConfig for key exchange algorithms

For really old configurations, you might have to use all of these.  If you
have more specific requirements or questions, just ask.

Finally, I'm assuming here that you have verified that a) you really need
this stuff, b) you don't genuinely depend on these algorithms, and c)
upgrading the other end is infeasible.  Because when you do this, you
aren't getting anything like what we would consider "security"  by modern
standards.

On Wed, Dec 11, 2019 at 7:42 PM <[hidden email]> wrote:

> Hi
>
> For legacy reason customer wants to use old weak ciphers for internal
> communication.
>
> So I want to know if NSS allow usage of old, deprecated or weak ciphers
>
> Did NSS removed any old ciphers ?
>
> Does NSS throw errors while connecting the server using old weak ciphers?
>
> How to enable old weak ciphers?
>
> Thanks
>
> Gajanan.
>
>
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

support dates for NSS 3.x

gajanan.x.kulkarni
In reply to this post by gajanan.x.kulkarni
NSS Team

Please let me know how long NSS 3.x is supported?

Thanks

Gajanan.


_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: support dates for NSS 3.x

JC Jones
On Tuesday, December 17, 2019 at 7:03:13 AM UTC+1, [hidden email] wrote:
> NSS Team
>
> Please let me know how long NSS 3.x is supported?
>
> Thanks
>
> Gajanan.

There are no plans to halt support of the NSS 3.x series. That said, we don't back-port fixes indefinitely, choosing to generally follow the Firefox ESR model for one version of NSS.
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security