Bug 917047: Remove the security.enable_md5_signatures pref, r=briansmith
authorAjitesh Gupta <ajgupta93@gmail.com>
Tue, 19 Nov 2013 16:05:26 -0800
changeset 173982 230be93de11f0df5fcc23089ba4ff0ff6a95ceba
parent 173981 ca4c295c94542e09918bec9884f34c20b2f2f6a7
child 173983 da83eb7cb686ca7882b159d09828b592ed29ef76
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewersbriansmith
bugs917047
milestone28.0a1
Bug 917047: Remove the security.enable_md5_signatures pref, r=briansmith
media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
netwerk/base/public/security-prefs.js
security/manager/ssl/src/PublicSSL.h
security/manager/ssl/src/nsNSSComponent.cpp
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@@ -107,17 +107,17 @@ static nsresult InitNSSInContent()
     return NS_ERROR_FAILURE;
   }
 
   if (NS_FAILED(mozilla::psm::InitializeCipherSuite())) {
     CSFLogError(logTag, "Fail to set up nss cipher suite.");
     return NS_ERROR_FAILURE;
   }
 
-  mozilla::psm::ConfigureMD5(false);
+  mozilla::psm::DisableMD5();
 
   nssStarted = true;
 
   return NS_OK;
 }
 #endif // MOZILLA_INTERNAL_API
 
 namespace mozilla {
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -1,15 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 pref("security.tls.version.min", 0);
 pref("security.tls.version.max", 3);
-pref("security.enable_md5_signatures", false);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_ocsp_stapling", true);
 pref("security.ssl.enable_false_start", true);
--- a/security/manager/ssl/src/PublicSSL.h
+++ b/security/manager/ssl/src/PublicSSL.h
@@ -10,16 +10,16 @@
 namespace mozilla {
 
 void ClearPrivateSSLState();
 
 namespace psm {
 
 void InitializeSSLServerCertVerificationThreads();
 void StopSSLServerCertVerificationThreads();
-void ConfigureMD5(bool enabled);
+void DisableMD5();
 nsresult InitializeCipherSuite();
 
 } //namespace psm
 } // namespace mozilla
 
 #endif
 
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -926,17 +926,16 @@ setNonPkixOcspEnabled(int32_t ocspEnable
 #define OCSP_REQUIRED_DEFAULT false
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
 #define FIRST_REVO_METHOD_DEFAULT "ocsp"
 #define USE_NSS_LIBPKIX_DEFAULT false
 #define OCSP_STAPLING_ENABLED_DEFAULT true
 
 static const bool SUPPRESS_WARNING_PREF_DEFAULT = false;
-static const bool MD5_ENABLED_DEFAULT = false;
 static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
 static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
 static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool CIPHER_ENABLED_DEFAULT = false;
 
 namespace {
 
 class CipherSuiteChangeObserver : public nsIObserver
@@ -1289,19 +1288,17 @@ nsNSSComponent::InitializeNSS(bool showW
       SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
 
       rv = setEnabledTLSVersions();
       if (NS_FAILED(rv)) {
         nsPSMInitPanic::SetPanic();
         return NS_ERROR_UNEXPECTED;
       }
 
-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      ConfigureMD5(md5Enabled);
+      DisableMD5();
 
       SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, true);
 
       bool requireSafeNegotiation =
         Preferences::GetBool("security.ssl.require_safe_negotiation",
                              REQUIRE_SAFE_NEGOTIATION_DEFAULT);
       SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
 
@@ -1703,21 +1700,16 @@ nsNSSComponent::Observe(nsISupports *aSu
     nsNSSShutDownPreventionLock locker;
     bool clearSessionCache = false;
     NS_ConvertUTF16toUTF8  prefName(someData);
 
     if (prefName.Equals("security.tls.version.min") ||
         prefName.Equals("security.tls.version.max")) {
       (void) setEnabledTLSVersions();
       clearSessionCache = true;
-    } else if (prefName.Equals("security.enable_md5_signatures")) {
-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      ConfigureMD5(md5Enabled);
-      clearSessionCache = true;
     } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
       bool requireSafeNegotiation =
         Preferences::GetBool("security.ssl.require_safe_negotiation",
                              REQUIRE_SAFE_NEGOTIATION_DEFAULT);
       SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
     } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
       bool allowUnrestrictedRenego =
         Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
@@ -2030,34 +2022,24 @@ setPassword(PK11SlotInfo *slot, nsIInter
   }
  loser:
   return rv;
 }
 
 namespace mozilla {
 namespace psm {
 
-void ConfigureMD5(bool enabled)
+void DisableMD5()
 {
-  if (enabled) { // set flags
-    NSS_SetAlgorithmPolicy(SEC_OID_MD5,
-        NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE, 0);
-    NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
-        NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE, 0);
-    NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
-        NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE, 0);
-  }
-  else { // clear flags
-    NSS_SetAlgorithmPolicy(SEC_OID_MD5,
-        0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
-    NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
-        0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
-    NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
-        0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
-  }
+  NSS_SetAlgorithmPolicy(SEC_OID_MD5,
+      0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
+  NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
+      0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
+  NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
+      0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
 }
 
 nsresult InitializeCipherSuite()
 {
   NS_ASSERTION(NS_IsMainThread(), "InitializeCipherSuite() can only be accessed in main thread");
 
   if (NSS_SetDomesticPolicy() != SECSuccess) {
     return NS_ERROR_FAILURE;
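Review bot: DisableMD5() discards the SECStatus returned by all three NSS_SetAlgorithmPolicy calls and itself returns void, so if any call fails, whatever MD5 policy NSS started with stays in place and nothing is reported or logged. With the pref and its observer branch removed, this function is the only place the policy is applied, and both call sites (InitNSSInContent in PeerConnectionImpl.cpp and nsNSSComponent::InitializeNSS) already abort when neighbouring NSS setup steps fail. I would have it return nsresult, checking against SECSuccess the way InitializeCipherSuite does just below, and have the two callers fail initialization on error; the declaration in PublicSSL.h changes to match. InitializeCipherSuite continues past the end of this hunk.

```cpp
nsresult DisableMD5()
{
  // NSS_SetAlgorithmPolicy(tag, setBits, clearBits): set nothing, clear the
  // signature-use bits so MD5-based signatures are rejected.
  const uint32_t signatureUses =
    NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE;
  if (NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, signatureUses) != SECSuccess ||
      NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                             0, signatureUses) != SECSuccess ||
      NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
                             0, signatureUses) != SECSuccess) {
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}
// … unchanged: InitializeCipherSuite …
```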