Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)

Andrew Ayer agwa at andrewayer.name
Tue Jun 2 19:12:28 UTC 2015


On Mon, 1 Jun 2015 16:46:35 +0900
Mike Hommey <mh at glandium.org> wrote:

> > It's up to Mike whether to fix that in the upcoming point release.
> > We're not planning a DSA for this issue alone, but it can be fixed
> > along when upstream releases changes to address the weakdh issue.
> 
> ... which, afaik, is in 3.19.1 released a few days ago (and now in
> unstable).

Indeed it is, according to the release notes [1]:

"The minimum strength of keys that libssl will accept for
finite field algorithms (RSA, Diffie-Hellman, and DSA) have been
increased to 1023 bits (bug 1138554)."

A DSA fixing the weakdh and chain building issues would be great!

Cheers,
Andrew

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes



More information about the pkg-mozilla-maintainers mailing list