[cabfpub] Fwd: Re: SHA-256 support

Gervase Markham gerv at mozilla.org
Tue Nov 26 10:32:40 UTC 2013

Hi everyone,

Here is a more nuanced answer from wtc about when and how much NSS
supports SHA-2.

NSS 3.11.1/3.11.4 or later were included in Firefox 2.0 and later.


-------- Original Message --------
Subject: Re: SHA-256 support
Date: Tue, 19 Nov 2013 10:40:25 -0800
From: Wan-Teh Chang <wtc at google.com>
Reply-To: mozilla's crypto code discussion list
<dev-tech-crypto at lists.mozilla.org>
To: mozilla's crypto code discussion list
<dev-tech-crypto at lists.mozilla.org>
Newsgroups: mozilla.dev.tech.crypto
References: <v8ydnXNXANDjthfPnZ2dnUVZ_j6dnZ2d at mozilla.org>
<528ACAD1.3090708 at REDHAT.COM>

Bob's answer is accurate.

Note that CAs are more interested in SHA-2 based signature support
rather than plain SHA-2 support. So another way to track down the NSS
version is to look at the CVS history of the secvfy.c file:


The relevant revisions are:

1.7 nelsonb%netscape.com 2002-12-11 22:05 Support SHA256, SHA384, and
SHA512 hashes in NSS.

1.14 wtchang%redhat.com 2005-08-12 16:50 Bugzilla Bug 296410: enlarge
the buffer size for message digest so that we can generate and verify
signatures that use SHA-512.

1.17 rrelyea%redhat.com 2006-02-07 22:14 Bug 320583 Support for
SHA256/384/512 with ECC signing

So it is safe to say that by mid 2006 (NSS 3.11.1, released on
2006-05-05) the support of SHA-2 based signatures in NSS was already
stable and complete, covering both RSA and ECDSA signatures. Another
piece of evidence of mature support is the FIPS 140-2 validation of NSS 3.11.4

A very conservative response would be NSS 3.11.4
and later.

