Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45
MOzilla released Firefox 43 which did not accept SHA-1 signed certificates anymore. However, this apparently broke some MITM boxes (https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/) and they released a point update reverting this change.
We don't want to have this security feature reverted and should make sure our ESR 45 based code is rejecting SHA-1 signed certificates as expected.
Activity
The situation is much more complicated (even Mozilla released several out of schedule patches :) It started from M$: they decided to deprecate SHA-1 for CAs from 2016. So Mozilla had to update their products. But XP SP2, Vista (SP?), Win7 were incompatible with their solution, so they decided to split their development process into two trees: for newer and for older systems (no future updates on main branch since FF 43.0.1). Thinking that deprecation will improve security, Mozilla decided to suppress SHA-1 in certificates (which is not required by M$). But a lot of software is still using it that leads to incompatibility, so another chemspill (43.0.4) was fired.
Summary: SHA-1 officially reported as weak but secured. CAs continue to issue SHA-1 certs, but must use SHA-2 certs for themselves. Rejecting SHA-1 certs not optionally is definitely wrong solution.
FWIW: This is basically done by setting
security.pki.sha1_enforcement_levelproperly. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1236975 for reverting the SHA-1 blocking and https://bugzilla.mozilla.org/show_bug.cgi?id=942515 for the implementation.Seems that Mozilla is planning to do it as you want - in their 45.0esr. (status-firefox-esr45: affected) But comment https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c56 greatly demonstrates that the situation with SHA-1 is far from seamless resolution.
mentioned in issue #18274 (moved)
mentioned in issue #21431 (moved)
