NSS Config Options
NSS Config Options Format
The specified ciphers will be allowed by policy, but an application may allow more by policy explicitly:
Only the specified hashes and curves will be allowed:
Only the specified hashes and curves will be allowed, RSA keys of 2048 bits or more will be accepted, and DH key exchange will be accepted with primes of 1024 bits or more:
A policy that enables the AES ciphersuites and the SECP256/384 curves:
Turn off MD5
Turn off MD5 and SHA1 only for SSL
Disallow values are parsed first, and then allow values, independent of the order in which they appear.
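The ordering rule above, as an added example that is not part of the NSS documentation or source: a simplified Python model, not NSS's parser, that applies every `disallow` list before any `allow` list. The `disallow=`/`allow=` token syntax with colon-separated names, the `ALL` keyword, case-insensitive matching and the small `KNOWN` algorithm set are assumptions made for the illustration.

```python
# Simplified model of the ordering rule; this is NOT NSS's parser.
# Assumptions: tokens look like "disallow=A:B allow=C:D", names are matched
# case-insensitively, and ALL stands for every known algorithm.

KNOWN = {"MD5", "SHA1", "SHA256", "SHA384", "SECP256R1", "SECP384R1"}  # constructed subset


def _expand(value):
    """Turn a colon-separated list into a set of names, expanding ALL."""
    names = {n.strip().upper() for n in value.split(":") if n.strip()}
    if "ALL" in names:
        return set(KNOWN)
    unknown = names - KNOWN
    if unknown:
        raise ValueError(f"unknown policy name(s): {sorted(unknown)}")
    return names


def effective_policy(config, defaults=KNOWN):
    """Return the set of algorithms allowed after applying `config`."""
    disallow, allow = set(), set()
    for token in config.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        key = key.lower()
        if key == "disallow":
            disallow |= _expand(value)
        elif key == "allow":
            allow |= _expand(value)
        else:
            raise ValueError(f"unsupported keyword: {key!r}")
    # Pass 1: every disallow is applied first, wherever it appeared.
    allowed = set(defaults) - disallow
    # Pass 2: every allow is applied afterwards, so allow wins on conflict.
    return allowed | allow


if __name__ == "__main__":
    # Constructed sample strings: the first two differ only in keyword order.
    for cfg in ("disallow=ALL allow=SHA256:SECP256R1",
                "allow=SHA256:SECP256R1 disallow=ALL",
                "allow=MD5 disallow=MD5:SHA1"):
        print(f"{cfg!r:45} -> {sorted(effective_policy(cfg))}")
```

In this model an `allow=` entry anywhere in the string overrides a `disallow=` of the same name, so a policy string should be reviewed as a whole rather than read left to right.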
Future key words (not yet implemented):
- enable: turn on ciphersuites by default.
- disable: turn off ciphersuites by default without disallowing them by policy.
- flags: turn on the following flags:
  - ssl-lock: turn off the ability for applications to change policy with the SSL_SetCipherPolicy (or SSL_SetPolicy).
  - policy-lock: turn off the ability for applications to change policy with the call NSS_SetAlgorithmPolicy.
  - ssl-default-lock: turn off the ability for applications to change cipher suite states with SSL_EnableCipher, SSL_DisableCipher.
SSL Key exchanges
Restrictions for asymmetric keys (integers)
Constraints on SSL Protocol Versions (integers)
Constraints on DTLS Protocol Versions (integers)
Policy flags for algorithms