Update NSS to NSS 3.14 RC1.

nss/mozilla/security/nss/lib/util/secoid.c

Index: nss/mozilla/security/nss/lib/util/secoid.c
===================================================================
--- nss/mozilla/security/nss/lib/util/secoid.c	(revision 162724)
+++ nss/mozilla/security/nss/lib/util/secoid.c	(working copy)
@@ -1916,9 +1916,12 @@
 	/* initialize any policy flags that are disabled by default */
 	xOids[SEC_OID_MD2                           ].notPolicyFlags = ~0;
 	xOids[SEC_OID_MD4                           ].notPolicyFlags = ~0;
+	xOids[SEC_OID_MD5                           ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
+	xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
+	xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~0;

[wtc, 2012/10/18 21:20:42]

Do we need to add the calls to allow MD5 signatures?

We should make sure we are mapping SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
to net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM or
net::ERR_CERT_INVALID.

[Ryan Sleevi, 2012/10/18 21:28:51]

We already block them. I'd be more concerned for the unit test results to make
sure they're being handled appropriately. I suspect we may get different error
codes back from libpkix

     }
 
     envVal = PR_GetEnv("NSS_HASH_ALG_SUPPORT");