diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c	2021-04-16 14:43:41.668835607 -0700
+++ b/lib/pk11wrap/pk11pars.c	2021-04-16 14:43:50.585888411 -0700
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
 static const oidValDef hashOptList[] = {
     /* Hashes */
     { CIPHER_NAME("MD2"), SEC_OID_MD2,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+      0 },
     { CIPHER_NAME("MD4"), SEC_OID_MD4,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+      0 },
     { CIPHER_NAME("MD5"), SEC_OID_MD5,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+      0 },
     { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c	Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c	Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
             int i;
 
             for (i = 1; i < SEC_OID_TOTAL; i++) {
+                switch (i) {
+                case SEC_OID_MD2:
+                case SEC_OID_MD4:
+                case SEC_OID_MD5:
+                case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+                case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+                case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+                case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+                case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+                    continue;
+                default:
+                    break;
+                }
                 if (oids[i].desc && strstr(arg, oids[i].desc)) {
                     xOids[i].notPolicyFlags = notEnable |
                                               (xOids[i].notPolicyFlags & ~(DEF_FLAGS));