From 17f536942af6f4839759fd4c2a7e1cefe92e9cd7 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Mon, 14 Sep 2015 18:15:13 -0700 Subject: [PATCH] - Fix patches that disable ssl2 and export cipher suites support - Fix libssl patch that disables ssl2 & export cipher suites not disable RSA_WITH_NULL ciphers - Fix syntax erros in patch to skip ssl2 and export cipher suite tests to only skip what;s needed - Turn ssl2 off by default in the tstclnt tool - Disable ssl stress tests containing TLS RC4 128 with MD5 - Resolves: Bug 1263005 --- disableSSL2libssl.patch | 19 +- disableSSL2tests.patch | 248 +++++-------------------- nss.spec | 13 +- skip_stress_TLS_RC4_128_with_MD5.patch | 52 ++++++ tstclnt-ssl2-off-by-default.patch | 21 +++ 5 files changed, 141 insertions(+), 212 deletions(-) create mode 100644 skip_stress_TLS_RC4_128_with_MD5.patch create mode 100644 tstclnt-ssl2-off-by-default.patch diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch index 6286184..10e583a 100644 --- a/disableSSL2libssl.patch +++ b/disableSSL2libssl.patch @@ -25,7 +25,7 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c -@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +@@ -674,16 +674,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; @@ -48,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; } ss->opt.enableSSL2 = on; -@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +@@ -691,52 +697,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; @@ -116,7 +116,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c rv = SECFailure; } else { if (PR_FALSE != on) { -@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo +@@ -1163,16 +1184,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo } return SECSuccess; } @@ -129,8 +129,17 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c + /* both ssl2 and export cipher suites disabled */ + if (SSL_IS_SSL2_CIPHER(suite)) + return PR_TRUE; -+ if (SSL_IsExportCipherSuite(suite)) -+ return PR_TRUE; ++ if (SSL_IsExportCipherSuite(suite)) { ++ SSLCipherSuiteInfo csdef; ++ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) { ++ /* failure to retrieve info, disable */ ++ return PR_TRUE; ++ } ++ if (csdef.symCipher != ssl_calg_null) { ++ /* disable all except NULL ciphersuites */ ++ return PR_TRUE; ++ } ++ } +#endif /* NSS_NO_SSL2_NO_EXPORT */ switch (suite) { case SSL_FORTEZZA_DMS_WITH_NULL_SHA: diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch index 4fecca2..9011bfe 100644 --- a/disableSSL2tests.patch +++ b/disableSSL2tests.patch @@ -1,7 +1,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh -@@ -57,19 +57,23 @@ ssl_init() +@@ -57,19 +57,24 @@ ssl_init() fi PORT=${PORT-8443} @@ -11,8 +11,6 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt -- SSLAUTH=${QADIR}/ssl/sslauth.txt -- SSLSTRESS=${QADIR}/ssl/sslstress.txt + if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt @@ -20,6 +18,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh + SSLCOV=${QADIR}/ssl/sslcov.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + fi + SSLAUTH=${QADIR}/ssl/sslauth.txt +- SSLSTRESS=${QADIR}/ssl/sslstress.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files @@ -28,7 +28,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh R_SERVERPID=../tests_pid.$$ -@@ -115,17 +119,21 @@ is_selfserv_alive() +@@ -115,17 +120,21 @@ is_selfserv_alive() if [ "${OS_ARCH}" = "WINNT" ] && \ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then PID=${SHELL_SERVERPID} @@ -37,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then ++ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then + echo "No server to kill" + else kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" @@ -50,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() -@@ -138,17 +146,21 @@ wait_for_selfserv() +@@ -138,17 +147,21 @@ wait_for_selfserv() if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" @@ -59,7 +59,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} if [ $? -ne 0 ]; then -+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then ++ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then + html_passed "Server never started" + else html_failed "Waiting for Server" @@ -72,7 +72,37 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## -@@ -273,16 +285,19 @@ ssl_cov() +@@ -209,25 +222,26 @@ start_selfserv() + ECC_OPTIONS="" + fi + if [ "$1" = "mixed" ]; then + ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" + fi + echo "selfserv starting at `date`" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" +- echo " $verbose -H 1 &" ++ echo " $verbose -H 1 -V ssl3: &" + if [ ${fileout} -eq 1 ]; then + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ +- > ${SERVEROUTFILE} 2>&1 & ++ -V ssl3:> ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ +- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & ++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ ++ -V ssl3: & + RET=$? + fi + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have selfserv save its PID +@@ -274,16 +288,22 @@ ssl_cov() exec < ${SSLCOV} while read ectype testmax param testname do @@ -82,7 +112,10 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh SSL2=$? + # skip export and ssl2 tests when build has disabled SSL2 -+ [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue ++ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 || ${SSL2} -eq 0 ]; then ++ echo "yyy exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})" ++ continue ++ fi + if [ "${SSL2}" -eq 0 ] ; then # We cannot use asynchronous cert verification with SSL2 @@ -92,200 +125,3 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by # default in libssl but it is enabled by default in tstclnt; we want # to test the libssl default whenever possible. -diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt -new file mode 100644 ---- /dev/null -+++ b/tests/ssl/sslcov.noSSL2orExport.txt -@@ -0,0 +1,134 @@ -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+# -+# This file enables test coverage of the various SSL ciphers -+# -+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We -+# mix up the enable functions so we can tests boths paths. -+# -+# Enable Enable Cipher Test Name -+# EC TLS -+# -+# -+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 -+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA -+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 -+ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA -+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA -+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA -+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA -+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA -+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA -+# -+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 -+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA -+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5 -+ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA -+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA -+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA -+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA -+# -+# -+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 -+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA -+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 -+ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA -+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA -+# -+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 -+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA -+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA -+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 -+ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA -+ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA -+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA -+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA -+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA -+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA -+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 -+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 -+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 -+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 -+# -+# ECC ciphers (TLS) -+# -+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -+# -+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA -+# -+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA -+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA -+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA -+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA -+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA -+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA -+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA -+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA -+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA -+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA -+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt -new file mode 100644 ---- /dev/null -+++ b/tests/ssl/sslstress.noSSL2orExport.txt -@@ -0,0 +1,53 @@ -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+# -+# This file defines the stress tests for SSL/TLS. -+# -+# expected -+# Enable return server client Test Case name -+# ECC value params params -+# ------- ------ ------ ------ --------------- -+ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 -+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) -+ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) -+ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) -+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) -+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) -+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) -+ -+# -+# add client auth versions here... -+# -+ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) -+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) -+ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) -+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) -+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) -+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) -+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) -+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) -+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) -+ -+# -+# ############################ ECC ciphers ############################ -+# -+ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) -+ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) -+ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) -+ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA -+ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 -+ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM -+ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) -+# -+# add client auth versions here... -+# -+ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) -+ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) -+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) -+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) diff --git a/nss.spec b/nss.spec index 9422280..3e1dd03 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.20.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -90,6 +90,8 @@ Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch Patch52: disableSSL2libssl.patch Patch53: disableSSL2tests.patch +Patch54: tstclnt-ssl2-off-by-default.patch +Patch55: skip_stress_TLS_RC4_128_with_MD5.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -176,6 +178,8 @@ pushd nss %patch52 -p1 -b .disableSSL2libssl %patch53 -p1 -b .disableSSL2tests popd +%patch54 -p0 -b .ssl2_off +%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5 ######################################################### # Higher-level libraries and test tools need access to @@ -789,6 +793,13 @@ fi %changelog +* Mon Sep 14 2015 Elio Maldonado - 3.20.0-3 +- Fix patches that disable ssl2 and export cipher suites support +- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers +- Fix syntax erros in patch to skip ssl2 and export cipher suite tests +- Turn ssl2 off by default in the tstclnt tool +- Disable ssl stress tests containing TLS RC4 128 with MD5 + * Thu Aug 20 2015 Elio Maldonado - 3.20.0-2 - Update to NSS 3.20 diff --git a/skip_stress_TLS_RC4_128_with_MD5.patch b/skip_stress_TLS_RC4_128_with_MD5.patch new file mode 100644 index 0000000..fed0ade --- /dev/null +++ b/skip_stress_TLS_RC4_128_with_MD5.patch @@ -0,0 +1,52 @@ +diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt +--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700 ++++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700 +@@ -8,29 +8,29 @@ + # Enable return server client Test Case name + # ECC value params params + # ------- ------ ------ ------ --------------- +- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 +- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 +- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 +- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) +- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) +- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) +- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) +- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) +- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) ++# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 ++# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 ++# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 ++# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) ++# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) ++# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) ++# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) ++# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) ++# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) + + # + # add client auth versions here... + # +- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth) +- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) +- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) +- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) +- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) +- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) +- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) +- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) +- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) +- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) ++# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth) ++# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) ++# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) ++# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) ++# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) ++# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) ++# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) ++# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) ++# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) ++# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) + + # + # ############################ ECC ciphers ############################ diff --git a/tstclnt-ssl2-off-by-default.patch b/tstclnt-ssl2-off-by-default.patch new file mode 100644 index 0000000..e442d36 --- /dev/null +++ b/tstclnt-ssl2-off-by-default.patch @@ -0,0 +1,21 @@ +diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c +--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700 ++++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700 +@@ -212,7 +212,7 @@ static void PrintParameterUsage(void) + fprintf(stderr, + "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" + "%-20s All versions are enabled by default.\n" +- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" ++ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n" + "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n", + "-V [min]:[max]", "", "", ""); + fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K"); +@@ -911,7 +911,7 @@ int main(int argc, char **argv) + int npds; + int override = 0; + SSLVersionRange enabledVersions; +- PRBool enableSSL2 = PR_TRUE; ++ PRBool enableSSL2 = PR_FALSE; + int bypassPKCS11 = 0; + int disableLocking = 0; + int useExportPolicy = 0;