- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity

- Set NSS_SSL_CBC_RANDOM_IV to 0 by default and change to 1 on user request
2012-01-06 15:50:45 -08:00 · 2012-01-06 15:50:45 -08:00 · 40928cb8e3
commit 40928cb8e3
parent d5f0675cc9
2 changed files with 32 additions and 1 deletions
--- a/nss-ssl-cbc-random-iv-off-by-default.patch
+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
@ -0,0 +1,25 @@
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.compatible ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.compatible	2012-01-05 13:54:36.430389994 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-01-05 13:55:25.810750394 -0800
+@@ -184,7 +184,7 @@ static sslOptions ssl_defaults = {
+     3,          /* enableRenegotiation (default: transitional) */
+     PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
+-    PR_TRUE     /* cbcRandomIV        */
+    PR_FALSE    /* cbcRandomIV        */ /* defaults to off for compatibility */
+ };
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;
+@@ -2359,9 +2359,9 @@ ssl_SetDefaultsFromEnvironment(void)
+ 	                PR_TRUE));
+ 	}
+ 	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+-	if (ev && ev[0] == '0') {
+-	    ssl_defaults.cbcRandomIV = PR_FALSE;
+-	    SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+	if (ev && ev[0] == '1') {
+	    ssl_defaults.cbcRandomIV = PR_TRUE;
+	    SSL_TRACE(("SSL: cbcRandomIV set to 1"));
+ 	}
+     }
+ #endif /* NSS_HAVE_GETENV */
--- a/nss.spec
+++ b/nss.spec
@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.13.1
-Release:          9%{?dist}
+Release:          10%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -70,6 +70,7 @@ Patch25:          nsspem-use-system-freebl.patch
 Patch26:          nofipstest.patch
 # include this patch in the upstream pem review
 Patch28:          nsspem-bz754771.patch
+Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch


 %description
@ -158,6 +159,7 @@ low level services.
 %patch25 -p0 -b .systemfreebl
 %patch26 -p0 -b .nofipstest
 %patch28 -p0 -b .754771
+%patch29 -p0 -b .770682


 %build
@ -572,6 +574,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h


 %changelog
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
 * Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
 - Revert to using current nss_softokn_version
 - Patch to deal with lack of sha224 is no longer needed