- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity

- Set NSS_SSL_CBC_RANDOM_IV to 0 by default and change to 1 on user request
This commit is contained in:
Elio Maldonado 2012-01-06 15:50:45 -08:00
parent d5f0675cc9
commit 40928cb8e3
2 changed files with 32 additions and 1 deletions

View File

@ -0,0 +1,25 @@
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.compatible ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.compatible 2012-01-05 13:54:36.430389994 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-01-05 13:55:25.810750394 -0800
@@ -184,7 +184,7 @@ static sslOptions ssl_defaults = {
3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
- PR_TRUE /* cbcRandomIV */
+ PR_FALSE /* cbcRandomIV */ /* defaults to off for compatibility */
};
sslSessionIDLookupFunc ssl_sid_lookup;
@@ -2359,9 +2359,9 @@ ssl_SetDefaultsFromEnvironment(void)
PR_TRUE));
}
ev = getenv("NSS_SSL_CBC_RANDOM_IV");
- if (ev && ev[0] == '0') {
- ssl_defaults.cbcRandomIV = PR_FALSE;
- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+ if (ev && ev[0] == '1') {
+ ssl_defaults.cbcRandomIV = PR_TRUE;
+ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
}
}
#endif /* NSS_HAVE_GETENV */

View File

@ -7,7 +7,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: 3.13.1 Version: 3.13.1
Release: 9%{?dist} Release: 10%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -70,6 +70,7 @@ Patch25: nsspem-use-system-freebl.patch
Patch26: nofipstest.patch Patch26: nofipstest.patch
# include this patch in the upstream pem review # include this patch in the upstream pem review
Patch28: nsspem-bz754771.patch Patch28: nsspem-bz754771.patch
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
%description %description
@ -158,6 +159,7 @@ low level services.
%patch25 -p0 -b .systemfreebl %patch25 -p0 -b .systemfreebl
%patch26 -p0 -b .nofipstest %patch26 -p0 -b .nofipstest
%patch28 -p0 -b .754771 %patch28 -p0 -b .754771
%patch29 -p0 -b .770682
%build %build
@ -572,6 +574,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog %changelog
* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
* Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9 * Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
- Revert to using current nss_softokn_version - Revert to using current nss_softokn_version
- Patch to deal with lack of sha224 is no longer needed - Patch to deal with lack of sha224 is no longer needed