Enable ECC cipher-suites by default [hrbz#1185708]
- Split the enabling patch in two for easier maintenance - Remove unused patches rendered obsolete by prior rebase
This commit is contained in:
Elio Maldonado
parent
ae64727ebb
commit
82653be6b2
12
nss.spec
12
nss.spec
|
|
@ -21,7 +21,7 @@ Name: nss
|
|||
Version: 3.20.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -96,8 +96,10 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
|||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
|
||||
# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
|
||||
Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
|
||||
# TODO: File a bug usptream
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
|
||||
Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
|
@ -190,6 +192,7 @@ popd
|
|||
pushd nss
|
||||
%patch57 -p1 -b .1185708
|
||||
popd
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
|
@ -803,6 +806,11 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Split the enabling patch in two for easier maintenance
|
||||
- Remove unused patches rendered obsolete by prior rebase
|
||||
|
||||
* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
|
||||
- Enable ECC cipher-suites by default [hrbz#1185708]
|
||||
- Implement corrections requested in code review
|
||||
|
|
|
|||
|
|
@ -0,0 +1,14 @@
|
|||
diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
|
||||
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700
|
||||
+++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700
|
||||
@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -85,29 +85,29 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
|
||||
@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
|
||||
*
|
||||
* Important: See bug 946147 before enabling, reordering, or adding any cipher
|
||||
* suites to this list.
|
||||
|
|
@ -23,21 +23,17 @@ diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
|||
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
||||
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
|
|
|
|||
|
|
@ -1,87 +0,0 @@
|
|||
diff --git a/tests/all.sh b/tests/all.sh
|
||||
--- a/tests/all.sh
|
||||
+++ b/tests/all.sh
|
||||
@@ -296,17 +296,17 @@ fi
|
||||
|
||||
# NOTE:
|
||||
# Since in make at the top level, modutil is the last file
|
||||
# created, we check for modutil to know whether the build
|
||||
# is complete. If a new file is created after that, the
|
||||
# following test for modutil should check for that instead.
|
||||
# Exception: when building softoken only, shlibsign is the
|
||||
# last file created.
|
||||
-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
|
||||
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
|
||||
LAST_FILE_BUILT=shlibsign
|
||||
else
|
||||
LAST_FILE_BUILT=modutil
|
||||
fi
|
||||
|
||||
if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
|
||||
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
|
||||
html_head "Testing Initialization"
|
||||
diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
|
||||
--- a/tests/cipher/cipher.sh
|
||||
+++ b/tests/cipher/cipher.sh
|
||||
@@ -119,17 +119,17 @@ cipher_cleanup()
|
||||
}
|
||||
|
||||
################## main #################################################
|
||||
|
||||
# When building without softoken, bltest isn't built. It was already
|
||||
# built and the cipher suite run as part of an nss-softoken build.
|
||||
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
|
||||
echo "bltest not built, skipping this test." >> ${LOGFILE}
|
||||
- res = 0
|
||||
+ res=0
|
||||
html_msg $res $EXP_RET "$TESTNAME"
|
||||
return 0
|
||||
fi
|
||||
cipher_init
|
||||
# Skip cipher_main if this an NSS without softoken build.
|
||||
if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
|
||||
cipher_main
|
||||
fi
|
||||
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||
--- a/tests/common/init.sh
|
||||
+++ b/tests/common/init.sh
|
||||
@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
||||
{
|
||||
|
||||
html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
|
||||
html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
|
||||
echo "$SCRIPTNAME: $* ==============================="
|
||||
}
|
||||
html_msg()
|
||||
{
|
||||
- if [ "$1" -ne "$2" ] ; then
|
||||
+ if [ $1 -ne $2 ] ; then
|
||||
html_failed "$3" "$4"
|
||||
else
|
||||
html_passed "$3" "$4"
|
||||
fi
|
||||
}
|
||||
HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
|
||||
HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
|
||||
HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
|
||||
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
|
||||
--- a/tests/dbtests/dbtests.sh
|
||||
+++ b/tests/dbtests/dbtests.sh
|
||||
@@ -170,7 +170,7 @@ dbtest_main()
|
||||
|
||||
# skipping the next two tests when user is root,
|
||||
# otherwise they would fail due to rooty powers
|
||||
- if [ $UID -ne 0 ] then
|
||||
+ if [[ $EUID -ne 0 ]]; then
|
||||
${BINDIR}/dbtest -d $RONLY_DIR
|
||||
ret=$?
|
||||
if [ $ret -ne 46 ]; then
|
||||
@@ -181,7 +181,7 @@ dbtest_main()
|
||||
else
|
||||
html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
|
||||
fi
|
||||
- if [ $UID -ne 0 ] then
|
||||
+ if [[ $EUID -ne 0 ]]; then
|
||||
${BINDIR}/certutil -D -n "TestUser" -d .
|
||||
ret=$?
|
||||
if [ $ret -ne 255 ]; then
|
||||
36
tls12.patch
36
tls12.patch
|
|
@ -1,36 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Martin Thomson <martin.thomson@gmail.com>
|
||||
# Date 1413479112 25200
|
||||
# Thu Oct 16 10:05:12 2014 -0700
|
||||
# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
|
||||
# Parent 24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
|
||||
Bug 1083900 - Updating default maximum version to 1.2
|
||||
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE /* enableFallbackSCSV */
|
||||
};
|
||||
|
||||
/*
|
||||
* default range of enabled SSL/TLS protocols
|
||||
*/
|
||||
static SSLVersionRange versions_defaults_stream = {
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
- SSL_LIBRARY_VERSION_TLS_1_0
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2
|
||||
};
|
||||
|
||||
static SSLVersionRange versions_defaults_datagram = {
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
- SSL_LIBRARY_VERSION_TLS_1_1
|
||||
+ SSL_LIBRARY_VERSION_TLS_1_2
|
||||
};
|
||||
|
||||
#define VERSIONS_DEFAULTS(variant) \
|
||||
(variant == ssl_variant_stream ? &versions_defaults_stream : \
|
||||
&versions_defaults_datagram)
|
||||
|
||||
sslSessionIDLookupFunc ssl_sid_lookup;
|
||||
sslSessionIDCacheFunc ssl_sid_cache;
|
||||
Loading…
Reference in New Issue