diff --git a/mozbz1277569backport.patch b/mozbz1277569backport.patch
new file mode 100644
index 0000000..8a38ac9
--- /dev/null
+++ b/mozbz1277569backport.patch
@@ -0,0 +1,102 @@
+--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
++++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
+@@ -675,16 +675,28 @@
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ssl_EnableSSL3(&ss->vrange, on);
+ break;
+
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ /* We no longer support SSL v2.
++ * However, if an old application requests to disable SSL v2,
++ * we shouldn't fail.
++ */
++ if (on) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ rv = SECFailure;
++ }
++ break;
++
+ case SSL_NO_CACHE:
+ ss->opt.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ss->opt.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+@@ -856,16 +868,20 @@
+ on = ss->opt.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ss->opt.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ss->opt.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ss->opt.detectRollBack;
+@@ -967,16 +983,20 @@
+ on = ssl_defaults.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ssl_defaults.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ssl_defaults.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ssl_defaults.detectRollBack;
+@@ -1100,16 +1120,28 @@
+ case SSL_ENABLE_TLS:
+ ssl_EnableTLS(&versions_defaults_stream, on);
+ break;
+
+ case SSL_ENABLE_SSL3:
+ ssl_EnableSSL3(&versions_defaults_stream, on);
+ break;
+
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ /* We no longer support SSL v2.
++ * However, if an old application requests to disable SSL v2,
++ * we shouldn't fail.
++ */
++ if (on) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++ break;
++
+ case SSL_NO_CACHE:
+ ssl_defaults.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ssl_defaults.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
diff --git a/nss.spec b/nss.spec
index 3c5799f..79c2578 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name: nss
 Version: 3.24.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 2.1%{?dist}
+Release: 2.2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -96,6 +96,8 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # TODO: file a bug usptream
 Patch59: nss-check-policy-file.patch
 Patch60: nss-pem-unitialized-vars.path
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
+Patch64: mozbz1277569backport.patch
 # Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/
 # TODO: file a bug usptream
 Patch61: nss-skip-util-gtest.patch
@@ -812,6 +814,10 @@ fi
 %changelog
+* Thu Jun 02 2016 Elio Maldonado - 3.24.0-2.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+
 * Sun May 29 2016 Elio Maldonado - 3.24.0-2.1
 - Rebase to NSS 3.24.0
 - Restore setting the policy file location
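Review bot: The comment in the new `SSL_ENABLE_SSL2`/`SSL_V2_COMPATIBLE_HELLO` case of the first `sslsock.c` hunk (`@@ -675`), repeated in the `@@ -1100` hunk, only explains why disabling must not fail, while the `if (on)` branch is the part that matters for security: a request to turn SSL v2 or v2-compatible hellos back on is rejected with `SEC_ERROR_INVALID_ARGS`, so the removed protocol cannot be silently re-enabled. I would state both halves: `/* SSL v2 is no longer supported: enabling it (or v2-compatible hellos) fails with SEC_ERROR_INVALID_ARGS, but a request to disable it still succeeds so old applications keep working. */`. A consequence worth confirming against the caller behind the changelog's IPA failure is that legacy code which sets `SSL_V2_COMPATIBLE_HELLO` to `PR_TRUE` still gets `SECFailure` from both setters after this backport, so only callers passing `PR_FALSE` are helped. The patch file also begins directly at the `---` header with no description; a one-line preamble naming upstream bug 1277569 and the changeset it was taken from (`<UPSTREAM_CHANGESET>`) would make later rebases easier. The functions these four hunks modify — by their use of `ss->opt`, `rv` and `ssl_defaults`, presumably the option setter/getter pair and their default variants — all begin and end outside the shown context.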
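Review bot: `Patch64` is declared in the `@@ -96,6 +96,8 @@` hunk but no hunk in this diff applies it — there is no matching `%patch64` line added in `%prep`, so unless the spec relies on `%autosetup`/`%autopatch` (not visible here) the backport is listed but never applied and the 2.2 build would behave exactly like 2.1 despite the changelog claim. I would add the application line next to where the neighbouring patches are applied, `%patch64 -b .mozbz1277569backport` with the same strip level the other patches use (the header paths in the new file are `./lib/ssl/sslsock.c`), or state in the comment that patches are auto-applied. Declaring `Patch64` between `Patch60` and the `# Upstream:` comment that belongs to `Patch61` also reads as if the Bugzilla comment covered the nss-pem patch; keeping the number in sequence or moving the block after `Patch61` would avoid that.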