Update to NSS 3.27.0

2016-10-03 09:03:41 +02:00 · 2016-10-03 09:03:41 +02:00 · 8baf3374a0
parent 96e48417c4
commit 8baf3374a0
6 changed files with 40 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,4 +9,4 @@ TestUser50.cert
 TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
@ -1,9 +1,9 @@
 diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
--- ./nss/cmd/Makefile.skipem	2016-06-24 10:10:38.143165159 -0700
-+++ ./nss/cmd/Makefile	2016-06-24 10:13:08.566457400 -0700
-@@ -17,7 +17,11 @@ endif
- ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
- BLTEST_SRCDIR =
+--- ./nss/cmd/Makefile.skipthem	2016-09-29 12:02:16.143413684 +0200
+++ ./nss/cmd/Makefile	2016-09-29 12:03:58.776522901 +0200
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ ECTEST_SRCDIR =
 FIPSTEST_SRCDIR =
 +ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
 +SHLIBSIGN_SRCDIR = shlibsign
@ -12,4 +12,4 @@ diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
 +endif
 else
 BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest
+ ECPERF_SRCDIR = ecperf
--- a/nss-skip-ecperf.patch
+++ b/nss-skip-ecperf.patch
@ -1,12 +0,0 @@
-diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
--- ./cmd/manifest.mn.skip_ecperf	2016-08-05 17:43:39.000000000 +0200
-+++ ./cmd/manifest.mn	2016-08-10 13:11:02.416273517 +0200
-@@ -42,8 +42,6 @@ NSS_SRCDIRS = \
-  dbtest \
-  derdump  \
-  digest  \
- ecperf \
- ectest \
-  httpserv  \
-  listsuites \
-  makepqg  \
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
@ -1,11 +1,12 @@
-diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest	2016-06-20 10:11:28.000000000 -0700
-+++ ./external_tests/manifest.mn	2016-06-26 10:09:55.429858648 -0700
-@@ -9,7 +9,4 @@ DIRS = \
+diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_gtest	2016-09-29 12:05:28.858019733 +0200
+++ ./external_tests/manifest.mn	2016-09-29 12:06:17.298681765 +0200
+@@ -9,8 +9,5 @@ DIRS = \
 	google_test \
 	common \
 	der_gtest \
 -	util_gtest \
 -	pk11_gtest \
 -	ssl_gtest \
+         nss_bogo_shim \
 	$(NULL)
--- a/nss.spec
+++ b/nss.spec
@ -1,6 +1,6 @@
-%global nspr_version 4.12.0
-%global nss_util_version 3.26.0
-%global nss_softokn_version 3.26.0
+%global nspr_version 4.13.0
+%global nss_util_version 3.27.0
+%global nss_softokn_version 3.27.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"

@ -18,10 +18,10 @@

 Summary:          Network Security Services
 Name:             nss
-Version:          3.26.0
+Version:          3.27.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.0%{?dist}
+Release:          1.1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -99,8 +99,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch59: nss-check-policy-file.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1293944
-Patch70: nss-skip-ecperf.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -184,7 +182,6 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p0 -b .skip_util_gtest
-%patch70 -p1 -b .skip_ecperf
 popd

 #########################################################
@ -286,6 +283,18 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 export NSS_ECC_MORE_THAN_SUITE_B=1

 export NSS_BLTEST_NOT_AVAILABLE=1
+
+# NSS 3.27 enabled TLS 1.3 by default, disable it for now.
+#
+# The rationale is, while the maximum TLS version enabled by default
+# is TLS 1.2, some applications query the maximum TLS version and
+# enable it.  That prevents those applications from connecting to
+# servers which are not tolerant ot TLS versions.
+#
+# Note that this is a temporary solution and should be removed when
+# packaging the next upstream release.
+export NSS_DISABLE_TLS_1_3=1
+
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm

@ -394,6 +403,8 @@ export USE_64

 export NSS_BLTEST_NOT_AVAILABLE=1

+export NSS_DISABLE_TLS_1_3=1
+
 # needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}

@ -791,6 +802,14 @@ fi


 %changelog
+* Sun Oct  2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.1
+- Disable TLS 1.3 for now, to avoid reported regression with TLS to
+  version intolerant servers
+
+* Thu Sep 29 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.0
+- Rebase to NSS 3.27.0
+- Remove upstreamed ectest patch
+
 * Mon Aug  8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-1.0
 - Rebase to NSS 3.26.0
 - Update check policy file patch to better match what was upstreamed
--- a/2
+++ b/2
@ -3,4 +3,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-6afba822ab9da3ae4e948a9fd5501289  nss-3.26.0.tar.gz
+e980f7c3bb70ca122e0f6f5e914ec29a  nss-3.27.0.tar.gz