From 8baf3374a06a191d181014d936e7c82cc1834611 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 3 Oct 2016 09:03:41 +0200
Subject: [PATCH] Update to NSS 3.27.0
---
 .gitignore | 2 +-
 nss-skip-bltest-and-fipstest.patch | 12 +++++-----
 nss-skip-ecperf.patch | 12 ----------
 nss-skip-util-gtest.patch | 9 ++++----
 nss.spec | 35 +++++++++++++++++++++++-------
 sources | 2 +-
 6 files changed, 40 insertions(+), 32 deletions(-)
 delete mode 100644 nss-skip-ecperf.patch
diff --git a/.gitignore b/.gitignore
index 82d881f..8632550 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,4 +9,4 @@ TestUser50.cert
 TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch
index 1dadf60..96000f8 100644
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
@@ -1,9 +1,9 @@
 diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
---- ./nss/cmd/Makefile.skipem 2016-06-24 10:10:38.143165159 -0700
-+++ ./nss/cmd/Makefile 2016-06-24 10:13:08.566457400 -0700
-@@ -17,7 +17,11 @@ endif
- ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
- BLTEST_SRCDIR =
+--- ./nss/cmd/Makefile.skipthem 2016-09-29 12:02:16.143413684 +0200
++++ ./nss/cmd/Makefile 2016-09-29 12:03:58.776522901 +0200
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ ECTEST_SRCDIR =
 FIPSTEST_SRCDIR =
 +ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
 +SHLIBSIGN_SRCDIR = shlibsign
@@ -12,4 +12,4 @@ diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
 +endif
 else
 BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest
+ ECPERF_SRCDIR = ecperf
diff --git a/nss-skip-ecperf.patch b/nss-skip-ecperf.patch
deleted file mode 100644
index 61ca891..0000000
--- a/nss-skip-ecperf.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
---- ./cmd/manifest.mn.skip_ecperf 2016-08-05 17:43:39.000000000 +0200
-+++ ./cmd/manifest.mn 2016-08-10 13:11:02.416273517 +0200
-@@ -42,8 +42,6 @@ NSS_SRCDIRS = \
- dbtest \
- derdump \
- digest \
-- ecperf \
-- ectest \
- httpserv \
- listsuites \
- makepqg \
diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch
index 86bef9f..e69330a 100644
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
@@ -1,11 +1,12 @@
-diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
---- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest 2016-06-20 10:11:28.000000000 -0700
-+++ ./external_tests/manifest.mn 2016-06-26 10:09:55.429858648 -0700
-@@ -9,7 +9,4 @@ DIRS = \
+diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200
++++ ./external_tests/manifest.mn 2016-09-29 12:06:17.298681765 +0200
+@@ -9,8 +9,5 @@ DIRS = \
 google_test \
 common \
 der_gtest \
 - util_gtest \
 - pk11_gtest \
 - ssl_gtest \
+ nss_bogo_shim \
 $(NULL)
diff --git a/nss.spec b/nss.spec
index 5d0c535..89ba97c 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
-%global nspr_version 4.12.0
-%global nss_util_version 3.26.0
-%global nss_softokn_version 3.26.0
+%global nspr_version 4.13.0
+%global nss_util_version 3.27.0
+%global nss_softokn_version 3.27.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
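Review bot: In nss-skip-util-gtest.patch the refreshed inner header renames the backup suffix from `.skip_util_pk11_ssl_gtest` to `.skip_util_gtest`, yet the patch still removes `pk11_gtest` and `ssl_gtest` from `DIRS` as well, so the name now understates what is skipped. Going by their names these are the PKCS #11 and TLS test suites, which matters in a release that changes TLS version handling. I would either keep the longer suffix or record the scope next to `Patch62` in nss.spec, e.g. `# Skips util_gtest, pk11_gtest and ssl_gtest (not built in this package)`.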
@@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.26.0 +Version: 3.27.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.0%{?dist} +Release: 1.1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -99,8 +99,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch59: nss-check-policy-file.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1293944 -Patch70: nss-skip-ecperf.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -184,7 +182,6 @@ low level services. pushd nss %patch59 -p1 -b .check_policy_file %patch62 -p0 -b .skip_util_gtest -%patch70 -p1 -b .skip_ecperf popd ######################################################### @@ -286,6 +283,18 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1 export NSS_ECC_MORE_THAN_SUITE_B=1 export NSS_BLTEST_NOT_AVAILABLE=1 + +# NSS 3.27 enabled TLS 1.3 by default, disable it for now. +# +# The rationale is, while the maximum TLS version enabled by default +# is TLS 1.2, some applications query the maximum TLS version and +# enable it. That prevents those applications from connecting to +# servers which are not tolerant ot TLS versions. +# +# Note that this is a temporary solution and should be removed when +# packaging the next upstream release. +export NSS_DISABLE_TLS_1_3=1 + %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm @@ -394,6 +403,8 @@ export USE_64 export NSS_BLTEST_NOT_AVAILABLE=1 +export NSS_DISABLE_TLS_1_3=1 + # needed for the fips mangling test export SOFTOKEN_LIB_DIR=%{_libdir} 
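Review bot: The comment above `export NSS_DISABLE_TLS_1_3=1` in the @@ -286 hunk of nss.spec contradicts itself: it opens with TLS 1.3 being enabled by default and then says the default maximum is TLS 1.2, and "tolerant ot" is a typo. As I read the rationale, TLS 1.3 is compiled in and reported as the maximum supported version while the default enabled maximum stays at TLS 1.2, so the first line could read `# NSS 3.27 builds TLS 1.3 support by default; compile it out for now.` The workaround is called temporary but carries no bug reference, unlike the `# Upstream:` lines on the patches; adding `# Tracking: <bug URL placeholder>` would make its removal checkable. The same export is repeated without any comment in the @@ -394 hunk, where a pointer such as `# TLS 1.3 disabled, see the build section; keep in sync` would stop the two settings from drifting apart.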
@@ -791,6 +802,14 @@ fi %changelog +* Sun Oct 2 2016 Daiki Ueno - 3.27.0-1.1 +- Disable TLS 1.3 for now, to avoid reported regression with TLS to + version intolerant servers + +* Thu Sep 29 2016 Daiki Ueno - 3.27.0-1.0 +- Rebase to NSS 3.27.0 +- Remove upstreamed ectest patch + * Mon Aug 8 2016 Daiki Ueno - 3.26.0-1.0 - Rebase to NSS 3.26.0 - Update check policy file patch to better match what was upstreamed diff --git a/sources b/sources index 7f8b64d..65c1b48 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db 73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db -6afba822ab9da3ae4e948a9fd5501289 nss-3.26.0.tar.gz +e980f7c3bb70ca122e0f6f5e914ec29a nss-3.27.0.tar.gz