rpms
/
nss
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove unused patches

This commit is contained in:
Elio Maldonado 2016-02-07 19:30:44 -08:00
parent dc759e0041
commit 90ab17ff72
9 changed files with 0 additions and 441 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
Bug-1001841-disable-sslv2-libssl.patch
View File

@ -1,75 +0,0 @@
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
+++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ ss->opt.enableSSL2 = on;
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (on) {
ss->opt.v2CompatibleHello = on;
}
+#endif
ss->preferredCipher = NULL;
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ break;
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
}
break;
}
+#endif
ss->opt.v2CompatibleHello = on;
if (!on) {
ss->opt.enableSSL2 = on;
@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+#else
rv = ssl2_SetPolicy(which, policy);
+#endif
} else {
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
}

13
Bug-1001841-disable-sslv2-tests.patch
View File

@ -1,13 +0,0 @@
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700
+++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800
@@ -278,6 +278,9 @@ ssl_cov()
echo "${testname}" | grep "SSL2" > /dev/null
SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2
+ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
+
if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2
SSL2_FLAGS=-O

21
determineLastFileBuilt.patch
View File

@ -1,21 +0,0 @@
diff -up ./tests/all.sh.lastbuild ./tests/all.sh
--- ./tests/all.sh.lastbuild 2014-06-17 15:34:41.624628370 -0700
+++ ./tests/all.sh 2014-06-17 15:38:49.692101477 -0700
@@ -299,9 +299,15 @@ fi
# created, we check for modutil to know whether the build
# is complete. If a new file is created after that, the
# following test for modutil should check for that instead.
+# Exception: when building softoken only, shlibsign is the
+# last file created.
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
+ LAST_FILE_BUILT=shlibsign
+else
+ LAST_FILE_BUILT=modutil
+fi
-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
html_head "Testing Initialization"
Exit "Checking for build"

123
dont-hold-issuer-cert-handles-in-crl-cache.patch
View File

@ -1,123 +0,0 @@
diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
--- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800
+++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800
@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
#else
PRLock* lock;
#endif
- CERTCertificate* issuer; /* issuer cert
- XXX there may be multiple issuer certs,
- with different validity dates. Also
- need to deal with SKID/AKID . See
- bugzilla 217387, 233118 */
+ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
+ to the actual cert so the trust can be
+ updated on the cert automatically.
+ XXX there may be multiple issuer certs,
+ with different validity dates. Also
+ need to deal with SKID/AKID . See
+ bugzilla 217387, 233118 */
+
+ CERTCertDBHandle *dbHandle;
+
SECItem* subject; /* DER of issuer subject */
SECItem* distributionPoint; /* DER of distribution point. This may be
NULL when distribution points aren't
@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
NSSRWLock* lock;
CRLDPCache** dps;
PLHashTable* distributionpoints;
- CERTCertificate* issuer;
+ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
#endif
};
diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
--- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800
+++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800
@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
PORT_Free(cache->crls);
}
/* destroy the cert */
- if (cache->issuer)
+ if (cache->issuerDERCert)
{
- CERT_DestroyCertificate(cache->issuer);
+ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
}
/* free the subject */
if (cache->subject)
@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
else
{
SECStatus signstatus = SECFailure;
- if (cache->issuer)
+ if (cache->issuerDERCert)
{
- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
+ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
+ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
+
+ if (issuer) {
+ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
wincx);
+ CERT_DestroyCertificate(issuer);
+ }
}
if (SECSuccess != signstatus)
{
- if (!cache->issuer)
+ if (!cache->issuerDERCert)
{
/* we tried to verify without an issuer cert . This is
because this CRL came through a call to SEC_FindCrlByName.
@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
}
/* add issuer certificate if it was previously unavailable */
- if (issuer && (NULL == cache->issuer) &&
+ if (issuer && (NULL == cache->issuerDERCert) &&
(SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
{
/* if we didn't have a valid issuer cert yet, but we do now. add it */
DPCache_LockWrite();
- if (!cache->issuer)
+ if (!cache->issuerDERCert)
{
dirty = PR_TRUE;
- cache->issuer = CERT_DupCertificate(issuer);
+ cache->dbHandle = issuer->dbhandle;
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
}
DPCache_UnlockWrite();
}
@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
SEC_FindCrlByName, or through manual insertion, rather than through a
certificate verification (CERT_CheckCRL) */
- if (cache->issuer && vfdate )
+ if (cache->issuerDERCert && vfdate )
{
mustunlock = PR_FALSE;
/* re-process all unverified CRLs */
@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
}
if (issuer)
{
- cache->issuer = CERT_DupCertificate(issuer);
+ cache->dbHandle = issuer->dbhandle;
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
}
cache->distributionPoint = SECITEM_DupItem(dp);
cache->subject = SECITEM_DupItem(subject);
diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
--- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800
+++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800
@@ -974,6 +974,7 @@ check_ocsp()
OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+ echo "Cert = ${CERT_NICK}.cert"
echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
return $?

78
enable-fips-when-system-is-in-fips-mode.patch
View File

@ -1,78 +0,0 @@
diff -up nss/lib/pk11wrap/pk11pars.c.fips nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.fips 2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/pk11wrap/pk11pars.c 2013-07-10 18:54:16.733465910 -0700
@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library,
}
mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
+ /* if the system FIPS mode is enabled, force FIPS to be on */
+ if (SECMOD_GetSystemFIPSEnabled()) {
+ mod->isFIPS = PR_TRUE;
+ }
mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc);
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
diff -up nss/lib/pk11wrap/pk11util.c.fips nss/lib/pk11wrap/pk11util.c
--- nss/lib/pk11wrap/pk11util.c.fips 2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/pk11wrap/pk11util.c 2013-07-10 18:54:16.734465927 -0700
@@ -95,6 +95,25 @@ SECMOD_Shutdown()
return SECSuccess;
}
+int SECMOD_GetSystemFIPSEnabled(void) {
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
+ if (size != 1)
+ return 0;
+ if (d == '1')
+ return 1;
+#endif
+ return 0;
+}
/*
* retrieve the internal module
@@ -417,7 +436,7 @@ SECMOD_DeleteInternalModule(const char *
SECMODModuleList **mlpp;
SECStatus rv = SECFailure;
- if (pendingModule) {
+ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
PORT_SetError(SEC_ERROR_MODULE_STUCK);
return rv;
}
@@ -888,7 +907,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
PRBool
SECMOD_CanDeleteInternalModule(void)
{
- return (PRBool) (pendingModule == NULL);
+ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
}
/*
diff -up nss/lib/pk11wrap/secmodi.h.fips nss/lib/pk11wrap/secmodi.h
--- nss/lib/pk11wrap/secmodi.h.fips 2013-07-10 18:55:06.358298154 -0700
+++ nss/lib/pk11wrap/secmodi.h 2013-07-10 18:56:52.050069372 -0700
@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd, PRBool faulty3DES);
-
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int SECMOD_GetSystemFIPSEnabled();
extern void pk11sdr_Init(void);
extern void pk11sdr_Shutdown(void);

23
nss-versus-softoken-tests.patch
View File

@ -1,23 +0,0 @@
diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
--- a/tests/cipher/cipher.sh
+++ b/tests/cipher/cipher.sh
@@ -124,11 +124,17 @@ cipher_cleanup()
# built and the cipher suite run as part of an nss-softoken build.
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
echo "bltest not built, skipping this test." >> ${LOGFILE}
res = 0
html_msg $res $EXP_RET "$TESTNAME"
return 0
fi
cipher_init
-cipher_main
-cipher_gcm
+# Skip cipher_main if this an NSS without softoken build.
+if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
+ cipher_main
+fi
+# Skip cipher_gcm if this is a softoken only build.
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then
+ cipher_gcm
+fi
cipher_cleanup

38
ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
View File

@ -1,38 +0,0 @@
diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
--- ./nss/tests/ssl/sslauth.txt.ocsp_sni 2015-05-28 10:50:45.000000000 -0700
+++ ./nss/tests/ssl/sslauth.txt 2015-08-30 08:49:22.025299419 -0700
@@ -65,12 +65,12 @@
# SNI Tests
#
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
--- ./nss/tests/ssl/ssl.sh.ocsp_sni 2015-08-30 08:49:21.905301105 -0700
+++ ./nss/tests/ssl/ssl.sh 2015-08-30 08:49:22.017299531 -0700
@@ -457,10 +457,10 @@ ssl_stapling_sub()
start_selfserv
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
- echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+ echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
- -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+ -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$

31
p-ignore-setpolicy.patch
View File

@ -1,31 +0,0 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
}
return rv;
}
SECStatus
NSS_SetDomesticPolicy(void)
{
- SECStatus status = SECSuccess;
const PRUint16 *cipher;
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- break;
+ SSL_SetPolicy(*cipher, SSL_ALLOWED);
}
- return status;
+ return SECSuccess;
}
SECStatus
NSS_SetExportPolicy(void)
{
return NSS_SetDomesticPolicy();
}

39
rhbz1185708-enable-ecc-ciphers-by-default.patch
View File

@ -1,39 +0,0 @@
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
*
* Important: See bug 946147 before enabling, reordering, or adding any cipher
* suites to this list.
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
/* cipher_suite policy enabled isPresent */
#ifndef NSS_DISABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
* bug 946147.
*/
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},