Merge remote-tracking branch 'origin/private-rebase-work-fedora-rawhide' into private-emaldona-crypto-policy-work

2016-07-13 08:11:08 -07:00 · 2016-07-13 08:11:08 -07:00 · a06fcaba6f
parent 8baa8a8f80 90700e6be2
commit a06fcaba6f
5 changed files with 94 additions and 132 deletions
--- a/nss-conditionally-ignore-system-policy.patch
+++ b/nss-conditionally-ignore-system-policy.patch
@ -1,6 +1,32 @@
+<<<<<<< HEAD
 --- ./lib/nss/nssinit.c.ignore_system_policy	2016-06-06 07:57:54.924457084 -0700
 +++ ./lib/nss/nssinit.c	2016-06-06 08:01:27.753830455 -0700
@@ -678,17 +678,18 @@
+=======
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
+@@ -529,16 +529,19 @@
+ {
+     SECMODModule *parent = NULL;
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+    char *ignoreVar;
+#endif
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+   
+     /* make sure our lock and condition variable are initialized one and only
+@@ -678,32 +681,38 @@
+>>>>>>> origin/private-rebase-work-fedora-rawhide
 		    dbpath = NULL;
 		}
 		if (dbpath) {
@ -10,13 +36,44 @@
 	}
 #ifdef POLICY_FILE
 -        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+<<<<<<< HEAD
 +        if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
 +            PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+=======
+	/* Load the system crypo policy file if it exists,
+	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
+	 * variable has been set to 1. */
+	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+>>>>>>> origin/private-rebase-work-fedora-rawhide
 	    SECMODModule *module = SECMOD_LoadModule(
 		"name=\"Policy File\" "
 		"parameters=\"configdir='sql:" POLICY_PATH "' "
 		"secmod='" POLICY_FILE "' "
 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+<<<<<<< HEAD
 		parent, PR_TRUE); 
 	    if (module) {
+=======
+-		parent, PR_TRUE); 
+		parent, PR_TRUE);
+ 	    if (module) {
+ 		PRBool isLoaded = module->loaded;
+ 		SECMOD_DestroyModule(module);
+ 		if (!isLoaded) {
+ 		    goto loser;
+ 		}
+ 	    }
+ 	}
+    }
+ #endif
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 
+>>>>>>> origin/private-rebase-work-fedora-rawhide
--- a/nss-pem-unitialized-vars.path
+++ b/nss-pem-unitialized-vars.path
@ -1,15 +0,0 @@
-diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
--- ./lib/ckfw/pem/pinst.c.unitialized_var	2016-05-21 19:04:24.471221863 -0700
-+++ ./lib/ckfw/pem/pinst.c	2016-05-21 19:31:07.124298651 -0700
-@@ -534,9 +534,9 @@ CK_RV
- AddCertificate(char *certfile, char *keyfile, PRBool cacert,
-                CK_SLOT_ID slotID)
- {
-    pemInternalObject *o;
-+    pemInternalObject *o = NULL;
-     CK_RV error = 0;
-    int objid, i;
-+    int objid, i = 0;
-     int nobjs = 0;
-     SECItem **objs = NULL;
-     char *ivstring = NULL;
--- a/nss-skip-ecperf.patch
+++ b/nss-skip-ecperf.patch
@ -1,6 +1,6 @@
-diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
--- ./nss/cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./nss/cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
+diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
+--- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
+++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
  dbtest \
  derdump  \
--- a/nss.spec
+++ b/nss.spec
@ -24,7 +24,7 @@ Name:             nss
 Version:          3.25.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -97,6 +97,7 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
+<<<<<<< HEAD
 # TODO: file a bug usptream
 # Upstream commit that caused problems with gtests
 # https://git.fedorahosted.org/cgit/nss-pem.git/commit/
@ -109,7 +110,15 @@ Patch64: nss-conditionally-ignore-system-policy.patch
 Patch65: tests-data-adjust-for-policy.patch
 Patch66: listsuites-do-queries.patch
 # TODO: file a bug upstream
+=======
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch60: nss-conditionally-ignore-system-policy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
+Patch62: nss-skip-util-gtest.patch
+# TODO: file a bug upstream similar to the one for rsaperf
+>>>>>>> origin/private-rebase-work-fedora-rawhide
 Patch70: nss-skip-ecperf.patch
+Patch71: listsuites-do-queries.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -192,13 +201,17 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
+%patch60 -p1 -b .cond_ignore
 %patch62 -p0 -b .skip_util_gtest
+<<<<<<< HEAD
 %patch63 -p1 -b .check_policy
 %patch64 -p0 -b .ignore_system_policy
 %patch66 -p1 -b .do_queries
+=======
+%patch70 -p1 -b .skip_ecperf
+%patch71 -p1 -b .do_queries
+>>>>>>> origin/private-rebase-work-fedora-rawhide
 popd
-# temporary
-%patch70 -p0 -b .skip_ecperf

 #########################################################
 # Higher-level libraries and test tools need access to
@ -308,8 +321,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/lib/dbm

 # Set the policy file location
-# if set NSS will always check for the policy file and load it if it exists
-# TODO: restore the POLICY_FILE and POLICY_PATH exports
+# if set NSS will always check for the policy file and load if it exists
 export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
@ -410,10 +422,6 @@ fi

 # Begin -- copied from the build section

-# inform the ssl test scripts that policy is enabled
-export POLICY_FILE="nss.config"
-export POLICY_PATH="/etc/crypto-policies/back-ends"
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND

@ -438,6 +446,8 @@ export NSS_IGNORE_SYSTEM_POLICY=1

 # End -- copied from the build section

+export NSS_IGNORE_SYSTEM_POLICY=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f

@ -482,13 +492,13 @@ pushd ./nss/tests/
 #  the full list from all.sh is:
 #  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
-#  nss_ssl_run: cov auth stress
+#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+#  nss_ssl_run: cov auth stapling stress
 #
 # Uncomment these lines if you need to temporarily
 # disable some test suites for faster test builds
-# global nss_ssl_tests "normal_fips"
-# global nss_ssl_run "cov auth"
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"

 SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`

@ -826,6 +836,17 @@ fi


 %changelog
+* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+- Add support to listsuites to list ciphers allowed by policy
+
+* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+
+* Tue Jun 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-4
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+
 * Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
 - Cleanup spec file and patches and add references to bugs filed upstream

--- a/tests-data-adjust-for-policy.patch
+++ b/tests-data-adjust-for-policy.patch
@ -1,101 +0,0 @@
-diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt
--- ./tests/ssl/sslauth.txt.expected_result	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/sslauth.txt	2016-05-28 15:21:11.800761721 -0700
-@@ -14,12 +14,12 @@
-   noECC    254      -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
-   noECC    254      -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
-   noECC     0       -r_-r        -w_nss_-n_TestUser_      TLS Require client auth (client auth)
-  noECC     0       -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
-  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
-  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
-+  noECC    254      -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
-+  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
-+  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
-   noECC    254      -r_-r        -V_:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
-   noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
-  noECC     0       -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-+  noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_none        TLS Request don't require client auth on 2nd hs (client does not provide auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser  TLS Request don't require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser    TLS Request don't require client auth on 2nd hs (client auth)
-@@ -32,9 +32,9 @@
-   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_none        TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser  TLS 1.0 Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser    TLS 1.0 Require client auth on 2nd hs (client auth)
-  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
-  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
-  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
-@@ -57,17 +57,17 @@
-    ECC      0       -r_-r_-r     -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec    TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec  TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_   TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
-   ECC      0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
-   ECC      0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
-+   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
-+   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
-   ECC      0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
-+   ECC     254      -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
- #
- # SNI Tests
- #
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
-  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
-+  SNI    254      -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
-   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.expected_result	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/sslpolicy.txt	2016-05-28 15:21:11.800761721 -0700
-@@ -148,26 +148,26 @@
- # Exp Enable Enable Cipher Config Policy      Test Name
- # Ret  EC     TLS
- # turn on single cipher 
-  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
-  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
-  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
-  1 noECC  SSL3   d    disallow=all Disallow All Explicitly.
-+#  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
-+#  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
-+#  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
-+#  1 noECC  SSL3   d    disallow=all Disallow All Explicitly.
- # turn off signature only
-  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Signatures Explicitly.
-  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
-  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Signatures Explicitly.
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
- # turn off single cipher 
-  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
-  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
-  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
-+#  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
- # turn off H-Mac
-  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
-  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
-  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
-+#  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
- # turn off key exchange 
-  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
-  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
-  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
- # turn off  version
-   1 noECC  SSL3   d    allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
-   1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.