rpms/nss
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'origin/private-rebase-work-fedora-rawhide' into private-emaldona-crypto-policy-work

Browse Source
This commit is contained in:
Elio Maldonado 2016-07-13 08:11:08 -07:00
commit a06fcaba6f
5 changed files with 94 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
nss-conditionally-ignore-system-policy.patch
View File

@ -1,6 +1,32 @@
<<<<<<< HEAD
--- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700 --- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700
+++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700 +++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700
@@ -678,17 +678,18 @@ @@ -678,17 +678,18 @@
=======
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
@@ -529,16 +529,19 @@
{
SECMODModule *parent = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+ char *ignoreVar;
+#endif
/* if we are trying to init with a traditional NSS_Init call, maintain
* the traditional idempotent behavior. */
if (!initContextPtr && nssIsInitted) {
return SECSuccess;
}
/* make sure our lock and condition variable are initialized one and only
@@ -678,32 +681,38 @@
>>>>>>> origin/private-rebase-work-fedora-rawhide
dbpath = NULL; dbpath = NULL;
} }
if (dbpath) { if (dbpath) {
@ -10,13 +36,44 @@
} }
#ifdef POLICY_FILE #ifdef POLICY_FILE
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { - if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
<<<<<<< HEAD
+ if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") && + if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
+ PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { + PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
=======
+ /* Load the system crypo policy file if it exists,
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
+ * variable has been set to 1. */
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
>>>>>>> origin/private-rebase-work-fedora-rawhide
SECMODModule *module = SECMOD_LoadModule( SECMODModule *module = SECMOD_LoadModule(
"name=\"Policy File\" " "name=\"Policy File\" "
"parameters=\"configdir='sql:" POLICY_PATH "' " "parameters=\"configdir='sql:" POLICY_PATH "' "
"secmod='" POLICY_FILE "' " "secmod='" POLICY_FILE "' "
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
<<<<<<< HEAD
parent, PR_TRUE); parent, PR_TRUE);
if (module) { if (module) {
=======
- parent, PR_TRUE);
+ parent, PR_TRUE);
if (module) {
PRBool isLoaded = module->loaded;
SECMOD_DestroyModule(module);
if (!isLoaded) {
goto loser;
}
}
}
+ }
#endif
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
>>>>>>> origin/private-rebase-work-fedora-rawhide

15
nss-pem-unitialized-vars.path
View File

@ -1,15 +0,0 @@
diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
--- ./lib/ckfw/pem/pinst.c.unitialized_var 2016-05-21 19:04:24.471221863 -0700
+++ ./lib/ckfw/pem/pinst.c 2016-05-21 19:31:07.124298651 -0700
@@ -534,9 +534,9 @@ CK_RV
AddCertificate(char *certfile, char *keyfile, PRBool cacert,
CK_SLOT_ID slotID)
{
- pemInternalObject *o;
+ pemInternalObject *o = NULL;
CK_RV error = 0;
- int objid, i;
+ int objid, i = 0;
int nobjs = 0;
SECItem **objs = NULL;
char *ivstring = NULL;

6
nss-skip-ecperf.patch
View File

@ -1,6 +1,6 @@
diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
--- ./nss/cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700 --- ./cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
+++ ./nss/cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700 +++ ./cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \ @@ -42,7 +42,6 @@ NSS_SRCDIRS = \
dbtest \ dbtest \
derdump \ derdump \

47
nss.spec
View File

@ -24,7 +24,7 @@ Name: nss
Version: 3.25.0 Version: 3.25.0
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 3%{?dist} Release: 6%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -97,6 +97,7 @@ Patch50: iquote.patch
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch59: nss-check-policy-file.patch Patch59: nss-check-policy-file.patch
<<<<<<< HEAD
# TODO: file a bug usptream # TODO: file a bug usptream
# Upstream commit that caused problems with gtests # Upstream commit that caused problems with gtests
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/ # https://git.fedorahosted.org/cgit/nss-pem.git/commit/
@ -109,7 +110,15 @@ Patch64: nss-conditionally-ignore-system-policy.patch
Patch65: tests-data-adjust-for-policy.patch Patch65: tests-data-adjust-for-policy.patch
Patch66: listsuites-do-queries.patch Patch66: listsuites-do-queries.patch
# TODO: file a bug upstream # TODO: file a bug upstream
=======
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch60: nss-conditionally-ignore-system-policy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
Patch62: nss-skip-util-gtest.patch
# TODO: file a bug upstream similar to the one for rsaperf
>>>>>>> origin/private-rebase-work-fedora-rawhide
Patch70: nss-skip-ecperf.patch Patch70: nss-skip-ecperf.patch
Patch71: listsuites-do-queries.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -192,13 +201,17 @@ low level services.
%patch58 -p0 -b .1185708_3des %patch58 -p0 -b .1185708_3des
pushd nss pushd nss
%patch59 -p1 -b .check_policy_file %patch59 -p1 -b .check_policy_file
%patch60 -p1 -b .cond_ignore
%patch62 -p0 -b .skip_util_gtest %patch62 -p0 -b .skip_util_gtest
<<<<<<< HEAD
%patch63 -p1 -b .check_policy %patch63 -p1 -b .check_policy
%patch64 -p0 -b .ignore_system_policy %patch64 -p0 -b .ignore_system_policy
%patch66 -p1 -b .do_queries %patch66 -p1 -b .do_queries
=======
%patch70 -p1 -b .skip_ecperf
%patch71 -p1 -b .do_queries
>>>>>>> origin/private-rebase-work-fedora-rawhide
popd popd
# temporary
%patch70 -p0 -b .skip_ecperf
######################################################### #########################################################
# Higher-level libraries and test tools need access to # Higher-level libraries and test tools need access to
@ -308,8 +321,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
%{__make} -C ./nss/lib/dbm %{__make} -C ./nss/lib/dbm
# Set the policy file location # Set the policy file location
# if set NSS will always check for the policy file and load it if it exists # if set NSS will always check for the policy file and load if it exists
# TODO: restore the POLICY_FILE and POLICY_PATH exports
export POLICY_FILE="nss.config" export POLICY_FILE="nss.config"
# location of the policy file # location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends" export POLICY_PATH="/etc/crypto-policies/back-ends"
@ -410,10 +422,6 @@ fi
# Begin -- copied from the build section # Begin -- copied from the build section
# inform the ssl test scripts that policy is enabled
export POLICY_FILE="nss.config"
export POLICY_PATH="/etc/crypto-policies/back-ends"
FREEBL_NO_DEPEND=1 FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND export FREEBL_NO_DEPEND
@ -438,6 +446,8 @@ export NSS_IGNORE_SYSTEM_POLICY=1
# End -- copied from the build section # End -- copied from the build section
export NSS_IGNORE_SYSTEM_POLICY=1
# enable the following line to force a test failure # enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f # find ./nss -name \*.chk | xargs rm -f
@ -482,13 +492,13 @@ pushd ./nss/tests/
# the full list from all.sh is: # the full list from all.sh is:
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" # "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
# nss_ssl_run: cov auth stress # nss_ssl_run: cov auth stapling stress
# #
# Uncomment these lines if you need to temporarily # Uncomment these lines if you need to temporarily
# disable some test suites for faster test builds # disable some test suites for faster test builds
# global nss_ssl_tests "normal_fips" # % define nss_ssl_tests "normal_fips"
# global nss_ssl_run "cov auth" # % define nss_ssl_run "cov"
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
@ -826,6 +836,17 @@ fi
%changelog %changelog
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
- Add support to listsuites to list ciphers allowed by policy
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
- Add support for conditionally ignoring the system policy (#1157720)
- Remove unneeded test scripts patches in order to run more tests
- Remove unneeded test data modifications from the spec file
* Tue Jun 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-4
- Remove obsolete patch and spurious lines from the spec file (#1347336)
* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3 * Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
- Cleanup spec file and patches and add references to bugs filed upstream - Cleanup spec file and patches and add references to bugs filed upstream

101
tests-data-adjust-for-policy.patch
View File

@ -1,101 +0,0 @@
diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt
--- ./tests/ssl/sslauth.txt.expected_result 2016-05-17 00:58:45.000000000 -0700
+++ ./tests/ssl/sslauth.txt 2016-05-28 15:21:11.800761721 -0700
@@ -14,12 +14,12 @@
noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
- noECC 0 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
- noECC 0 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
- noECC 0 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
+ noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
- noECC 0 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
+ noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
@@ -32,9 +32,9 @@
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
@@ -57,17 +57,17 @@
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
- ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+ ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
#
# SNI Tests
#
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.expected_result 2016-05-17 00:58:45.000000000 -0700
+++ ./tests/ssl/sslpolicy.txt 2016-05-28 15:21:11.800761721 -0700
@@ -148,26 +148,26 @@
# Exp Enable Enable Cipher Config Policy Test Name
# Ret EC TLS
# turn on single cipher
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
- 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
- 1 noECC SSL3 d disallow=all Disallow All Explicitly.
+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
+# 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
+# 1 noECC SSL3 d disallow=all Disallow All Explicitly.
# turn off signature only
- 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
+# 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
# turn off single cipher
- 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
+# 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
# turn off H-Mac
- 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
- 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
+# 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
+# 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
# turn off key exchange
- 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
+# 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
# turn off version
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.