Disable support for ssl2
- Support is disabled by setting a build-time environment variable, export NSS_NO_SSL2=1, in the spec file - Support can be restored by not setting that environment variable
This commit is contained in:
parent
fd6a1f2171
commit
ab703f693c
|
@ -0,0 +1,72 @@
|
|||
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
|
||||
--- ./nss/lib/ssl/config.mk.disableSSL2 2014-06-24 13:45:27.000000000 -0700
|
||||
+++ ./nss/lib/ssl/config.mk 2014-07-12 12:32:06.011646588 -0700
|
||||
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2
|
||||
+DEFINES += -DNSS_NO_SSL2
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2014-07-12 12:32:05.970645943 -0700
|
||||
+++ ./nss/lib/ssl/sslsock.c 2014-07-12 12:36:46.096072901 -0700
|
||||
@@ -653,6 +653,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -670,6 +676,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
ss->cipherSpecs = NULL;
|
||||
ss->sizeCipherSpecs = 0;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2 */
|
||||
break;
|
||||
|
||||
case SSL_NO_CACHE:
|
||||
@@ -685,6 +692,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -696,6 +709,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
}
|
||||
+#endif /* NSS_NO_SSL2 */
|
||||
break;
|
||||
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
@@ -1146,7 +1160,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
|
||||
if (ssl_IsRemovedCipherSuite(which)) {
|
||||
rv = SECSuccess;
|
||||
} else if (SSL_IS_SSL2_CIPHER(which)) {
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+#else
|
||||
rv = ssl2_SetPolicy(which, policy);
|
||||
+#endif
|
||||
} else {
|
||||
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
||||
}
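Review bot: Under NSS_NO_SSL2 the SSL_ENABLE_SSL2 case (hunk at -653) handles only `on`; when the caller passes PR_FALSE nothing is written, and the `ss->opt.enableSSL2 = on;` store that the `#else` branch presumably performs lies outside the visible context, so the socket keeps whatever enableSSL2 value it inherited from the defaults, which this patch does not touch. Pinning the flag in the new branch is cheap and makes the build-time switch hold regardless of the inherited default: `} else { ss->opt.enableSSL2 = PR_FALSE; /* SSL2 compiled out */ }` after the `if (on)` block, and the same shape applies to the SSL_V2_COMPATIBLE_HELLO case (hunk at -685), whose `!on` path also stops writing enableSSL2. As far as this patch shows only SSL_OptionSet and SSL_CipherPolicySet are guarded; SSL_OptionSetDefault and the SSL_CipherPrefSet family accept the same option and suite ids and are not changed here, so it is worth confirming they cannot re-enable an SSL2 suite in an NSS_NO_SSL2 build. SSL_OptionSet itself begins and ends outside these hunks.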
|
|
@ -0,0 +1,54 @@
|
|||
diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
|
||||
--- ./nss/tests/chains/chains.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
|
||||
+++ ./nss/tests/chains/chains.sh 2014-07-12 12:38:36.407821766 -0700
|
||||
@@ -40,7 +40,11 @@ is_httpserv_alive()
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
|
||||
+ echo "skipping kill because SSL2 was disabled"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "httpserv with PID ${PID} found at `date`"
|
||||
}
|
||||
@@ -59,7 +63,11 @@ wait_for_httpserv()
|
||||
echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
|
||||
${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
|
||||
if [ $? -ne 0 ]; then
|
||||
- html_failed "Waiting for Server"
|
||||
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
|
||||
+ html_passed "Waiting for Server is supposed to fail"
|
||||
+ else
|
||||
+ html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_httpserv_alive
|
||||
TESTNAME="Test that OCSP server is reachable"
|
||||
check_ocsp ${VALUE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [[ "${NSS_NO_SSL2}" = "1" ]]; then
|
||||
+ html_passed "$TESTNAME"
|
||||
+ else
|
||||
html_failed "$TESTNAME"
|
||||
+ fi
|
||||
break;
|
||||
else
|
||||
html_passed "$TESTNAME"
|
||||
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
|
||||
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2014-06-24 13:45:27.000000000 -0700
|
||||
+++ ./nss/tests/ssl/ssl.sh 2014-07-12 12:37:25.476697212 -0700
|
||||
@@ -278,6 +278,11 @@ ssl_cov()
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [[ "${NSS_NO_SSL2}" = "1" ]] && [[ -n ${EXP} -o -n ${SSL2} ]] ; then
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
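Review bot: The added condition in ssl_cov (hunk at -278) `[[ -n ${EXP} -o -n ${SSL2} ]]` is not valid bash: inside `[[ ]]` `-o` is the unary shell-option test, not a logical OR, so bash reports a syntax error in the conditional expression when the file is parsed and the script fails to load. Even if it parsed, `-n ${SSL2}` is always true because SSL2 holds grep's exit status (set two lines above), so every test would be skipped; if EXP is set the same way further up (outside the hunk), the intended test is `if [[ "${NSS_NO_SSL2}" = "1" && ( "${EXP}" -eq 0 || "${SSL2}" -eq 0 ) ]] ; then`. Separately, the chains.sh hunks report a failed "Waiting for Server" and a failed OCSP reachability check as html_passed whenever NSS_NO_SSL2=1, which hides genuine httpserv breakage; skipping the check with a visible message keeps the pass count honest. ssl_cov starts and ends outside the hunk.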
|
17
nss.spec
17
nss.spec
|
@ -19,7 +19,7 @@
|
|||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.16.2
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -91,6 +91,8 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
Patch52: disable-sslv2-libssl.patch
|
||||
Patch53: disable-sslv2-tests.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -178,6 +180,8 @@ low level services.
|
|||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
%patch52 -p0 -b .disableSSL2
|
||||
%patch53 -p0 -b .disableSSL2
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -208,6 +212,8 @@ done
|
|||
|
||||
%build
|
||||
|
||||
export NSS_NO_SSL2=1
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
|
@ -355,6 +361,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then
|
|||
fi
|
||||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
export NSS_NO_SSL2=1
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
|
@ -537,7 +547,7 @@ for f in nss-config setup-nsssysinit; do
|
|||
done
|
||||
# Copy the man pages for the nss tools
|
||||
for f in "%{allTools}"; do
|
||||
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
|
||||
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
|
||||
done
|
||||
# Copy the man pages for the configuration files
|
||||
for f in pkcs11.txt; do
|
||||
|
@ -747,6 +757,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Jul 18 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
|
||||
- Disable support for ssl2
|
||||
|
||||
* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
|
||||
- Update to nss-3.16.2
|
||||
|
||||
|
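Review bot: `export NSS_NO_SSL2=1` is written independently in %build (hunk at -208) and again in %check (hunk at -355), where the surrounding comment already says the block is copied from the build section; if either copy is edited alone the library and the test scripts will disagree about whether SSL2 is compiled out. Defining the switch once near the Patch52/Patch53 lines and referencing it in both places, e.g. `%global nss_no_ssl2 1` and `export NSS_NO_SSL2=%{nss_no_ssl2}`, keeps them in step and makes the link to the two patches visible.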
|