diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch index 80a785e..cb36160 100644 --- a/nss-skip-util-gtest.patch +++ b/nss-skip-util-gtest.patch @@ -1,6 +1,6 @@ -diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn ---- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 -+++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 +diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn +--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 ++++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 @@ -8,7 +8,6 @@ DEPTH = .. DIRS = \ google_test \ diff --git a/nss.spec b/nss.spec index 2f888b5..3c5799f 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.24.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 2.0%{?dist} +Release: 2.1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -97,8 +97,12 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch59: nss-check-policy-file.patch Patch60: nss-pem-unitialized-vars.path # Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/ +# TODO: file a bug usptream Patch61: nss-skip-util-gtest.patch - +# TODO: file a bug usptream when enough tests are run +Patch62: tests-check-policy-file.patch +# TODO: file a bug usptream when enough tests are run +Patch63: tests-data-adjust-for-policy.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -185,8 +189,10 @@ low level services. pushd nss %patch59 -p1 -b .check_policy_file %patch60 -p1 -b .unitialized_vars -popd %patch61 -p0 -b .skip_util_gtest +%patch62 -p1 -b .check_policy +%patch63 -p1 -b .expected_result +popd ######################################################### # Higher-level libraries and test tools need access to @@ -223,15 +229,15 @@ done %{__rm} -rf ./nss/external_tests/util_gtests pushd nss/tests/ssl -# Create versions of sslcov.txt and sslstress.txt that disable tests -# for SSL2 and EXPORT ciphers. -cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt -cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt +# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable +# tests for non policy compliant ciphers. +cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt +cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt +cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt popd %build -export NSS_NO_SSL2_NO_EXPORT=1 NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS @@ -306,9 +312,9 @@ export NSS_BLTEST_NOT_AVAILABLE=1 # Set the policy file location # if set NSS will always check for the policy file and load it if it exists # TODO: restore the POLICY_FILE and POLICY_PATH exports -#export POLICY_FILE="nss.config" +export POLICY_FILE="nss.config" # location of the policy file -#export POLICY_PATH="/etc/crypto-policies/back-ends" +export POLICY_PATH="/etc/crypto-policies/back-ends" # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c # need nss/lib/util/verref.h which is exported privately, @@ -395,6 +401,10 @@ fi # Begin -- copied from the build section +# inform the ssl test scripts that policy is enabled +export POLICY_FILE="nss.config" +export POLICY_PATH="/etc/crypto-policies/back-ends" + FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -802,6 +812,12 @@ fi %changelog +* Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 +- Rebase to NSS 3.24.0 +- Restore setting the policy file location +- Make ssl tests scripts aware of policy +- Ajust tests data expected result for policy + * Tue May 24 2016 Elio Maldonado - 3.24.0-2.0 - Bootstrap build to rebase to NSS 3.24.0 - Temporarily not setting the policy file location diff --git a/tests-check-policy-file.patch b/tests-check-policy-file.patch new file mode 100644 index 0000000..76f23c7 --- /dev/null +++ b/tests-check-policy-file.patch @@ -0,0 +1,84 @@ +diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt +diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh +--- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700 ++++ ./tests/ssl/ssl.sh 2016-05-28 15:45:07.645964005 -0700 +@@ -61,10 +61,19 @@ ssl_init() + nss_ssl_run="stapling signed_cert_timestamps cov auth stress" + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} + ++ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \ ++ ? "${POLICY_PATH}/${POLICY_FILE}" \ ++ : "" + # Test case files +- SSLCOV=${QADIR}/ssl/sslcov.txt +- SSLAUTH=${QADIR}/ssl/sslauth.txt +- SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ if [ -n ${NSS_POLICY_FILE} ]; then ++ SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt ++ SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt ++ else ++ SSLAUTH=${QADIR}/ssl/sslauth.txt ++ SSLCOV=${QADIR}/ssl/sslcov.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ fi + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + +@@ -122,7 +131,11 @@ is_selfserv_alive() + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" ++ if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then ++ echo "No server to kill" ++ else + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" ++ fi + + echo "selfserv with PID ${PID} found at `date`" + } +@@ -145,7 +158,11 @@ wait_for_selfserv() + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} + if [ $? -ne 0 ]; then ++ if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then ++ html_passed "Server never started" ++ else + html_failed "Waiting for Server" ++ fi + fi + fi + is_selfserv_alive +@@ -216,15 +233,16 @@ start_selfserv() + echo "selfserv starting at `date`" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" +- echo " $verbose -H 1 &" ++ VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : "" ++ echo " $verbose -H 1 ${VMIN_OPT} &" + if [ ${fileout} -eq 1 ]; then + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ +- > ${SERVEROUTFILE} 2>&1 & ++ ${VMIN_OPT}> ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ +- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & ++ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 ${VMIN_OPT} & + RET=$? + fi + +@@ -275,6 +293,12 @@ ssl_cov() + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + ++ # trace these types of tests when build has policy enabled ++ if [ -n ${NSS_POLICY_FILE} ] && ++ [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then ++ echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})" ++ fi ++ + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then diff --git a/tests-data-adjust-for-policy.patch b/tests-data-adjust-for-policy.patch new file mode 100644 index 0000000..48c350a --- /dev/null +++ b/tests-data-adjust-for-policy.patch @@ -0,0 +1,101 @@ +diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt +--- ./tests/ssl/sslauth.txt.expected_result 2016-05-17 00:58:45.000000000 -0700 ++++ ./tests/ssl/sslauth.txt 2016-05-28 15:21:11.800761721 -0700 +@@ -14,12 +14,12 @@ + noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) + noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) + noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) +- noECC 0 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) +- noECC 0 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) +- noECC 0 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) ++ noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) ++ noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) ++ noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) + noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) + noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) +- noECC 0 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) ++ noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) + noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) +@@ -32,9 +32,9 @@ + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth) +- noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) +- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) +- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) ++ noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) ++ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) ++ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +@@ -57,17 +57,17 @@ + ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) +- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) +- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) ++ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) ++ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) +- ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) ++ ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) + # + # SNI Tests + # + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert +- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI ++ SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI +diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt +--- ./tests/ssl/sslpolicy.txt.expected_result 2016-05-17 00:58:45.000000000 -0700 ++++ ./tests/ssl/sslpolicy.txt 2016-05-28 15:21:11.800761721 -0700 +@@ -148,26 +148,26 @@ + # Exp Enable Enable Cipher Config Policy Test Name + # Ret EC TLS + # turn on single cipher +- 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy +- 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy +- 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly +- 1 noECC SSL3 d disallow=all Disallow All Explicitly. ++# 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy ++# 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy ++# 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly ++# 1 noECC SSL3 d disallow=all Disallow All Explicitly. + # turn off signature only +- 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. +- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. +- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. ++# 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. ++# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. ++# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. + # turn off single cipher +- 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly +- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. +- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. ++# 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly ++# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. ++# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. + # turn off H-Mac +- 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly +- 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. +- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. ++# 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly ++# 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. ++# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. + # turn off key exchange +- 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. +- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. +- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. ++# 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. ++# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. ++# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. + # turn off version + 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.