diff --git a/mozbz1277569backport.patch b/mozbz1277569backport.patch
new file mode 100644
index 0000000..8a38ac9
--- /dev/null
+++ b/mozbz1277569backport.patch
@@ -0,0 +1,102 @@
+--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
++++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
+@@ -675,16 +675,28 @@
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ssl_EnableSSL3(&ss->vrange, on);
+ break;
+
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ /* We no longer support SSL v2.
++ * However, if an old application requests to disable SSL v2,
++ * we shouldn't fail.
++ */
++ if (on) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ rv = SECFailure;
++ }
++ break;
++
+ case SSL_NO_CACHE:
+ ss->opt.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ss->opt.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+@@ -856,16 +868,20 @@
+ on = ss->opt.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ss->opt.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ss->opt.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ss->opt.detectRollBack;
+@@ -967,16 +983,20 @@
+ on = ssl_defaults.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ssl_defaults.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ssl_defaults.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ssl_defaults.detectRollBack;
+@@ -1100,16 +1120,28 @@
+ case SSL_ENABLE_TLS:
+ ssl_EnableTLS(&versions_defaults_stream, on);
+ break;
+
+ case SSL_ENABLE_SSL3:
+ ssl_EnableSSL3(&versions_defaults_stream, on);
+ break;
+
++ case
SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ /* We no longer support SSL v2.
++ * However, if an old application requests to disable SSL v2,
++ * we shouldn't fail.
++ */
++ if (on) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++ break;
++
+ case SSL_NO_CACHE:
+ ssl_defaults.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ssl_defaults.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
diff --git a/nss.spec b/nss.spec
index 403ac81..a7eeda5 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name: nss
 Version: 3.24.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 1.1%{?dist}
+Release: 1.2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -96,7 +96,8 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch60: nss-pem-unitialized-vars.path
 Patch61: nss-skip-util-gtest.patch
-
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
+Patch62: mzbz1277569backport.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -184,6 +185,7 @@ low level services.
 pushd nss
 %patch60 -p1 -b .unitialized_vars
 %patch61 -p0 -b .skip_util_gtest
+%patch62 -p1 -b .compatibility
 popd
 #########################################################
@@ -793,6 +795,10 @@ fi
 %changelog
+* Thu Jun 02 2016 Elio Maldonado - 3.24.0-1.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+
 * Mon May 30 2016 Elio Maldonado - 3.24.0-1.1
 - Update nss_tests with some of the new gtests from upstream
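Review bot: The `Patch62:` line added in the nss.spec hunk names `mzbz1277569backport.patch`, but the file this commit adds is `mozbz1277569backport.patch` (see the `diff --git` header of the new file), so unless a file with the shorter name already exists in the tree, `%patch62` in %prep will fail on a missing source file and the build stops before the SSLv2 fix is ever applied. The fix is the single line `Patch62: mozbz1277569backport.patch`. The `-p1` strip level and `-b .compatibility` backup suffix in the %prep hunk are consistent with the `./lib/ssl/sslsock.c.compatibility` header inside the backport, so the apply step itself looks correct once the file name matches.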