Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
This commit is contained in:
parent
996e173db6
commit
d0d1a5f997
102
mozbz1277569backport.patch
Normal file
102
mozbz1277569backport.patch
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
|
||||||
|
+++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
|
||||||
|
@@ -675,16 +675,28 @@
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure; /* not allowed */
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
ssl_EnableSSL3(&ss->vrange, on);
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case SSL_ENABLE_SSL2:
|
||||||
|
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||||
|
+ /* We no longer support SSL v2.
|
||||||
|
+ * However, if an old application requests to disable SSL v2,
|
||||||
|
+ * we shouldn't fail.
|
||||||
|
+ */
|
||||||
|
+ if (on) {
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
+ rv = SECFailure;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case SSL_NO_CACHE:
|
||||||
|
ss->opt.noCache = on;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ENABLE_FDX:
|
||||||
|
if (on && ss->opt.noLocks) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure;
|
||||||
|
@@ -856,16 +868,20 @@
|
||||||
|
on = ss->opt.handshakeAsServer;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_TLS:
|
||||||
|
on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_SSL3:
|
||||||
|
on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
|
||||||
|
break;
|
||||||
|
+ case SSL_ENABLE_SSL2:
|
||||||
|
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||||
|
+ on = PR_FALSE;
|
||||||
|
+ break;
|
||||||
|
case SSL_NO_CACHE:
|
||||||
|
on = ss->opt.noCache;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_FDX:
|
||||||
|
on = ss->opt.fdx;
|
||||||
|
break;
|
||||||
|
case SSL_ROLLBACK_DETECTION:
|
||||||
|
on = ss->opt.detectRollBack;
|
||||||
|
@@ -967,16 +983,20 @@
|
||||||
|
on = ssl_defaults.handshakeAsServer;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_TLS:
|
||||||
|
on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_SSL3:
|
||||||
|
on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
|
||||||
|
break;
|
||||||
|
+ case SSL_ENABLE_SSL2:
|
||||||
|
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||||
|
+ on = PR_FALSE;
|
||||||
|
+ break;
|
||||||
|
case SSL_NO_CACHE:
|
||||||
|
on = ssl_defaults.noCache;
|
||||||
|
break;
|
||||||
|
case SSL_ENABLE_FDX:
|
||||||
|
on = ssl_defaults.fdx;
|
||||||
|
break;
|
||||||
|
case SSL_ROLLBACK_DETECTION:
|
||||||
|
on = ssl_defaults.detectRollBack;
|
||||||
|
@@ -1100,16 +1120,28 @@
|
||||||
|
case SSL_ENABLE_TLS:
|
||||||
|
ssl_EnableTLS(&versions_defaults_stream, on);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ENABLE_SSL3:
|
||||||
|
ssl_EnableSSL3(&versions_defaults_stream, on);
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case SSL_ENABLE_SSL2:
|
||||||
|
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||||
|
+ /* We no longer support SSL v2.
|
||||||
|
+ * However, if an old application requests to disable SSL v2,
|
||||||
|
+ * we shouldn't fail.
|
||||||
|
+ */
|
||||||
|
+ if (on) {
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case SSL_NO_CACHE:
|
||||||
|
ssl_defaults.noCache = on;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ENABLE_FDX:
|
||||||
|
if (on && ssl_defaults.noLocks) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
return SECFailure;
|
10
nss.spec
10
nss.spec
@ -21,7 +21,7 @@ Name: nss
|
|||||||
Version: 3.24.0
|
Version: 3.24.0
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 1.1%{?dist}
|
Release: 1.2%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -96,7 +96,8 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
|||||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
Patch60: nss-pem-unitialized-vars.path
|
Patch60: nss-pem-unitialized-vars.path
|
||||||
Patch61: nss-skip-util-gtest.patch
|
Patch61: nss-skip-util-gtest.patch
|
||||||
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
|
||||||
|
Patch62: mzbz1277569backport.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -184,6 +185,7 @@ low level services.
|
|||||||
pushd nss
|
pushd nss
|
||||||
%patch60 -p1 -b .unitialized_vars
|
%patch60 -p1 -b .unitialized_vars
|
||||||
%patch61 -p0 -b .skip_util_gtest
|
%patch61 -p0 -b .skip_util_gtest
|
||||||
|
%patch62 -p1 -b .compatibility
|
||||||
popd
|
popd
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
@ -793,6 +795,10 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
|
||||||
|
- Allow application requests to disable SSL v2 to succeed
|
||||||
|
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
|
||||||
|
|
||||||
* Mon May 30 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
|
* Mon May 30 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
|
||||||
- Update nss_tests with some of the new gtests from upstream
|
- Update nss_tests with some of the new gtests from upstream
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user