NSS: Update list of ciphers

Resolves: #1387868
2017-01-30 14:43:40 +01:00 · 2017-01-30 14:43:40 +01:00 · 0cc5bf7254
commit 0cc5bf7254
parent 22dbdbf78a
2 changed files with 176 additions and 1 deletions
--- a/openldap-nss-ciphers-definitions.patch
+++ b/openldap-nss-ciphers-definitions.patch
@ -0,0 +1,170 @@
+Update MozNSS definitions of ciphers
+
+Author: Matus Honek <mhonek@redhat.com>
+PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
+@@ -255,69 +255,103 @@ typedef struct {
+ /* Cipher translation */
+ static cipher_properties ciphers_def[] = {
+ 
+-	/*
+-	 * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
+-	 */
+-
+ 	/* SSLv2 ciphers */
+-	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
+-	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
+-	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
+-	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
+-	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
+-	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
+	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW},
+	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
+	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM},
+	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM},
+	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40},
+	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40},
+ 
+ 	/* SSLv3 ciphers */
+-	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
+-	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
+-	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
+-	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
+-	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
+-	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
+	{"NULL-MD5",             TLS_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL},      /* SSL_RSA_WITH_NULL_MD5 */
+	{"NULL-SHA",             TLS_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},	 /* SSL_RSA_WITH_NULL_SHA */
+	{"DES-CBC-SHA",          TLS_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},	 /* SSL_RSA_WITH_DES_CBC_SHA */
+	{"DES-CBC3-SHA",         TLS_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},	 /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */
+	{"RC4-MD5",              TLS_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM},	 /* SSL_RSA_WITH_RC4_128_MD5 */
+	{"RC4-SHA",              TLS_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM},	 /* SSL_RSA_WITH_RC4_128_SHA */
+	{"EXP-RC2-CBC-MD5",      TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40},	 /* SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
+	{"EXP-RC4-MD5",          TLS_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40},	 /* SSL_RSA_EXPORT_WITH_RC4_40_MD5 */
+	{"EDH-RSA-DES-CBC-SHA",  TLS_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},	 /* SSL_DHE_RSA_WITH_DES_CBC_SHA */
+	{"EDH-RSA-DES-CBC3-SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},	 /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
+	{"EDH-DSS-DES-CBC-SHA",  TLS_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},	 /* SSL_DHE_DSS_WITH_DES_CBC_SHA */
+	{"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},	 /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
+ 
+ 	/* TLSv1 ciphers */
+-	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
+-	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
+-	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
+-	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
+-	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
+	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56},
+	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56},
+	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM},
+	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM},
+	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL},
+	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM},
+	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH},
+	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH},
+	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH},
+	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL},
+	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM},
+	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH},
+	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH},
+	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH},
+	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL},
+	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM},
+	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH},
+	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH},
+	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH},
+	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL},
+	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM},
+	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH},
+	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH},
+	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH},
+
+	// Ciphers commented out are not in NSS yet.
+
+	{"NULL-SHA256",              TLS_RSA_WITH_NULL_SHA256,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256,     TLS1_2, SSL_NULL},
+	{"AES128-SHA256",            TLS_RSA_WITH_AES_128_CBC_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256,    TLS1_2, SSL_HIGH},
+	{"AES256-SHA256",            TLS_RSA_WITH_AES_256_CBC_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256,    TLS1_2, SSL_HIGH},
+	{"AES128-GCM-SHA256",        TLS_RSA_WITH_AES_128_GCM_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	{"AES256-GCM-SHA384",        0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */,       SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+
+	{"DHE-RSA-AES256-SHA256",     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256,            TLS1_2, SSL_HIGH},
+	{"DHE-RSA-AES128-SHA256",     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256,            TLS1_2, SSL_HIGH},
+	{"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	{"DHE-RSA-AES256-GCM-SHA384", 0x009f /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+
+	{"DHE-DSS-AES128-SHA256",     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
+	{"DHE-DSS-AES256-SHA256",     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256,          TLS1_2, SSL_HIGH},
+	{"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+	{"DHE-DSS-AES128-GCM-SHA256", 0x00a3 /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+	//{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+	{"ECDHE-ECDSA-AES128-SHA256",     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
+	{"ECDHE-RSA-AES128-SHA256",       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256,            TLS1_2, SSL_HIGH},
+	{"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+	{"ECDHE-RSA-AES128-GCM-SHA256",   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	{"ECDHE-ECDSA-AES256-GCM-SHA384", 0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+	{"ECDHE-RSA-AES256-GCM-SHA384",   0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */,   SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	{"ECDHE-ECDSA-AES256-SHA384",     0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384,          TLS1_2, SSL_HIGH},
+	{"ECDHE-RSA-AES256-SHA384",       0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */,   SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384,            TLS1_2, SSL_HIGH},
+
+	{"ECDHE-PSK-AES128-GCM-SHA256",   0xd001 /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */,         SSL_kECDHE|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD,  TLS1_2, SSL_HIGH},
+	{"ECDHE-PSK-CHACHA20-POLY1305",   0xccac /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */,   SSL_kECDHE|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	{"ECDHE-PSK-AES256-GCM-SHA384",   0xd002 /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */,         SSL_kECDHE|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD,  TLS1_2, SSL_HIGH},
+	{"",                              0x00aa /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */,           SSL_kEDH|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD,    TLS1_2, SSL_HIGH},
+	{"",                              0xccad /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */,     SSL_kEDH|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD,     TLS1_2, SSL_HIGH},
+	{"",                              0x00ab /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */,           SSL_kEDH|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD,    TLS1_2, SSL_HIGH},
+	//{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+	//{"ECDHE-RSA-CHACHA20-POLY1305",   0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */,   SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD,   TLS1_2, SSL_HIGH},
+	//{"DHE-RSA-CHACHA20-POLY1305",     0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */,     SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD,     TLS1_2, SSL_HIGH},
+ };
+ 
+ #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
--- a/openldap.spec
+++ b/openldap.spec
@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.44
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -51,6 +51,7 @@ Patch22: openldap-nss-protocol-version-new-api.patch
 Patch50: openldap-nss-cipher-attributes.patch
 Patch51: openldap-nss-ciphers-parsing.patch
 Patch52: openldap-nss-ciphers-use-nss-defaults.patch
+Patch53: openldap-nss-ciphers-definitions.patch

 # check-password module specific patches
 Patch90: check-password-makefile.patch
@ -159,6 +160,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
+%patch53 -p1

 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -551,6 +553,9 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
+- NSS: Update list of ciphers (#1387868)
+
 * Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
 - NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)