Enable TLS 1.3 middlebox compatibility mode by default

2020-10-22 17:06:28 +02:00 · 2020-10-22 17:06:28 +02:00 · 0d673b36cc
commit 0d673b36cc
parent f73f7ce1e4
2 changed files with 19 additions and 1 deletions
--- a/nss-ccs.patch
+++ b/nss-ccs.patch
@ -0,0 +1,13 @@
+Index: nss/lib/ssl/sslsock.c
+===================================================================
+--- nss.orig/lib/ssl/sslsock.c
+++ nss/lib/ssl/sslsock.c
+@@ -86,7 +86,7 @@ static sslOptions ssl_defaults = {
+     .enableSignedCertTimestamps = PR_FALSE,
+     .requireDHENamedGroups = PR_FALSE,
+     .enable0RttData = PR_FALSE,
+-    .enableTls13CompatMode = PR_FALSE,
+    .enableTls13CompatMode = PR_TRUE,
+     .enableDtls13VersionCompat = PR_FALSE,
+     .enableDtlsShortHeader = PR_FALSE,
+     .enableHelloDowngradeCheck = PR_FALSE,
--- a/nss.spec
+++ b/nss.spec
@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -106,6 +106,8 @@ Patch2:           nss-539183.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1672703
+Patch5:		  nss-ccs.patch
 Patch12:          nss-signtool-format.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
@ -902,6 +904,9 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Thu Oct 22 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-2
+- Enable TLS 1.3 middlebox compatibility mode by default
+
 * Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-1
 - Update to NSS 3.58