From 3648d70a92fa7067319cd39654023fcbb9ce2f42 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Mon, 23 May 2016 18:10:46 -0700 Subject: [PATCH] Update to NSS 3.24.0 - Resolves: Bug 1336849 - nss-3.24 is available - Update patches on account of the rebase - Remove unused patches un account of the rebase - Patch pem module to compile with wrning for unitilaized variables treated as errors - Patch to skip some of the gtests as they use private calls and need to statically link with libnssutil.a - TODO: bring this up with the external_tests framework developers upstream --- .gitignore | 2 +- disableSSL2libssl.patch | 149 ------------------------- disableSSL2tests.patch | 126 --------------------- nss-539183.patch | 56 ++++++---- nss-pem-unitialized-vars.path | 15 +++ nss-skip-util-gtest.patch | 11 ++ nss.spec | 26 ++--- skip_stress_TLS_RC4_128_with_MD5.patch | 52 --------- sources | 2 +- tstclnt-ssl2-off-by-default.patch | 21 ---- 10 files changed, 78 insertions(+), 382 deletions(-) delete mode 100644 disableSSL2libssl.patch delete mode 100644 disableSSL2tests.patch create mode 100644 nss-pem-unitialized-vars.path create mode 100644 nss-skip-util-gtest.patch delete mode 100644 skip_stress_TLS_RC4_128_with_MD5.patch delete mode 100644 tstclnt-ssl2-off-by-default.patch diff --git a/.gitignore b/.gitignore index 214a868..546baa8 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,4 @@ TestUser51.cert /nss-pem-20160308.tar.bz2 /PayPalRootCA.cert /PayPalICA.cert -/nss-3.23.0.tar.gz +/nss-3.24.0.tar.gz diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch deleted file mode 100644 index 6957b00..0000000 --- a/disableSSL2libssl.patch +++ /dev/null @@ -1,149 +0,0 @@ ---- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800 -+++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800 -@@ -2,16 +2,20 @@ - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this - # file, You can obtain one at http://mozilla.org/MPL/2.0/. - - ifdef NISCC_TEST - DEFINES += -DNISCC_TEST - endif - -+ifdef NSS_NO_SSL2_NO_EXPORT -+DEFINES += -DNSS_NO_SSL2_NO_EXPORT -+endif -+ - ifdef NSS_NO_PKCS11_BYPASS - DEFINES += -DNO_PKCS11_BYPASS - else - CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) - - EXTRA_LIBS += \ - $(CRYPTOLIB) \ - $(NULL) ---- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800 -+++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800 -@@ -707,16 +707,22 @@ - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } - break; - - case SSL_ENABLE_SSL2: -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ - } - break; - } - if (on) { -@@ -731,52 +737,67 @@ - ss->opt.v2CompatibleHello = on; - } - ss->preferredCipher = NULL; - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; - - case SSL_NO_CACHE: - ss->opt.noCache = on; - break; - - case SSL_ENABLE_FDX: - if (on && ss->opt.noLocks) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - } - ss->opt.fdx = on; - break; - - case SSL_V2_COMPATIBLE_HELLO: -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ - } - break; - } - ss->opt.v2CompatibleHello = on; - if (!on) { - ss->opt.enableSSL2 = on; - } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; - - case SSL_ROLLBACK_DETECTION: - ss->opt.detectRollBack = on; - break; - - case SSL_NO_STEP_DOWN: -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (!on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - ss->opt.noStepDown = on; - if (on) - SSL_DisableExportCipherSuites(fd); -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; - - case SSL_BYPASS_PKCS11: - if (ss->handshakeBegun) { - PORT_SetError(PR_INVALID_STATE_ERROR); - rv = SECFailure; - } else { - if (PR_FALSE != on) { -@@ -1324,16 +1345,32 @@ - } - return SECSuccess; - } - - /* function tells us if the cipher suite is one that we no longer support. */ - static PRBool - ssl_IsRemovedCipherSuite(PRInt32 suite) - { -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ /* both ssl2 and export cipher suites disabled */ -+ if (SSL_IS_SSL2_CIPHER(suite)) -+ return PR_TRUE; -+ if (SSL_IsExportCipherSuite(suite)) { -+ SSLCipherSuiteInfo csdef; -+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) { -+ /* failure to retrieve info, disable */ -+ return PR_TRUE; -+ } -+ if (csdef.symCipher != ssl_calg_null) { -+ /* disable all except NULL ciphersuites */ -+ return PR_TRUE; -+ } -+ } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - switch (suite) { - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: - case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: - return PR_TRUE; - default: - return PR_FALSE; - } diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch deleted file mode 100644 index 963e4aa..0000000 --- a/disableSSL2tests.patch +++ /dev/null @@ -1,126 +0,0 @@ ---- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800 -+++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800 -@@ -57,19 +57,24 @@ ssl_init() - fi - - PORT=${PORT-8443} - NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} - nss_ssl_run="stapling signed_cert_timestamps cov auth stress" - NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} - - # Test case files -- SSLCOV=${QADIR}/ssl/sslcov.txt -+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then -+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt -+ else -+ SSLCOV=${QADIR}/ssl/sslcov.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.txt -+ fi - SSLAUTH=${QADIR}/ssl/sslauth.txt -- SSLSTRESS=${QADIR}/ssl/sslstress.txt - SSLPOLICY=${QADIR}/ssl/sslpolicy.txt - REQUEST_FILE=${QADIR}/ssl/sslreq.dat - - #temparary files - SERVEROUTFILE=${TMP}/tests_server.$$ - SERVERPID=${TMP}/tests_pid.$$ - - R_SERVERPID=../tests_pid.$$ -@@ -116,17 +121,21 @@ is_selfserv_alive() - if [ "${OS_ARCH}" = "WINNT" ] && \ - [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then - PID=${SHELL_SERVERPID} - else - PID=`cat ${SERVERPID}` - fi - - echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ echo "No server to kill" -+ else - kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" -+ fi - - echo "selfserv with PID ${PID} found at `date`" - } - - ########################### wait_for_selfserv ########################## - # local shell function to wait until selfserver is running and initialized - ######################################################################## - wait_for_selfserv() -@@ -139,17 +148,21 @@ wait_for_selfserv() - if [ $? -ne 0 ]; then - sleep 5 - echo "retrying to connect to selfserv at `date`" - echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" - echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" - ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} - if [ $? -ne 0 ]; then -+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ html_passed "Server never started" -+ else - html_failed "Waiting for Server" -+ fi - fi - fi - is_selfserv_alive - } - - ########################### kill_selfserv ############################## - # local shell function to kill the selfserver after the tests are done - ######################################################################## -@@ -210,25 +223,26 @@ start_selfserv() - ECC_OPTIONS="" - fi - if [ "$1" = "mixed" ]; then - ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" - fi - echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" -- echo " $verbose -H 1 &" -+ echo " $verbose -H 1 -V ssl3: &" - if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ -- > ${SERVEROUTFILE} 2>&1 & -+ -V ssl3:> ${SERVEROUTFILE} 2>&1 & - RET=$? - else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ -- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 & -+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \ -+ -V ssl3: & - RET=$? - fi - - # The PID $! returned by the MKS or Cygwin shell is not the PID of - # the real background process, but rather the PID of a helper - # process (sh.exe). MKS's kill command has a bug: invoking kill - # on the helper process does not terminate the real background - # process. Our workaround has been to have selfserv save its PID -@@ -275,16 +289,22 @@ ssl_cov() - exec < ${SSLCOV} - while read ectype testmax param testname - do - echo "${testname}" | grep "EXPORT" > /dev/null - EXP=$? - echo "${testname}" | grep "SSL2" > /dev/null - SSL2=$? - -+ # skip export and ssl2 tests when build has disabled SSL2 -+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})" -+ continue -+ fi -+ - if [ "${SSL2}" -eq 0 ] ; then - # We cannot use asynchronous cert verification with SSL2 - SSL2_FLAGS=-O - VMIN="ssl2" - else - # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by - # default in libssl but it is enabled by default in tstclnt; we want - # to test the libssl default whenever possible. diff --git a/nss-539183.patch b/nss-539183.patch index c5cc4d8..eda3249 100644 --- a/nss-539183.patch +++ b/nss-539183.patch @@ -1,44 +1,62 @@ -diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c ---- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800 -@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; +--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 ++++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 +@@ -953,23 +953,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; PRSocketOptionData opt; - addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); + if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); ++ errExit("PR_SetNetAddr"); + } - listen_sock = PR_NewTCPSocket(); + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); -+ errExit("PR_OpenTCPSocket error"); +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSockett"); } opt.option = PR_SockOpt_Nonblocking; -diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c ---- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800 -+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800 -@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); +--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 ++++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 +@@ -1711,23 +1711,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; PRSocketOptionData opt; - addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); + if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); ++ errExit("PR_SetNetAddr"); + } - listen_sock = PR_NewTCPSocket(); + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); +- errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket error"); } opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); diff --git a/nss-pem-unitialized-vars.path b/nss-pem-unitialized-vars.path new file mode 100644 index 0000000..f9a93a1 --- /dev/null +++ b/nss-pem-unitialized-vars.path @@ -0,0 +1,15 @@ +diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c +--- ./lib/ckfw/pem/pinst.c.unitialized_var 2016-05-21 19:04:24.471221863 -0700 ++++ ./lib/ckfw/pem/pinst.c 2016-05-21 19:31:07.124298651 -0700 +@@ -534,9 +534,9 @@ CK_RV + AddCertificate(char *certfile, char *keyfile, PRBool cacert, + CK_SLOT_ID slotID) + { +- pemInternalObject *o; ++ pemInternalObject *o = NULL; + CK_RV error = 0; +- int objid, i; ++ int objid, i = 0; + int nobjs = 0; + SECItem **objs = NULL; + char *ivstring = NULL; diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch new file mode 100644 index 0000000..80a785e --- /dev/null +++ b/nss-skip-util-gtest.patch @@ -0,0 +1,11 @@ +diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn +--- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 ++++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 +@@ -8,7 +8,6 @@ DEPTH = .. + DIRS = \ + google_test \ + der_gtest \ +- util_gtest \ + pk11_gtest \ + ssl_gtest \ + $(NULL) diff --git a/nss.spec b/nss.spec index 6857c60..ae3d0ad 100644 --- a/nss.spec +++ b/nss.spec @@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.23.0 +Version: 3.24.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 9%{?dist} +Release: 2.0%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -91,14 +91,13 @@ Patch49: nss-skip-bltest-and-fipstest.patch # headers are older. Such is the case when starting an update with API changes or even private export changes. # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. Patch50: iquote.patch -Patch52: disableSSL2libssl.patch -Patch53: disableSSL2tests.patch -Patch54: tstclnt-ssl2-off-by-default.patch -Patch55: skip_stress_TLS_RC4_128_with_MD5.patch # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # TODO: file a bug usptream Patch59: nss-check-policy-file.patch +Patch60: nss-pem-unitialized-vars.path +# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/ +Patch61: nss-skip-util-gtest.patch %description @@ -183,15 +182,13 @@ low level services. %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote pushd nss -%patch52 -p1 -b .disableSSL2libssl -%patch53 -p1 -b .disableSSL2tests popd -%patch54 -p0 -b .ssl2_off -%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5 %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file +%patch60 -p1 -b .unitialized_vars popd +%patch61 -p0 -b .skip_util_gtest ######################################################### # Higher-level libraries and test tools need access to @@ -224,6 +221,9 @@ done %{__rm} -rf ./nss/cmd/fipstest %{__rm} -rf ./nss/cmd/rsaperf_low +######## Remove portions that need to statically link with libnssutil.a +%{__rm} -rf ./nss/external_tests/util_gtests + pushd nss/tests/ssl # Create versions of sslcov.txt and sslstress.txt that disable tests # for SSL2 and EXPORT ciphers. @@ -396,9 +396,6 @@ fi # Begin -- copied from the build section -# inform the ssl test scripts that SSL2 is disabled -export NSS_NO_SSL2_NO_EXPORT=1 - FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -806,6 +803,9 @@ fi %changelog +* Tue May 24 2016 Elio Maldonado - 3.24.0-2.0 +- Rebase to NSS 3.24.0 + * Thu May 12 2016 Elio Maldonado - 3.23.0-9 - Change POLICY_FILE to "nss.config" diff --git a/skip_stress_TLS_RC4_128_with_MD5.patch b/skip_stress_TLS_RC4_128_with_MD5.patch deleted file mode 100644 index fed0ade..0000000 --- a/skip_stress_TLS_RC4_128_with_MD5.patch +++ /dev/null @@ -1,52 +0,0 @@ -diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt ---- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700 -+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700 -@@ -8,29 +8,29 @@ - # Enable return server client Test Case name - # ECC value params params - # ------- ------ ------ ------ --------------- -- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 -- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 -- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) -- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) -- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) -- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) -- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) -- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) -+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 -+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 -+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) -+# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) -+# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) -+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) -+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) -+# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) - - # - # add client auth versions here... - # -- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth) -- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) -- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) -- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) -- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) -- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) -- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) -- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) -- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) -- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) -+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth) -+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) -+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) -+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) -+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) -+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) -+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) -+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) -+# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) -+# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) - - # - # ############################ ECC ciphers ############################ diff --git a/sources b/sources index dbff227..6497ccb 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db 4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2 -574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz +2a3ffd2f46b60ecc116ac086343a537a nss-3.24.0.tar.gz diff --git a/tstclnt-ssl2-off-by-default.patch b/tstclnt-ssl2-off-by-default.patch deleted file mode 100644 index e442d36..0000000 --- a/tstclnt-ssl2-off-by-default.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c ---- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700 -+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700 -@@ -212,7 +212,7 @@ static void PrintParameterUsage(void) - fprintf(stderr, - "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" - "%-20s All versions are enabled by default.\n" -- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" -+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n" - "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n", - "-V [min]:[max]", "", "", ""); - fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K"); -@@ -911,7 +911,7 @@ int main(int argc, char **argv) - int npds; - int override = 0; - SSLVersionRange enabledVersions; -- PRBool enableSSL2 = PR_TRUE; -+ PRBool enableSSL2 = PR_FALSE; - int bypassPKCS11 = 0; - int disableLocking = 0; - int useExportPolicy = 0;