From 3e2a0ea4de98cd119677c5fd2507a77f91dac301 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Thu, 16 Oct 2014 16:36:18 -0700
Subject: [PATCH] Resolves: Bug 994599 - Enable TLS 1.2 by default

---
 nss.spec    | 10 +++++++++-
 tls12.patch | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 tls12.patch

diff --git a/nss.spec b/nss.spec
index ba1f378..4a6f255 100644
--- a/nss.spec
+++ b/nss.spec
@@ -19,7 +19,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.17.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -91,6 +91,8 @@ Patch49: nss-skip-bltest-and-fipstest.patch
 # headers are older. Such is the case when starting an update with API changes or even private export changes.
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50: iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
+Patch51: tls12.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -178,6 +180,9 @@ low level services.
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
+pushd nss
+%patch51 -p1 -b .994599
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -761,6 +766,9 @@ fi
 
 
 %changelog
+* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2
+- Resolves: Bug 994599 - Enable TLS 1.2 by default
+
 * Sun Oct 12 2014 Elio Maldonado - 3.17.2-1
 - Update to nss-3.17.2
 
diff --git a/tls12.patch b/tls12.patch
new file mode 100644
index 0000000..0293383
--- /dev/null
+++ b/tls12.patch
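Review bot: The %prep hunk applies Patch51 with `pushd nss` and `-p1` while every neighbouring patch is applied with `-p0` from the top directory, and nothing in the spec records why. The reason is visible in the new file: tls12.patch is an upstream hg changeset whose paths are `a/lib/ssl/sslsock.c`, i.e. relative to the nss/ subdirectory and carrying the a/ b/ prefix. A one-line comment above the pushd, `# Patch51 is an upstream hg changeset: paths are a/lib/ssl/... relative to nss/, hence pushd + -p1`, would stop a later editor from normalising it to -p0 and silently breaking the build. The `-b .994599` backup suffix is also the only numeric one in the list; `.tls12` would match the file name and the convention of the lines above it.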
@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Martin Thomson
+# Date 1413479112 25200
+#      Thu Oct 16 10:05:12 2014 -0700
+# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
+# Parent  24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
+Bug 1083900 - Updating default maximum version to 1.2
+
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
+     PR_FALSE /* enableFallbackSCSV */
+ };
+ 
+ /*
+  * default range of enabled SSL/TLS protocols
+  */
+ static SSLVersionRange versions_defaults_stream = {
+     SSL_LIBRARY_VERSION_3_0,
+-    SSL_LIBRARY_VERSION_TLS_1_0
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {
+     SSL_LIBRARY_VERSION_TLS_1_1,
+-    SSL_LIBRARY_VERSION_TLS_1_1
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ #define VERSIONS_DEFAULTS(variant) \
+     (variant == ssl_variant_stream ? &versions_defaults_stream : \
+                                      &versions_defaults_datagram)
+ 
+ sslSessionIDLookupFunc ssl_sid_lookup;
+ sslSessionIDCacheFunc ssl_sid_cache;
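Review bot: The embedded change raises only the upper bound of both default ranges; the stream minimum stays `SSL_LIBRARY_VERSION_3_0` in the unchanged context line, so applications that rely on the library default still offer SSLv3 and the spec's "Enable TLS 1.2 by default" wording should not be read as tightening the lower bound. The same context shows `enableFallbackSCSV` defaulting to PR_FALSE, so any consumer that does its own version fallback on handshake failure presumably now has one more version to step down through — that is inferred from the defaults, not visible here, and is worth checking in dependent packages before this ships. A comment in the spec next to the Patch51 declaration, `# Raises the default maximum to TLS 1.2 for stream and datagram sockets; the default minimum is unchanged`, would make the scope explicit. Only the two initialisers are changed; the rest of sslsock.c lies outside this hunk.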