From 40928cb8e33ef2b3cc7adc988f87fa36e7f00261 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Fri, 6 Jan 2012 15:50:45 -0800
Subject: [PATCH] - Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity - Set NSS_SSL_CBC_RANDOM_IV to 0 by default and change to 1 on user request
---
nss-ssl-cbc-random-iv-off-by-default.patch | 25 ++++++++++++++++++++++
nss.spec | 8 ++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 nss-ssl-cbc-random-iv-off-by-default.patch
diff --git a/nss-ssl-cbc-random-iv-off-by-default.patch b/nss-ssl-cbc-random-iv-off-by-default.patch
new file mode 100644
index 0000000..28dfa48
--- /dev/null
+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
@@ -0,0 +1,25 @@
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.compatible ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.compatible 2012-01-05 13:54:36.430389994 -0800
++++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-01-05 13:55:25.810750394 -0800
+@@ -184,7 +184,7 @@ static sslOptions ssl_defaults = {
+ 3, /* enableRenegotiation (default: transitional) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+- PR_TRUE /* cbcRandomIV */
++ PR_FALSE /* cbcRandomIV */ /* defaults to off for compatibility */
+ };
+
+ sslSessionIDLookupFunc ssl_sid_lookup;
+@@ -2359,9 +2359,9 @@ ssl_SetDefaultsFromEnvironment(void)
+ PR_TRUE));
+ }
+ ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+- if (ev && ev[0] == '0') {
+- ssl_defaults.cbcRandomIV = PR_FALSE;
+- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
++ if (ev && ev[0] == '1') {
++ ssl_defaults.cbcRandomIV = PR_TRUE;
++ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
+ }
+ }
+ #endif /* NSS_HAVE_GETENV */
diff --git a/nss.spec b/nss.spec
index 2817b79..88abe25 100644
--- a/nss.spec
+++ b/nss.spec
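Review bot: The new `PR_FALSE /* cbcRandomIV */` entry in `ssl_defaults` turns off, for every NSS consumer on the system, what appears to be the CBC IV-randomisation countermeasure for SSL 3.0/TLS 1.0 (the defence against chosen-plaintext attacks on predictable IVs), and it does so to restore connectivity for a single client, pidgin-sipe per the subject line. A narrower fix would keep `PR_TRUE /* cbcRandomIV */` as the library default and opt out only in the affected application, for example with `SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, PR_FALSE)` on its sockets or `NSS_SSL_CBC_RANDOM_IV=0` in its launcher environment. If the packaged default has to stay off, the comment should state what is given up, e.g. `/* cbcRandomIV: off for bug 770682; CBC IV countermeasure disabled unless NSS_SSL_CBC_RANDOM_IV=1 */`, and the %changelog entry should tell administrators how to turn the protection back on. Both embedded sslsock.c hunks show only part of their enclosing definitions (`ssl_defaults` and `ssl_SetDefaultsFromEnvironment` start outside the hunks), so how the option is consumed elsewhere cannot be checked from this page.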
@@ -7,7 +7,7 @@ Summary: Network Security Services Name: nss Version: 3.13.1 -Release: 9%{?dist} +Release: 10%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -70,6 +70,7 @@ Patch25: nsspem-use-system-freebl.patch Patch26: nofipstest.patch # include this patch in the upstream pem review Patch28: nsspem-bz754771.patch +Patch29: nss-ssl-cbc-random-iv-off-by-default.patch %description @@ -158,6 +159,7 @@ low level services. %patch25 -p0 -b .systemfreebl %patch26 -p0 -b .nofipstest %patch28 -p0 -b .754771 +%patch29 -p0 -b .770682 %build @@ -572,6 +574,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10 +- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity +- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request + * Tue Dec 13 2011 elio maldonado - 3.13.1-9 - Revert to using current nss_softokn_version - Patch to deal with lack of sha224 is no longer needed