Disable SSL2 support at build time
- Fix syntax errors in various shell scripts - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
This commit is contained in:
parent
8c142e52fe
commit
8cfb70a447
123
disableSSL2libssl.patch
Normal file
123
disableSSL2libssl.patch
Normal file
@ -0,0 +1,123 @@
|
|||||||
|
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
|
||||||
|
--- a/lib/ssl/config.mk
|
||||||
|
+++ b/lib/ssl/config.mk
|
||||||
|
@@ -2,16 +2,20 @@
|
||||||
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
ifdef NISCC_TEST
|
||||||
|
DEFINES += -DNISCC_TEST
|
||||||
|
endif
|
||||||
|
|
||||||
|
+ifdef NSS_NO_SSL2
|
||||||
|
+DEFINES += -DNSS_NO_SSL2
|
||||||
|
+endif
|
||||||
|
+
|
||||||
|
# Allow build-time configuration of TLS 1.3 (Experimental)
|
||||||
|
ifdef NSS_ENABLE_TLS_1_3
|
||||||
|
DEFINES += -DNSS_ENABLE_TLS_1_3
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifdef NSS_NO_PKCS11_BYPASS
|
||||||
|
DEFINES += -DNO_PKCS11_BYPASS
|
||||||
|
else
|
||||||
|
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||||
|
--- a/lib/ssl/sslsock.c
|
||||||
|
+++ b/lib/ssl/sslsock.c
|
||||||
|
@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||||
|
if (ss->cipherSpecs) {
|
||||||
|
PORT_Free(ss->cipherSpecs);
|
||||||
|
ss->cipherSpecs = NULL;
|
||||||
|
ss->sizeCipherSpecs = 0;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ENABLE_SSL2:
|
||||||
|
+#ifdef NSS_NO_SSL2
|
||||||
|
+ if (on) {
|
||||||
|
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||||
|
+ rv = SECFailure; /* not allowed */
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
if (IS_DTLS(ss)) {
|
||||||
|
if (on) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure; /* not allowed */
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
ss->opt.enableSSL2 = on;
|
||||||
|
@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||||
|
ss->opt.v2CompatibleHello = on;
|
||||||
|
}
|
||||||
|
ss->preferredCipher = NULL;
|
||||||
|
if (ss->cipherSpecs) {
|
||||||
|
PORT_Free(ss->cipherSpecs);
|
||||||
|
ss->cipherSpecs = NULL;
|
||||||
|
ss->sizeCipherSpecs = 0;
|
||||||
|
}
|
||||||
|
+#endif /* NSS_NO_SSL2 */
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_NO_CACHE:
|
||||||
|
ss->opt.noCache = on;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ENABLE_FDX:
|
||||||
|
if (on && ss->opt.noLocks) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure;
|
||||||
|
}
|
||||||
|
ss->opt.fdx = on;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_V2_COMPATIBLE_HELLO:
|
||||||
|
+#ifdef NSS_NO_SSL2
|
||||||
|
+ if (on) {
|
||||||
|
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||||
|
+ rv = SECFailure; /* not allowed */
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
if (IS_DTLS(ss)) {
|
||||||
|
if (on) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure; /* not allowed */
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
ss->opt.v2CompatibleHello = on;
|
||||||
|
if (!on) {
|
||||||
|
ss->opt.enableSSL2 = on;
|
||||||
|
}
|
||||||
|
+#endif /* NSS_NO_SSL2 */
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_ROLLBACK_DETECTION:
|
||||||
|
ss->opt.detectRollBack = on;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSL_NO_STEP_DOWN:
|
||||||
|
ss->opt.noStepDown = on;
|
||||||
|
@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
|
||||||
|
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ssl_IsRemovedCipherSuite(which)) {
|
||||||
|
rv = SECSuccess;
|
||||||
|
} else if (SSL_IS_SSL2_CIPHER(which)) {
|
||||||
|
+#ifdef NSS_NO_SSL2
|
||||||
|
+ rv = SSL_ERROR_SSL2_DISABLED;
|
||||||
|
+#else
|
||||||
|
rv = ssl2_SetPolicy(which, policy);
|
||||||
|
+#endif /* NSS_NO_SSL2 */
|
||||||
|
} else {
|
||||||
|
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
||||||
|
}
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
SECStatus
|
||||||
|
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
|
289
disableSSL2tests.patch
Normal file
289
disableSSL2tests.patch
Normal file
@ -0,0 +1,289 @@
|
|||||||
|
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||||
|
--- a/tests/ssl/ssl.sh
|
||||||
|
+++ b/tests/ssl/ssl.sh
|
||||||
|
@@ -57,18 +57,23 @@ ssl_init()
|
||||||
|
fi
|
||||||
|
|
||||||
|
PORT=${PORT-8443}
|
||||||
|
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
|
||||||
|
nss_ssl_run="stapling cov auth stress"
|
||||||
|
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||||
|
|
||||||
|
# Test case files
|
||||||
|
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||||
|
+ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
|
||||||
|
+ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
|
||||||
|
+ || ${QADIR}/ssl/sslcov.txt
|
||||||
|
SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||||
|
+ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
|
||||||
|
+ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
|
||||||
|
+ || ${QADIR}/ssl/sslstress.txt
|
||||||
|
SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||||
|
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||||
|
|
||||||
|
#temparary files
|
||||||
|
SERVEROUTFILE=${TMP}/tests_server.$$
|
||||||
|
SERVERPID=${TMP}/tests_pid.$$
|
||||||
|
|
||||||
|
R_SERVERPID=../tests_pid.$$
|
||||||
|
@@ -115,17 +120,21 @@ is_selfserv_alive()
|
||||||
|
if [ "${OS_ARCH}" = "WINNT" ] && \
|
||||||
|
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
|
||||||
|
PID=${SHELL_SERVERPID}
|
||||||
|
else
|
||||||
|
PID=`cat ${SERVERPID}`
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||||
|
+ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
|
||||||
|
+ echo "No server to kill"
|
||||||
|
+ else
|
||||||
|
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||||
|
+ fi
|
||||||
|
|
||||||
|
echo "selfserv with PID ${PID} found at `date`"
|
||||||
|
}
|
||||||
|
|
||||||
|
########################### wait_for_selfserv ##########################
|
||||||
|
# local shell function to wait until selfserver is running and initialized
|
||||||
|
########################################################################
|
||||||
|
wait_for_selfserv()
|
||||||
|
@@ -138,17 +147,21 @@ wait_for_selfserv()
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
sleep 5
|
||||||
|
echo "retrying to connect to selfserv at `date`"
|
||||||
|
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
|
||||||
|
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
|
||||||
|
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||||
|
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
+ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
|
||||||
|
+ html_passed "Server never started"
|
||||||
|
+ else
|
||||||
|
html_failed "Waiting for Server"
|
||||||
|
+ fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
is_selfserv_alive
|
||||||
|
}
|
||||||
|
|
||||||
|
########################### kill_selfserv ##############################
|
||||||
|
# local shell function to kill the selfserver after the tests are done
|
||||||
|
########################################################################
|
||||||
|
@@ -273,16 +286,19 @@ ssl_cov()
|
||||||
|
exec < ${SSLCOV}
|
||||||
|
while read ectype testmax param testname
|
||||||
|
do
|
||||||
|
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||||
|
EXP=$?
|
||||||
|
echo "${testname}" | grep "SSL2" > /dev/null
|
||||||
|
SSL2=$?
|
||||||
|
|
||||||
|
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||||
|
+ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
|
||||||
|
+
|
||||||
|
if [ "${SSL2}" -eq 0 ] ; then
|
||||||
|
# We cannot use asynchronous cert verification with SSL2
|
||||||
|
SSL2_FLAGS=-O
|
||||||
|
VMIN="ssl2"
|
||||||
|
else
|
||||||
|
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
|
||||||
|
# default in libssl but it is enabled by default in tstclnt; we want
|
||||||
|
# to test the libssl default whenever possible.
|
||||||
|
diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt
|
||||||
|
new file mode 100644
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/ssl/sslcov.noSSL2orExport.txt
|
||||||
|
@@ -0,0 +1,134 @@
|
||||||
|
+# This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
+# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
+#
|
||||||
|
+# This file enables test coverage of the various SSL ciphers
|
||||||
|
+#
|
||||||
|
+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
|
||||||
|
+# mix up the enable functions so we can tests boths paths.
|
||||||
|
+#
|
||||||
|
+# Enable Enable Cipher Test Name
|
||||||
|
+# EC TLS
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
|
||||||
|
+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
|
||||||
|
+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
|
||||||
|
+ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
|
+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
|
||||||
|
+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
|
||||||
|
+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||||
|
+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||||
|
+#
|
||||||
|
+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
|
||||||
|
+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
|
||||||
|
+ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
|
||||||
|
+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
|
||||||
|
+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||||
|
+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
|
||||||
|
+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
|
||||||
|
+ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
|
||||||
|
+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
|
||||||
|
+#
|
||||||
|
+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
|
||||||
|
+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
|
||||||
|
+ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA
|
||||||
|
+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
|
||||||
|
+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
|
||||||
|
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
|
||||||
|
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
|
||||||
|
+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
+#
|
||||||
|
+# ECC ciphers (TLS)
|
||||||
|
+#
|
||||||
|
+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+#
|
||||||
|
+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+#
|
||||||
|
+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
|
||||||
|
+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
|
||||||
|
+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||||
|
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt
|
||||||
|
new file mode 100644
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/ssl/sslstress.noSSL2orExport.txt
|
||||||
|
@@ -0,0 +1,53 @@
|
||||||
|
+# This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
+# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
+#
|
||||||
|
+# This file defines the stress tests for SSL/TLS.
|
||||||
|
+#
|
||||||
|
+# expected
|
||||||
|
+# Enable return server client Test Case name
|
||||||
|
+# ECC value params params
|
||||||
|
+# ------- ------ ------ ------ ---------------
|
||||||
|
+ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
|
||||||
|
+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
|
||||||
|
+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
|
||||||
|
+ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
|
||||||
|
+ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
|
||||||
|
+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
|
||||||
|
+ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
|
||||||
|
+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# add client auth versions here...
|
||||||
|
+#
|
||||||
|
+ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
|
||||||
|
+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
|
||||||
|
+ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
|
||||||
|
+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
|
||||||
|
+ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
|
||||||
|
+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
|
||||||
|
+ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
|
||||||
|
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
|
||||||
|
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# ############################ ECC ciphers ############################
|
||||||
|
+#
|
||||||
|
+ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
|
||||||
|
+ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
|
||||||
|
+ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
|
||||||
|
+ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
|
||||||
|
+ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
|
||||||
|
+ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
|
||||||
|
+ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
|
||||||
|
+ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
|
||||||
|
+ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
|
||||||
|
+#
|
||||||
|
+# add client auth versions here...
|
||||||
|
+#
|
||||||
|
+ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
|
||||||
|
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
|
||||||
|
+ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
|
||||||
|
+ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
|
||||||
|
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
|
||||||
|
+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
|
21
nss.spec
21
nss.spec
@ -19,7 +19,7 @@
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: 3.17.4
|
Version: 3.17.4
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -92,6 +92,11 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||||||
Patch50: iquote.patch
|
Patch50: iquote.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
|
||||||
Patch51: tls12.patch
|
Patch51: tls12.patch
|
||||||
|
# SSL2 support has been disabled downstream in RHEL since RHEL-7.0
|
||||||
|
Patch52: disableSSL2libssl.patch
|
||||||
|
Patch53: disableSSL2tests.patch
|
||||||
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
|
||||||
|
Patch92: scripts-syntax-errors.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -180,6 +185,9 @@ low level services.
|
|||||||
%patch50 -p0 -b .iquote
|
%patch50 -p0 -b .iquote
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch51 -p1 -b .994599
|
%patch51 -p1 -b .994599
|
||||||
|
%patch52 -p1 -b .disableSSL2libssl
|
||||||
|
%patch53 -p1 -b .disableSSL2tests
|
||||||
|
%patch92 -p1 -b .syntax
|
||||||
popd
|
popd
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
@ -211,6 +219,8 @@ done
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
|
export NSS_NO_SSL2=1
|
||||||
|
|
||||||
NSS_NO_PKCS11_BYPASS=1
|
NSS_NO_PKCS11_BYPASS=1
|
||||||
export NSS_NO_PKCS11_BYPASS
|
export NSS_NO_PKCS11_BYPASS
|
||||||
|
|
||||||
@ -358,6 +368,10 @@ if [ ${DISABLETEST:-0} -eq 1 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Begin -- copied from the build section
|
# Begin -- copied from the build section
|
||||||
|
|
||||||
|
# inform the ssl test scripts that SSL2 is disabled
|
||||||
|
export NSS_NO_SSL2=1
|
||||||
|
|
||||||
FREEBL_NO_DEPEND=1
|
FREEBL_NO_DEPEND=1
|
||||||
export FREEBL_NO_DEPEND
|
export FREEBL_NO_DEPEND
|
||||||
|
|
||||||
@ -781,6 +795,11 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 09 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
|
||||||
|
- Disable SSL2 support at build time
|
||||||
|
- Fix syntax errors in various shell scripts
|
||||||
|
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
|
||||||
|
|
||||||
* Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
|
* Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
|
||||||
- Update to nss-3.17.4
|
- Update to nss-3.17.4
|
||||||
|
|
||||||
|
87
scripts-syntax-errors.patch
Normal file
87
scripts-syntax-errors.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
diff --git a/tests/all.sh b/tests/all.sh
|
||||||
|
--- a/tests/all.sh
|
||||||
|
+++ b/tests/all.sh
|
||||||
|
@@ -296,17 +296,17 @@ fi
|
||||||
|
|
||||||
|
# NOTE:
|
||||||
|
# Since in make at the top level, modutil is the last file
|
||||||
|
# created, we check for modutil to know whether the build
|
||||||
|
# is complete. If a new file is created after that, the
|
||||||
|
# following test for modutil should check for that instead.
|
||||||
|
# Exception: when building softoken only, shlibsign is the
|
||||||
|
# last file created.
|
||||||
|
-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
|
||||||
|
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
|
||||||
|
LAST_FILE_BUILT=shlibsign
|
||||||
|
else
|
||||||
|
LAST_FILE_BUILT=modutil
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
|
||||||
|
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
|
||||||
|
html_head "Testing Initialization"
|
||||||
|
diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
|
||||||
|
--- a/tests/cipher/cipher.sh
|
||||||
|
+++ b/tests/cipher/cipher.sh
|
||||||
|
@@ -119,17 +119,17 @@ cipher_cleanup()
|
||||||
|
}
|
||||||
|
|
||||||
|
################## main #################################################
|
||||||
|
|
||||||
|
# When building without softoken, bltest isn't built. It was already
|
||||||
|
# built and the cipher suite run as part of an nss-softoken build.
|
||||||
|
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
|
||||||
|
echo "bltest not built, skipping this test." >> ${LOGFILE}
|
||||||
|
- res = 0
|
||||||
|
+ res=0
|
||||||
|
html_msg $res $EXP_RET "$TESTNAME"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
cipher_init
|
||||||
|
# Skip cipher_main if this an NSS without softoken build.
|
||||||
|
if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
|
||||||
|
cipher_main
|
||||||
|
fi
|
||||||
|
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||||
|
--- a/tests/common/init.sh
|
||||||
|
+++ b/tests/common/init.sh
|
||||||
|
@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
||||||
|
{
|
||||||
|
|
||||||
|
html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
|
||||||
|
html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
|
||||||
|
echo "$SCRIPTNAME: $* ==============================="
|
||||||
|
}
|
||||||
|
html_msg()
|
||||||
|
{
|
||||||
|
- if [ "$1" -ne "$2" ] ; then
|
||||||
|
+ if [ $1 -ne $2 ] ; then
|
||||||
|
html_failed "$3" "$4"
|
||||||
|
else
|
||||||
|
html_passed "$3" "$4"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
|
||||||
|
HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
|
||||||
|
HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
|
||||||
|
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
|
||||||
|
--- a/tests/dbtests/dbtests.sh
|
||||||
|
+++ b/tests/dbtests/dbtests.sh
|
||||||
|
@@ -170,7 +170,7 @@ dbtest_main()
|
||||||
|
|
||||||
|
# skipping the next two tests when user is root,
|
||||||
|
# otherwise they would fail due to rooty powers
|
||||||
|
- if [ $UID -ne 0 ] then
|
||||||
|
+ if [[ $EUID -ne 0 ]]; then
|
||||||
|
${BINDIR}/dbtest -d $RONLY_DIR
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 46 ]; then
|
||||||
|
@@ -181,7 +181,7 @@ dbtest_main()
|
||||||
|
else
|
||||||
|
html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
|
||||||
|
fi
|
||||||
|
- if [ $UID -ne 0 ] then
|
||||||
|
+ if [[ $EUID -ne 0 ]]; then
|
||||||
|
${BINDIR}/certutil -D -n "TestUser" -d .
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 255 ]; then
|
Loading…
Reference in New Issue
Block a user