Bug 1019244
| Summary: | ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
| Component: | nss-softokn | Assignee: | Elio Maldonado Batiz <emaldona> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 18 | CC: | emaldona, eparis, i.grok, jv+fedora, kengert, rrelyea, stransky |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nss-softokn-3.15.2-2.fc21 nss-softokn-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc19 nss-softokn-3.15.2-2.fc18 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-01 03:55:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1019390 | | |

Description
Harald Reindl
2013-10-15 11:11:43 UTC
since OpenSSL in Fedora from now on supports ECDHE depending software needs to be rebuilt to make use of it as well as libraries like NSS/GNUTLS should do the same and depending packages like Firefox needs a rebuild against refreshed NSS to support it also on the client side

i made some triage today
_____________________________________________________

openssl: https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108
nss-softokn https://bugzilla.redhat.com/show_bug.cgi?id=1019244
nss https://bugzilla.redhat.com/show_bug.cgi?id=1019245
firefox https://bugzilla.redhat.com/show_bug.cgi?id=1019247
thunderbird: https://bugzilla.redhat.com/show_bug.cgi?id=1019249
httpd: https://bugzilla.redhat.com/show_bug.cgi?id=1019251
dovecot: https://bugzilla.redhat.com/show_bug.cgi?id=1019253
postfix: https://bugzilla.redhat.com/show_bug.cgi?id=1019254
openssh: https://bugzilla.redhat.com/show_bug.cgi?id=1019256
dbmail: https://bugzilla.redhat.com/show_bug.cgi?id=1019259

it would be more than nice to have builds for F18/F19/F20 and not only for F21 because these are the versions users are in contact in reality and if there would be a koji/testing-build for F19 you even would have valid karma at least from me

ping, i rebuilt the F21-src.rpm recently for F19 and the first time in the history of Fedora Firefox now supports "Forward Secrecy" to Google, Facebook and whatever domains with ECDHE because major sites do *not* support DHE-ciphers

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64

nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20

nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19

confirmed as fixed for Thunderbird/Firefox on F19

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 21:58:31 Installed: nss-softokn-freebl-3.15.2-2.fc19.x86_64
Oct 27 21:58:31 Installed: nss-softokn-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-util-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-sysinit-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-tools-3.15.2-2.fc19.x86_6

nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18

Package nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-util-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc20 nss-3.15.2-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20126/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
then log in and leave karma (feedback).

nss-util-3.15.2-2.fc19, nss-softokn-3.15.2-2.fc19, nss-3.15.2-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

BTW - any reason why we do not support GCM ciphers here?
CBC gets more and more unsafe over the last months

is Fedora's NSS missing some patches or needs Firefox 25+ extra support?

https://bugzilla.mozilla.org/show_bug.cgi?id=880543
Status: RESOLVED FIXED
Target Milestone: 3.15.2

* httpd is configured to do so, verified by "ab"-benchmark
* TLS1.2 in FF25 is explicitly enabled here
* Calomel says Ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Output of Apache-Benchmark:
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Document Path: /
Document Length: 510 bytes
Concurrency Level: 50
Time taken for tests: 40.716 seconds
Complete requests: 20000
Requests per second: 491.20 [#/sec] (mean)

Apache-Config:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

https://www.ssllabs.com/ssltest/:
Cipher Suites (SSL 3+ suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
TLS_RSA_WITH_RC4_128_SHA (0x5)

nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

nss-util-3.15.2-2.fc18, nss-softokn-3.15.2-2.fc18, nss-3.15.2-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1019216 has been marked as a duplicate of this bug. ***
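
Added example, not part of the original thread or of any project's code: the server-preferred suite list from the ssllabs output quoted in the thread, run through the first-match selection that `SSLHonorCipherOrder On` implies. The client offers are constructed assumptions (the thread does not list what Firefox offered); a client that offers no GCM suites lands on TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, the suite Calomel reported.

```python
import re

# Server-preferred suite order, copied from the ssllabs output quoted in the thread.
SERVER_ORDER = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
""".split()

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*)$")


def classify(suite):
    """Split a suite name into key exchange, cipher mode and forward-secrecy flag."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, enc = m.group("kx"), m.group("enc")
    # RC4 suites carry no mode suffix; report them as "stream".
    mode = enc.rsplit("_", 1)[-1] if enc.endswith(("GCM", "CBC")) else "stream"
    return {"kx": kx, "mode": mode, "forward_secrecy": kx.startswith(("ECDHE", "DHE"))}


def negotiate(server_order, client_offer):
    """Server-side choice with SSLHonorCipherOrder On: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)


def client_without(server_order, **excluded):
    """Constructed client offer: every server suite except those matching an excluded trait."""
    return [s for s in server_order
            if not any(classify(s)[k] == v for k, v in excluded.items())]


if __name__ == "__main__":
    for label, offer in [
        ("GCM-capable client", SERVER_ORDER),
        ("client without GCM", client_without(SERVER_ORDER, mode="GCM")),
        ("client without GCM or ECDHE", client_without(SERVER_ORDER, mode="GCM", kx="ECDHE_RSA")),
    ]:
        chosen = negotiate(SERVER_ORDER, offer)
        print(f"{label}: {chosen} {classify(chosen)}")
```
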