Bug 1019244

Summary: ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
Product: [Fedora] Fedora Reporter: Harald Reindl <h.reindl>
Component: nss-softoknAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: emaldona, eparis, i.grok, jv+fedora, kengert, rrelyea, stransky
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-softokn-3.15.2-2.fc21 nss-softokn-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc19 nss-softokn-3.15.2-2.fc18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-01 03:55:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1019390    

Description Harald Reindl 2013-10-15 11:11:43 UTC 
that is the state of OpenSSL in Fedora after this morining
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

please coordinate with FF/TB maintainers

http://lwn.net/Articles/556731/
Comment 1 Harald Reindl 2013-10-15 11:31:42 UTC 
since OpenSSL in Fedora from now on supports ECDHE
depending software needs to be rebuilt to make use
of it as well as libraries like NSS/GNUTLS should
do the same and depending packages like Firefox
needs a rebuild against refreshed NSS to support 
it also on the client side

i made some triage today
_____________________________________________________

openssl:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

nss-softokn
https://bugzilla.redhat.com/show_bug.cgi?id=1019244

nss
https://bugzilla.redhat.com/show_bug.cgi?id=1019245

firefox
https://bugzilla.redhat.com/show_bug.cgi?id=1019247

thunderbird:
https://bugzilla.redhat.com/show_bug.cgi?id=1019249

httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

dovecot:
https://bugzilla.redhat.com/show_bug.cgi?id=1019253

postfix:
https://bugzilla.redhat.com/show_bug.cgi?id=1019254

openssh:
https://bugzilla.redhat.com/show_bug.cgi?id=1019256

dbmail:
https://bugzilla.redhat.com/show_bug.cgi?id=1019259
Comment 2 Harald Reindl 2013-10-24 22:59:32 UTC 
it would be more than nice to have builds for F18/F19/F20 and not only for F21 because these are the versions users are in contect in reality and if there would be a koji/testing-build for F19 you even would have valid karma at least from me
Comment 3 Harald Reindl 2013-10-27 17:59:33 UTC 
ping, i rebuilt the F21-src.rpm recently for F19 and the first time in the history of Fedora Firefox now supports "Forward Secrecy" to Google, Facebook and whatever domains with ECDHE because major site do *not* support DHE-ciphers

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64
Comment 4 Fedora Update System 2013-10-27 20:41:43 UTC 
nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
Comment 5 Fedora Update System 2013-10-27 20:46:03 UTC 
nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19
Comment 6 Harald Reindl 2013-10-27 21:09:16 UTC 
confirmed as fixed for Thunderbird/Firefox on F19

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 21:58:31 Installed: nss-softokn-freebl-3.15.2-2.fc19.x86_64
Oct 27 21:58:31 Installed: nss-softokn-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-util-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-sysinit-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-tools-3.15.2-2.fc19.x86_6
Comment 7 Fedora Update System 2013-10-27 22:46:37 UTC 
nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18
Comment 8 Fedora Update System 2013-10-28 19:20:07 UTC 
Package nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-util-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc20 nss-3.15.2-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20126/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-11-01 03:55:11 UTC 
nss-util-3.15.2-2.fc19, nss-softokn-3.15.2-2.fc19, nss-3.15.2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Harald Reindl 2013-11-01 23:49:30 UTC 
BTW - any reason why we do not support GCM ciphers here?
CBC get more and more unsafe over the last months
is Fedora's NSS missing some patches or needs Firefox 25+ extra support?

https://bugzilla.mozilla.org/show_bug.cgi?id=880543
Status: RESOLVED FIXED
Target Milestone: 3.15.2

* httpd is configured to do so, verified by "ab"-benchmark
* TLS1.2 in FF25 is explicit enabled here
* Calomel says Ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Output of APache-Becnhmark:
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Document Path:          /
Document Length:        510 bytes
Concurrency Level:      50
Time taken for tests:   40.716 seconds
Complete requests:      20000
Requests per second:    491.20 [#/sec] (mean)

Apache-Config:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

https://www.ssllabs.com/ssltest/:
Cipher Suites (SSL 3+ suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
TLS_RSA_WITH_RC4_128_SHA (0x5)
Comment 11 Fedora Update System 2013-11-10 08:16:18 UTC 
nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-11-14 03:34:16 UTC 
nss-util-3.15.2-2.fc18, nss-softokn-3.15.2-2.fc18, nss-3.15.2-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Elio Maldonado Batiz 2013-11-24 01:41:21 UTC 
*** Bug 1019216 has been marked as a duplicate of this bug. ***