Bug 1202494

Summary: ECDHE key exchange not enabled by NSS_SetDomesticPolicy()
Product: Red Hat Enterprise Linux 7
Reporter: Stanislav Zidek <szidek>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA
QA Contact: Stanislav Zidek <szidek>
Severity: unspecified
Docs Contact: Bara Ancincova <bancinco>
Priority: unspecified
Version: 7.0
CC: cparadka, ddas, emaldona, hkario, jrieden, kdudka, kengert, ksrot, mmckinst, rrelyea, spurrier, szidek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nss-3.19.1-14.el7
Doc Type: Bug Fix
Doc Text: Applications that use the default NSS cipher list now support connections to servers that require the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
Last Closed: 2015-11-19 12:26:29 UTC
Type: Bug
Bug Blocks: 1057566, 1205796, 1246125    

Description Stanislav Zidek 2015-03-16 18:23:19 UTC
Description of problem:
cURL does not support ECDHE-* cipher suites

Version-Release number of selected component (if applicable):
curl-7.29.0-19.el7

How reproducible:
always

Steps to Reproduce:
1. try to connect somewhere with curl using SSL/TLS
2. observe ciphers it offers (ssltap, wireshark, ...)

Actual results:
WITHOUT --tls1:
                cipher_suites[17] = {
                    (0x009e) TLS/DHE-RSA/AES128-GCM/SHA256
                    (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                    (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                    (0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
                    (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                    (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                    (0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
                    (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                    (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                    (0x009c) TLS/RSA/AES128-GCM/SHA256
                    (0x002f) TLS/RSA/AES128-CBC/SHA
                    (0x003c) TLS/RSA/AES128-CBC/SHA256
                    (0x0035) TLS/RSA/AES256-CBC/SHA
                    (0x003d) TLS/RSA/AES256-CBC/SHA256
                    (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                    (0x0005) SSL3/RSA/RC4-128/SHA
                    (0x0004) SSL3/RSA/RC4-128/MD5
                }

WITH --tls1:
                cipher_suites[11] = {
                    (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                    (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                    (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                    (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                    (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                    (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                    (0x002f) TLS/RSA/AES128-CBC/SHA
                    (0x0035) TLS/RSA/AES256-CBC/SHA
                    (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                    (0x0005) SSL3/RSA/RC4-128/SHA
                    (0x0004) SSL3/RSA/RC4-128/MD5
                }


Expected results:
also ECDHE-* cipher suites are offered
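
An added example, not part of the original report and not curl or NSS code: step 2 of the reproducer written as a check that parses a captured ClientHello record and reports which ECDHE suites it offers. The function names and the `ECDHE` table are chosen here; the sample record is constructed from the suite IDs in the 17-entry list above, and the parser assumes a single unfragmented TLS record (no SSLv2-compatible hello).

```python
import struct

# IANA-registered ECDHE suites (a subset, chosen for this example).
ECDHE = {
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Suite IDs copied from the 17-entry list in the report above.
REPORTED = [0x009E, 0x0033, 0x0032, 0x0067, 0x0039, 0x0038, 0x006B, 0x0016,
            0x0013, 0x009C, 0x002F, 0x003C, 0x0035, 0x003D, 0x000A, 0x0005,
            0x0004]


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello handshake record")
        pos = 4 + 2 + 32                 # handshake header, version, random
        pos += 1 + body[pos]             # skip session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        if cs_len % 2 or pos + 2 + cs_len > len(body):
            raise ValueError("bad cipher_suites length")
        return list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc


def ecdhe_offered(record: bytes) -> list:
    """Names of the known ECDHE suites present in the ClientHello."""
    return [ECDHE[s] for s in client_hello_suites(record) if s in ECDHE]


def build_client_hello(suites) -> bytes:
    """Constructed sample input: TLS 1.2 ClientHello without extensions."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" +
             struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(ecdhe_offered(build_client_hello(REPORTED)) or "no ECDHE suites offered")
```

An empty result for a client's real ClientHello bytes (exported from a packet capture) matches the behaviour reported here.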

Comment 1 Stanislav Zidek 2015-03-16 18:30:45 UTC
The lists are switched and there is a typo in option, my bad, sorry; the longer one is with --tlsv1 option.

Comment 2 Kamil Dudka 2015-03-19 12:27:46 UTC
libcurl calls NSS_SetDomesticPolicy() to enable default cipher-suites.  If this bug is about cipher-suites enabled by default, it needs to be fixed in NSS.  For explicit control over the enabled cipher-suites in libcurl, there already is bug 1066065 pending for approval.

Comment 16 errata-xmlrpc 2015-11-19 12:26:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2121.html