The NSSCipherSuite option of mod_nss accepts OpenSSL-styled cipherstrings. It was found that the parsing of such cipherstrings is flawed. If this option is used to disable insecure ciphersuites using the common "!" syntax, e.g.:
NSSCipherSuite !eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA
it will actually enable those insecure ciphersuites.
Acknowledgements:
This issue was discovered by Hubert Kario of Red Hat.
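A configuration audit for the pattern described above, as an added example that is not part of the original bug report or of mod_nss: it lists every NSSCipherSuite directive that relies on "!" exclusions, so those hosts can be re-checked for the ciphers they actually offer. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample config; only the first cipherstring is quoted from the report.
SAMPLE_CONF = """\
# NSSCipherSuite !eNULL:!aNULL   (commented out, must be ignored)
<VirtualHost _default_:8443>
    NSSEngine on
    NSSCipherSuite !eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA
</VirtualHost>
<VirtualHost *:9443>
    nssciphersuite "AESGCM+aRSA: \\
        !MD5"
    NSSCipherSuite +rsa_aes_128_sha,-rsa_rc4_128_md5
</VirtualHost>
"""

# Apache directive names are case-insensitive; commented lines never match.
DIRECTIVE = re.compile(r"^\s*NSSCipherSuite\s+(.*)$", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_negated_tokens(text):
    """Return [(line_no, [tokens starting with '!'])] per NSSCipherSuite directive."""
    hits = []
    for no, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        # Cipherstring elements are separated by colons, commas or whitespace.
        negated = [t for t in re.split(r"[:,\s]+", value) if t.startswith("!")]
        if negated:
            hits.append((no, negated))
    return hits

if __name__ == "__main__":
    for no, negated in find_negated_tokens(SAMPLE_CONF):
        print(f"line {no}: NSSCipherSuite uses '!' exclusions: {', '.join(negated)}")
```
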
Comment 4 Huzaifa S. Sidhpurwala
2015-09-15 05:34:03 UTC
Created mod_nss tracking bugs for this issue:
Affects: fedora-all [bug 1263070]
Comment 5 Fedora Update System
2016-01-08 20:55:12 UTC
mod_nss-1.0.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Huzaifa S. Sidhpurwala
2016-03-11 08:35:00 UTC