Bug 1272504
| Summary: | Enable TLS 1.2 as the default in nss | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Josh Bressers <bressers> | ||||
| Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | ||||
| Severity: | unspecified | Docs Contact: | Robert Krátký <rkratky> | ||||
| Priority: | urgent | ||||||
| Version: | 6.8 | CC: | bressers, dpal, emaldona, fkrska, hkario, kdudka, kengert, mkolbas, mmckinst, mparkin, mpoole, mschena, nkinder, rhesse, rkratky, rrelyea, salmy, srandhaw, szidek, tasander, tmraz | ||||
| Target Milestone: | rc | Keywords: | FutureFeature | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | nss-3.19.1-6.el6 | Doc Type: | Enhancement | ||||
| Doc Text: |
NSS now enables the TLS version 1.2 protocol by default
In order to satisfy current best security practices, the Transport Layer Security (TLS) 1.2 protocol has been enabled by default in NSS. This means that it is no longer necessary to explicitly enable it in applications that use NSS library defaults.
If both sides of TLS connection enable TLS 1.2, this protocol version is now used automatically.
|
Story Points: | --- | ||||
| Clone Of: | |||||||
| : | 1299564 (view as bug list) | Environment: | |||||
| Last Closed: | 2016-05-10 21:08:45 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1253743, 1289134, 1289205, 1299564, 1310222 | ||||||
| Attachments: |
|
||||||
|
Description
Josh Bressers
2015-10-16 15:09:12 UTC
Created attachment 1096374 [details]
Enables TLS 1.2 by default
Comment on attachment 1096374 [details]
Enables TLS 1.2 by default
r+ rrelyea.
If you intend to change the default TLS version for libcurl-based applications too, we need to patch also the curl package as we did in RHEL-7 (bug #1170339). (In reply to Kamil Dudka from comment #5) > If you intend to change the default TLS version for libcurl-based > applications too, we need to patch also the curl package as we did in > RHEL-7 (bug #1170339). I will (re)use bug #1289205 for this. Please vote for it in case you want to increase the chance of having it included in RHEL-7.3. (In reply to Kamil Dudka from comment #6) > I will (re)use bug #1289205 for this. Please vote for it in case you want > to increase the chance of having it included in RHEL-7.3. I meant RHEL-6.8, of course... *** Bug 1289124 has been marked as a duplicate of this bug. *** Hi Elio, This bug was flagged as requiring a Release Note. Could you please fill out the Doc Text field? I'll edit it into a RN and make sure it gets published. Thank you. Done, kept the explanation very concise. PayPal are forcing TLS1.2 support from June 17th 2016. https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US Looking at RHEL release dates it's unclear as to whether or not 2.8 will be released in time. Is there any chance of having this released before then? Also linked are 1289205 and 1255920 Please note that this bug is only about NSS defaults. All versions of NSS package since 3.15.2 support both TLSv1.2 and TLSv1.2-specific AES-GCM ciphersuites. If you require ability to enable TLSv1.2 in PHP (as bug 1255920 would indicate), please contact customer support so that they work with you to provide the best solution available. Sorry - I was not clear with my original post. I can get a 1.2 connection by forcing tls with cURL or PHP, but it won't connect by default. Forcing isn't a very clean option as I'd have to check against a whitelist of endpoints (i.e PayPal) to decide when to force it and when not to. This is because other services don't support 1.2. I do not have a large amount of knowledge regarding the connection between nss/curl/libcurl - so apologies if this is the wrong bug request to file this information. (In reply to Mike Parkin from comment #30) > I can get a 1.2 connection by forcing tls with cURL or PHP, but it won't > connect by default. Forcing isn't a very clean option as I'd have to check > against a whitelist of endpoints (i.e PayPal) to decide when to force it and > when not to. This is because other services don't support 1.2. Then you should use the CURL_SSLVERSION_TLSv1 option of libcurl to negotiate the highest available TLS 1.x version: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html If I am not mistaken, this is going to be the NSS default in RHEL-6.8 anyway. Thanks Kamil, that works. (In reply to Kamil Dudka from comment #31) > If I am not mistaken, this is going to be the NSS default in RHEL-6.8 anyway. I should have looked first. According to attachment #1096374 [details], NSS will allow SSL 3.0+ whereas CURL_SSLVERSION_TLSv1 means TLS 1.0+. Still I believe that TLS 1.0+ will work for you just fine without maintaining any whitelist. Yes I think that TLS1.0+ should be widely supported enough, thank you. Thanks for the Doc Text, Elio. *** Bug 1320288 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0820.html |