Bug 1297888
| Field | Value |
|---|---|
| Summary | Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45. |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Kai Engert (:kaie) (inactive account) <kengert> |
| Component | nss |
| Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED ERRATA |
| QA Contact | Alicja Kario <hkario> |
| Severity | unspecified |
| Docs Contact | |
| Priority | high |
| Version | 6.8 |
| CC | hkario, kengert, ksrot, mmckinst, rrelyea, szidek, tlavigne |
| Target Milestone | rc |
| Keywords | Rebase, ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | nss-3.21.0-7.el6 |
| Doc Type | Rebase: Bug Fixes and Enhancements |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1300629 (view as bug list) |
| Environment | |
| Last Closed | 2016-05-10 21:09:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1297890 |
| Bug Blocks | 1297948, 1300629 |
| Attachments | |
Description
Kai Engert (:kaie) (inactive account)
2016-01-12 17:22:29 UTC

Karel asked for a list of changes in the newer NSS; here's a summary.

Previously, we used NSS 3.19.x. The relevant changes that were added in versions up to 3.21 are:

- CA certificates (list was updated twice, in 3.19.3 and 3.21)
- Added support for DHE server-side ciphersuites, disabled by default. (This was already included in RHEL 7 with local patches.)
- disabled support for very old C compilers (pre-C89)
- support for the TLS extended master secret extension (RFC 7627), off by default
- several other new APIs (that new application code could use)
- upstream changed to build with ECC enabled by default
- stricter build options, that cause most warnings to be treated as errors

More details here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes

(In reply to Kai Engert (:kaie) from comment #2)
> - support TLS extended master secret extension (RFC 7627), off by default

Note that upstream agreed to change this default, it's just that the patches haven't landed yet. We will want to enable it by default.

Created attachment 1116177 [details]
Patch NSS 3.21 CA-certificates 2.6 to keep 1024bit RSA legacy CAs enabled
Please remove the patch nss-ca-2.4-enable-legacy.patch
Instead, please apply this patch nss-ca-2.6-enable-legacy.patch, it should apply cleanly on top of NSS 3.21 (if it doesn't apply, please tell me).
Created attachment 1118083 [details]
prevents enabling extended master key derive by default
It was reported that with NSS 3.21 an attempt to enable the TLS extended master secret is failing. There is a new mechanism in recent NSS softokn that the TLS code is using: CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE. This mechanism is missing in the older version of softokn, 3.16.2.3, that we use on 6.8 due to FIPS. In order to prevent applications failing badly because they try to set it, this patch effectively makes such an attempt a no-op.
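To make the mechanism gap concrete, here is an added example (not NSS or softokn code, and not from this bug) that computes the TLS 1.2 master secret both the classic way (RFC 5246, seeded by the two hello randoms) and the RFC 7627 way (seeded by the session hash), and models the dispatch an SSL layer performs: pick the derive mechanism the handshake needs and fail if the token does not export it. The mechanism sets OLD_SOFTOKN and NEW_SOFTOKN, the standard PKCS#11 name CKM_TLS12_MASTER_KEY_DERIVE for the classic path, the SHA-256 PRF, and the handshake transcripts are all assumptions of this example; the bug itself only states that CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE is absent from softokn 3.16.2.3.

```python
import hashlib
import hmac

# Mechanism names used illustratively. Which mechanisms each softokn
# version actually exports is an assumption of this example; the bug only
# says the extended-master-secret one is missing from softokn 3.16.2.3.
CLASSIC_MECH = "CKM_TLS12_MASTER_KEY_DERIVE"
EMS_MECH = "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE"
OLD_SOFTOKN = frozenset({CLASSIC_MECH})            # assumed: classic only
NEW_SOFTOKN = frozenset({CLASSIC_MECH, EMS_MECH})  # assumed: both

MASTER_SECRET_LEN = 48


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed).
    SHA-256 is assumed here; the real PRF hash follows the cipher suite."""
    seed = label + seed
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def classic_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the seed is only the two 32-byte randoms, so the
    rest of the handshake (server certificate included) does not bind the key."""
    return tls12_prf(pms, b"master secret", client_random + server_random, MASTER_SECRET_LEN)


def session_hash(handshake_transcript: bytes) -> bytes:
    """RFC 7627 section 3: hash of all handshake messages through ClientKeyExchange."""
    return hashlib.sha256(handshake_transcript).digest()


def extended_master_secret(pms: bytes, handshake_transcript: bytes) -> bytes:
    """RFC 7627 section 4: the seed is the session hash instead of the randoms."""
    return tls12_prf(pms, b"extended master secret", session_hash(handshake_transcript),
                     MASTER_SECRET_LEN)


def derive_master_secret(pms, client_random, server_random, transcript, ems_negotiated, token):
    """Dispatch the way an SSL layer would: choose the mechanism the handshake
    requires and fail if the token lacks it. Negotiating EMS against a token
    without EMS_MECH is the failure the bug's patch avoids by never enabling
    the extension."""
    mech = EMS_MECH if ems_negotiated else CLASSIC_MECH
    if mech not in token:
        raise NotImplementedError(f"token lacks {mech}")
    if ems_negotiated:
        return extended_master_secret(pms, transcript)
    return classic_master_secret(pms, client_random, server_random)


def demo():
    # Constructed inputs: a fixed pre-master secret and randoms, plus two
    # transcripts that differ only in which server certificate was sent.
    pms = bytes(range(48))
    cr, sr = b"C" * 32, b"S" * 32
    transcript_a = b"ClientHello|ServerHello|Certificate=server-A|ClientKeyExchange"
    transcript_b = b"ClientHello|ServerHello|Certificate=server-B|ClientKeyExchange"

    classic_a = derive_master_secret(pms, cr, sr, transcript_a, False, NEW_SOFTOKN)
    classic_b = derive_master_secret(pms, cr, sr, transcript_b, False, NEW_SOFTOKN)
    ems_a = derive_master_secret(pms, cr, sr, transcript_a, True, NEW_SOFTOKN)
    ems_b = derive_master_secret(pms, cr, sr, transcript_b, True, NEW_SOFTOKN)
    try:
        derive_master_secret(pms, cr, sr, transcript_a, True, OLD_SOFTOKN)
        old_token_ems_error = ""
    except NotImplementedError as exc:
        old_token_ems_error = str(exc)
    return {
        "classic_same_across_transcripts": classic_a == classic_b,
        "ems_differs_across_transcripts": ems_a != ems_b,
        "classic_len": len(classic_a),
        "ems_len": len(ems_a),
        "old_token_ems_error": old_token_ems_error,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two properties the demo returns are the whole point of RFC 7627: with the classic derivation, two handshakes sharing a pre-master secret and randoms produce the same master secret no matter what else was in the transcript, whereas the extended derivation changes whenever any handshake message does. The OLD_SOFTOKN path shows why forcing the option off in the SSL layer is the right fix: letting the extension be negotiated and only failing at key-derivation time would abort the handshake after the peer has already committed to EMS.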
Created attachment 1118106 [details]
alternative patch to more thoroughly disable the use of extended-master-secret
Comment on attachment 1118106 [details]
alternative patch to more thoroughly disable the use of extended-master-secret
r+ yes, this is the better patch.
Comment on attachment 1118083 [details]
prevents enabling extended master key derive by default
r- Kai has already explained why this is insufficient.
(In reply to Kai Engert (:kaie) from comment #1)
> - support TLS extended master secret extension (RFC 7627), off by default

We cannot support this feature because of the older softokn that we're shipping with RHEL. We will force this feature to remain disabled.

Created attachment 1128520 [details]
nss-prevent-abi-issue.patch
Elio, please apply this patch from Bob, as a workaround to the issue that Hubert had identified.
Created attachment 1128549 [details]
nss-prevent-abi-issue.patch
fixed patch
Mark, could you explain why you set the flag?

I'm not sure what you're referring to, I just added myself to the CC list. I didn't set any flags when I did that, or at least didn't mean to. The changes for the ticket don't show anything being changed other than the CC.

Mark, look at this page, which can be accessed by clicking on the "history" link in the upper right.
https://bugzilla.redhat.com/show_activity.cgi?id=1297888
It shows that the verified: flag was set to FailedQA. Either you changed that, or there is a bug in bugzilla. Apparently these flags can only be seen when the bugzilla account has additional permissions; I don't see it when not logged into my account.

I must not have permissions to see it, because when I look at https://bugzilla.redhat.com/show_activity.cgi?id=1297888 I don't see the FailedQA being set. Regardless, any change to flags was accidental; I only meant to add myself to the CC list.

yes, it does look like it's a bug in our instance of bugzilla

Sorry to involve you!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0820.html