Bug 1335920
| Field | Value |
|---|---|
| Summary | NSS: Disable TLS connections with less than 1023-bit DH parameters |
| Product | Red Hat Enterprise Linux 7 |
| Component | nss |
| Version | 7.4 |
| Status | CLOSED ERRATA |
| Reporter | Nikos Mavrogiannopoulos <nmavrogi> |
| Assignee | Daiki Ueno <dueno> |
| QA Contact | Alicja Kario <hkario> |
| Docs Contact | Mirek Jahoda <mjahoda> |
| CC | dmoessne, hkario, kengert, mgrepl, mjahoda, nss-nspr-maint, qe-baseos-security, rrelyea, sdordevi, szidek, tmraz |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | nss-3.28.4-4.el7 |
| Doc Type | Deprecated Functionality |
| Clone Of | 1335915 |
| Clones | 1335921 (view as bug list) |
| Bug Blocks | 1335929, 1377248 |
| Last Closed | 2017-08-01 16:47:42 UTC |
| Type | Bug |

Doc Text:

*NSS* clients using *TLS* with less than 1024-bit DH are not allowed

This change prevents *NSS* clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using *NSS* are not vulnerable to attacks such as the Logjam attack.

A system administrator can enable shorter DH parameter support by modifying the `/etc/pki/nss-legacy/nss-rhel7.config` policy configuration file to:

```
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"

```

Note that an empty line is required at the end of the file.
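To make the effect of the policy file concrete, the following is an added example (not NSS code): it parses the `config="allow=..."` line of an nss-rhel7.config-style file, reports whether a given DH group size would pass the effective minimum, and lints the file for the trailing-newline requirement from the doc text. The default minimum of 1023 bits, the parsing rules and the sample files are assumptions modelled on this bug's description.

```python
"""Added example (not NSS code): parse the config="allow=..." line of an
nss-rhel7.config-style policy file and decide whether a handshake's
DH group size would pass the policy minimum. The default minimum and the
parsing rules are assumptions modelled on this bug's doc text."""
import re

# Assumed defaults when the policy file sets no override (the bug
# describes the new default as rejecting DH below 1023 bits).
DEFAULT_MIN = {"DH-MIN": 1023, "DSA-MIN": 1023, "RSA-MIN": 1023}

# Constructed sample files: the hardened default policy and the legacy
# override from the doc text, which re-enables 768-bit DH.
DEFAULT_POLICY = 'library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\n'
LEGACY_POLICY = (
    'library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\n'
    'config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"\n'
)


def parse_policy(text):
    """Return the effective minimum key sizes (bits) for DH, DSA and RSA."""
    mins = dict(DEFAULT_MIN)
    match = re.search(r'^config="([^"]*)"', text, re.MULTILINE)
    if match is None:
        return mins
    for directive in match.group(1).split(":"):
        key, _, value = directive.partition("=")
        if key == "allow":  # the first directive carries the allow= prefix
            key, _, value = value.partition("=")
        if key in mins and value.isdigit():
            mins[key] = int(value)
    return mins


def dh_allowed(policy_text, group_bits):
    """True if a server offering a DH group of group_bits passes the policy."""
    return group_bits >= parse_policy(policy_text)["DH-MIN"]


def lint_policy(text):
    """Findings a practitioner would want before deploying the file."""
    findings = []
    if not text.endswith("\n"):  # assumption: the required 'empty line'
        findings.append("file must end with a newline")
    for alg, bits in parse_policy(text).items():
        if bits < DEFAULT_MIN[alg]:
            findings.append(f"{alg}={bits} is below the default {DEFAULT_MIN[alg]}")
    return findings
```

Running `lint_policy` over the legacy file lists every minimum that was lowered, which is the audit trail you want when a host deliberately re-enables short DH groups.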
Description

Nikos Mavrogiannopoulos 2016-05-13 14:27:19 UTC

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:1977

Cannot find this in release docs, could someone please point me to where this is stated in the official docs? Otherwise I am inclined to reopen this bug until docs text is included in release notes.

Should be in the Deprecated Functionality chapter: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/chap-Red_Hat_Enterprise_Linux-7.4_Release_Notes-Deprecated_Functionality.html