Bug 1432889
| Summary: | Enable support for TLS 1.3 in Fedora NSS | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kai Engert (:kaie) (inactive account) <kengert> |
| Component: | nss | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | cheimes, dueno, emaldona, hkario, kdudka, kengert, mhonek, samuel-rhbugs |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-19 07:56:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1415140 | ||
| Bug Blocks: | 1431316 | ||
|
Description
Kai Engert (:kaie) (inactive account)
2017-03-16 10:33:14 UTC
Here is a COPR repo with NSS builds that enable TLS 1.3. https://copr.fedorainfracloud.org/coprs/kengert/nss-with-tls-1.3/ The builds are based on the most recently released builds for Fedora, and only flip the switch to enable support for TLS 1.3, no other changes. The builds will always append something like .1.with_tls1_3 at the end of the regular release version, so it's easy to distinguish them. Because of that numbering, any later official build should always override these experimental packages. It would be good if Fedora packagers tried to use these NSS packages, and check if they cause any problems for their own package. I have successfully deployed and tested FreeIPA with the TLS 1.3-enabled NSS from Kai's COPR. All components work as expected. The test covers 389-DS, libldap, Dogtag (JSS, TomcatJSS), mod_nss, libcurl and python-nss. mod_nss is configured with TLS 1.0 to 1.2 support. $ rpm -qa nss freeipa-server nss-3.29.3-1.3.0.1.with_tls1_3.fc26.x86_64 freeipa-server-4.4.3-8.fc26.x86_64 Installation on Fedora 25 was successful, too. # rpm -qa freeipa-server nss nss-3.29.3-1.1.0.1.with_tls1_3.fc25.x86_64 freeipa-server-4.4.4-1.fc25.x86_64 nss-3.30.2-1.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e504c7cb8f nss-3.30.2-1.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2bcf2658d nss-3.30.2-1.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e504c7cb8f nss-3.30.2-1.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2bcf2658d These updates have been in updates-testing for 10 days. I suggest to push them to stable. nss-3.30.2-1.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. nss-3.30.2-1.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. Closing this, as the update has been in release branches for a while (except f24, which is on purpose). |