Bug 1019244 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nss-softokn
Version: 18
Assigned To: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1019216
Blocks: ecc
Reported: 2013-10-15 07:11 EDT by Harald Reindl
Modified: 2013-11-23 20:41 EST
Fixed In Version: nss-softokn-3.15.2-2.fc21 nss-softokn-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc19 nss-softokn-3.15.2-2.fc18
Last Closed: 2013-10-31 23:55:11 EDT
Description Harald Reindl 2013-10-15 07:11:43 EDT
that is the state of OpenSSL in Fedora after this morning
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

please coordinate with FF/TB maintainers

http://lwn.net/Articles/556731/
Comment 1 Harald Reindl 2013-10-15 07:31:42 EDT
since OpenSSL in Fedora from now on supports ECDHE
depending software needs to be rebuilt to make use
of it as well as libraries like NSS/GNUTLS should
do the same and depending packages like Firefox
needs a rebuild against refreshed NSS to support 
it also on the client side

i made some triage today
_____________________________________________________

openssl:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

nss-softokn
https://bugzilla.redhat.com/show_bug.cgi?id=1019244

nss
https://bugzilla.redhat.com/show_bug.cgi?id=1019245

firefox
https://bugzilla.redhat.com/show_bug.cgi?id=1019247

thunderbird:
https://bugzilla.redhat.com/show_bug.cgi?id=1019249

httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

dovecot:
https://bugzilla.redhat.com/show_bug.cgi?id=1019253

postfix:
https://bugzilla.redhat.com/show_bug.cgi?id=1019254

openssh:
https://bugzilla.redhat.com/show_bug.cgi?id=1019256

dbmail:
https://bugzilla.redhat.com/show_bug.cgi?id=1019259
Comment 2 Harald Reindl 2013-10-24 18:59:32 EDT
it would be more than nice to have builds for F18/F19/F20 and not only for F21 because these are the versions users are in contact with in reality and if there would be a koji/testing-build for F19 you even would have valid karma at least from me
Comment 3 Harald Reindl 2013-10-27 13:59:33 EDT
ping, i rebuilt the F21-src.rpm recently for F19 and the first time in the history of Fedora Firefox now supports "Forward Secrecy" to Google, Facebook and whatever domains with ECDHE because major sites do *not* support DHE-ciphers

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64
Comment 4 Fedora Update System 2013-10-27 16:41:43 EDT
nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
Comment 5 Fedora Update System 2013-10-27 16:46:03 EDT
nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19
Comment 6 Harald Reindl 2013-10-27 17:09:16 EDT
confirmed as fixed for Thunderbird/Firefox on F19

Oct 27 18:48:04 Updated: nss-softokn-freebl-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 18:48:05 Updated: nss-softokn-3.15.2-2.fc19.20131027.rh.x86_64
Oct 27 21:58:31 Installed: nss-softokn-freebl-3.15.2-2.fc19.x86_64
Oct 27 21:58:31 Installed: nss-softokn-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-util-3.15.2-2.fc19.x86_64
Oct 27 21:58:47 Updated: nss-sysinit-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-3.15.2-2.fc19.x86_64
Oct 27 21:58:48 Updated: nss-tools-3.15.2-2.fc19.x86_6
Comment 7 Fedora Update System 2013-10-27 18:46:37 EDT
nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18
Comment 8 Fedora Update System 2013-10-28 15:20:07 EDT
Package nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-util-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc20 nss-3.15.2-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20126/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-10-31 23:55:11 EDT
nss-util-3.15.2-2.fc19, nss-softokn-3.15.2-2.fc19, nss-3.15.2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Harald Reindl 2013-11-01 19:49:30 EDT
BTW - any reason why we do not support GCM ciphers here?
CBC gets more and more unsafe over the last months
is Fedora's NSS missing some patches or needs Firefox 25+ extra support?

https://bugzilla.mozilla.org/show_bug.cgi?id=880543
Status: RESOLVED FIXED
Target Milestone: 3.15.2

* httpd is configured to do so, verified by "ab"-benchmark
* TLS1.2 in FF25 is explicitly enabled here
* Calomel says Ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Output of Apache-Benchmark:
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Document Path:          /
Document Length:        510 bytes
Concurrency Level:      50
Time taken for tests:   40.716 seconds
Complete requests:      20000
Requests per second:    491.20 [#/sec] (mean)

Apache-Config:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

https://www.ssllabs.com/ssltest/:
Cipher Suites (SSL 3+ suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
TLS_RSA_WITH_RC4_128_SHA (0x5)
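
Added example, not part of the original bug thread: a small model of how the server-preferred list quoted in comment 10 resolves against a client offer when SSLHonorCipherOrder is On versus Off, and what the chosen suite provides. The client offer is constructed (an assumption: a client that offers ECDHE and DHE suites but no GCM), and the function names are hypothetical.

```python
import re

# Server-preferred order, copied from the SSL Labs output in comment 10.
SERVER_ORDER = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
TLS_RSA_WITH_RC4_128_SHA (0x5)
"""
# Constructed client offer (assumption), in client preference order, no GCM.
CLIENT_OFFER = [0xC014, 0xC013, 0x33, 0x05]

def parse_suites(text):
    """Return [(code, name)] from 'NAME (0xNN)' lines, keeping their order."""
    return [(int(m.group(2), 16), m.group(1))
            for m in re.finditer(r"^(TLS_\w+) \((0x[0-9a-fA-F]+)\)", text, re.M)]

def negotiate(server, client_offer, honor_server_order=True):
    """First mutual suite: server's order if honored, else the client's."""
    names = dict(server)
    if honor_server_order:
        offered = set(client_offer)
        pick = next((c for c, _ in server if c in offered), None)
    else:
        pick = next((c for c in client_offer if c in names), None)
    return names.get(pick)  # None when there is no common suite

def properties(name):
    """Classify a suite name by key exchange and cipher mode."""
    kx, cipher = name[4:].split("_WITH_")  # drop the leading 'TLS_'
    mode = "GCM" if "_GCM_" in cipher else "CBC" if "_CBC_" in cipher else "stream"
    return {"forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
            "aead": mode == "GCM", "mode": mode}

if __name__ == "__main__":
    server = parse_suites(SERVER_ORDER)
    for honor in (True, False):
        chosen = negotiate(server, CLIENT_OFFER, honor)
        print(honor, chosen, properties(chosen))
```

With the constructed no-GCM offer, the server-ordered result is the same suite the Calomel readout in comment 10 shows; a client that also offers 0xc02f gets the GCM suite instead.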
Comment 11 Fedora Update System 2013-11-10 03:16:18 EST
nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-11-13 22:34:16 EST
nss-util-3.15.2-2.fc18, nss-softokn-3.15.2-2.fc18, nss-3.15.2-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Elio Maldonado Batiz 2013-11-23 20:41:21 EST
*** Bug 1019216 has been marked as a duplicate of this bug. ***
