Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Elio Maldonado Batiz
Fedora Extras Quality Assurance
:
Depends On:
Blocks: ecc
  Show dependency treegraph
 
Reported: 2013-10-15 07:14 EDT by Harald Reindl
Modified: 2013-11-13 22:34 EST (History)
7 users (show)

See Also:
Fixed In Version: nss-util-3.15.2-2.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-31 23:55:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
calomel screenshot (187.75 KB, image/png)
2013-10-31 16:00 EDT, Harald Reindl
no flags Details

  None (edit)
Description Harald Reindl 2013-10-15 07:14:47 EDT
that is the state of OpenSSL in Fedora after this morining
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

please coordinate with FF/TB maintainers

http://lwn.net/Articles/556731/
Comment 1 Harald Reindl 2013-10-15 07:31:40 EDT
since OpenSSL in Fedora from now on supports ECDHE
depending software needs to be rebuilt to make use
of it as well as libraries like NSS/GNUTLS should
do the same and depending packages like Firefox
needs a rebuild against refreshed NSS to support 
it also on the client side

i made some triage today
_____________________________________________________

openssl:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

nss-softokn
https://bugzilla.redhat.com/show_bug.cgi?id=1019244

nss
https://bugzilla.redhat.com/show_bug.cgi?id=1019245

firefox
https://bugzilla.redhat.com/show_bug.cgi?id=1019247

thunderbird:
https://bugzilla.redhat.com/show_bug.cgi?id=1019249

httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

dovecot:
https://bugzilla.redhat.com/show_bug.cgi?id=1019253

postfix:
https://bugzilla.redhat.com/show_bug.cgi?id=1019254

openssh:
https://bugzilla.redhat.com/show_bug.cgi?id=1019256

dbmail:
https://bugzilla.redhat.com/show_bug.cgi?id=1019259
Comment 2 Scott Schmit 2013-10-17 08:14:03 EDT
The NSS package does not implement ECC -- that's isolated to nss-softokn. Also, once nss-softokn is rebuilt, NSS will use it without requiring a rebuild, so I think this bug can be closed.
Comment 3 Fedora Update System 2013-10-27 16:41:50 EDT
nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
Comment 4 Fedora Update System 2013-10-27 16:46:09 EDT
nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc19,nss-softokn-3.15.2-2.fc19,nss-3.15.2-2.fc19
Comment 5 Fedora Update System 2013-10-27 18:46:43 EDT
nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-util-3.15.2-2.fc18,nss-softokn-3.15.2-2.fc18,nss-3.15.2-2.fc18
Comment 6 Fedora Update System 2013-10-28 15:20:14 EDT
Package nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-util-3.15.2-2.fc20 nss-softokn-3.15.2-2.fc20 nss-3.15.2-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20126/nss-util-3.15.2-2.fc20,nss-softokn-3.15.2-2.fc20,nss-3.15.2-3.fc20
then log in and leave karma (feedback).
Comment 7 Andy Lutomirski 2013-10-31 14:57:49 EDT
This does not appear to work.  I'm running:

openssl-devel-1.0.1e-30.fc19.x86_64
openssl-libs-1.0.1e-30.fc19.x86_64
nss-softokn-freebl-3.15.2-1.fc19.i686
openssl-1.0.1e-30.fc19.x86_64
nss-util-3.15.2-1.fc19.i686
nss-3.15.2-2.fc19.x86_64
openssl-debuginfo-1.0.1e-30.fc19.x86_64
openssl-libs-1.0.1e-30.fc19.i686
nss-util-3.15.2-1.fc19.x86_64
nss-softokn-freebl-3.15.2-1.fc19.x86_64
nss-sysinit-3.15.2-2.fc19.x86_64
nss-3.15.2-2.fc19.i686
nss-softokn-3.15.2-1.fc19.i686
nss-mdns-0.10-12.fc19.x86_64
nss-mdns-0.10-12.fc19.i686
nss-tools-3.15.2-2.fc19.x86_64
nss-softokn-3.15.2-1.fc19.x86_64

and ssllabs.com doesn't show any ECDHE cipher suites.
Comment 8 Harald Reindl 2013-10-31 15:02:47 EDT
@Andy Lutomirski: you are on the wrong bugreport, this is for NSS which is *client-library* for TB/Firefox, you belong to https://bugzilla.redhat.com/show_bug.cgi?id=1019251 and there is *no httpd for F18/F19* which was rebuilt agianst the new openssl, that's why i maintain all server packages by myself and after a simple rebuild of httpd against the new openssl for sure ECDHE works
Comment 9 Andy Lutomirski 2013-10-31 15:06:15 EDT
No, I'm pretty sure I'm on the right bug report, but my comment could have been clearer.  I'm looking at:

https://www.ssllabs.com/ssltest/viewMyClient.html

I also used Wireshark to sniff the Client Hello that my Firefox is sending.  None of the ECDHE cipher suites were listed and the supported curves extension wasn't sent.

(My openssl is good -- I can serve up ECDHE successfully using openssl s_client or a patched pyOpenSSL.)
Comment 10 Harald Reindl 2013-10-31 15:12:20 EDT
https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

my Firefox and Thunderbird for sure are using ECDHE on F19 proven by the addon above and my own dovecot-logfile in case of Thunderbird, maybe the default settings of Firefox 24 are crap, Firefox 25 should enable TLS > 1.0

set "security.tls.version.max" to 3 in about:config for FF24 for sure supports ECDHE too because i verfied this before the FF25 builds on koji, so the latest nss builds are fine!

firefox-25.0-3.fc19.x86_64
thunderbird-24.1.0-1.fc18.x86_64
nss-tools-3.15.2-2.fc19.x86_64
nss-sysinit-3.15.2-2.fc19.x86_64
nss-3.15.2-2.fc19.x86_64
nss-softokn-freebl-3.15.2-2.fc19.x86_64
nss-softokn-3.15.2-2.fc19.x86_64
nss-util-3.15.2-2.fc19.x86_64
Comment 11 Harald Reindl 2013-10-31 15:19:41 EDT
https://www.ssllabs.com/ssltest/viewMyClient.html

TLS 1.2 Yes
TLS 1.1 Yes	
TLS 1.0 Yes	
SSL 3 	Yes

TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)		-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 	256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   Forward Secrecy 	256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x87)   Forward Secrecy* 	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy 	256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy* 	256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) 	256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) 	256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 	256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 	256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 	128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   Forward Secrecy 	128
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x44)   Forward Secrecy* 	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy 	128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy* 	128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) 	128
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) 	128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 	128
Comment 12 Andy Lutomirski 2013-10-31 15:24:39 EDT
This should have nothing to do with TLS version.  TLS 1.0 has supported ECC for a long time.  And I don't see how Calomel is useful -- I just installed it (on a completely fresh Firefox profile, but still FF24) and it does not show the key exchange algorithm used.

Note that PFS is possible on Firefox even without ECC -- a fair number of sites support DHE-RSA key exchange.

Changing security.tls.version.max to 3 indeed enables TLS 1.2 (but is mostly pointless, at least on my current configuration, because it doesn't seem to enable GCM cipher suites).

Finally, Calomel is crap.  It seems to consider 128-bit encryption to be weak.  That's a bit odd, given that there are no 256-bit secure ciphers available in any TLS version.  (AES-256 is *not* 256-bit secure [1].)  The strongest symmetric cipher available is probably 3DES.  If Calomel is going to pontificate on TLS security, it should know what it's talking about.

[1] https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
Comment 13 Andy Lutomirski 2013-10-31 15:35:34 EDT
OK, figured it out.  I had mismatched nss versions.  Now that I've upgraded everything, I have ECDHE.

FWIW, upgrading nss-softokn without upgrading nss-softokn-freebl breaks www.google.com (and probably everything else).  It may be worth adding some dependencies there.

I'll go and cast my bodhi votes.
Comment 14 Harald Reindl 2013-10-31 15:41:21 EDT
> And I don't see how Calomel is useful and it does not 
> show the key exchange algorithm used

because you still use FF24 which doe snot provide the needed API
what about *read* what provided links are saying?
https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

UPDATE 2: Firefox 25 now allows the add on to query the full cipher suite. We have added the ability to grade the connection on each part of the cipher including key exchange, signature, bulk cipher and message authentication code. We also check and grade the cipher if it supports Perfect Forward Secrecy (PFS). "Calomel SSL Validation" version 0.64 for Firefox 25 and above is now available.

> Finally, Calomel is crap.  It seems to consider 128-bit 
> encryption to be weak.  That's a bit odd, given that there 
> are no 256-bit secure ciphers available in any TLS version

it does not if the 128bit is ECDHE, your current problem is FF < 25
that is one of the extensions which is really maintained and not
staying months behind the firefox development
Comment 15 Andy Lutomirski 2013-10-31 15:52:42 EDT
Calomel 0.64 is a considerable improvement, but this is now thoroughly off-topic...
Comment 16 Harald Reindl 2013-10-31 16:00:59 EDT
Created attachment 818047 [details]
calomel screenshot

it may be off-topic, but some last words with a screenshot
it's completly irrelevant what the extensions considers weak/strong/whatever
the relevant information are the encryption parameters 

there are also descriptions on https://calomel.org/firefox_ssl_validation.html why some things are not get full points, and many of them will take years if you won't break TLS1.0 only clients
Comment 17 Andy Lutomirski 2013-10-31 17:04:12 EDT
FWIW, on Firefox 25, you can test this with no extensions at all.  Just go to, say, www.google.com, click the lock icon, and click "More Information...".  The cipher suite (as opposed to just the cipher) will be shown.
Comment 18 Harald Reindl 2013-10-31 17:26:55 EDT
correct, but only the full cipher and not the RSA lenght 1024/2048/4096 and other details like MAC which may be interesting in get things more secure in the future and test with https://www.ssllabs.com/ssltest/ and the handshake-simulation to make sure not break relevant clients

maybe someone will soon kill us both because we shoudl switch to the mailing-list, but on the other hand if someone finds this bugreport he may be grateful for additional infos
Comment 19 Fedora Update System 2013-10-31 23:55:30 EDT
nss-util-3.15.2-2.fc19, nss-softokn-3.15.2-2.fc19, nss-3.15.2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2013-11-10 03:16:25 EST
nss-util-3.15.2-2.fc20, nss-softokn-3.15.2-2.fc20, nss-3.15.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2013-11-13 22:34:24 EST
nss-util-3.15.2-2.fc18, nss-softokn-3.15.2-2.fc18, nss-3.15.2-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.