Bug 1059670 - Default cipher ordering doesn't include ECDSA ciphers
Summary: Default cipher ordering doesn't include ECDSA ciphers
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Elio Maldonado Batiz
QA Contact: Hubert Kario
Docs Contact: Bara Ancincova
URL:
Whiteboard:
Keywords:
Depends On: 1058767 1058776 1156426
Blocks: 1057566 1059682 1246125
Reported: 2014-01-30 10:36 UTC by Hubert Kario
Modified: 2016-01-23 15:27 UTC (History)

Doc Text:
ECDSA certificates are now supported

Applications that use the default NSS cipher list now support connections to servers that use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.
Clone Of:
Clones: 1059682
Last Closed: 2015-11-19 12:24:32 UTC


Attachments
enable ecdsa ciphers suites by default - partial fix (2.95 KB, patch)
2015-08-20 15:35 UTC, Elio Maldonado Batiz
no flags Details | Diff
core dump failues on s390 (3.03 KB, text/plain)
2015-08-20 15:38 UTC, Elio Maldonado Batiz
no flags Details
reorders the cipher suites and enables some by default (8.88 KB, patch)
2015-08-29 15:41 UTC, Elio Maldonado Batiz
hkario: review-
Details | Diff
patch 1 of 2 to solve test failures that were breaking the build - sni part (2.42 KB, patch)
2015-08-29 15:48 UTC, Elio Maldonado Batiz
no flags Details | Diff
patch 2 of 2 to solve test failures that were breaking the build - ocsp stapling part (821 bytes, patch)
2015-08-29 15:50 UTC, Elio Maldonado Batiz
no flags Details | Diff
Fix test failures observer in ocsp stapling and some sni tests (3.24 KB, patch)
2015-08-30 22:42 UTC, Elio Maldonado Batiz
rrelyea: review+
Details | Diff
reorders the cipher suites and enable some new ones by default (10.85 KB, patch)
2015-08-31 20:55 UTC, Elio Maldonado Batiz
rrelyea: review+
hkario: review+
Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2121 normal SHIPPED_LIVE nss bug fix and enhancement update 2015-11-19 11:01:16 UTC
Red Hat Bugzilla 1185708 None None None Never
Red Hat Bugzilla 1245279 None None None Never

Internal Trackers: 1185708 1245279

Description Hubert Kario 2014-01-30 10:36:48 UTC
Description of problem:
When curl connects to server using ECDSA certificate, the connection is refused with "no shared ciphers" SSL error.

Version-Release number of selected component (if applicable):
nss-3.15.1-15.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup ftps or https server with ECDSA certificates
2. Try to download a file from it using `curl'

Actual results:
Connection refused, no shared cipher.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to localhost port 21 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 21 (#0)
< 220 (vsFTPd 3.0.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/CA/certs/ca_cert.pem
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
> USER anonymous
< 500 OOPS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
* Access denied: 500
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (67) Cannot communicate securely with peer: no common encryption algorithm(s).

Expected results:
File downloaded, certificate verified successfully.

Additional info:
Looking at ClientHello sent by curl, the only ciphers advertised are:

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

All ECDHE and ECDSA suites are missing. GCM and SHA-2 suites should also be present if the client requests support for TLSv1.2 (this will require bug 1036789 fixed in case of curl).
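
The failure above can be reproduced offline from the cipher list alone. The following script is an added example, not part of the bug report or of NSS: it parses the Wireshark-style `Cipher Suite:` lines quoted above (a constructed copy), derives from each suite name which certificate type it can authenticate with, and intersects the client's list with what a server holding an ECDSA certificate can negotiate. The `FIXED_CLIENT_SUITES` list is constructed from the ECDHE entries later agreed in this bug; `usable_by_server`, `negotiate` and the server-side selection order are this example's own simplifications.

```python
"""Why the reported ClientHello cannot be served by an ECDSA-certificate server.

Added example (not NSS code): model the cipher-suite overlap check that
yields SSL_ERROR_NO_CYPHER_OVERLAP when the client offers no suite whose
authentication algorithm matches the server's certificate.
"""
import re
from typing import List, Optional

# Constructed copy of the ClientHello cipher list quoted in the report.
REPORTED_CLIENT_HELLO = """
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
"""

# Constructed: a client whose defaults include the ECDHE suites that this bug
# later enables by default (subset of the consensus list, same order).
FIXED_CLIENT_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

SUITE_RE = re.compile(
    r"Cipher Suite:\s*((?:TLS|SSL)_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]{4})\)")


def parse_client_hello(text: str) -> List[str]:
    """Extract suite names from 'Cipher Suite: NAME (0xNNNN)' lines, in order."""
    return [m.group(1) for m in SUITE_RE.finditer(text)]


def auth_algorithm(suite: str) -> str:
    """Certificate type a suite requires: last token of its key-exchange part.

    TLS_ECDHE_ECDSA_WITH_... -> ECDSA, TLS_DHE_DSS_WITH_... -> DSS,
    TLS_RSA_WITH_... -> RSA.  EXPORT/FIPS markers are ignored.
    """
    kex = suite.split("_WITH_")[0].split("_", 1)[1]       # drop TLS_/SSL_
    tokens = [t for t in kex.split("_")
              if not t.startswith("EXPORT") and t != "FIPS"]
    return tokens[-1]


def usable_by_server(client_suites: List[str], server_cert_auth: str,
                     server_enabled: Optional[List[str]] = None) -> List[str]:
    """Suites from the client's list that the server can actually use.

    A server can only negotiate suites whose authentication algorithm matches
    the key in its certificate; optionally also restrict to its enabled set.
    """
    usable = []
    for suite in client_suites:
        if auth_algorithm(suite) != server_cert_auth:
            continue
        if server_enabled is not None and suite not in server_enabled:
            continue
        usable.append(suite)
    return usable


def negotiate(client_suites: List[str], server_cert_auth: str,
              server_enabled: Optional[List[str]] = None) -> Optional[str]:
    """First shared suite in client order, or None (no cipher overlap)."""
    shared = usable_by_server(client_suites, server_cert_auth, server_enabled)
    return shared[0] if shared else None


if __name__ == "__main__":
    offered = parse_client_hello(REPORTED_CLIENT_HELLO)
    print("reported client vs ECDSA server:", negotiate(offered, "ECDSA"))
    print("fixed client vs ECDSA server:   ", negotiate(FIXED_CLIENT_SUITES, "ECDSA"))
    print("reported client vs RSA server:  ", negotiate(offered, "RSA"))
```

Selection here honours the client's order; a real server may apply its own preference instead, but the overlap test (an empty `usable_by_server` result) is what decides between a handshake and the `SSL_ERROR_NO_CYPHER_OVERLAP` seen in the curl trace.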

Comment 1 Hubert Kario 2014-01-30 10:52:25 UTC
Sorry, mixed up consoles, the bug is in nss-3.15.4-4.el7.x86_64, not the rhel-6 version of the package.

Comment 12 Elio Maldonado Batiz 2015-08-20 15:35:18 UTC
Created attachment 1065313 [details]
enable ecdsa ciphers suites by default - partial fix

Partial because the first two entries in
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
   /*      cipher_suite                     policy       enabled   isPresent */

 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},

haven't been enabled yet, pending investigation of some test failures that this causes.

With this incomplete patch I got a good build on all platforms except on s390, where it failed with core dumps.

Comment 13 Elio Maldonado Batiz 2015-08-20 15:38:29 UTC
Created attachment 1065314 [details]
core dump failues on s390

Comment 14 Hubert Kario 2015-08-20 15:55:50 UTC
Could it be related to bug 1200772?

Comment 15 Elio Maldonado Batiz 2015-08-20 16:16:12 UTC
It does look like it; I notice that some of the tests failing are the same in both cases. I have asked the folks in release engineering to send us the core dump files so we can examine the stack traces.

Comment 16 Elio Maldonado Batiz 2015-08-20 16:37:28 UTC
Stress TLS  RC4 128 with MD5 is common to both.

Comment 18 Elio Maldonado Batiz 2015-08-27 14:11:13 UTC
(In reply to Elio Maldonado Batiz from comment #12)
> Created attachment 1065313 [details]
> enable ecdsa ciphers suites by default - partial fix
> 
> Partial because the first two entries in
> static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
>    /*      cipher_suite                     policy       enabled   isPresent
> */
> 
>  { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
>  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
> 
> haven't been enabled yet pending investigation on some etst failures that
> causes.
> 
> With this incomplete patch I got good build on all platforms except on s390
> were it failed with core dumps.

New information, I made a new build with this incomplete patch removed and instead used a one line patch intended for fixing Bug 1171318 
https://bugzilla.redhat.com/attachment.cgi?id=1067460

and that one generates core dumps on s390 systems only and on certain stress tests. Most of them are related to the stress test on TLS RC4 128 with MD5.


grep FAILED ~/Downloads/build.log
ssl.sh: #2088: Stress TLS RC4 128 with MD5 (no reuse, client auth) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #2094: Stress TLS  ECDHE-ECDSA AES 128 CBC with SHA (no reuse) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #2321: Stress TLS  RC4 128 with MD5 (session ticket, compression, false start) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #2539: Stress TLS  RC4 128 with MD5 (compression) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #2540: Stress TLS  RC4 128 with MD5 (session ticket, compression) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #2995: Stress SSL3 RC4 128 with MD5 (no reuse, client auth) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #3000: Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #3206: Stress TLS RC4 128 with MD5 (compression, client auth, false start) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #3375: Stress TLS RC4 128 with MD5 (compression, client auth, false start) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #6910: Stress OCSP stapling, server uses random status produced a returncode of 139, expected is 0. - Core file is detected - FAILED
ssl.sh: #6915: Stress TLS  RC4 128 with MD5 (compression) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #6934: Stress TLS  ECDHE-RSA   AES 128 CBC with SHA256 produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #7136: Stress TLS  RC4 128 with MD5 (session ticket, compression) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED
ssl.sh: #7142: Stress TLS RC4 128 with MD5 (compression, client auth, false start) produced a returncode of 139, expected is 0.  - Core file is detected - FAILED

Comment 19 Elio Maldonado Batiz 2015-08-28 03:23:24 UTC
Build nss-3.19.1-12.el7 is only a partial fix so I'm leaving it as assigned.

Comment 20 Elio Maldonado Batiz 2015-08-29 15:41:53 UTC
Created attachment 1068293 [details]
reorders the cipher suites and enables some by default

This patch is to meet the requirements that I explain below. Here is an extract from an email where Hubert summarized the consensus the team and others reached as to the proper cipher order and what ciphers should now be enabled by default. I have edited it for the sake of clarity.

So I think we have consensus.

Elio, please change the default order to:
new:   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
new:   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) 
(you can add a comment that the above two are "out of place" because of SuiteB)
new:   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    (0xc00a)
new:   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    (0xc009)
new:   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   (0xc030)
new:   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      (0xc014)
new:   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   (0xc02f)
new:   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      (0xc013)
new:   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     (0x009f)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA        (0x0039)
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA        (0x0038)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     (0x006b)
       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     (0x009e)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA        (0x0033)
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA        (0x0032)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     (0x0067)
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       (0x0016)
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       (0x0013)
       TLS_RSA_WITH_AES_256_GCM_SHA384         (0x009d)
new:   TLS_RSA_WITH_AES_256_CBC_SHA            (0x0035)
       TLS_RSA_WITH_AES_256_CBC_SHA256         (0x003d)
       TLS_RSA_WITH_AES_128_GCM_SHA256         (0x009c)
       TLS_RSA_WITH_AES_128_CBC_SHA            (0x002f)
       TLS_RSA_WITH_AES_128_CBC_SHA256         (0x003c)
       TLS_RSA_WITH_3DES_EDE_CBC_SHA           (0x000a)
       TLS_RSA_WITH_RC4_128_SHA                (0x0005)
       TLS_RSA_WITH_RC4_128_MD5                (0x0004)

note that a few AES256 ciphers changed positions.
note: the tag "new:" means that the cipher is newly enabled by default.
The above is the basis of this patch

Comment 21 Elio Maldonado Batiz 2015-08-29 15:48:20 UTC
Created attachment 1068294 [details]
patch 1 of 2 to solve test failures that were breaking the build - sni part

Comment 22 Elio Maldonado Batiz 2015-08-29 15:50:16 UTC
Created attachment 1068295 [details]
patch 2 of 2 to solve test failures that were breaking the build - ocsp stapling part

Comment 24 Elio Maldonado Batiz 2015-08-30 22:42:26 UTC
Created attachment 1068497 [details]
Fix test failures observer in ocsp stapling and some sni tests

Expansion and reordering of ciphers caused test failures such as "TLS Server hello response with SNI produced a return code of 1" and various OCSP test failures. The client sent the name of the virtual domain as part of the TLS negotiation and what the server sent back was rejected by the client. We now have the TLS_ECDHE_ECDSA_xxx ciphers, which are preferred over the RSA ones, which is what the tests in question were written for before ECDSA was supported. The patch modifies the client side to be specific about the cipher suite by adding "-c v" to the tstclnt invocation to restrict the ciphers; here v stands for SSL3 RSA WITH AES 128 CBC SHA.

Comment 25 Elio Maldonado Batiz 2015-08-30 22:58:56 UTC
Comment on attachment 1068293 [details]
reorders the cipher suites and enables some by default

This patch is in response to Hubert's email where he summarized the consensus that was reached regarding the set of cipher suites. Slightly edited for clarity.

I think we have consensus. Elio, please change the default order to:
new:   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
new:   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) 
(above two are swapped because of Suite B)
new:   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    (0xc00a)
new:   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    (0xc009)
new:   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   (0xc030)
new:   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      (0xc014)
new:   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   (0xc02f)
new:   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      (0xc013)
new:   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     (0x009f)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA        (0x0039)
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA        (0x0038)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     (0x006b)
       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     (0x009e)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA        (0x0033)
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA        (0x0032)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     (0x0067)
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       (0x0016)
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       (0x0013)
       TLS_RSA_WITH_AES_256_GCM_SHA384         (0x009d)
new:   TLS_RSA_WITH_AES_256_CBC_SHA            (0x0035)
       TLS_RSA_WITH_AES_256_CBC_SHA256         (0x003d)
       TLS_RSA_WITH_AES_128_GCM_SHA256         (0x009c)
       TLS_RSA_WITH_AES_128_CBC_SHA            (0x002f)
       TLS_RSA_WITH_AES_128_CBC_SHA256         (0x003c)
       TLS_RSA_WITH_3DES_EDE_CBC_SHA           (0x000a)
       TLS_RSA_WITH_RC4_128_SHA                (0x0005)
       TLS_RSA_WITH_RC4_128_MD5                (0x0004)

note that a few AES256 ciphers changed positions.

In the above the tag "new:" means that the cipher is now enabled by default.

Comment 26 Elio Maldonado Batiz 2015-08-31 03:13:25 UTC
Comment on attachment 1068293 [details]
reorders the cipher suites and enables some by default

Oops, I just realized I had made those very same comments on 
https://bugzilla.redhat.com/show_bug.cgi?id=1059670#c20

Comment 27 Hubert Kario 2015-08-31 10:49:55 UTC
Comment on attachment 1068294 [details]
patch 1 of 2 to solve test failures that were breaking the build - sni part

-  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
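Review bot: Both SNI rows are pinned to `-c v` (SSL3 RSA WITH AES 128 CBC SHA) with no comment recording why a test about SNI now needs a cipher restriction; add a note in the test table stating which certificate the expected server responses assume, and consider keeping one un-pinned row so the SNI path is also exercised with the newly preferred ECDHE_ECDSA suites rather than only with RSA.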

SNI should not be affected by the ciphersuite selected for connection... Is it because the server is configured with both RSA and ECDSA certificates?

Comment 28 Hubert Kario 2015-08-31 10:57:13 UTC
Comment on attachment 1068293 [details]
reorders the cipher suites and enables some by default

We don't want to place all the default ciphers before all other ciphers

if the user enables all ciphersuites, no RC4 cipher should be placed before AES cipher!

Comment 29 Hubert Kario 2015-08-31 12:40:22 UTC
The ciphersuites should still be sorted (approximately) according to their strength. Secondly, nss-3.19.1-14.el7.x86_64 enables some ciphers we didn't agree to have enabled, e.g. TLS_ECDH_* - FailQA.

cipherSuites[] should look like this:

static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
   /*      cipher_suite                     policy       enabled   isPresent */

#ifndef NSS_DISABLE_ECC

 /* Ephemeral ECDH */
 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 /* Switched order of two previous to meet Suite B requirements
  * but implemented by default yet.
  */
 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must be before TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  * to workaround bug 946147.
  */
 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */

 /* Ephemeral Finite Field DH */
 { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},

#ifndef NSS_DISABLE_ECC
 /* Non ephemeral ECDH */
 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */

 /* RSA */
 { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { TLS_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},

 /* 56-bit DES "domestic" cipher suites */
 { TLS_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},

 /* export ciphersuites with 1024-bit public key exchange keys */
 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

 /* export ciphersuites with 512-bit public key exchange keys */
 { TLS_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},

 /* ciphersuites with no encryption */
#ifndef NSS_DISABLE_ECC
 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_ECDH_ECDSA_WITH_NULL_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */
 { TLS_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
 { TLS_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
};

Comment 30 Elio Maldonado Batiz 2015-08-31 20:55:40 UTC
Created attachment 1068777 [details]
reorders the cipher suites and enable some new ones by default

Comment 31 Bob Relyea 2015-08-31 23:19:57 UTC
Comment on attachment 1068497 [details]
Fix test failures observer in ocsp stapling and some sni tests

r+ rrelyea

Comment 32 Bob Relyea 2015-08-31 23:28:46 UTC
Comment on attachment 1068777 [details]
reorders the cipher suites and enable some new ones by default

r+ but move the ECDHE_ECDSA_AES_128_GCM_SHA384 below the ECDHE_ECDSA_AES_256_XXX ciphers.

Comment 33 Hubert Kario 2015-09-01 10:29:43 UTC
Comment on attachment 1068777 [details]
reorders the cipher suites and enable some new ones by default

this one looks good, but I will still need to run tests on actual code

Comment 34 Hubert Kario 2015-09-01 10:35:38 UTC
(In reply to Bob Relyea from comment #32)
> Comment on attachment 1068777 [details]
> reorders the cipher suites and enable some new ones by default
> 
> r+ but move the ECDHE_ECDSA_AES_128_GCM_SHA384 below the
> ECDHE_ECDSA_AES_256_XXX ciphers.

for suite B compatibility ECDHE_ECDSA_AES_256_GCM_SHA384 and ECDHE_ECDSA_AES_128_GCM_SHA256 MUST be the very first two ciphers, or the very first cipher if only one of them is present.

This placement also shouldn't cause any issues with bug 1195766 (the reason for placing AES256 before AES128 ciphers), as if you do enable GCM ciphers you have no reason not to enable both (especially if you want ssf=256), and current openldap doesn't allow you to enable them anyway.
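
The ordering rules argued over in comments 28, 29 and 34 can be turned into a mechanical check on a proposed cipherSuites[] table. The script below is an added example, not NSS code and not one of the patches attached to this bug. It reads a table as (suite, enabled-by-default) pairs, either from a Python list or straight from the C rows of sslsock.c via `parse_nss_table`, and reports violations of: the Suite B pair leading the enabled list (comment 34); static TLS_ECDH_* never being enabled by default (comment 29); no RC4 suite preceding an AES suite, interpreted here per key-exchange family as the comment 29 table does (comment 28); and the enabled suites descending approximately by strength, Suite B pair excepted (comment 29). `KEX_TIER`, `bulk_strength`, `kex_family` and the `CONSENSUS_DEFAULTS`/`TABLE_EXCERPT` data are this example's own constructions, the latter copied from comment 20 and comment 29.

```python
"""Checker for an NSS-style default cipher-suite order (added example)."""
import re
from typing import List, Tuple

SUITE_B = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")

# Assumed ranking of key-exchange families, strongest first.
KEX_TIER = {"ECDHE_ECDSA": 4, "ECDHE_RSA": 3, "DHE": 2, "ECDH": 1, "RSA": 0}

# Constructed: the consensus default list from comment 20, all enabled.
CONSENSUS_DEFAULTS = [(s, True) for s in """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384         TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256         TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA            TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA           TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
""".split()]

# Constructed excerpt in the format of NSS's cipherSuites[] rows (comment 29).
TABLE_EXCERPT = """
 { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
"""
ROW_RE = re.compile(r"\{\s*([A-Z0-9_]+)\s*,\s*SSL_ALLOWED\s*,\s*(PR_TRUE|PR_FALSE)")


def parse_nss_table(c_source: str) -> List[Tuple[str, bool]]:
    """(suite, enabled) pairs from cipherSuites[] rows, in the order written."""
    return [(m.group(1), m.group(2) == "PR_TRUE") for m in ROW_RE.finditer(c_source)]


def kex_family(suite: str) -> str:
    kex = suite.split("_WITH_")[0].split("_", 1)[1]          # drop TLS_/SSL_
    for fam in ("ECDHE_ECDSA", "ECDHE_RSA", "ECDH_", "DHE_"):
        if kex.startswith(fam):
            return fam.rstrip("_")
    return "RSA"                                             # RSA, RSA_FIPS, RSA_EXPORT*


def bulk_strength(suite: str) -> int:
    """Coarse bulk-cipher score; RC4 is deliberately ranked below 3DES."""
    bulk = suite.split("_WITH_")[1]
    if "NULL" in bulk:
        return 0
    if "EXPORT" in suite:
        return 40
    if bulk.startswith("DES_"):
        return 56
    if bulk.startswith("RC4_"):
        return 100
    if bulk.startswith("3DES"):
        return 112
    return 256 if "_256_" in bulk else 128                   # AES/Camellia/SEED


def check_default_order(table: List[Tuple[str, bool]]) -> List[str]:
    problems = []
    enabled = [s for s, on in table if on]
    # Rule 1 (comment 34): the Suite B pair must be the very first enabled suites.
    present = [s for s in SUITE_B if s in enabled]
    if enabled[:len(present)] != present:
        problems.append("Suite B: %s must lead the enabled list" % ", ".join(present))
    # Rule 2 (comment 29): static ECDH suites are not enabled by default.
    problems += ["%s is static ECDH and must not be enabled by default" % s
                 for s in enabled if kex_family(s) == "ECDH"]
    # Rule 3 (comment 28): no RC4 suite ahead of an AES suite of the same family.
    first_rc4 = {}
    for s, _ in table:
        fam = kex_family(s)
        if "_RC4_" in s:
            first_rc4.setdefault(fam, s)
        elif "_AES_" in s and fam in first_rc4:
            problems.append("%s is placed before %s" % (first_rc4[fam], s))
    # Rule 4 (comment 29): enabled suites descend roughly by strength.
    prev = None
    for s in enabled:
        if s in SUITE_B:
            continue
        key = (KEX_TIER[kex_family(s)], bulk_strength(s))
        if prev and key > prev[0]:
            problems.append("%s is stronger than %s but ordered after it" % (s, prev[1]))
        prev = (key, s)
    return problems


if __name__ == "__main__":
    for line in check_default_order(CONSENSUS_DEFAULTS) or ["consensus order: OK"]:
        print(line)
    print(parse_nss_table(TABLE_EXCERPT))
```

Run against the full cipherSuites[] source of a build, `parse_nss_table` plus `check_default_order` reproduces the FailQA finding in comment 29 (an enabled TLS_ECDH_* row) and the comment 32/34 disagreement (moving TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 down is flagged by rule 1) without a test-suite run.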

Comment 36 errata-xmlrpc 2015-11-19 12:24:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2121.html

