Created attachment 936872: patch to use ECC cipher suite by default
I understand support for crypto-policies is coming to NSS, but in the meantime, perhaps NSS should use the ECC-enabled cipher suite from nss.conf by default? Fedora's nss and mod_nss are both compiled with ECC support. Flipping from one to the other in my FreeIPA web server bumped the Calomel score from 47% (0/20 for PFS) to 88%. Attaching a patch against current package git master which should implement this.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Per discussion with rcritten, will try to fix this upstream as time permits for inclusion in some future release. (set new default ciphers)
master: 81908fd375160f26b46af4decfe198d41b0115a7
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune with any questions.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This was addressed upstream in 1.0.13.