Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for an ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys.

This issue was fixed in NSS version 3.19.1.

External Reference: http://www.mozilla.org/security/announce/2015/mfsa2015-71.html

Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Karthikeyan Bhargavan as the original reporter.
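The check the description above says the client skipped, as an added example (not NSS code and not part of the original report): a client-side validation of the server's first handshake flight that aborts when an ephemeral suite arrives without ServerKeyExchange. The enum names, function names and sample flights are this example's own assumptions; the message type codes are those of RFC 5246.

```c
#include <stdio.h>
#include <stddef.h>

/* Handshake message type codes from RFC 5246, section 7.4. */
enum hs_msg { SERVER_HELLO = 2, CERTIFICATE = 11, SERVER_KEY_EXCHANGE = 12,
              CERTIFICATE_REQUEST = 13, SERVER_HELLO_DONE = 14 };

/* Key exchange families; names are the example's own, not NSS identifiers. */
enum kea { KEA_RSA, KEA_ECDH_ECDSA, KEA_ECDHE_ECDSA, KEA_ECDHE_RSA };

static int kea_is_ephemeral(enum kea k)
{
    return k == KEA_ECDHE_ECDSA || k == KEA_ECDHE_RSA;
}

/* Returns 0 if the server's first flight is acceptable for the negotiated
 * key exchange, -1 if the client must abort the handshake. */
int check_server_flight(enum kea k, const enum hs_msg *m, size_t n)
{
    int seen_cert = 0, seen_ske = 0;
    if (n < 2 || m[0] != SERVER_HELLO || m[n - 1] != SERVER_HELLO_DONE)
        return -1;
    for (size_t i = 1; i < n; i++) {
        if (m[i] <= m[i - 1])               /* type codes rise in flight order */
            return -1;
        switch (m[i]) {
        case CERTIFICATE:         seen_cert = 1; break;
        case SERVER_KEY_EXCHANGE: seen_ske = 1;  break;
        case CERTIFICATE_REQUEST:
        case SERVER_HELLO_DONE:   break;
        default:                  return -1;  /* not expected in this flight */
        }
    }
    /* Ephemeral suites require ServerKeyExchange and static ones forbid it.
     * A missing message is fatal: never fall back to the certificate's EC key. */
    return (seen_cert && seen_ske == kea_is_ephemeral(k)) ? 0 : -1;
}

/* Constructed sample flights. */
static const enum hs_msg FLIGHT_WITH_SKE[] = { SERVER_HELLO, CERTIFICATE,
                                               SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE };
static const enum hs_msg FLIGHT_NO_SKE[] = { SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE };

int main(void)
{
    printf("ECDHE_ECDSA, SKE sent:    %d\n", check_server_flight(KEA_ECDHE_ECDSA, FLIGHT_WITH_SKE, 4));
    printf("ECDHE_ECDSA, SKE missing: %d\n", check_server_flight(KEA_ECDHE_ECDSA, FLIGHT_NO_SKE, 3));
    printf("ECDH_ECDSA,  SKE missing: %d\n", check_server_flight(KEA_ECDH_ECDSA, FLIGHT_NO_SKE, 3));
    return 0;
}
```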
Upstream commits: https://hg.mozilla.org/projects/nss/rev/6b4770c76bc8
Test case at: https://hg.mozilla.org/projects/nss/rev/1865635f5df5

This issue was fixed in NSS version 3.19.1.
This issue was fixed in Red Hat Enterprise Linux 6 and 7 via the following advisory: https://rhn.redhat.com/errata/RHSA-2015-1185.html
Created attachment 1057422 [details]
all changes required for rebasing to nss-3.19.1

For informational purposes mostly. To apply, in a convenient location do:
rhpkg clone nss; cd nss; rhpkg switch-branch
patch -p1 < a-to/allchanges4rebase.patch
It's not easy on the eyes so I'll attach the nss.spec portion next.
Created attachment 1057423 [details]
spec file changes - in patch format

deleted: expired-cert.patch, nss-3.18.1-ca-2.3-to-2.4.patch, and syntaxfix.patch which were rendered obsolete with the rebase.
modified: nss-revert-tls-version-defaults.patch on account of the rebase, same patch but was generated with gendiff, same as previously done on rhel 6 and.
Comment on attachment 1057423 [details]
spec file changes - in patch format

This patch is not yet complete as it missed picking up a post release fix to a 3.19.1 caused regression which is a main driver for this. Upstream bug is: https://bugzilla.mozilla.org/show_bug.cgi?id=1173413. Thanks to Bob for that and other reminders. Doing other checks for upstream changes to default behavior that need to be reversed.
Created attachment 1057769 [details] all changes for rebase
Created attachment 1057770 [details]
nss.spec changes - in patch format

Extracted from the other patch, easier to read and review.
Comment on attachment 1057769 [details]
all changes for rebase

r-

Please explain why the keep tls default patch changed from a -R (revert) to no -R as in the comment. Do you have a different keep tls defaults patch?

Also, include the min_key_sizes patch for review.
(In reply to Bob Relyea from comment #16)
> Comment on attachment 1057769 [details]
> all changes for rebase
>
> r-
>
> Please explain why the keep tls default patch changed from a -R (revert) to
> no -R as in the comment. Do you have a different keep tls defaults patch?

The reason is that originally it was exactly the same patch as the one upstream, thus we needed the -R (revert) to tell the tool the intention is to revert. The patch no longer applies due to code changes since then. This patch was manually generated using gendiff and -R can't be used. This is the same change as I had to make for RHEL-6, actually I copied it from there. I should have added a brief version of this explanation to the nss.spec.

> Also, include the min_key_sizes patch for review.

Yes, coming next.
Created attachment 1058106 [details]
Reverts upstream changes that bumped the minimum key sizes

This patch reverts the upstream change but I have been meaning to ask you, should we instead change them but choose our minimum values?
Comment on attachment 1058106 [details]
Reverts upstream changes that bumped the minimum key sizes

r+
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2015:1664 https://rhn.redhat.com/errata/RHSA-2015-1664.html