It was discovered that the global SSL_ImplementedCiphers variable increased its size as a result of nss package updates, an ABI incompatibility. Due to the way ELF dynamic linking works, if the main program was linke dagainst an older version of nss, then too little space for the SSL_ImplementedCiphers variable is allocated, and its contents is truncated. As a result, applications using the SSL_ImplementedCiphers variables may not enable the intended set of a TLS cipher suites.
External references: https://lists.fedoraproject.org/pipermail/devel/2015-September/214132.html https://sourceware.org/bugzilla/show_bug.cgi?id=18924 https://bugzilla.mozilla.org/show_bug.cgi?id=1201900
(In reply to Huzaifa S. Sidhpurwala from comment #4) > Florian, > > Looking at: > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/ > sslfnc.html it seems that "Using the external array SSL_ImplementedCiphers[] > directly is deprecated...." > > Based on the above, i think this should be closed as NOTABUG This was added *after* we made the ABI promise for RHEL 7. It was deprecated in response to this report, before it was more or less a supported interface (lack of documentation for NSS as a whole makes such things difficult to determine, though).
I am going to defer this flaw to upstream. We will pull in the upstream fixes when they are committed. Closing this as wontfix for now, will re-open when required.