Bug 1297888 - Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assigned To: Elio Maldonado Batiz
QA Contact: Hubert Kario
Keywords: Rebase, ZStream
Depends On: 1297890
Blocks: 1297948 1300629
Reported: 2016-01-12 12:22 EST by Kai Engert (:kaie)
Modified: 2016-11-07 08:12 EST
Fixed In Version: nss-3.21.0-7.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Clones: 1300629
Last Closed: 2016-05-10 17:09:44 EDT
Type: Bug

Attachments

- Patch NSS 3.21 CA-certificates 2.6 to keep 1024bit RSA legacy CAs enabled (117.40 KB, patch), 2016-01-19 09:00 EST, Kai Engert (:kaie), no flags
- prevents enabling extended master key derive by default (514 bytes, patch), 2016-01-25 10:56 EST, Elio Maldonado Batiz, rrelyea: review-
- alternative patch to more thoroughly disable the use of extended-master-secret (1.01 KB, patch), 2016-01-25 11:53 EST, Kai Engert (:kaie), rrelyea: review+
- nss-prevent-abi-issue.patch (1.68 KB, patch), 2016-02-19 06:48 EST, Kai Engert (:kaie), hkario: review-
- nss-prevent-abi-issue.patch (1.67 KB, patch), 2016-02-19 07:20 EST, Kai Engert (:kaie), no flags
Description Kai Engert (:kaie) 2016-01-12 12:22:29 EST
Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45.
Comment 2 Kai Engert (:kaie) 2016-01-15 09:41:35 EST
Karel asked for a list of changes in the newer NSS, here's a summary:

Previously, we used NSS 3.19.x.
The relevant changes added in the versions up to 3.21 are:

- CA certificates
  (list was updated twice, in 3.19.3 and 3.21)

- Added support for DHE server side ciphersuites, disabled by default.
  (This was already included in RHEL 7 with local patches.)

- disabled support for very old C compilers (pre C89)

- support TLS extended master secret extension (RFC 7627), off by default

- several other new APIs (that new application code could use)

- upstream changed to build with ECC enabled by default

- stricter build options that cause most warnings to be treated as errors

More details here:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
Comment 3 Hubert Kario 2016-01-18 06:28:52 EST
(In reply to Kai Engert (:kaie) from comment #2)
> - support TLS extended master secret extension (RFC 7627), off by default

Note that upstream agreed to change this default, it's just that the patches haven't landed yet.

We will want to enable it by default.
Comment 4 Kai Engert (:kaie) 2016-01-19 09:00 EST
Created attachment 1116177
Patch NSS 3.21 CA-certificates 2.6 to keep 1024bit RSA legacy CAs enabled

Please remove the patch nss-ca-2.4-enable-legacy.patch

Instead, please apply this patch nss-ca-2.6-enable-legacy.patch, it should apply cleanly on top of NSS 3.21 (if it doesn't apply, please tell me).
Comment 9 Elio Maldonado Batiz 2016-01-25 10:56 EST
Created attachment 1118083
prevents enabling extended master key derive by default

It was reported that with NSS 3.21 an attempt to enable the TLS extended master secret is failing. There is a new mechanism in recent NSS softokn that the TLS code is using: CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE. This mechanism is missing in the older version of softokn, 3.16.2.3, that we use on 6.8 due to FIPS. In order to prevent applications from failing badly because they try to set it, this patch effectively makes such an attempt a no-op.
Comment 11 Kai Engert (:kaie) 2016-01-25 11:53 EST
Created attachment 1118106
alternative patch to more thoroughly disable the use of extended-master-secret
Comment 12 Bob Relyea 2016-01-25 17:13:56 EST
Comment on attachment 1118106
alternative patch to more thoroughly disable the use of extended-master-secret

r+ yes, this is the better patch.
Comment 13 Bob Relyea 2016-01-25 17:14:34 EST
Comment on attachment 1118083
prevents enabling extended master key derive by default

r- Kai has already explained why this is insufficient.
Comment 14 Kai Engert (:kaie) 2016-01-27 16:31:40 EST
(In reply to Kai Engert (:kaie) from comment #1)
> - support TLS extended master secret extension (RFC 7627), off by default

We cannot support this feature because of the older softokn that we're shipping with RHEL.

We will force this feature to remain disabled.
Comment 16 Kai Engert (:kaie) 2016-02-19 06:48 EST
Created attachment 1128520
nss-prevent-abi-issue.patch

Elio, please apply this patch from Bob, as a workaround to the issue that Hubert had identified.
Comment 17 Kai Engert (:kaie) 2016-02-19 07:20 EST
Created attachment 1128549
nss-prevent-abi-issue.patch

fixed patch
Comment 25 Hubert Kario 2016-03-29 06:46:44 EDT
Mark, could you explain why you set the flag?
Comment 26 Mark McKinstry 2016-03-29 08:48:13 EDT
I'm not sure what you're referring to; I just added myself to the CC list. I didn't set any flags when I did that, or at least didn't mean to. The changes for the ticket don't show anything being changed other than the CC.
Comment 27 Kai Engert (:kaie) 2016-03-29 09:08:22 EDT
Mark, look at this page, which can be accessed by clicking on the "history" link in the upper right.
https://bugzilla.redhat.com/show_activity.cgi?id=1297888

It shows that the verified: flag was set to FailedQA.

Either you changed that, or there is a bug in bugzilla.
Comment 28 Kai Engert (:kaie) 2016-03-29 09:10:03 EDT
Apparently these flags can only be seen when the bugzilla account has additional permissions; I don't see it when not logged into my account.
Comment 29 Mark McKinstry 2016-03-29 09:23:31 EDT
I must not have permissions to see it because when I look at https://bugzilla.redhat.com/show_activity.cgi?id=1297888 I don't see the FailedQA being set.

Regardless, any change to flags was accidental, I only meant to add myself to the CC list.
Comment 30 Hubert Kario 2016-03-29 09:43:38 EDT
Yes, it does look like it's a bug in our instance of bugzilla.

Sorry to involve you!
Comment 33 errata-xmlrpc 2016-05-10 17:09:44 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0820.html
