Bug 1297888 - Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45.
Summary: Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Elio Maldonado Batiz
QA Contact: Alicja Kario
URL:
Whiteboard:
Depends On: 1297890
Blocks: 1297948 1300629
Reported: 2016-01-12 17:22 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2016-11-07 13:12 UTC
CC List: 7 users

Fixed In Version: nss-3.21.0-7.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Clones: 1300629
Environment:
Last Closed: 2016-05-10 21:09:44 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch NSS 3.21 CA-certificates 2.6 to keep 1024bit RSA legacy CAs enabled (117.40 KB, patch)
2016-01-19 14:00 UTC, Kai Engert (:kaie) (inactive account)
no flags
prevents enabling extended master key derive by default (514 bytes, patch)
2016-01-25 15:56 UTC, Elio Maldonado Batiz
rrelyea: review-
alternative patch to more thoroughly disable the use of extended-master-secret (1.01 KB, patch)
2016-01-25 16:53 UTC, Kai Engert (:kaie) (inactive account)
rrelyea: review+
nss-prevent-abi-issue.patch (1.68 KB, patch)
2016-02-19 11:48 UTC, Kai Engert (:kaie) (inactive account)
hkario: review-
nss-prevent-abi-issue.patch (1.67 KB, patch)
2016-02-19 12:20 UTC, Kai Engert (:kaie) (inactive account)
no flags


Links
Red Hat Product Errata RHBA-2016:0820 (priority normal, status SHIPPED_LIVE): nss bug fix and enhancement update, last updated 2016-05-10 22:40:02 UTC

Description Kai Engert (:kaie) (inactive account) 2016-01-12 17:22:29 UTC
Rebase RHEL 6.8 to NSS 3.21 in preparation for Firefox 45.

Comment 2 Kai Engert (:kaie) (inactive account) 2016-01-15 14:41:35 UTC
Karel asked for a list of changes in the newer NSS, here's a summary:

Previously, we used NSS 3.19.x.
The relevant changes that were added in version until 3.21 are:

- CA certificates
  (list was updated twice, in 3.19.3 and 3.21)

- Added support for DHE server side ciphersuites, disabled by default.
  (This was already included in RHEL 7 with local patches.)

- disabled support for very old C compilers (pre C89)

- support TLS extended master secret extension (RFC 7627), off by default

- several other new APIs (that new application code could use)

- upstream changed to build with ECC enabled by default

- stricter build options, that cause most warnings to be treated as errors

More details here:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes

Comment 3 Alicja Kario 2016-01-18 11:28:52 UTC
(In reply to Kai Engert (:kaie) from comment #2)
> - support TLS extended master secret extension (RFC 7627), off by default

Note that upstream agreed to change this default, it's just that the patches haven't landed yet.

We will want to enable it by default.

Comment 4 Kai Engert (:kaie) (inactive account) 2016-01-19 14:00:07 UTC
Created attachment 1116177 [details]
Patch NSS 3.21 CA-certificates 2.6 to keep 1024bit RSA legacy CAs enabled

Please remove the patch nss-ca-2.4-enable-legacy.patch

Instead, please apply this patch nss-ca-2.6-enable-legacy.patch, it should apply cleanly on top of NSS 3.21 (if it doesn't apply, please tell me).

Comment 9 Elio Maldonado Batiz 2016-01-25 15:56:10 UTC
Created attachment 1118083 [details]
prevents enabling extended master key derive by default

It was reported that with NSS 3.21 an attempt to enable the TLS-extended-master-secret is failing. There is a new mechanism in recent NSS softokn that the TLS code is using: CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE. This mechanism is missing in the older version of softokn, 3.16.2.3, that we use on 6.8 due to FIPS. In order to prevent applications failing badly because they try to set it, this patch effectively makes such an attempt a noop.

Comment 11 Kai Engert (:kaie) (inactive account) 2016-01-25 16:53:27 UTC
Created attachment 1118106 [details]
alternative patch to more thoroughly disable the use of extended-master-secret

Comment 12 Bob Relyea 2016-01-25 22:13:56 UTC
Comment on attachment 1118106 [details]
alternative patch to more thoroughly disable the use of extended-master-secret

r+ yes, this is the better patch.

Comment 13 Bob Relyea 2016-01-25 22:14:34 UTC
Comment on attachment 1118083 [details]
prevents enabling extended master key derive by default

r- Kai has already explained why this is insufficient.

Comment 14 Kai Engert (:kaie) (inactive account) 2016-01-27 21:31:40 UTC
(In reply to Kai Engert (:kaie) from comment #1)
> - support TLS extended master secret extension (RFC 7627), off by default

We cannot support this feature because of the older softokn that we're shipping with RHEL.

We will force this feature to remain disabled.
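
The RFC 7627 discussion in comments 2, 3, 9 and 14 comes down to one derivation. Classic TLS 1.2 computes the master secret from the pre-master secret and the two randoms only, so two connections that share those three values (the triple-handshake setup: a MITM forwards the client's randoms and re-encrypts its pre-master secret to a different server) end up with the same master secret. Extended master secret instead mixes in the hash of the whole handshake transcript, so the two connections diverge. The script below is an added example, not code from this bug, from NSS or from Red Hat; it implements the TLS 1.2 PRF from RFC 5246 with the SHA-256 expansion and derives the secret both ways for constructed (not captured) inputs, which is the property QA wanted on by default and which the shipped RHEL 6.8 build cannot provide with softokn 3.16.2.3.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246, section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF as used by cipher suites whose PRF hash is SHA-256 (assumed here)."""
    return p_sha256(secret, label + seed, length)


def classic_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246, section 8.1: depends only on the pre-master secret and the two randoms."""
    return tls12_prf(pms, b"master secret", client_random + server_random, 48)


def extended_master_secret(pms: bytes, handshake_transcript: bytes) -> bytes:
    """RFC 7627, section 4: session_hash = Hash(handshake messages up to ClientKeyExchange)."""
    session_hash = hashlib.sha256(handshake_transcript).digest()
    return tls12_prf(pms, b"extended master secret", session_hash, 48)


def compare_derivations() -> dict:
    """Derive both secrets for two handshakes sharing pms and randoms but not the transcript."""
    # Constructed inputs, not real handshake data: a 48-byte RSA pre-master secret
    # (2 version bytes + 46 bytes), two 32-byte randoms, and two transcripts that
    # differ only in the server's Certificate message, as when a MITM forwards one
    # client's pms and randoms to a second server.
    pms = bytes([0x03, 0x03]) + bytes(range(46))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    common = b"ClientHello" + client_random + b"ServerHello" + server_random
    transcript_a = common + b"Certificate:server-A"
    transcript_b = common + b"Certificate:server-B"

    ms_a = classic_master_secret(pms, client_random, server_random)
    ms_b = classic_master_secret(pms, client_random, server_random)
    ems_a = extended_master_secret(pms, transcript_a)
    ems_b = extended_master_secret(pms, transcript_b)
    return {
        "classic_ms_len": len(ms_a),
        "ems_len": len(ems_a),
        "classic_ms_identical_across_servers": ms_a == ms_b,
        "ems_identical_across_servers": ems_a == ems_b,
        "classic_ms_hex": ms_a.hex(),
        "ems_a_hex": ems_a.hex(),
        "ems_b_hex": ems_b.hex(),
    }


if __name__ == "__main__":
    for key, value in compare_derivations().items():
        print(f"{key}: {value}")
```

The classic derivation reports the same 48-byte master secret for both servers, while the extended derivation differs, which is exactly the binding the extension adds; a build that silently ignores SSL_OptionSet for the extension, as the accepted patch makes RHEL 6.8 do, never produces the second kind of secret.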

Comment 16 Kai Engert (:kaie) (inactive account) 2016-02-19 11:48:42 UTC
Created attachment 1128520 [details]
nss-prevent-abi-issue.patch

Elio, please apply this patch from Bob, as a workaround to the issue that Hubert had identified.

Comment 17 Kai Engert (:kaie) (inactive account) 2016-02-19 12:20:40 UTC
Created attachment 1128549 [details]
nss-prevent-abi-issue.patch

fixed patch

Comment 25 Alicja Kario 2016-03-29 10:46:44 UTC
Mark, could you explain why you set the flag?

Comment 26 Mark McKinstry 2016-03-29 12:48:13 UTC
I'm not sure what you're referring to, I just added myself to the CC list. I didn't set any flags when I did that or at least didn't mean to. The changes for the ticket don't show anything being changed other than the CC.

Comment 27 Kai Engert (:kaie) (inactive account) 2016-03-29 13:08:22 UTC
Mark, look at this page, which can be accessed by clicking on the "history" link in the upper right.
https://bugzilla.redhat.com/show_activity.cgi?id=1297888

It shows that the verified: flag was set to FailedQA.

Either you changed that, or there is a bug in bugzilla.

Comment 28 Kai Engert (:kaie) (inactive account) 2016-03-29 13:10:03 UTC
Apparently these flags can only be seen when the bugzilla account has additional permissions, I don't see it when not logged into my account.

Comment 29 Mark McKinstry 2016-03-29 13:23:31 UTC
I must not have permissions to see it because when I look at https://bugzilla.redhat.com/show_activity.cgi?id=1297888 I don't see the FailedQA being set.

Regardless, any change to flags was accidental, I only meant to add myself to the CC list.

Comment 30 Alicja Kario 2016-03-29 13:43:38 UTC
Yes, it does look like it's a bug in our instance of Bugzilla.

Sorry to involve you!

Comment 33 errata-xmlrpc 2016-05-10 21:09:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0820.html

