A flaw was found in the way mod_nss parsed certain OpenSSL-style cipher strings. As a result, mod_nss could potentially use ciphers that were not intended to be enabled.
It was reported that the +CIPHER operator in OpenSSL changes the order of a cipher. Since cipher ordering isn't supported in NSS, the mod_nss code was supposed to return an error. Instead it returned the result of processing up to that point, so the elements after the + operator were silently ignored. Default OpenSSL cipher string:
Would not properly exclude anything because only the first 5 elements would be examined.
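To illustrate the failure mode, here is an added example (constructed, not mod_nss code) of a simplified OpenSSL-style cipher string parser: in lenient mode it models the flaw by stopping at the first leading-+ element and returning what was parsed so far, while strict mode fails closed with an error. The cipher catalogue, alias rules and the cipher string are constructed sample data; only the leading-+ (reorder) form the report describes is modelled.

```python
# Constructed, simplified cipher catalogue keyed by OpenSSL-style name.
CIPHERS = {
    "AES128-SHA":     {"kx": "RSA",   "strength": "HIGH"},
    "AES256-SHA":     {"kx": "RSA",   "strength": "HIGH"},
    "RC4-SHA":        {"kx": "RSA",   "strength": "MEDIUM"},
    "DES-CBC-SHA":    {"kx": "RSA",   "strength": "LOW"},
    "NULL-SHA":       {"kx": "RSA",   "strength": "eNULL"},
    "ADH-AES128-SHA": {"kx": "aNULL", "strength": "HIGH"},
}


class UnsupportedCipherOp(ValueError):
    """Raised for cipher-string syntax that NSS cannot honour."""


def matches(cipher, token):
    """Does CIPHER match the alias or exact name TOKEN? (constructed alias rules)"""
    c = CIPHERS[cipher]
    if token == "ALL":                       # OpenSSL's ALL never includes eNULL
        return c["strength"] != "eNULL"
    if token in ("HIGH", "MEDIUM", "LOW", "eNULL"):
        return c["strength"] == token
    if token == "aNULL":
        return c["kx"] == "aNULL"
    return cipher == token


def parse_cipher_string(spec, strict=True):
    """Return the enabled cipher list for an OpenSSL-style ':'-separated spec.

    '!' permanently excludes, '-' removes from the current list, and a
    leading '+' asks for reordering, which NSS does not support.
    strict=True fails closed; strict=False models the mod_nss flaw.
    """
    enabled, banned = [], set()
    for token in filter(None, spec.split(":")):
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if op == "+":
            if strict:
                raise UnsupportedCipherOp(f"{token!r}: cipher ordering not supported by NSS")
            break  # flaw: return the partial result, dropping every later element
        hits = [c for c in CIPHERS if matches(c, name)]
        if op == "!":
            banned.update(hits)
            enabled = [c for c in enabled if c not in banned]
        elif op == "-":
            enabled = [c for c in enabled if c not in hits]
        else:
            enabled += [c for c in hits if c not in enabled and c not in banned]
    return enabled
```

With a constructed spec such as `ALL:+HIGH:!aNULL:!eNULL:!LOW`, lenient parsing silently keeps the anonymous and LOW ciphers that the trailing `!` elements were meant to exclude.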
Name: Rob Crittenden (Red Hat)
Created mod_nss tracking bugs for this issue:
Affects: fedora-all [bug 1323914]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2602 https://rhn.redhat.com/errata/RHSA-2016-2602.html