Bug 1432889 - Enable support for TLS 1.3 in Fedora NSS
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: nss
Version: rawhide
Assigned To: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
Depends On: 1415140
Blocks: 1431316
Reported: 2017-03-16 06:33 EDT by Kai Engert (:kaie)
Modified: 2017-06-19 03:56 EDT

Last Closed: 2017-06-19 03:56:06 EDT
Type: Bug
Description Kai Engert (:kaie) 2017-03-16 06:33:14 EDT
We should attempt to enable the TLS 1.3 code contained in NSS, as soon as possible.

(This isn't about enabling the protocol by default; rather, it's about building the code, so applications could enable it, if they want to.)
Comment 1 Kai Engert (:kaie) 2017-03-16 08:44:01 EDT
Here is a COPR repo with NSS builds that enable TLS 1.3.
https://copr.fedorainfracloud.org/coprs/kengert/nss-with-tls-1.3/

The builds are based on the most recently released builds for Fedora, and only flip the switch to enable support for TLS 1.3, no other changes.

The builds will always append something like .1.with_tls1_3 at the end of the regular release version, so it's easy to distinguish them.

Because of that numbering, any later official build should always override these experimental packages.

It would be good if Fedora packagers tried to use these NSS packages, and check if they cause any problems for their own package.
Comment 2 Christian Heimes 2017-04-19 08:47:09 EDT
I have successfully deployed and tested FreeIPA with the TLS 1.3-enabled NSS from Kai's COPR. All components work as expected. The test covers 389-DS, libldap, Dogtag (JSS, TomcatJSS), mod_nss, libcurl and python-nss. mod_nss is configured with TLS 1.0 to 1.2 support.

$ rpm -qa nss freeipa-server
nss-3.29.3-1.3.0.1.with_tls1_3.fc26.x86_64
freeipa-server-4.4.3-8.fc26.x86_64
Comment 3 Christian Heimes 2017-04-20 05:13:22 EDT
Installation on Fedora 25 was successful, too.

# rpm -qa freeipa-server nss
nss-3.29.3-1.1.0.1.with_tls1_3.fc25.x86_64
freeipa-server-4.4.4-1.fc25.x86_64
Comment 4 Fedora Update System 2017-05-11 03:47:23 EDT
nss-3.30.2-1.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e504c7cb8f
Comment 5 Fedora Update System 2017-05-11 03:47:35 EDT
nss-3.30.2-1.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2bcf2658d
Comment 6 Fedora Update System 2017-05-12 09:36:18 EDT
nss-3.30.2-1.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e504c7cb8f
Comment 7 Fedora Update System 2017-05-12 21:10:24 EDT
nss-3.30.2-1.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2bcf2658d
Comment 8 Kai Engert (:kaie) 2017-05-22 09:57:19 EDT
These updates have been in updates-testing for 10 days.

I suggest pushing them to stable.
Comment 9 Fedora Update System 2017-05-22 20:39:07 EDT
nss-3.30.2-1.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2017-06-09 14:53:52 EDT
nss-3.30.2-1.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Daiki Ueno 2017-06-19 03:56:06 EDT
Closing this, as the update has been in release branches for a while (except f24, which is on purpose).
