A flaw was found with the NSS library when compiled with a server application. A man-in-the-middle attacker could use this flaw in a passive replay attack. The most severe issue for confidentiality is for stream ciphers (and AES-GCM), as the server may encrypt different data with the exact same key stream; for idempotency, the server may perform the same action multiple times without proper authentication.
External References:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes
Created nss tracking bugs for this issue:
Affects: fedora-all [bug 1624704]
Acknowledgments: Name: the Mozilla project
Upstream bug (currently non-public):
https://bugzilla.mozilla.org/show_bug.cgi?id=1483128
Upstream fix in 3.36 branch (including test):
https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d
https://hg.mozilla.org/projects/nss/rev/f182a11fbe53
It seems a different fix was used in 3.39 that disables processing of SSLv2 compatible Client Hellos:
https://hg.mozilla.org/projects/nss/rev/2ed9f6afd84e
> It seems a different fix was used in 3.39 that disables processing of SSLv2 compatible Client Hellos
Yes, but NSS packages distributed in Red Hat Enterprise Linux fix the issue, not disable support for SSLv2 compatible Client Hellos.
Right. The nss packages currently in Red Hat Enterprise Linux are based on upstream 3.36. I assume we will eventually update to 3.39 or newer, so I assume we have to consider how we're going to deal with this at that time.
Support for SSLv2 Client Hello protocol is technically part of API/ABI compatibility so it needs to remain in Red Hat Enterprise Linux 6 and 7.
(In reply to Tomas Hoger from comment #14)
> It seems a different fix was used in 3.39 that disables processing of SSLv2 compatible Client Hellos:
To be clear, the fixes are actually identical in 3.36 and 3.39. The only difference is that the latter fix was obfuscated as part of a large change: https://hg.mozilla.org/projects/nss/rev/ee357b00f2e6#l8.272
Thank you for the correction Daiki, I had previously failed to find the matching change in 3.39.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2768 https://access.redhat.com/errata/RHSA-2018:2768
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2898 https://access.redhat.com/errata/RHSA-2018:2898
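The comments above turn on whether servers must keep processing SSLv2-compatible Client Hellos. As an added example (not NSS or Red Hat code), the classifier below tells such a hello apart from a normal TLS record using the layout in RFC 5246 Appendix E.2, so captured first-flight bytes can be audited for clients that still send them. The function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

def classify_first_flight(data: bytes) -> dict:
    """Classify the first bytes a client sends on a TLS port."""
    if len(data) < 5:
        return {"kind": "truncated"}
    # TLS record layer: ContentType handshake(22), major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        (rec_len,) = struct.unpack("!H", data[3:5])
        is_hello = len(data) > 5 and data[5] == 0x01
        return {"kind": "tls-client-hello" if is_hello else "tls-handshake",
                "record_version": (data[1], data[2]), "length": rec_len}
    # SSLv2 2-byte header: high bit set, low 15 bits are the message length;
    # msg_type 1 is CLIENT-HELLO.
    if data[0] & 0x80 and data[2] == 0x01:
        if len(data) < 11:
            return {"kind": "truncated"}
        msg_len = struct.unpack("!H", data[0:2])[0] & 0x7FFF
        cs_len, sid_len, ch_len = struct.unpack("!HHH", data[5:11])
        # msg_len covers type(1) + version(2) + three lengths(6) + bodies.
        consistent = (msg_len == 9 + cs_len + sid_len + ch_len
                      and cs_len > 0 and cs_len % 3 == 0)
        if not consistent:
            return {"kind": "malformed-v2-hello"}
        return {"kind": "sslv2-compatible-client-hello",
                "offered_version": (data[3], data[4]),
                "cipher_specs": cs_len // 3,  # each V2CipherSpec is 3 bytes
                "session_id_length": sid_len,
                "challenge_length": ch_len}
    return {"kind": "unknown"}

def audit(flights) -> Counter:
    """Count how many captured first flights fall into each kind."""
    return Counter(classify_first_flight(f)["kind"] for f in flights)

# Constructed sample: v2-compatible hello offering TLS 1.2 (3,3), two cipher
# specs, empty session id and a 32-byte challenge.
SAMPLE_V2 = (b"\x80\x2f\x01\x03\x03" + struct.pack("!HHH", 6, 0, 32)
             + b"\x00\x00\x2f\x00\x00\x35" + bytes(range(32)))
# Constructed sample: prefix of an ordinary TLS record carrying a ClientHello.
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    print(audit([SAMPLE_V2, SAMPLE_TLS, b"\x80"]))
```

A zero count of `sslv2-compatible-client-hello` over representative captures is evidence that no client in that sample depends on the compatibility path discussed in the comments.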