Description of problem: The environment variable SSLBYPASS when set allows NSS SSL/TLS to bypass the PKCS #11 layer. The user is advised to not set this variable if FIPS is enabled. We do not support the SSLBYPASS, neither in Fedora nor in RHEL, and so we should disable the feature at build time. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 572564 [details] Disables ssl bypass at build time
Comment on attachment 572564 [details] Disables ssl bypass at build time My own comment: NSS_ALLOW_SSLBYPASS is too long, no need for the NSS_ in front to disambiguate as this is not a runtime environment variable but a build time variable.
Created attachment 574100 [details] Disable ssl pkcs11 layer bypass at build time
Comment on attachment 574100 [details] Disable ssl pkcs11 layer bypass at build time One must add export NSS_NOSSLBYPASS=1 to the %build section of nss.spec to trigger CFLAGS +=NOSSLBYPASS
Created attachment 577475 [details] Disable sslbypass at build time
Elio, I reviewed the patch in the upstream bug, is that sufficient?
Kai, I don't think so. That's because this patch for Fedora disables SSLBYPASS unconditionally whereas the upstream patch requires the package maintainer to setting the build time environment variable to activate the disabling. Thanks for the prompt review on the upstream one.
On second thought, for the sake of consistency I should rely on the upstream patch instead. I should submit the upstream one suitably one adapted for 3.13.4 and with the modifications that Kai suggested upstream. It makes life easier.
Comment on attachment 577475 [details] Disable sslbypass at build time (In reply to comment #8) > for the sake of consistency I should rely on the upstream patch instead I understand this patch is now obsolete.
Created attachment 584430 [details] Disable ssl pkcs11 bypass at build time and preserve ABI Submitting for upstream review as well.
Comment on attachment 584430 [details] Disable ssl pkcs11 bypass at build time and preserve ABI Cancelling the request for review due to upstream feedback.
After modifications and expansion the patch has been approved and committed upstream for nss-3.14.
Created attachment 594623 [details] Disable ssl pkcs #11 bypass at buitime This is a backport to nss-3.13.5 of the changes committed upstream for nss-3.14. Requires adding 'export NSS_NO_PKCS11_BYPASS=1' to the %build section of nss.spec for it to take effect as the default is to allow bypass to occur as before.
Created attachment 594787 [details] Disable ssl pkcs #11 bypass at buildtime Follows the upstream one a bit more closely.
Comment on attachment 594787 [details] Disable ssl pkcs #11 bypass at buildtime r- Well this would work, sort of, but rather than if (bypass) { #ifndef NO_BYPASS code #endif } else { I'd like to see #ifdef NO_BYPASS if (bypass) { code } else #endif {
Bob, please make those comments also in the bug https://bugzilla.mozilla.org/show_bug.cgi?id=745281 The multicolor explanation on a whiteboard of the three styles was very clear and to the point.
The upstram bug https://bugzilla.mozilla.org/show_bug.cgi?id=745281 was fixed in nss-3.14 to which we have rebased nss in fedora. That is the bulck of the work but a small part remains. The upstream fix was to provide the option of disabling SSL PKCS #11 bypass at build time. What remains is mostly for the downstream nss packager maintainer exersize his option. Add to the %build section of the nss.spc file: NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS
Created attachment 641885 [details] Return failure if caller mistakenly requests bypass at runtime Besides disabling bypass at buildtime, also protect user from mistajenly trying to enable it via the environment variable. Fedora has never supported bypass so compatibility is not an issue
nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18
Package nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-softokn-3.14-1.fc18 nss-util-3.14-1.fc18 nss-3.14-6.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18 then log in and leave karma (feedback).
Package nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-util-3.14-1.fc18 nss-3.14-7.fc18 nss-softokn-3.14-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-7.fc18,nss-softokn-3.14-5.fc18,nss-util-3.14-1.fc18 then log in and leave karma (feedback).
nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17
nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
nss-util-3.14-1.fc17, nss-softokn-3.14-5.fc17, nss-3.14-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16