With nss-3.15.1-2.fc19.x86_64 and curl-7.29.0-7.fc19.x86_64, I get this:

$ curl https://cc.dcsec.uni-hannover.de/ | grep -o 'Version.*</div>'
Version: </div><div class='span8'>3.1 </div></div><div class='row'><div class='span2'>Ciphers: </div><div class='span8'>ff,39,6b,38,35,3d,33,67,32,05,04,2f,3c,16,13,0a </div></div><div class='row'><div class='span2'>Extensions: </div><div class='span8'>0000 </div></div><div class='row'><div class='span2'>Remote Time: </div><div class='span8'>Wed, 07 Aug 2013 16:57:47</div></div>
$

That is, the connection uses TLS 1.0 ("SSL 3.1"). Also verified with Wireshark.

Curl doesn't know anything about TLS 1.2, and shouldn't have to. If we don't change the default in NSS, we will have to patch all NSS-using applications and libraries, which is quite a big task.
curl provides an option to enable TLS 1.2 since curl-7.33.0-2.fc21
Any update on this? Mozilla's recommended server side SSL/TLS configuration (https://wiki.mozilla.org/Security/Server_Side_TLS) for servers that only care about compatibility with modern clients is to disable TLSv1.0. It would be nice if curl and programs using libcurl on Fedora would be able to be counted among those modern clients.
(In reply to Frederik Holden from comment #2)
> Any update on this?

I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.
(In reply to Kamil Dudka from comment #3)
> (In reply to Frederik Holden from comment #2)
> > Any update on this?
>
> I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Confirmed. More things than cURL use NSS though, so this is still a relevant bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one has to update outside the repos to get this fix in F20.
(In reply to Frederik Holden from comment #4)
> Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

You will get the fix (or rather an enhancement?) once you update to Fedora 21 because I prefer not to change the default behavior during the lifetime of a stable Fedora release.
(In reply to Kamil Dudka from comment #5)
> (In reply to Frederik Holden from comment #4)
> > Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> > has to update outside the repos to get this fix in F20.
>
> You will get the fix (or rather an enhancement?) once you update to Fedora
> 21 because I prefer not to change the default behavior during the lifetime
> of a stable Fedora release.

Fair enough. Can the default be changed in NSS as well, so other programs using NSS can use TLSv1.1 and TLSv1.2 without having to explicitly enable it?
I think this can be done in Fedora. We can't do it in RHEL because there are still a boatload of devices out there that are TLS intolerant.
(In reply to Frederik Holden from comment #4)
> Confirmed. More things than cURL use NSS though, so this is still a relevant
> bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment #3
(In reply to Kamil Dudka from comment #8)
> F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment
> #3

Just tested it now. Confirmed that TLS 1.2 support is enabled by default in cURL on F20. Very nice, thanks.
nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21
nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19
Package nss-3.17.3-1.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.3-1.fc20 nss-util-3.17.3-1.fc20 nss-softokn-3.17.3-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16530/nss-util-3.17.3-1.fc20,nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
then log in and leave karma (feedback).
nss-util-3.17.3-1.fc21, nss-3.17.3-1.fc21, nss-softokn-3.17.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
nss-3.17.3-2.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.