Bug 994599 - nss: should enable TLS 1.2 by default
Summary: nss: should enable TLS 1.2 by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-07 15:03 UTC by Florian Weimer
Modified: 2015-01-07 23:54 UTC (History)
9 users (show)

Fixed In Version: nss-3.17.3-2.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-15 04:30:36 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1012136 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1161894 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1162746 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1012136 1161894 1162746

Description Florian Weimer 2013-08-07 15:03:32 UTC
With nss-3.15.1-2.fc19.x86_64 and curl-7.29.0-7.fc19.x86_64, I get this:

$ curl https://cc.dcsec.uni-hannover.de/ | grep -o 'Version.*</div>'
Version: </div><div class='span8'>3.1 </div></div><div class='row'><div class='span2'>Ciphers: </div><div class='span8'>ff,39,6b,38,35,3d,33,67,32,05,04,2f,3c,16,13,0a </div></div><div class='row'><div class='span2'>Extensions: </div><div class='span8'>0000 </div></div><div class='row'><div class='span2'>Remote Time: </div><div class='span8'>Wed, 07 Aug 2013 16:57:47</div></div>
$

That is, the connection uses TLS 1.0 ("SSL 3.1").  Also verified with Wireshark.

Curl doesn't know anything about TLS 1.2, and shouldn't have to.  If we don't change the default in NSS, we will have to patch all NSS-using applications and libraries, which is quite a big task.

Comment 1 Kamil Dudka 2013-12-02 15:35:59 UTC
curl provides an option to enable TLS 1.2 since curl-7.33.0-2.fc21

Comment 2 Frederik Holden 2014-10-14 19:24:02 UTC
Any update on this? Mozilla's recommended server side SSL/TLS configuration (https://wiki.mozilla.org/Security/Server_Side_TLS) for servers that only care about compatibility with modern clients is to disable TLSv1.0. It would be nice if curl and programs using libcurl on Fedora would be able to be counted among those modern clients.

Comment 3 Kamil Dudka 2014-10-14 20:22:05 UTC
(In reply to Frederik Holden from comment #2)
> Any update on this?

I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Comment 4 Frederik Holden 2014-10-15 06:20:28 UTC
(In reply to Kamil Dudka from comment #3)
> (In reply to Frederik Holden from comment #2)
> > Any update on this?
> 
> I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Confirmed. More things than cURL use NSS though, so this is still a relevant bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one has to update outside the repos to get this fix in F20.

Comment 5 Kamil Dudka 2014-10-15 07:03:15 UTC
(In reply to Frederik Holden from comment #4)
> Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

You will get the fix (or rather an enhancement?) once you update to Fedora 21 because I prefer not to change the default behavior during the lifetime of a stable Fedora release.

Comment 6 Frederik Holden 2014-10-15 07:11:54 UTC
(In reply to Kamil Dudka from comment #5)
> (In reply to Frederik Holden from comment #4)
> > Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> > has to update outside the repos to get this fix in F20.
> 
> You will get the fix (or rather an enhancement?) once you update to Fedora
> 21 because I prefer not to change the default behavior during the lifetime
> of a stable Fedora release.

Fair enough. Can the default be changed in NSS as well, so other programs using NSS can use TLSv1.1 and TLSv1.2 without having to explicitly enable it?

Comment 7 Bob Relyea 2014-10-15 18:56:35 UTC
I think this can be done in Fedora. We can't do it in RHEL because there are still a boatload of devices out there that are TLS intolerant.

Comment 8 Kamil Dudka 2014-12-04 13:07:47 UTC
(In reply to Frederik Holden from comment #4)
> Confirmed. More things than cURL use NSS though, so this is still a relevant
> bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment #3

Comment 9 Frederik Holden 2014-12-04 14:16:49 UTC
(In reply to Kamil Dudka from comment #8)
> F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment
> #3

Just tested it now. Confirmed that TLS 1.2 support is enabled by default in cURL on F20. Very nice, thanks.

Comment 10 Fedora Update System 2014-12-08 00:37:50 UTC
nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21

Comment 11 Fedora Update System 2014-12-08 23:07:40 UTC
nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20

Comment 12 Fedora Update System 2014-12-11 20:18:57 UTC
nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19

Comment 13 Fedora Update System 2014-12-12 04:05:36 UTC
Package nss-3.17.3-1.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.3-1.fc20 nss-util-3.17.3-1.fc20 nss-softokn-3.17.3-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16530/nss-util-3.17.3-1.fc20,nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2014-12-15 04:30:36 UTC
nss-util-3.17.3-1.fc21, nss-3.17.3-1.fc21, nss-softokn-3.17.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-01-07 23:54:41 UTC
nss-3.17.3-2.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.