Bug 994599 - nss: should enable TLS 1.2 by default
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nss
Version: 19
Assigned To: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-07 11:03 EDT by Florian Weimer
Modified: 2015-01-07 18:54 EST (History)
Fixed In Version: nss-3.17.3-2.fc20
Doc Type: Bug Fix
Last Closed: 2014-12-14 23:30:36 EST
Type: Bug
Description Florian Weimer 2013-08-07 11:03:32 EDT
With nss-3.15.1-2.fc19.x86_64 and curl-7.29.0-7.fc19.x86_64, I get this:

$ curl https://cc.dcsec.uni-hannover.de/ | grep -o 'Version.*</div>'
Version: </div><div class='span8'>3.1 </div></div><div class='row'><div class='span2'>Ciphers: </div><div class='span8'>ff,39,6b,38,35,3d,33,67,32,05,04,2f,3c,16,13,0a </div></div><div class='row'><div class='span2'>Extensions: </div><div class='span8'>0000 </div></div><div class='row'><div class='span2'>Remote Time: </div><div class='span8'>Wed, 07 Aug 2013 16:57:47</div></div>
$

That is, the connection uses TLS 1.0 ("SSL 3.1").  Also verified with Wireshark.

Curl doesn't know anything about TLS 1.2, and shouldn't have to.  If we don't change the default in NSS, we will have to patch all NSS-using applications and libraries, which is quite a big task.
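Added example, not code from the bug report or from NSS: a small Python check in the spirit of the description's curl test. It parses the "Version" field from scanner output like the one quoted above, maps the record-layer version ("3.1" = TLS 1.0) to a protocol name, evaluates it against a TLS 1.2 minimum, and includes a live helper built on Python's stdlib ssl module that reports what a client stack negotiates with its default settings. The scanner HTML in the block is a constructed sample modelled on the quoted output.

```python
import re
import socket
import ssl

# Record-layer version (major.minor) -> protocol name, oldest first.
# "3.1" is what the scanner in the description reports for a TLS 1.0 handshake.
RECORD_VERSION_NAMES = {
    "2.0": "SSLv2",
    "3.0": "SSLv3",
    "3.1": "TLSv1.0",
    "3.2": "TLSv1.1",
    "3.3": "TLSv1.2",
    "3.4": "TLSv1.3",
}

# Constructed sample, modelled on the scanner output quoted in the description.
SAMPLE_HTML = (
    "<div class='span2'>Version: </div><div class='span8'>3.1 </div></div>"
    "<div class='row'><div class='span2'>Ciphers: </div>"
    "<div class='span8'>ff,39,6b,38,35,3d,33,67,32,05,04,2f,3c,16,13,0a </div></div>"
)


def parse_scanner_version(html: str) -> str:
    """Extract the 'Version:' value from the scanner's HTML and name the protocol."""
    m = re.search(r"Version: </div><div class='span8'>\s*(\d+\.\d+)", html)
    if not m:
        raise ValueError("no Version field in scanner output")
    return RECORD_VERSION_NAMES.get(m.group(1), "unknown (%s)" % m.group(1))


def meets_minimum(name: str, minimum: str = "TLSv1.2") -> bool:
    """True if the negotiated protocol is at least `minimum` (dict order = age order)."""
    order = list(RECORD_VERSION_NAMES.values())
    return name in order and order.index(name) >= order.index(minimum)


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network, not exercised offline): what this client stack
    negotiates with `host` using the stdlib's *default* context. The context is
    deliberately left at defaults, because the default policy is what this bug is about."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"
```

Run `negotiated_version("example.com")` (hostname is a placeholder) to compare a stack's real behaviour with the "3.1" the description observed.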
Comment 1 Kamil Dudka 2013-12-02 10:35:59 EST
curl provides an option to enable TLS 1.2 since curl-7.33.0-2.fc21.
Comment 2 Frederik Holden 2014-10-14 15:24:02 EDT
Any update on this? Mozilla's recommended server side SSL/TLS configuration (https://wiki.mozilla.org/Security/Server_Side_TLS) for servers that only care about compatibility with modern clients is to disable TLSv1.0. It would be nice if curl and programs using libcurl on Fedora would be able to be counted among those modern clients.
Comment 3 Kamil Dudka 2014-10-14 16:22:05 EDT
(In reply to Frederik Holden from comment #2)
> Any update on this?

I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.
Comment 4 Frederik Holden 2014-10-15 02:20:28 EDT
(In reply to Kamil Dudka from comment #3)
> (In reply to Frederik Holden from comment #2)
> > Any update on this?
> 
> I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Confirmed. More things than cURL use NSS though, so this is still a relevant bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one has to update outside the repos to get this fix in F20.
Comment 5 Kamil Dudka 2014-10-15 03:03:15 EDT
(In reply to Frederik Holden from comment #4)
> Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

You will get the fix (or rather an enhancement?) once you update to Fedora 21 because I prefer not to change the default behavior during the lifetime of a stable Fedora release.
Comment 6 Frederik Holden 2014-10-15 03:11:54 EDT
(In reply to Kamil Dudka from comment #5)
> (In reply to Frederik Holden from comment #4)
> > Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> > has to update outside the repos to get this fix in F20.
> 
> You will get the fix (or rather an enhancement?) once you update to Fedora
> 21 because I prefer not to change the default behavior during the lifetime
> of a stable Fedora release.

Fair enough. Can the default be changed in NSS as well, so other programs using NSS can use TLSv1.1 and TLSv1.2 without having to explicitly enable it?
Comment 7 Bob Relyea 2014-10-15 14:56:35 EDT
I think this can be done in Fedora. We can't do it in RHEL because there are still a boatload of devices out there that are TLS intolerant.
Comment 8 Kamil Dudka 2014-12-04 08:07:47 EST
(In reply to Frederik Holden from comment #4)
> Confirmed. More things than cURL use NSS though, so this is still a relevant
> bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment #3
Comment 9 Frederik Holden 2014-12-04 09:16:49 EST
(In reply to Kamil Dudka from comment #8)
> F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment
> #3

Just tested it now. Confirmed that TLS 1.2 support is enabled by default in cURL on F20. Very nice, thanks.
Comment 10 Fedora Update System 2014-12-07 19:37:50 EST
nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21
Comment 11 Fedora Update System 2014-12-08 18:07:40 EST
nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
Comment 12 Fedora Update System 2014-12-11 15:18:57 EST
nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19
Comment 13 Fedora Update System 2014-12-11 23:05:36 EST
Package nss-3.17.3-1.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.3-1.fc20 nss-util-3.17.3-1.fc20 nss-softokn-3.17.3-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16530/nss-util-3.17.3-1.fc20,nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2014-12-14 23:30:36 EST
nss-util-3.17.3-1.fc21, nss-3.17.3-1.fc21, nss-softokn-3.17.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-01-07 18:54:41 EST
nss-3.17.3-2.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.