Bug 994599
| Summary: | nss: should enable TLS 1.2 by default | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | cloos, emaldona, frh+fedora, hannsj_uhl, kdudka, kengert, knweiss, michael.monreal+bugs, rrelyea |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nss-3.17.3-2.fc20 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-15 04:30:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Florian Weimer
2013-08-07 15:03:32 UTC
curl provides an option to enable TLS 1.2 since curl-7.33.0-2.fc21

Any update on this? Mozilla's recommended server side SSL/TLS configuration (https://wiki.mozilla.org/Security/Server_Side_TLS) for servers that only care about compatibility with modern clients is to disable TLSv1.0. It would be nice if curl and programs using libcurl on Fedora would be able to be counted among those modern clients.

(In reply to Frederik Holden from comment #2)
> Any update on this?

I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

(In reply to Kamil Dudka from comment #3)
> (In reply to Frederik Holden from comment #2)
> > Any update on this?
>
> I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Confirmed. More things than cURL use NSS though, so this is still a relevant bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one has to update outside the repos to get this fix in F20.

(In reply to Frederik Holden from comment #4)
> Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

You will get the fix (or rather an enhancement?) once you update to Fedora 21 because I prefer not to change the default behavior during the lifetime of a stable Fedora release.

(In reply to Kamil Dudka from comment #5)
> (In reply to Frederik Holden from comment #4)
> > Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> > has to update outside the repos to get this fix in F20.
>
> You will get the fix (or rather an enhancement?) once you update to Fedora
> 21 because I prefer not to change the default behavior during the lifetime
> of a stable Fedora release.

Fair enough. Can the default be changed in NSS as well, so other programs using NSS can use TLSv1.1 and TLSv1.2 without having to explicitly enable it?

I think this can be done in Fedora. We can't do it in RHEL because there are still a boatload of devices out there that are TLS intolerant.

(In reply to Frederik Holden from comment #4)
> Confirmed. More things than cURL use NSS though, so this is still a relevant
> bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment #3

(In reply to Kamil Dudka from comment #8)
> F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment
> #3

Just tested it now. Confirmed that TLS 1.2 support is enabled by default in cURL on F20. Very nice, thanks.

nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21

nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20

nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19

Package nss-3.17.3-1.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.3-1.fc20 nss-util-3.17.3-1.fc20 nss-softokn-3.17.3-1.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16530/nss-util-3.17.3-1.fc20,nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
then log in and leave karma (feedback).

nss-util-3.17.3-1.fc21, nss-3.17.3-1.fc21, nss-softokn-3.17.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

nss-3.17.3-2.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.