994599 – nss: should enable TLS 1.2 by default

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 994599 - nss: should enable TLS 1.2 by default

Summary: nss: should enable TLS 1.2 by default

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nss
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-07 15:03 UTC by Florian Weimer
Modified:	2015-01-07 23:54 UTC (History)
CC List:	9 users (show)
Fixed In Version:	nss-3.17.3-2.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-12-15 04:30:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1012136	1	None	None	None	2021-01-20 06:05:38 UTC
Red Hat Bugzilla	1161894	1	None	None	None	2022-05-16 11:32:56 UTC
Red Hat Bugzilla	1162746	1	None	None	None	2022-05-16 11:32:56 UTC

Internal Links: 1161894 1162746

Description Florian Weimer 2013-08-07 15:03:32 UTC

With nss-3.15.1-2.fc19.x86_64 and curl-7.29.0-7.fc19.x86_64, I get this:

$ curl https://cc.dcsec.uni-hannover.de/ | grep -o 'Version.*</div>'
Version: </div><div class='span8'>3.1 </div></div><div class='row'><div class='span2'>Ciphers: </div><div class='span8'>ff,39,6b,38,35,3d,33,67,32,05,04,2f,3c,16,13,0a </div></div><div class='row'><div class='span2'>Extensions: </div><div class='span8'>0000 </div></div><div class='row'><div class='span2'>Remote Time: </div><div class='span8'>Wed, 07 Aug 2013 16:57:47</div></div>
$

That is, the connection uses TLS 1.0 ("SSL 3.1").  Also verified with Wireshark.

Curl doesn't know anything about TLS 1.2, and shouldn't have to.  If we don't change the default in NSS, we will have to patch all NSS-using applications and libraries, which is quite a big task.

Comment 1 Kamil Dudka 2013-12-02 15:35:59 UTC

curl provides an option to enable TLS 1.2 since curl-7.33.0-2.fc21

Comment 2 Frederik Holden 2014-10-14 19:24:02 UTC

Any update on this? Mozilla's recommended server side SSL/TLS configuration (https://wiki.mozilla.org/Security/Server_Side_TLS) for servers that only care about compatibility with modern clients is to disable TLSv1.0. It would be nice if curl and programs using libcurl on Fedora would be able to be counted among those modern clients.

Comment 3 Kamil Dudka 2014-10-14 20:22:05 UTC

(In reply to Frederik Holden from comment #2)
> Any update on this?

I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Comment 4 Frederik Holden 2014-10-15 06:20:28 UTC

(In reply to Kamil Dudka from comment #3)
> (In reply to Frederik Holden from comment #2)
> > Any update on this?
> 
> I believe that curl-7.37.0-7.fc21 uses TLS 1.2 by default.

Confirmed. More things than cURL use NSS though, so this is still a relevant bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one has to update outside the repos to get this fix in F20.

Comment 5 Kamil Dudka 2014-10-15 07:03:15 UTC

(In reply to Frederik Holden from comment #4)
> Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

You will get the fix (or rather an enhancement?) once you update to Fedora 21 because I prefer not to change the default behavior during the lifetime of a stable Fedora release.

Comment 6 Frederik Holden 2014-10-15 07:11:54 UTC

(In reply to Kamil Dudka from comment #5)
> (In reply to Frederik Holden from comment #4)
> > Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> > has to update outside the repos to get this fix in F20.
> 
> You will get the fix (or rather an enhancement?) once you update to Fedora
> 21 because I prefer not to change the default behavior during the lifetime
> of a stable Fedora release.

Fair enough. Can the default be changed in NSS as well, so other programs using NSS can use TLSv1.1 and TLSv1.2 without having to explicitly enable it?

Comment 7 Bob Relyea 2014-10-15 18:56:35 UTC

I think this can be done in Fedora. We can't do it in RHEL because there are still a boatload of devices out there that are TLS intolerant.

Comment 8 Kamil Dudka 2014-12-04 13:07:47 UTC

(In reply to Frederik Holden from comment #4)
> Confirmed. More things than cURL use NSS though, so this is still a relevant
> bug. Also, this was fixed in cURL 7.34.0, and F20 only has 7.32.0, so one
> has to update outside the repos to get this fix in F20.

F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment #3

Comment 9 Frederik Holden 2014-12-04 14:16:49 UTC

(In reply to Kamil Dudka from comment #8)
> F20 libcurl now enables TLS 1.2 by default, too -- see bug #1153814 comment
> #3

Just tested it now. Confirmed that TLS 1.2 support is enabled by default in cURL on F20. Very nice, thanks.

Comment 10 Fedora Update System 2014-12-08 00:37:50 UTC

nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc21,nss-softokn-3.17.3-1.fc21

Comment 11 Fedora Update System 2014-12-08 23:07:40 UTC

nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20

Comment 12 Fedora Update System 2014-12-11 20:18:57 UTC

nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-3.17.3-1.fc19,nss-softokn-3.17.3-1.fc19

Comment 13 Fedora Update System 2014-12-12 04:05:36 UTC

Package nss-3.17.3-1.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.17.3-1.fc20 nss-util-3.17.3-1.fc20 nss-softokn-3.17.3-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16530/nss-util-3.17.3-1.fc20,nss-3.17.3-1.fc20,nss-softokn-3.17.3-1.fc20
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2014-12-15 04:30:36 UTC

nss-util-3.17.3-1.fc21, nss-3.17.3-1.fc21, nss-softokn-3.17.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-01-07 23:54:41 UTC

nss-3.17.3-2.fc20, nss-util-3.17.3-1.fc20, nss-softokn-3.17.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.