Bug 6174 - [UPDATE REQUEST] nss 3.20
: [UPDATE REQUEST] nss 3.20
Status: RESOLVED DUPLICATE of bug 6202
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-14 18:02 MSD by Zombie Ryushu
Modified: 2015-09-28 17:29 MSD (History)
2 users (show)

See Also:
RPM Package: nss
ISO-related:
Bad POT generating:
Upstream:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Zombie Ryushu 2015-09-14 18:02:24 MSD
The TLS library has been extended to support DHE ciphersuites in server applications.
    For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API.
    The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bug 1174677).
    Support for the following ciphersuites has been added:
        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites.
    NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS", Appendix A.
    A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a server application to select one or multiple of the embedded DHE parameters as the preferred parameters. The current implementation of NSS will always use the first entry in the array that is passed as a parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS client might signal a preference for certain DHE parameters, and the NSS TLS server side implementation might select a matching entry from the set of parameters that have been configured as preferred on the server side.
    NSS optionally supports the use of weak DHE parameters with DHE ciphersuites to support legacy clients. In order to enable this support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each time this API is called for the first time in a process, a fresh set of weak DHE parameters will be randomly created, which may take a long amount of time. Please refer to the comments in the header file that declares the SSL_EnableWeakDHEPrimeGroup API for additional details.
    The size of the default PQG parameters used by certutil when creating DSA keys has been increased to use 2048 bit parameters.
    The selfserv utility has been enhanced to support the new DHE features.
    NSS no longer supports C compilers that predate the ANSI C standard (C89).

A Number of Bugs have been resolved since 3.19.
Comment 1 Denis Silakov 2015-09-28 17:29:12 MSD

*** This bug has been marked as a duplicate of bug 6202 ***