Open Bug 1083767 Opened 10 years ago Updated 5 months ago

Disable SSL versions using environment variables

Categories: NSS :: Libraries, enhancement, P5
Version: 3.17.2
Type: enhancement
Tracking: (Not tracked)
People: Reporter: KaiE, Unassigned

Details

Many applications use hardcoded calls to configure the enabled SSL/TLS versions.

In emergency situations like POODLE, it might be helpful to have the ability to override the behaviour of legacy applications that cannot be changed immediately.

This suggests implementing support for a new environment variable, which could be used to disable given SSL protocol versions, regardless of application calls.

(E.g. NSS_SSL_DISABLE_PROTOCOLS="SSL3:TLS1.0")
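As an added example, not code from NSS or from this bug, the following C sketch shows how the override proposed above could be applied: the variable is parsed into a set of disabled versions and then used to shrink the contiguous min/max range a legacy application hands to SSL_VersionRangeSet(), before that call is honoured. The variable name and the colon-separated "SSL3:TLS1.0" syntax are taken from the proposal only (NSS never implemented them); the helper names parse_disabled_mask, apply_disabled, override_range and resolve are hypothetical; the numeric version codes are the values NSS defines as SSL_LIBRARY_VERSION_3_0 through SSL_LIBRARY_VERSION_TLS_1_3.

```c
/*
 * Added example, not NSS code: how an NSS_SSL_DISABLE_PROTOCOLS override
 * (proposed in comment 0, never implemented) could be applied to the
 * contiguous [min, max] range an application passes to SSL_VersionRangeSet().
 * Helper names are hypothetical; the version codes are the values NSS uses
 * for SSL_LIBRARY_VERSION_3_0 .. SSL_LIBRARY_VERSION_TLS_1_3.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t SSLVer;
#define VER_SSL3   0x0300
#define VER_TLS1_0 0x0301
#define VER_TLS1_1 0x0302
#define VER_TLS1_2 0x0303
#define VER_TLS1_3 0x0304
#define VER_NONE   0x0000

typedef struct { SSLVer min; SSLVer max; } VersionRange;

/* Map one token of the variable to a version code; VER_NONE if unknown. */
static SSLVer parse_version_token(const char *tok) {
    static const struct { const char *name; SSLVer v; } table[] = {
        { "SSL3", VER_SSL3 },     { "TLS1.0", VER_TLS1_0 }, { "TLS1.1", VER_TLS1_1 },
        { "TLS1.2", VER_TLS1_2 }, { "TLS1.3", VER_TLS1_3 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(tok, table[i].name) == 0) return table[i].v;
    return VER_NONE;
}

/* Parse "SSL3:TLS1.0" into a bitmask over the five versions (bit 0 = SSL3).
 * An unknown token is an error (-1), not silently skipped: a typo in an
 * emergency setting must not leave the weak version enabled unnoticed. */
static int parse_disabled_mask(const char *spec, unsigned *mask) {
    char buf[128];
    *mask = 0;
    if (spec == NULL || *spec == '\0') return 0;      /* unset: no override */
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        SSLVer v = parse_version_token(tok);
        if (v == VER_NONE) return -1;
        *mask |= 1u << (v - VER_SSL3);
    }
    return 0;
}

static int is_disabled(unsigned mask, SSLVer v) {
    return (mask >> (v - VER_SSL3)) & 1u;
}

/* Shrink the requested range to its highest run of still-enabled versions.
 * NSS only expresses a contiguous [min, max], so a disabled version in the
 * middle of the range (e.g. "TLS1.1" against TLS1.0..TLS1.2) cannot be
 * punched out as a hole; keeping the newer versions is the safe direction.
 * Returns 1 if something remains, 0 if the policy leaves nothing to offer. */
static int apply_disabled(VersionRange *r, unsigned mask) {
    SSLVer hi = r->max;
    while (hi >= r->min && is_disabled(mask, hi)) hi--;    /* lower the ceiling */
    if (hi < r->min) return 0;
    SSLVer lo = hi;
    while (lo > r->min && !is_disabled(mask, lo - 1)) lo--; /* extend downwards */
    r->min = lo;
    r->max = hi;
    return 1;
}

/* What a hooked SSL_VersionRangeSet() would do before honouring the call:
 * -1 = malformed override or range (refuse), 0 = empty range, 1 = adjusted. */
static int override_range(const char *env_spec, VersionRange *req) {
    unsigned mask;
    if (req->min < VER_SSL3 || req->max > VER_TLS1_3 || req->min > req->max) return -1;
    if (parse_disabled_mask(env_spec, &mask) != 0) return -1;
    return apply_disabled(req, mask);
}

/* Packed outcome for checking: (min << 16 | max), 0 if empty, -1 if rejected. */
static long resolve(const char *spec, SSLVer min, SSLVer max) {
    VersionRange r = { min, max };
    int rc = override_range(spec, &r);
    if (rc <= 0) return rc;
    return ((long)r.min << 16) | r.max;
}

int main(void) {
    /* Constructed scenario: a legacy app hardcodes SSL3..TLS1.2 during POODLE
     * and the operator exports NSS_SSL_DISABLE_PROTOCOLS="SSL3:TLS1.0". */
    VersionRange r = { VER_SSL3, VER_TLS1_2 };
    int rc = override_range(getenv("NSS_SSL_DISABLE_PROTOCOLS"), &r);
    if (rc < 0) { fprintf(stderr, "bad NSS_SSL_DISABLE_PROTOCOLS\n"); return 1; }
    if (rc == 0) { fprintf(stderr, "override disables every requested version\n"); return 1; }
    printf("effective range: 0x%04x..0x%04x\n", r.min, r.max);
    return 0;
}
```

Two points a deployment of such an override would have to settle are visible here: because NSS models a contiguous range, a disabled version in the middle of the requested range shrinks the range to the versions above it rather than punching a hole, and an override that removes every requested version has to be reported as an error rather than quietly falling back to the application's original call. A misspelled token is likewise rejected instead of ignored, since treating "SSLv3" as a no-op would leave SSL 3.0 enabled in exactly the emergency the variable is meant for.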

(In reply to Kai Engert (:kaie) from comment #0)
> Many applications use hardcoded calls to configure the enabled SSL/TLS
> versions.
> 
> In emergency situations like POODLE, it might be helpful to have the ability
> to override the behaviour of legacy applications that cannot be changed
> immediately.
> 
> This suggests implementing support for a new environment variable, which
> could be used to disable given SSL protocol versions, regardless of
> application calls.
> 
> (E.g. NSS_SSL_DISABLE_PROTOCOLS="SSL3:TLS1.0")

Might there be a way to coordinate this with other TLS libraries (most notably OpenSSL), so that users of clients of multiple libraries won't have to waste their environment space on environment-based configurations for every library their software installations use?

This happens to be a global emergency across all library vendors, not limited solely to NSS.

Kai, is this now superseded by the work that Nikos did on implementing system-wide policies?
Flags: needinfo?(kaie)
(In reply to Martin Thomson [:mt:] from comment #2)
> Kai, is this now superseded by the work that Nikos did on implementing
> system-wide policies?

On Fedora Linux, the answer is yes, because I can see that the policy rules include a rule to define the minimum version of TLS allowed.

The remaining question is, is anyone interested in a more general solution, that would work in all environments where NSS might be used?
Flags: needinfo?(kaie)
Severity: normal → S3
Severity: S3 → S4
Type: defect → enhancement
Priority: -- → P5

As I understand it, we don't have a general solution for this yet.
I don't mind a wontfix, if it's unlikely that someone of the NSS team will work on it.
