Should versions_defaults_stream change to disable older TLS versions by default?
Categories
(NSS :: Libraries, enhancement)
Tracking
(Not tracked)
People
(Reporter: glandium, Assigned: mt)
Details
(Whiteboard: [nss-nofx])
Attachments
(1 file)
Ubuntu is patching it to change the default range of TLS versions. https://bugs.launchpad.net/bugs/1856428
Should this be done to NSS itself?
|
Assignee | |
Comment 1•4 years ago
|
||
I would be supportive of that change (see also RFC8996), but we generally try to coordinate with RedHat on this sort of thing. We don't have the same sorts of constraints. Firefox doesn't use defaults, we explicitly set these.
So...Bob, I'm supportive of this, what about you?
I assume that you need some warning (this current release is due to go out Friday, so that is almost certainly "no"). How long would you need to make the necessary arrangements for RHEL backports and so forth? Would NSS 3.70 be unreasonable?
|
||
Comment 2•4 years ago
|
||
3.69 would be fine. We just rebased for ESV, so we won't be picking up a rhel version of nss anytime soon.
We now set those defaults by policy anyway, so we probably only need backports for rhel-7.x (which we already have because rhel-7 still has ssl3 on by default).
RHEL-8 policy is already tls 1.2 min in our default policy (which actually surprises me, I thought it was tls 1.0). So I'm sure we are tls 1.2 min in fedora, where sha1 is also turned off by policy for signatures and ssl.
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
|
Assignee | |
Comment 4•4 years ago
|
||
Well then. We should catch up then.
I've put up a patch for just that. I've included DTLS 1.0 as well, following IETF advice.
I'm running all.sh locally and then there is also https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=876925f6a0da Assuming that goes well, I'll make sure that this is in the Beta release planned for tomorrow.
|
|
Assignee | |
Comment 5•4 years ago
|
||
Description
•