Closed
Bug 316640
Opened 19 years ago
Closed 19 years ago
binary compatibility regression - fortezza cipher suites
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11
People
(Reporter: nelson, Assigned: nelson)
Attachments
(1 file)
patch, 6.73 KB (glenbeasley: review+)
We removed fortezza cipher suites from libSSL in NSS 3.11 (bug 239960).
Before doing that, we attempted to survey all NSS-based server products to
see if any still used the fortezza cipher suites, and we got only negative
responses (that is, all responses received said "no, we don't use them.").
But it turned out that some JSS-based server products do enable the fortezza
suites, and stop running if the attempts to enable those suites fail.
The developers of those products didn't respond to our survey because they
didn't think of themselves as being NSS users. :-( When those servers try
to use NSS 3.11, they fail. Their position is that this is a binary
compatibility regression, and must be fixed.
So, it appears that NSS 3.11 must continue to appear to succeed when it
is asked to enable the fortezza cipher suites, even if it does nothing
(does not actually enable them).
Comment 2 (Assignee) • 19 years ago
Glen, can we get the affected server team to test a build with this patch?
Attachment #203341 - Flags: review?(glen.beasley)
Comment 3 • 19 years ago
Comment on attachment 203341: patch v1
I tested your patch now
when JSS for:
SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
SSL3_FORTEZZA_DMS_WITH_NULL_SHA
SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA
SSL_CipherPrefSet
SSL_CipherPrefSetDefault
SSL_CipherPrefGet
SSL_CipherPrefSetDefault
all return SECSuccess
JSS does not call SSL_EnableCipher
SSL_CipherPolicyGet
SSL_CipherPolicySet
Attachment #203341 - Flags: review?(glen.beasley) → review+
Comment 4 (Assignee) • 19 years ago
Checking in sslsock.c;
/cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v <-- sslsock.c
new revision: 1.44; previous revision: 1.43
done
Marking fixed, but may reopen if servers are not satisfied.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
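
The behaviour requested in the description and confirmed in comment 3 (preference set/get calls return success for the removed suites while nothing is actually enabled), modelled as an added example; this is not the patch attached to the bug and not NSS code. The function names, the `sec_status` type, the preference table and the suite ID values are all assumptions of the sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Suite IDs used by this model (values assumed for the example). */
enum {
    FORTEZZA_NULL_SHA    = 0x001c,
    FORTEZZA_CBC_SHA     = 0x001d,
    FORTEZZA_RC4_128_SHA = 0x001e,
    RSA_3DES_EDE_CBC_SHA = 0x000a  /* stands in for any suite still implemented */
};
typedef enum { SEC_FAILURE = -1, SEC_SUCCESS = 0 } sec_status;

/* Hypothetical preference table: only suites the library can negotiate. */
static struct { int32_t id; bool enabled; } live_suites[] =
    { { RSA_3DES_EDE_CBC_SHA, false } };

/* Removed suites that the API must keep accepting for old callers. */
static bool is_removed_suite(int32_t id) {
    return id == FORTEZZA_NULL_SHA || id == FORTEZZA_CBC_SHA || id == FORTEZZA_RC4_128_SHA;
}

/* Stored flag for a live suite, or NULL when the suite is not implemented. */
static bool *find_live(int32_t id) {
    for (size_t i = 0; i < sizeof live_suites / sizeof live_suites[0]; i++)
        if (live_suites[i].id == id) return &live_suites[i].enabled;
    return NULL;
}

/* Setter: a removed suite is accepted, but nothing is stored for it. */
sec_status cipher_pref_set(int32_t id, bool enabled) {
    bool *flag = find_live(id);
    if (flag != NULL)
        *flag = enabled;
    else if (!is_removed_suite(id))
        return SEC_FAILURE;        /* unknown IDs still fail */
    return SEC_SUCCESS;
}

/* Getter: a removed suite always reads back as disabled. */
sec_status cipher_pref_get(int32_t id, bool *enabled) {
    bool *flag = find_live(id);
    if (flag == NULL && !is_removed_suite(id))
        return SEC_FAILURE;
    *enabled = (flag != NULL) && *flag;
    return SEC_SUCCESS;
}

/* Handshake view: only live, enabled suites would ever be offered. */
bool suite_offered(int32_t id) { bool *f = find_live(id); return f != NULL && *f; }
```

A caller that only checks the return code keeps running, while a caller that reads the preference back, or inspects what is offered, sees that the suite stays off.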