We removed fortezza cipher suites from libSSL in NSS 3.11 (bug 239960). Before doing that, we attempted to survey all NSS-based server products to see if any still used the fortezza cipher suites, and we got only negative responses (that is, all responses received said "no, we don't use them.").

But it turned out that some JSS-based server products do enable the fortezza suites, and stop running if the attempts to enable those suites fail. The developers of those products didn't respond to our survey because they didn't think of themselves as being NSS users. :-(

When those servers try to use NSS 3.11, they fail. Their position is that this is a binary compatibility regression, and must be fixed. So, it appears that NSS 3.11 must continue to appear to succeed when it is asked to enable the fortezza cipher suites, even if it does nothing (does not actually enable them).
P1 for 3.11
Status: NEW → ASSIGNED
Priority: -- → P1
Created attachment 203341: patch v1

Glen, can we get the affected server team to test a build with this patch?
Attachment #203341 - Flags: review?(glen.beasley)
Comment on attachment 203341: patch v1

I tested your patch
now when JSS for:
SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
SSL3_FORTEZZA_DMS_WITH_NULL_SHA
SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA

SSL_CipherPrefSet
SSL_CipherPrefSetDefault
SSL_CipherPrefGet
SSL_CipherPrefSetDefault
all return SECSuccess

JSS does not call
SSL_EnableCipher
SSL_CipherPolicyGet
SSL_CipherPolicySet
Attachment #203341 - Flags: review?(glen.beasley) → review+
Checking in sslsock.c;
/cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v <-- sslsock.c
new revision: 1.44; previous revision: 1.43
done

Marking fixed, but may reopen if servers are not satisfied.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
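
The behaviour requested in the first comment (calls for removed suites report success without enabling anything, while unknown suites still fail) shown as an added C example; it is not the NSS patch from this bug. All `demo_*` names, status codes and suite numbers are constructed for illustration, and reporting a removed suite as disabled on a get is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical status codes and suite numbers, constructed for this example. */
typedef enum { DEMO_FAILURE = -1, DEMO_SUCCESS = 0 } demo_status;
enum { DEMO_FORTEZZA_NULL = 0x1c, DEMO_FORTEZZA_CBC = 0x1d,
       DEMO_FORTEZZA_RC4 = 0x1e, DEMO_RSA_AES128 = 0x2f };

/* Suites the library still implements, with their enabled flag. */
static struct { int suite; int enabled; } demo_table[] = {
    { DEMO_RSA_AES128, 0 },
};
#define DEMO_COUNT (sizeof demo_table / sizeof demo_table[0])

/* Suites that were removed but must still be accepted from old callers. */
static int demo_is_removed(int suite) {
    return suite == DEMO_FORTEZZA_NULL || suite == DEMO_FORTEZZA_CBC ||
           suite == DEMO_FORTEZZA_RC4;
}

/* Set: a removed suite succeeds as a no-op; an unknown suite still fails. */
demo_status demo_pref_set(int suite, int enabled) {
    size_t i;
    if (demo_is_removed(suite))
        return DEMO_SUCCESS;              /* accepted, nothing is enabled */
    for (i = 0; i < DEMO_COUNT; i++)
        if (demo_table[i].suite == suite) {
            demo_table[i].enabled = enabled ? 1 : 0;
            return DEMO_SUCCESS;
        }
    return DEMO_FAILURE;
}

/* Get: a removed suite succeeds and always reads back disabled (assumption). */
demo_status demo_pref_get(int suite, int *enabled) {
    size_t i;
    if (demo_is_removed(suite)) { *enabled = 0; return DEMO_SUCCESS; }
    for (i = 0; i < DEMO_COUNT; i++)
        if (demo_table[i].suite == suite) {
            *enabled = demo_table[i].enabled;
            return DEMO_SUCCESS;
        }
    return DEMO_FAILURE;
}

int main(void) {
    int on = -1;
    demo_status rv = demo_pref_set(DEMO_FORTEZZA_CBC, 1);
    demo_pref_get(DEMO_FORTEZZA_CBC, &on);
    printf("set status=%d, suite enabled afterwards=%d\n", rv, on);
    return 0;
}
```

A caller that needs to know whether a suite is really in effect has to read the preference back rather than trust the status of the set call.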