authorNatanael Copa <ncopa@alpinelinux.org>2015-09-18 16:28:35 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2015-09-21 08:48:41 +0200
commit96a0e131c0656c99dc687d701f239c8d4c03108a (patch)
tree2a911ab207dd5eadc2fcb318be9d66a793716ad0
parentb0305487eec1d11beb7351a04e97fb16421ff807 (diff)
downloadaports-96a0e131c0656c99dc687d701f239c8d4c03108a.tar.bz2
aports-96a0e131c0656c99dc687d701f239c8d4c03108a.tar.xz
main/nss: enable ECC cipher-suites by default
-rw-r--r--main/nss/APKBUILD12
-rw-r--r--main/nss/rhbz1185708-enable-ecc-ciphers-by-default.patch43
2 files changed, 51 insertions, 4 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index 05bdc30748..77e7246be5 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -3,7 +3,7 @@
pkgname=nss
pkgver=3.19.2
_ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
pkgdesc="Mozilla Network Security Services"
url="http://www.mozilla.org/projects/security/pki/nss/"
arch="all"
@@ -17,6 +17,7 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
add_spi+cacert_ca_certs.patch
ssl-renegotiate-transitional.patch
fix-cdefs_h.patch
+ rhbz1185708-enable-ecc-ciphers-by-default.patch
"
depends_dev="nspr-dev"
@@ -145,16 +146,19 @@ c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
981e0df9e9cb7a9426b316f68911fb17 add_spi+cacert_ca_certs.patch
2412ff2e97b3ec452cb016f2506a0e08 ssl-renegotiate-transitional.patch
-1f83bc41ffe34190bcc27d146c479772 fix-cdefs_h.patch"
+1f83bc41ffe34190bcc27d146c479772 fix-cdefs_h.patch
+582b4b93aa8eacc7755b0b87ebf8515f rhbz1185708-enable-ecc-ciphers-by-default.patch"
sha256sums="1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae nss-3.19.2.tar.gz
b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd nss.pc.in
e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9 nss-config.in
592aa85184c5edb076c3355f85e50373a59dfcd06a4f4a79621f43df19404c1e add_spi+cacert_ca_certs.patch
1a49be9d7f835be737825252f50e4ee2869228eb303a087dde7fb81794b92ebd ssl-renegotiate-transitional.patch
-41866089e3d085f05bc4a7e337f2f5740da4eef9021366a450a8fd111f24975c fix-cdefs_h.patch"
+41866089e3d085f05bc4a7e337f2f5740da4eef9021366a450a8fd111f24975c fix-cdefs_h.patch
+655bacc53516469b64b8378aad0e21d91f71340872be610fe685df87cd0c9a89 rhbz1185708-enable-ecc-ciphers-by-default.patch"
sha512sums="d3c45010f8dace58f9da9efe0f9792f8b8a69384e100663f33c949685cdd1ce70e5131f279bc82336622841c41dbc0a4d70a7cc6839a1782dbe8b3c3fd8bc59d nss-3.19.2.tar.gz
75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in
6e04556858499aec465d6670818465327ba2cb099061c2afee4b5cac8aa61938e0095906acfb38df6a1b70a6bde6dd69f08bb4c00a9d188e4cb3131b26c1bc16 add_spi+cacert_ca_certs.patch
c21a82247d87d74cb27575efc517a6771476320ce412cd444e83d0782e29f82552676247da093518b07d3eb7dc67c53cd1901ee8d6f59b342d02e47784c39192 ssl-renegotiate-transitional.patch
-54080ed5e66185bfb9fae6518b8f898213a00a2803900ee13a958664a7e60aee60b51f0c27176344ebf49e9c671f1f62f56280ab9e8c7f206c5df143c3a7d24c fix-cdefs_h.patch"
+54080ed5e66185bfb9fae6518b8f898213a00a2803900ee13a958664a7e60aee60b51f0c27176344ebf49e9c671f1f62f56280ab9e8c7f206c5df143c3a7d24c fix-cdefs_h.patch
+01c4cf2bf55c9415648aa1b09686bd98c1c61095b48c25047afaf9fe3e00a814fd77a80266da758accc2bfaf3f47db3c0f3e0a268af0ac8500f0809c9f386840 rhbz1185708-enable-ecc-ciphers-by-default.patch"
diff --git a/main/nss/rhbz1185708-enable-ecc-ciphers-by-default.patch b/main/nss/rhbz1185708-enable-ecc-ciphers-by-default.patch
new file mode 100644
index 0000000000..aaa524ddaf
--- /dev/null
+++ b/main/nss/rhbz1185708-enable-ecc-ciphers-by-default.patch
@@ -0,0 +1,43 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -85,29 +85,29 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
+ *
+ * Important: See bug 946147 before enabling, reordering, or adding any cipher
+ * suites to this list.
+ */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+ * bug 946147.
+ */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
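Review bot: The two 3DES rows at the end of the ECC block are switched to enabled-by-default together with the AES suites, while the RC4 rows directly below them stay at `PR_FALSE`. 3DES is a 64-bit-block cipher usually kept only as a legacy fallback, so I would leave `{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},` and `{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},` unless a consumer is known to need them; none is visible on this page, and the non-ECC 3DES rows are outside the hunk. The context comment asks to consult bug 946147 before enabling any suite in this table, but the new patch file has no header saying that was checked or where the patch came from. A short description at the top of the patch naming its origin (the rhbz number already in the filename) and the reason for each enabled group would cover that. The `cipherSuites` array continues past the end of the hunk.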