guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites

From: Mark H. Weaver
Subject: 01/01: gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.
Date: Sat, 06 Feb 2016 13:48:30 +0000 
mhw pushed a commit to branch master
in repository guix.

commit 08cb746f08c679a95047f1ee0d1fb70915b10f96
Author: Mark H Weaver <address@hidden>
Date:   Sat Feb 6 01:33:16 2016 -0500

    gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.
    
    * gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file.
    * gnu-system.am (dist_patch_DATA): Add it.
    * gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.
---
 gnu-system.am                                      |    1 +
 gnu/packages/gnuzilla.scm                          |    3 +-
 .../icecat-re-enable-DHE-cipher-suites.patch       |   24 ++++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index 749814d..f13ba05 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -521,6 +521,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/hydra-automake-1.15.patch               \
   gnu/packages/patches/hydra-disable-darcs-test.patch          \
   gnu/packages/patches/icecat-avoid-bundled-includes.patch     \
+  gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch        \
   gnu/packages/patches/icu4c-CVE-2014-6585.patch               \
   gnu/packages/patches/icu4c-CVE-2015-1270.patch               \
   gnu/packages/patches/icu4c-CVE-2015-4760.patch               \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 7978ca6..2ddad9a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -288,7 +288,8 @@ standards.")
        (base32
         "0bd4k5cwr8ynscaxffvj2x3kgky3dmjq0qhpcb931l98bh0103lx"))
       (patches (map search-patch
-                    '("icecat-avoid-bundled-includes.patch")))
+                    '("icecat-avoid-bundled-includes.patch"
+                      "icecat-re-enable-DHE-cipher-suites.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch 
b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
new file mode 100644
index 0000000..5c869bf
--- /dev/null
+++ b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
@@ -0,0 +1,24 @@
+Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
+38.6.0 disabled by default to avoid the Logjam attack.  This issue was
+fixed in NSS version 3.19.1 by limiting the lower strength of supported
+DHE keys to use 1023 bit primes, so we can enable these cipher suites
+safely.  The DHE cipher suites are needed to allow IceCat to connect to
+many sites, including https://gnupg.org/.
+
+Patch by Mark H Weaver <address@hidden>
+
+--- icecat-38.6.0/browser/app/profile/icecat.js.orig   1969-12-31 
19:00:00.000000000 -0500
++++ icecat-38.6.0/browser/app/profile/icecat.js        2016-02-06 
00:48:23.826170154 -0500
+@@ -2061,12 +2061,6 @@
+ pref("security.ssl3.rsa_des_ede3_sha", false);
+ pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+ pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+-// https://directory.fsf.org/wiki/Disable_DHE
+-// Avoid logjam attack
+-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+-pref("security.ssl3.dhe_dss_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+ //Optional
+ //Perfect forward secrecy
+ // pref("security.ssl3.rsa_aes_256_sha", false);
reply via email to
[Prev in Thread] Current Thread [Next in Thread]