Blame SOURCES/nss-fips-disable-tls13.patch

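--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -2382,16 +2382,26 @@ ssl3_CreateOverlapWithPolicy(SSLProtocol
     rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
                                         &effectivePolicyBoundary);
     if (rv == SECFailure) {
         /* SECFailure means internal failure or invalid configuration. */
         overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
         return SECFailure;
     }
 
+    /* TODO: TLSv1.3 doesn't work yet under FIPS mode */
+    if (PK11_IsFIPS()) {
+        if (effectivePolicyBoundary.min >= SSL_LIBRARY_VERSION_TLS_1_3) {
+            effectivePolicyBoundary.min = SSL_LIBRARY_VERSION_TLS_1_2;
+        }
+        if (effectivePolicyBoundary.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+            effectivePolicyBoundary.max = SSL_LIBRARY_VERSION_TLS_1_2;
+        }
+    }
+
     vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
     vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
 
     if (vrange.max < vrange.min) {
         /* there was no overlap, turn off range altogether */
         overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
         return SECFailure;
     }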
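Review bot: The `min` clamp inside the `PK11_IsFIPS()` block lowers a policy floor of TLS 1.3 to TLS 1.2, so a system policy that requires TLS 1.3 only is silently relaxed in FIPS mode instead of being rejected. Capping only `effectivePolicyBoundary.max` would leave such a policy with min above max, and the existing `vrange.max < vrange.min` check below would then return SECFailure with the range turned off, which fails closed. If the relaxation is intended, the comment should say so, e.g. `/* FIPS: TLS 1.3 unavailable; a 1.3-only policy floor is deliberately lowered to 1.2 */`. The TODO also names no condition or tracking reference for removing the cap. ssl3_CreateOverlapWithPolicy starts before and continues after this hunk, so how callers treat the resulting range is not visible here.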