me
/
guix
Archived
1
0
Fork 0
Code

gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites. 

* gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.
master
Mark H Weaver 2016-02-06 01:33:16 -05:00
parent e7ad0d5862
commit 08cb746f08
3 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu-system.am
View File

@ -521,6 +521,7 @@ dist_patch_DATA = \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \

3
gnu/packages/gnuzilla.scm
View File

@ -288,7 +288,8 @@ standards.")
(base32
"0bd4k5cwr8ynscaxffvj2x3kgky3dmjq0qhpcb931l98bh0103lx"))
(patches (map search-patch
'("icecat-avoid-bundled-includes.patch")))
'("icecat-avoid-bundled-includes.patch"
"icecat-re-enable-DHE-cipher-suites.patch")))
(modules '((guix build utils)))
(snippet
'(begin

24
gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch 100644
View File

@ -0,0 +1,24 @@
Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
38.6.0 disabled by default to avoid the Logjam attack. This issue was
fixed in NSS version 3.19.1 by limiting the lower strength of supported
DHE keys to use 1023 bit primes, so we can enable these cipher suites
safely. The DHE cipher suites are needed to allow IceCat to connect to
many sites, including https://gnupg.org/.
Patch by Mark H Weaver <mhw@netris.org>
--- icecat-38.6.0/browser/app/profile/icecat.js.orig 1969-12-31 19:00:00.000000000 -0500
+++ icecat-38.6.0/browser/app/profile/icecat.js 2016-02-06 00:48:23.826170154 -0500
@@ -2061,12 +2061,6 @@
pref("security.ssl3.rsa_des_ede3_sha", false);
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-// https://directory.fsf.org/wiki/Disable_DHE
-// Avoid logjam attack
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
-pref("security.ssl3.dhe_dss_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
//Optional
//Perfect forward secrecy
// pref("security.ssl3.rsa_aes_256_sha", false);