From e87238be07c583ee45edc28bba1692942116e85bbe0064f2c0eae703535db7a3 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Thu, 24 Sep 2015 09:37:13 +0000
Subject: [PATCH 1/3] Accepting request 333436 from Java:Factory Add blapi.h and algmac.h, in order to be able to build sunec.jar in java 7
OBS-URL: https://build.opensuse.org/request/show/333436
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=189
---
 mozilla-nss.changes | 6 ++++++
 mozilla-nss.spec | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 204398c..cc1ab5c 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 24 09:31:11 UTC 2015 - fstrba@suse.com
+
+- Install blapi.h and algmac.h that are needed in order to build
+ Sun elliptical curves provider in Java 7
+
 -------------------------------------------------------------------
 Wed Jun 24 12:45:09 UTC 2015 - meissner@suse.com
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index a6a5ec4..9c043fd 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -227,6 +227,11 @@ mkdir -p $RPM_BUILD_ROOT%{nssdbdir}
 pushd ../dist/Linux*
 # copy headers
 cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
+# copy some freebl include files we also want
+for file in blapi.h alghmac.h
+do
+ cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
 # copy dynamic libs
 cp -L lib/libnss3.so \
 lib/libnssdbm3.so \
From 371f571e08881b0b2dcbef1401014727adc270a0a198d007ce4a7fde4c5edf54 Mon Sep 17 00:00:00 2001
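Review bot: The new loop in the `%install` hunk of mozilla-nss.spec copies `blapi.h` and `alghmac.h` from `../private/nss` into the same `nss3` include directory as the public headers, and its comment (`# copy some freebl include files we also want`) does not say that these are private freebl interfaces. I would word it as `# private freebl headers, installed only so Java 7's sunec.jar can build; not a stable or supported API`, so other packages do not come to depend on them by accident. Whether the headers these two files include are themselves installed cannot be seen from this hunk and is worth checking. Two smaller points: the destination is written `$RPM_BUILD_ROOT/%{_includedir}/nss3` with an extra slash, unlike the `cp -rL` line above it, and the changelog entry and commit subject name the second header `algmac.h` while the loop installs `alghmac.h`. The `%install` section starts and ends outside the hunk.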
From: Wolfgang Rosenauer Date: Thu, 24 Sep 2015 10:20:12 +0000 Subject: [PATCH 2/3] - update to NSS 3.20 New functionality: * The TLS library has been extended to support DHE ciphersuites in server applications. New Functions: * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group parameters that can be used by NSS for a server socket. * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group parameters that are smaller than the library default's minimum size. New Types: * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in NSS that can be used with function SSL_DHEGroupPrefSet. New Macros: * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable DHE ciphersuites for a server socket. Notable Changes: * For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API. * The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bmo#1174677). * Support for the following ciphersuites has been added: - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites. * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=190 --- mozilla-nss.changes | 75 +++++++++++++++++++++++++++++++++++++++++++++ mozilla-nss.spec | 6 ++-- nss-3.19.2.tar.gz | 3 -- nss-3.20.tar.gz | 3 ++ 4 files changed, 81 insertions(+), 6 deletions(-) delete mode 100644 nss-3.19.2.tar.gz create mode 100644 nss-3.20.tar.gz 
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index cc1ab5c..11c3179 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.20
+ New functionality:
+ * The TLS library has been extended to support DHE ciphersuites in
+ server applications.
+ New Functions:
+ * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
+ parameters that can be used by NSS for a server socket.
+ * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
+ parameters that are smaller than the library default's minimum size.
+ New Types:
+ * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
+ NSS that can be used with function SSL_DHEGroupPrefSet.
+ New Macros:
+ * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
+ DHE ciphersuites for a server socket.
+ Notable Changes:
+ * For backwards compatibility reasons, the server side implementation
+ of the TLS library keeps all DHE ciphersuites disabled by default.
+ They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
+ and the SSL_OptionSet or the SSL_OptionSetDefault API.
+ * The server side implementation of the TLS implementation does not
+ support session tickets when using a DHE ciphersuite (see bmo#1174677).
+ * Support for the following ciphersuites has been added:
+ - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+ * By default, the server side TLS implementation will use DHE
+ parameters with a size of 2048 bits when using DHE ciphersuites.
+ * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
+ 8192 bits, which were copied from version 08 of the Internet-Draft
+ "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
+ TLS", Appendix A.
+ * A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
+ server application to select one or multiple of the embedded DHE
+ parameters as the preferred parameters. The current implementation of
+ NSS will always use the first entry in the array that is passed as a
+ parameter to the SSL_DHEGroupPrefSet API. In future versions of the
+ TLS implementation, a TLS client might signal a preference for
+ certain DHE parameters, and the NSS TLS server side implementation
+ might select a matching entry from the set of parameters that have
+ been configured as preferred on the server side.
+ * NSS optionally supports the use of weak DHE parameters with DHE
+ ciphersuites to support legacy clients. In order to enable this
+ support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
+ time this API is called for the first time in a process, a fresh set
+ of weak DHE parameters will be randomly created, which may take a
+ long amount of time. Please refer to the comments in the header file
+ that declares the SSL_EnableWeakDHEPrimeGroup API for additional
+ details.
+ * The size of the default PQG parameters used by certutil when
+ creating DSA keys has been increased to use 2048 bit parameters.
+ * The selfserv utility has been enhanced to support the new DHE features.
+ * NSS no longer supports C compilers that predate the ANSI C standard (C89).
+
+-------------------------------------------------------------------
+Thu Sep 24 09:38:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.19.3; certstore updates only
+ * The following CA certificates were removed
+ - Buypass Class 3 CA 1
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ - SG TRUST SERVICES RACINE
+ - TC TrustCenter Universal CA I
+ - TC TrustCenter Class 2 CA II
+ * The following CA certificate had the Websites trust bit turned off
+ - ComSign Secured CA
+ * The following CA certificates were added
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+ - Certinomis - Root CA
+ * The version number of the updated root CA list has been set to 2.5
+
 -------------------------------------------------------------------
 Thu Sep 24 09:31:11 UTC 2015 - fstrba@suse.com
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 9c043fd..15253e6 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.10.8
 BuildRequires: pkg-config
 BuildRequires: sqlite-devel
 BuildRequires: zlib-devel
-Version: 3.19.2
+Version: 3.20
 Release: 0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary: Network Security Services
 License: MPL-2.0
 Group: System/Libraries
 Url: http://www.mozilla.org/projects/security/pki/nss/
-Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.19.2/nss ; cd nss-3.19.2/nss ; hg up NSS_3_19_2_RTM
+Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.20/nss ; cd nss-3.20/nss ; hg up NSS_3_20_RTM
 #Source: nss-%{version}.tar.gz
 Source1: nss.pc.in
 Source3: nss-config.in
diff --git a/nss-3.19.2.tar.gz b/nss-3.19.2.tar.gz
deleted file mode 100644
index 5a60d73..0000000
--- a/nss-3.19.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae
-size 6953657
diff --git a/nss-3.20.tar.gz b/nss-3.20.tar.gz
new file mode 100644
index 0000000..62a9959
--- /dev/null
+++ b/nss-3.20.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c
+size 6955552
From 4453cedcca1aafbe064de2c15e43204ca25918cdb6651fb7aa71477ddfecb659 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Thu, 24 Sep 2015 17:37:48 +0000
Subject: [PATCH 3/3] Accepting request 333502 from Java:Factory Distribute libfreebl.a along other static libraries. It is needed for java 7 Sun Elliptical Curve Crypto provider
OBS-URL: https://build.opensuse.org/request/show/333502
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=191
---
 mozilla-nss.changes | 6 ++++++
 mozilla-nss.spec | 1 +
 2 files changed, 7 insertions(+)
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 11c3179..709e999 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 24 15:41:09 UTC 2015 - fstrba@suse.com
+
+- Install the static libfreebl.a that is needed in order to link
+ Sun elliptical curves provider in Java 7.
+
 -------------------------------------------------------------------
 Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 15253e6..7107996 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -251,6 +251,7 @@ cp -L lib/libfreebl3.so \
 # $RPM_BUILD_ROOT%{_libdir}
 # copy static libs
 cp -L lib/libcrmf.a \
+ lib/libfreebl.a \
 lib/libnssb.a \
 lib/libnssckfw.a \
 $RPM_BUILD_ROOT%{_libdir}
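Review bot: Adding `lib/libfreebl.a` to the static-library `cp -L` list in mozilla-nss.spec means anything that links it carries its own copy of the freebl crypto code, which a later NSS package update will not replace. I would extend the `# copy static libs` comment to record that, for example `# libfreebl.a is shipped only for the Java 7 SunEC provider; consumers linking it need a rebuild after NSS security updates`. The `%files` lists are not visible in this hunk, so it is worth confirming that the new archive lands in the intended devel/static subpackage rather than being picked up by a broad glob. The `%install` section begins and continues outside the hunk.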