diff --git a/bug-834091.patch b/bug-834091.patch
deleted file mode 100644
index 9243829..0000000
--- a/bug-834091.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -Index: security/nss/lib/pkcs7/p7decode.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v -retrieving revision 1.31 -diff -u -8 -p -r1.31 p7decode.c ---- security/nss/lib/pkcs7/p7decode.c 12 Dec 2012 19:25:36 -0000 1.31 -+++ security/nss/lib/pkcs7/p7decode.c 25 Jan 2013 23:22:54 -0000 -@@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten - * there should be NO authenticatedAttributes (signerinfo->authAttr should - * be NULL). - */ - static PRBool - sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo, - SECCertUsage certusage, - const SECItem *detached_digest, - HASH_HashType digest_type, -- PRBool keepcerts) -+ PRBool keepcerts, -+ PRTime atTime) - { - SECAlgorithmID **digestalgs, *bulkid; - const SECItem *digest; - SECItem **digests; - SECItem **rawcerts; - CERTSignedCrl **crls; - SEC_PKCS7SignerInfo **signerinfos, *signerinfo; - CERTCertificate *cert, **certs; -@@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont - CERTCertDBHandle *certdb, *defaultdb; - SECOidTag encTag,digestTag; - HASH_HashType found_type; - int i, certcount; - SECKEYPublicKey *publickey; - SECItem *content_type; - PK11SymKey *sigkey; - SECItem *encoded_stime; -- int64 stime; -+ PRTime stime; -+ PRTime verificationTime; - SECStatus rv; - - /* - * Everything needed in order to "goto done" safely. - */ - goodsig = PR_FALSE; - certcount = 0; - cert = NULL; -@@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont - /* - * XXX This uses the signing time, if available. Additionally, we - * might want to, if there is no signing time, get the message time - * from the mail header itself, and use that. That would require - * a change to our interface though, and for S/MIME callers to pass - * in a time (and for non-S/MIME callers to pass in nothing, or - * maybe make them pass in the current time, always?). - */ -+ verificationTime = atTime ? 
atTime -+ : (encoded_stime ? stime : PR_Now()); - if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, -- encoded_stime != NULL ? stime : PR_Now(), -+ verificationTime, - cinfo->pwfn_arg, NULL) != SECSuccess) - { - /* - * XXX Give the user an option to check the signature anyway? - * If we want to do this, need to give a way to leave and display - * some dialog and get the answer and come back through (or do - * the rest of what we do below elsewhere, maybe by putting it - * in a function that we call below and could call from a dialog -@@ -1752,17 +1756,17 @@ done: - * into our local database. - */ - PRBool - SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo, - SECCertUsage certusage, - PRBool keepcerts) - { - return sec_pkcs7_verify_signature (cinfo, certusage, -- NULL, HASH_AlgNULL, keepcerts); -+ NULL, HASH_AlgNULL, keepcerts, 0); - } - - /* - * SEC_PKCS7VerifyDetachedSignature - * Look at a PKCS7 contentInfo and check if the signature matches - * a passed-in digest (calculated, supposedly, from detached contents). - * The verification checks that the signing cert is valid and trusted - * for the purpose specified by "certusage". -@@ -1774,19 +1778,44 @@ PRBool - SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, - SECCertUsage certusage, - const SECItem *detached_digest, - HASH_HashType digest_type, - PRBool keepcerts) - { - return sec_pkcs7_verify_signature (cinfo, certusage, - detached_digest, digest_type, -- keepcerts); -+ keepcerts, 0); - } - -+/* -+ * SEC_PKCS7VerifyDetachedSignatureAtTime -+ * Look at a PKCS7 contentInfo and check if the signature matches -+ * a passed-in digest (calculated, supposedly, from detached contents). -+ * The verification checks that the signing cert is valid and trusted -+ * for the purpose specified by "certusage" at time "atTime" -+ * if "atTime" is non-zero, or at the current time (as returned by -+ * PR_Now) otherwise. 
-+ */ -+PRBool -+SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, -+ SECCertUsage certusage, -+ const SECItem *detached_digest, -+ HASH_HashType digest_type, -+ PRBool keepcerts, -+ PRTime atTime) -+{ -+ if (!atTime) { -+ atTime = PR_Now(); -+ } -+ -+ return sec_pkcs7_verify_signature (cinfo, certusage, -+ detached_digest, digest_type, -+ keepcerts, atTime); -+} - - /* - * Return the asked-for portion of the name of the signer of a PKCS7 - * signed object. - * - * Returns a pointer to allocated memory, which must be freed. - * A NULL return value is an error. - */ -@@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7 - */ - if (signercert == NULL) { - /* - * The cert usage does not matter in this case, because we do not - * actually care about the verification itself, but we have to pick - * some valid usage to pass in. - */ - (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner, -- NULL, HASH_AlgNULL, PR_FALSE); -+ NULL, HASH_AlgNULL, PR_FALSE, 0); - signercert = signerinfos[0]->cert; - if (signercert == NULL) - return NULL; - } - - switch (selector) { - case sec_common_name: - container = CERT_GetCommonName (&signercert->subject); -Index: security/nss/lib/pkcs7/secpkcs7.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v -retrieving revision 1.10 -diff -u -8 -p -r1.10 secpkcs7.h ---- security/nss/lib/pkcs7/secpkcs7.h 27 Nov 2012 22:48:08 -0000 1.10 -+++ security/nss/lib/pkcs7/secpkcs7.h 25 Jan 2013 23:22:54 -0000 -@@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S - * into our local database. 
- */ - extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, - SECCertUsage certusage, - const SECItem *detached_digest, - HASH_HashType digest_type, - PRBool keepcerts); - -+ -+/* -+ * SEC_PKCS7VerifyDetachedSignatureAtTime -+ * Look at a PKCS7 contentInfo and check if the signature matches -+ * a passed-in digest (calculated, supposedly, from detached contents). -+ * The verification checks that the signing cert is valid and trusted -+ * for the purpose specified by "certusage" at time "atTime" -+ * if "atTime" is non-zero, or at the current time (as returned by -+ * PR_Now) otherwise. -+ */ -+extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, -+ SECCertUsage certusage, -+ const SECItem *detached_digest, -+ HASH_HashType digest_type, -+ PRBool keepcerts, -+ PRTime atTime); -+ - /* - * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress - * The passed-in contentInfo is espected to be Signed, and these - * functions return the specified portion of the full signer name. - * - * Returns a pointer to allocated memory, which must be freed. - * A NULL return value is an error. - */ -Index: security/nss/lib/smime/smime.def -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v -retrieving revision 1.39 -diff -u -8 -p -r1.39 smime.def ---- security/nss/lib/smime/smime.def 25 Apr 2012 14:50:09 -0000 1.39 -+++ security/nss/lib/smime/smime.def 25 Jan 2013 23:22:54 -0000 -@@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa - ;+ *; - ;+}; - ;+NSS_3.13 { # NSS 3.13 release - ;+ global: - NSSSMIME_GetVersion; - ;+ local: - ;+ *; - ;+}; -+;+NSS_3.14.3 { # NSS 3.14.3 release -+;+ global: -+SEC_PKCS7VerifyDetachedSignatureAtTime; -+;+ local: -+;+ *; -+;+}; diff --git a/char.patch b/char.patch index 8d4e0b5..5d52f3d 100644 --- a/char.patch +++ b/char.patch 
@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/cmd/modutil/install-ds.c,v retrieving revision 1.2 diff -u -p -6 -r1.2 install-ds.c --- security/nss/cmd/modutil/install-ds.c 25 Apr 2004 15:02:47 -0000 1.2 -+++ security/nss/cmd/modutil/install-ds.c 5 Feb 2007 06:57:38 -0000 ++++ nss/cmd/modutil/install-ds.c 5 Feb 2007 06:57:38 -0000 @@ -249,13 +249,13 @@ Pk11Install_File_Generate(Pk11Install_Fi if(!subval || (subval->type != STRING_VALUE)){ errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS], diff --git a/malloc.patch b/malloc.patch index bf6eaf6..83bf8af 100644 --- a/malloc.patch +++ b/malloc.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v retrieving revision 1.100 diff -u -r1.100 ssl.sh --- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100 -+++ security/nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 ++++ nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 @@ -974,6 +974,7 @@ ################################# main ################################# diff --git a/mozilla-nss.changes b/mozilla-nss.changes index e9ba2b8..213e754 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Tue Jun 11 04:58:56 UTC 2013 - wr@rosenauer.org + +- update to 3.15 + * Packaging + + removed obsolete patches + * nss-disable-expired-testcerts.patch + * bug-834091.patch + * New Functionality + + Support for OCSP Stapling (RFC 6066, Certificate Status + Request) has been added for both client and server sockets. + TLS client applications may enable this via a call to + SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + + Added function SECITEM_ReallocItemV2. It replaces function + SECITEM_ReallocItem, which is now declared as obsolete. + + Support for single-operation (eg: not multi-part) symmetric + key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + + certutil has been updated to support creating name constraints + extensions. + * New Functions + in ssl.h + SSL_PeerStapledOCSPResponse - Returns the server's stapled + OCSP response, when used with a TLS client socket that + negotiated the status_request extension. + SSL_SetStapledOCSPResponses - Set's a stapled OCSP response + for a TLS server socket to return when clients send the + status_request extension. + in ocsp.h + CERT_PostOCSPRequest - Primarily intended for testing, permits + the sending and receiving of raw OCSP request/responses. + in secpkcs7.h + SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 + signature at a specific time other than the present time. + in xconst.h + CERT_EncodeNameConstraintsExtension - Matching function for + CERT_DecodeNameConstraintsExtension, added in NSS 3.10. + in secitem.h + SECITEM_AllocArray + SECITEM_DupArray + SECITEM_FreeArray + SECITEM_ZfreeArray - Utility functions to handle the + allocation and deallocation of SECItemArrays + SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is + now obsolete. SECITEM_ReallocItemV2 better matches caller + expectations, in that it updates item->len on allocation. 
+ For more details of the issues with SECITEM_ReallocItem, + see Bug 298649 and Bug 298938. + in pk11pub.h + PK11_Decrypt - Performs decryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + PK11_Encrypt - Performs encryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + * New Types + in secitem.h + SECItemArray - Represents a variable-length array of SECItems. + * New Macros + in ssl.h + SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure + TLS client sockets to request the certificate_status extension + (eg: OCSP stapling) when set to PR_TRUE + * Notable changes + + SECITEM_ReallocItem is now deprecated. Please consider using + SECITEM_ReallocItemV2 in all future code. + + The list of root CA certificates in the nssckbi module has + been updated. + + The default implementation of SSL_AuthCertificate has been + updated to add certificate status responses stapled by the TLS + server to the OCSP cache. + * a lot of bugfixes + ------------------------------------------------------------------- Tue Apr 16 10:27:04 UTC 2013 - idonmez@suse.com diff --git a/mozilla-nss.spec b/mozilla-nss.spec index c25ca98..997c3aa 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.14.3 +Version: 3.15 Release: 0 # bug437293 %ifarch ppc64 
@@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r NSS -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss; hg up NSS_3_15_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc @@ -55,8 +55,6 @@ Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch -Patch9: nss-disable-expired-testcerts.patch -Patch10: bug-834091.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -161,31 +159,29 @@ Mozilla project. %prep %setup -n nss-%{version} -q -cd mozilla -%patch1 -%patch2 -%patch3 -%patch4 -%patch5 +cd nss +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %if %suse_version > 1110 -%patch6 +%patch6 -p1 %endif -%patch7 -%patch8 -%patch9 -%patch10 +%patch7 -p1 +%patch8 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build +cd nss modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + -cd mozilla/security/nss export FREEBL_NO_DEPEND=1 export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` @@ -214,6 +210,7 @@ fi %endif %install +cd nss mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 
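Review bot: The new `Source:` line in mozilla-nss.spec points at the 3.15 tarball, but nothing in the spec records how that tarball was verified. The only pin visible in this commit is the git-lfs `oid sha256` of nss-3.15.tar.gz, which fixes what was committed but not that it matches what upstream released. For a crypto library I would note the check next to the source, for example `# sha256 verified against upstream release checksum: <UPSTREAM_SHA256_PLACEHOLDER>`, or carry upstream's checksum file as an additional source if one is published for this release. The comment above now names `hg up NSS_3_15_RTM`, so it would also help to state whether the tarball came from the FTP release or was built from that tag.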
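Review bot: The move to `cd nss` plus `%patchN -p1` in %prep depends on how patch resolves file names, because in char.patch, malloc.patch, nss-disable-ocsp-test.patch, nss-no-rpath.patch, nss-opt.patch and nss-sqlitename.patch only the `+++` header was rewritten to `nss/...`; the `---` header (and presumably the `Index:` line, which lies outside those hunks) still carries the old `security/nss/...` or `security/coreconf/...` CVS path. After one component is stripped the old-side name probably no longer exists under `nss/`, so patch falls back to the new-side name, which is fragile and may be rejected by a stricter patch invocation. Consider regenerating these six as `a/`-`b/` diffs against the 3.15 tree, as this commit already does for renegotiate-transitional.patch and system-nspr.patch. The %build section that follows continues past the end of this hunk.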
@@ -221,7 +218,7 @@ mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{nssdbdir} -pushd mozilla/dist/Linux* +pushd ../dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 # copy dynamic libs @@ -278,9 +275,9 @@ s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd -NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` -NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` -NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` +NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` +NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` +NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ diff --git a/nss-3.14.3.tar.gz b/nss-3.14.3.tar.gz deleted file mode 100644 index 6c3c532..0000000 --- a/nss-3.14.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d9d366be94d33395597ebf82363fcdedfa693a6d627cf7f6bec025f609d54cc0 -size 6189790 diff --git a/nss-3.15.tar.gz b/nss-3.15.tar.gz new file mode 100644 index 0000000..9bf3cf2 --- /dev/null +++ b/nss-3.15.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c139f331ddcff4d5485590ee1b4489d3731aa520d4f5d942e2e40bba1e23a3cd +size 6276213 diff --git a/nss-disable-expired-testcerts.patch b/nss-disable-expired-testcerts.patch deleted file mode 100644 index 3c5e999..0000000 --- a/nss-disable-expired-testcerts.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: security/nss/tests/chains/scenarios/realcerts.cfg -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg,v -retrieving revision 1.4 -diff -u -r1.4 realcerts.cfg ---- security/nss/tests/chains/scenarios/realcerts.cfg 20 Mar 2012 14:47:29 -0000 1.4 -+++ security/nss/tests/chains/scenarios/realcerts.cfg 3 Apr 2013 07:39:49 -0000 -@@ -14,15 +14,15 @@ - import PayPalEE:x: - import BrAirWaysBadSig:x: - --verify TestUser50:x -- result pass -+#verify TestUser50:x -+# result pass - --verify TestUser51:x -- result pass -+#verify TestUser51:x -+# result pass - --verify PayPalEE:x -- policy OID.2.16.840.1.113733.1.7.23.6 -- result pass -+#verify PayPalEE:x -+# policy OID.2.16.840.1.113733.1.7.23.6 -+# result pass - - verify BrAirWaysBadSig:x - result fail diff --git a/nss-disable-ocsp-test.patch b/nss-disable-ocsp-test.patch index 9b55c99..84d3a02 100644 --- a/nss-disable-ocsp-test.patch +++ b/nss-disable-ocsp-test.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v retrieving revision 1.10 diff -u -r1.10 scenarios --- security/nss/tests/chains/scenarios/scenarios 7 Jan 2013 03:56:15 -0000 1.10 -+++ security/nss/tests/chains/scenarios/scenarios 28 Jan 2013 18:11:16 -0000 ++++ nss/tests/chains/scenarios/scenarios 28 Jan 2013 18:11:16 -0000 @@ -50,6 +50,5 @@ realcerts.cfg dsa.cfg diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch index a165c98..95100c8 100644 --- a/nss-no-rpath.patch +++ b/nss-no-rpath.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v retrieving revision 1.71 diff -u -p -6 -r1.71 platlibs.mk --- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 -+++ security/nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 ++++ nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 @@ -15,15 +15,15 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif 
diff --git a/nss-opt.patch b/nss-opt.patch index 38e6136..41fbe0f 100644 --- a/nss-opt.patch +++ b/nss-opt.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v retrieving revision 1.45.2.1 diff -u -r1.45.2.1 Linux.mk --- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1 -+++ security/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 ++++ nss/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 @@ -112,11 +112,7 @@ endif diff --git a/nss-sqlitename.patch b/nss-sqlitename.patch index c625c34..ecececc 100644 --- a/nss-sqlitename.patch +++ b/nss-sqlitename.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v retrieving revision 1.5 diff -u -r1.5 manifest.mn --- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5 -+++ security/nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 ++++ nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 @@ -6,9 +6,10 @@ MODULE = nss diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index 5c0288a..625429d 100644 --- a/renegotiate-transitional.patch +++ b/renegotiate-transitional.patch @@ -1,11 +1,9 @@ -Index: security/nss/lib/ssl/sslsock.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v -retrieving revision 1.96 -diff -u -p -6 -r1.96 sslsock.c ---- security/nss/lib/ssl/sslsock.c 24 Sep 2012 23:57:42 -0000 1.96 -+++ security/nss/lib/ssl/sslsock.c 25 Oct 2012 12:08:56 -0000 -@@ -147,13 +147,13 @@ static sslOptions ssl_defaults = { +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -144,17 +144,17 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* fdx */ + PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ PR_TRUE, /* detectRollBack */ PR_FALSE, /* noStepDown */ PR_FALSE, /* bypassPKCS11 */ 
@@ -16,7 +14,9 @@ diff -u -p -6 -r1.96 sslsock.c + 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ - PR_TRUE /* cbcRandomIV */ + PR_TRUE, /* cbcRandomIV */ + PR_FALSE /* enableOCSPStapling */ }; /* + * default range of enabled SSL/TLS protocols diff --git a/system-nspr.patch b/system-nspr.patch index 31474b5..54459e7 100644 --- a/system-nspr.patch +++ b/system-nspr.patch @@ -1,16 +1,22 @@ -Index: security/nss/Makefile -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/Makefile,v -retrieving revision 1.36 -diff -u -p -r1.36 Makefile ---- security/nss/Makefile 2 Dec 2008 23:24:39 -0000 1.36 -+++ security/nss/Makefile 23 Nov 2009 16:19:04 -0000 -@@ -78,7 +78,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk +diff --git a/Makefile b/Makefile +--- a/Makefile ++++ b/Makefile +@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk + ####################################################################### + + + + ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### --nss_build_all: build_coreconf build_nspr build_dbm all -+nss_build_all: build_coreconf build_dbm all +-nss_build_all: build_nspr all ++nss_build_all: all - nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber + nss_clean_all: clobber_nspr clobber + NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status + NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure + + # + # Translate coreconf build options to NSPR configure options.
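Review bot: In the second hunk of renegotiate-transitional.patch the carried-over line `3, /* enableRenegotiation (default: requires extension) */` has a comment that does not describe the value. Going by the patch name and, as far as I recall, the constants in ssl.h, 3 is the transitional setting rather than requires-extension. Since the patch was regenerated for 3.15 anyway (this hunk adds the `enableOCSPStapling` entry), I would change the comment to something like `3, /* enableRenegotiation (downstream default: transitional) */` so the relaxed renegotiation default is obvious to anyone auditing the package. The line this replaces lies outside the hunk, so the upstream default is not visible here; it is worth confirming that the relaxed default is still wanted for this release.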