From eb3cdf4581100fbe4304cd3e9b2461bdceaee28497b9302fbb2f1fc9e567f1f9 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Thu, 25 Oct 2012 14:10:44 +0000
Subject: [PATCH] - update to 3.14 RTM * Support for TLS 1.1 (RFC 4346) * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) * Support for AES-CTR, AES-CTS, and AES-GCM * Support for Keying Material Exporters for TLS (RFC 5705) * Support for certificate signatures using the MD5 hash algorithm is now disabled by default * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default - disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=105
---
 mozilla-nss.changes | 21 +++++++++++++++++++++
 mozilla-nss.spec | 6 ++++--
 nss-3.13.6.tar.bz2 | 3 ---
 nss-3.14.tar.bz2 | 3 +++
 nss-disable-ocsp-test.patch | 16 ++++++++++++++++
 nss-no-rpath.patch | 22 ++++++++++++++--------
 renegotiate-transitional.patch | 14 +++++++-------
 7 files changed, 65 insertions(+), 20 deletions(-)
 delete mode 100644 nss-3.13.6.tar.bz2
 create mode 100644 nss-3.14.tar.bz2
 create mode 100644 nss-disable-ocsp-test.patch
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index d31a2ac..5876e68 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Oct 25 12:02:22 UTC 2012 - wr@rosenauer.org
+
+- update to 3.14 RTM
+ * Support for TLS 1.1 (RFC 4346)
+ * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
+ * Support for AES-CTR, AES-CTS, and AES-GCM
+ * Support for Keying Material Exporters for TLS (RFC 5705)
+ * Support for certificate signatures using the MD5 hash algorithm
+ is now disabled by default
+ * The NSS license has changed to MPL 2.0. Previous releases were
+ released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more
+ information about MPL 2.0, please see
+ http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
+ explanation on GPL/LGPL compatibility, see security/nss/COPYING
+ in the source code.
+ * Export and DES cipher suites are disabled by default. Non-ECC
+ AES and Triple DES cipher suites are enabled by default
+- disabled OCSP testcases since they need external network
+ (nss-disable-ocsp-test.patch)
+
 -------------------------------------------------------------------
 Wed Aug 15 13:57:42 UTC 2012 - wr@rosenauer.org
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 7862a74..1a4fb72 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel
 BuildRequires: pkg-config
 BuildRequires: sqlite3-devel
 BuildRequires: zlib-devel
-Version: 3.13.6
+Version: 3.14
 Release: 0
 # bug437293
 %ifarch ppc64
@@ -33,7 +33,7 @@ Obsoletes: mozilla-nss-64bit
 %endif
 #
 Summary: Network Security Services
-License: MPL-1.1 or GPL-2.0+ or LGPL-2.1+
+License: MPL-2.0
 Group: System/Libraries
 Url: http://www.mozilla.org/projects/security/pki/nss/
 # cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r NSS
@@ -53,6 +53,7 @@ Patch3: char.patch
 Patch4: nss-no-rpath.patch
 Patch5: renegotiate-transitional.patch
 Patch6: malloc.patch
+Patch7: nss-disable-ocsp-test.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq: mozilla-nspr >= %nspr_ver
 PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@@ -166,6 +167,7 @@ cd mozilla
 %if %suse_version > 1110
 %patch6
 %endif
+%patch7
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
diff --git a/nss-3.13.6.tar.bz2 b/nss-3.13.6.tar.bz2
deleted file mode 100644
index 54df3a9..0000000
--- a/nss-3.13.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1737a01d1bf5bdeda5d03cdcc7b7e12559cbdfc11a8e52196b6452b643939c69
-size 4646121
diff --git a/nss-3.14.tar.bz2 b/nss-3.14.tar.bz2
new file mode 100644
index 0000000..9e09a00
--- /dev/null
+++ b/nss-3.14.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:573fe07884f64fe4be3899c6fcd32134b3fcf6258cd8a206143e9a7dfb72a500
+size 4772462
diff --git a/nss-disable-ocsp-test.patch b/nss-disable-ocsp-test.patch
new file mode 100644
index 0000000..733eb52
--- /dev/null
+++ b/nss-disable-ocsp-test.patch
@@ -0,0 +1,16 @@
+Index: security/nss/tests/chains/scenarios/scenarios
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v
+retrieving revision 1.9
+diff -u -p -6 -r1.9 scenarios
+--- security/nss/tests/chains/scenarios/scenarios 9 Nov 2009 14:18:58 -0000 1.9
++++ security/nss/tests/chains/scenarios/scenarios 25 Oct 2012 13:40:00 -0000
+@@ -46,8 +46,7 @@ aia.cfg
+ bridgewithaia.cfg
+ bridgewithhalfaia.cfg
+ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch
index 51827e1..a165c98 100644
--- a/nss-no-rpath.patch
+++ b/nss-no-rpath.patch
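Review bot: Removing `ocsp.cfg` from the chains scenario list in nss-disable-ocsp-test.patch drops the OCSP chain-validation scenarios from the package test run, and the new patch file has no header saying why. The commit message gives the reason (the cases need external network access); the same should be recorded at the top of the patch, e.g. `# ocsp.cfg scenarios need external network access, which the package build does not have`, so a later refresh can tell when the patch can be dropped. Until then a regression in OCSP handling would not be caught by these scenarios at build time, so it is worth running the dropped scenario somewhere with network access on each version update.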
@@ -1,13 +1,16 @@ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v -retrieving revision 1.64 -diff -u -r1.64 platlibs.mk ---- security/nss/cmd/platlibs.mk 17 Jun 2009 23:01:48 -0000 1.64 -+++ security/nss/cmd/platlibs.mk 31 Jul 2009 08:04:09 -0000 -@@ -53,9 +53,9 @@ +retrieving revision 1.71 +diff -u -p -6 -r1.71 platlibs.mk +--- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 ++++ security/nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 +@@ -15,15 +15,15 @@ else + EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' + endif + endif + ifeq ($(OS_ARCH), Linux) - ifeq ($(BUILD_SUN_PKG), 1) ifeq ($(USE_64), 1) -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' @@ -15,5 +18,8 @@ diff -u -r1.64 platlibs.mk -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' endif - else - ifeq ($(USE_64), 1) + endif + + endif # BUILD_SUN_PKG + + ifdef NSS_DISABLE_DBM diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index 1f58d51..5c0288a 100644 --- a/renegotiate-transitional.patch +++ b/renegotiate-transitional.patch 
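Review bot: The two Linux rpath lines are disabled by commenting them out, and the refreshed context now ends with `endif # BUILD_SUN_PKG`, which suggests the whole branch is only evaluated when BUILD_SUN_PKG is set; the opening conditional lies outside the hunk. Whether the package build sets that variable is not visible here, so this patch may have no effect on the shipped binaries. The no-rpath property is better asserted on the build output, for example by failing the build when `readelf -d` shows an RPATH or RUNPATH entry on an installed binary. The patch file would also benefit from a one-line header such as `# do not embed $ORIGIN-relative or /opt/sun/private rpath entries`.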
@@ -1,11 +1,11 @@ Index: security/nss/lib/ssl/sslsock.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v -retrieving revision 1.75 -diff -u -p -6 -r1.75 sslsock.c ---- security/nss/lib/ssl/sslsock.c 22 Oct 2011 16:45:40 -0000 1.75 -+++ security/nss/lib/ssl/sslsock.c 24 Oct 2011 12:52:25 -0000 -@@ -178,13 +178,13 @@ static sslOptions ssl_defaults = { +retrieving revision 1.96 +diff -u -p -6 -r1.96 sslsock.c +--- security/nss/lib/ssl/sslsock.c 24 Sep 2012 23:57:42 -0000 1.96 ++++ security/nss/lib/ssl/sslsock.c 25 Oct 2012 12:08:56 -0000 +@@ -147,13 +147,13 @@ static sslOptions ssl_defaults = { PR_TRUE, /* detectRollBack */ PR_FALSE, /* noStepDown */ PR_FALSE, /* bypassPKCS11 */ @@ -13,10 +13,10 @@ diff -u -p -6 -r1.75 sslsock.c PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: transitional) */ ++ 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE /* cbcRandomIV */ }; - sslSessionIDLookupFunc ssl_sid_lookup; + /*
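Review bot: In the second hunk the refreshed patch still changes the `enableRenegotiation` default from 2 to 3, but the comment on the added line now reads `(default: requires extension)`, which is the label of the value being replaced; the previous revision of this patch labelled 3 as `(default: transitional)`. In NSS, 3 is `SSL_RENEGOTIATE_TRANSITIONAL` and 2 is `SSL_RENEGOTIATE_REQUIRES_XTN`, so the comment hides that the package relaxes the upstream default and lets client sockets keep renegotiating with peers that lack the RFC 5746 extension. The added line should read `3, /* enableRenegotiation (default: transitional) */`, ideally naming the constant as well. The `ssl_defaults` initializer begins outside this hunk.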