Wan-Teh,

Thanks for your response, comments inline.

On 10/25/2012 11:17, Wan-Teh Chang wrote:

> Any client apps that care about the exact cipher suites enabled need
> to enable and disable each cipher suite explicitly. This Chromium code
> in this file can be used as a code example:
>
> http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/nss_ssl_util.cc?revision=151846&view=markup

I know what code changes are necessary. I'm only a developer on a couple of NSS applications at this point, not an NSS maintainer. If this was only about those couple of apps, it wouldn't be an issue. But there are other apps in Oracle that could be affected. I can safely say that tracking and modifying every single app that this binary compatibility change may affect is not going to happen at Oracle at this point. Many other apps may not have the same kind of tests we have for ciphers and won't even catch the issue. As NSS gets distributed as patches to many existing applications, binary compatibility is a requirement.

> In the year 2012, AES cipher suites, rather than (single) DES cipher suites, should be enabled by default. We decided to break this compatibility to improve security.

I agree that they should be, but the decision of the defaults was always up to the application until now.

> This is also why we disabled SSL 2.0 by default in NSS 3.13 (https://bugzilla.mozilla.org/show_bug.cgi?id=593080).

SSL 2.0 has been broken for some time, and nobody can argue with changing that default, certainly not me. But adding new ciphers to the default list is a different kind of change. Unless the DES ciphers were broken, I don't see the rationale for this change.

>> Q: will unmodified applications that use the deprecated interfaces still
>> continue to work identically? This appears to be the case from reading the
>> above bug, but I want to make sure that is correct.
>
> Yes, I confirm that.

Thanks!

>> 4) SSL PKCS#11 bypass is now conditionally built.
>> https://bugzilla.mozilla.org/show_bug.cgi?id=745281
>>
>> ...
>> I would like to know if the bypass feature got tested when the patch was
>> created, and whether it will still be getting tested at all going forward
>> other than at Oracle.
>
> Yes. The default NSS build still compiles the SSL PKCS#11 bypass code.

Great!

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
