Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#28147 - [nss] ECDHE-RSA-RC4-SHA support
Attached to Project:
Arch Linux
Opened by Björn Mandelvåg (koltrast) - Saturday, 28 January 2012, 19:59 GMT
Last edited by Evangelos Foutras (foutrelis) - Friday, 04 May 2012, 10:15 GMT
Details

Description:
Chromium does not support the ECDHE-RSA-RC4-SHA cipher suite, breaking forward secrecy on e.g. all TLS connections to Google's servers (they instead revert to RSA-RC4-SHA).

Additional info:
The bug is present in 16.0.912.77-1, I do not know if it has ever worked properly. I have confirmed that ECDHE-RSA-RC4-SHA works in Chromium on Debian systems so this does not appear to be an upstream issue.

Some background info: http://www.imperialviolet.org/2011/11/22/forwardsecret.html

Steps to reproduce:
Open gmail.com in Chromium, click the green lock icon to show information on the TLS connection: The connection is encrypted using RC4_128, with SHA1 for message authentication and RSA as the key exchange mechanism.
Closed by Evangelos Foutras (foutrelis)
Friday, 04 May 2012, 10:15 GMT
Reason for closing: Fixed
Additional comments about closing: Pushed nss 3.13.4-2, built with NSS_ENABLE_ECC=1.
Report is at http://code.google.com/p/chromium/issues/detail?id=113410
Our nss package needs to be built with NSS_ENABLE_ECC=1.
@Jan, Ionuț: Can you please implement this? I'm attaching a patch for nss' PKGBUILD. (It should be safe to apply; Debian builds nss with NSS_ENABLE_ECC=1.)
+1