From 08cb746f08c679a95047f1ee0d1fb70915b10f96 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 6 Feb 2016 01:33:16 -0500 Subject: gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites. * gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patch. --- gnu-system.am | 1 + gnu/packages/gnuzilla.scm | 3 ++- .../icecat-re-enable-DHE-cipher-suites.patch | 24 ++++++++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch diff --git a/gnu-system.am b/gnu-system.am index 749814d287..f13ba05a22 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -521,6 +521,7 @@ dist_patch_DATA = \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ + gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ gnu/packages/patches/icu4c-CVE-2015-1270.patch \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 7978ca6abe..2ddad9afe2 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -288,7 +288,8 @@ (define-public icecat (base32 "0bd4k5cwr8ynscaxffvj2x3kgky3dmjq0qhpcb931l98bh0103lx")) (patches (map search-patch - '("icecat-avoid-bundled-includes.patch"))) + '("icecat-avoid-bundled-includes.patch" + "icecat-re-enable-DHE-cipher-suites.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch new file mode 100644 index 0000000000..5c869bf510 --- /dev/null +++ b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch @@ -0,0 +1,24 @@ +Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat +38.6.0 disabled by default to avoid the Logjam attack. This issue was +fixed in NSS version 3.19.1 by limiting the lower strength of supported +DHE keys to use 1023 bit primes, so we can enable these cipher suites +safely. The DHE cipher suites are needed to allow IceCat to connect to +many sites, including https://gnupg.org/. + +Patch by Mark H Weaver + +--- icecat-38.6.0/browser/app/profile/icecat.js.orig 1969-12-31 19:00:00.000000000 -0500 ++++ icecat-38.6.0/browser/app/profile/icecat.js 2016-02-06 00:48:23.826170154 -0500 +@@ -2061,12 +2061,6 @@ + pref("security.ssl3.rsa_des_ede3_sha", false); + pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); + pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); +-// https://directory.fsf.org/wiki/Disable_DHE +-// Avoid logjam attack +-pref("security.ssl3.dhe_rsa_aes_128_sha", false); +-pref("security.ssl3.dhe_rsa_aes_256_sha", false); +-pref("security.ssl3.dhe_dss_aes_128_sha", false); +-pref("security.ssl3.dhe_rsa_des_ede3_sha", false); + //Optional + //Perfect forward secrecy + // pref("security.ssl3.rsa_aes_256_sha", false); -- cgit v1.2.3