summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-02-06 01:33:16 -0500
committerMark H Weaver <mhw@netris.org>2016-02-06 08:48:20 -0500
commit08cb746f08c679a95047f1ee0d1fb70915b10f96 (patch)
tree9f9ccca4e38793f04305f5acab1dfd03be45621b /gnu/packages
parente7ad0d586251383a4c8b00222e8dec61d491f03b (diff)
downloadguix-08cb746f08c679a95047f1ee0d1fb70915b10f96.tar.gz
gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.
* gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/gnuzilla.scm3
-rw-r--r--gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch24
2 files changed, 26 insertions, 1 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 7978ca6abe..2ddad9afe2 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -288,7 +288,8 @@ standards.")
        (base32
         "0bd4k5cwr8ynscaxffvj2x3kgky3dmjq0qhpcb931l98bh0103lx"))
       (patches (map search-patch
-                    '("icecat-avoid-bundled-includes.patch")))
+                    '("icecat-avoid-bundled-includes.patch"
+                      "icecat-re-enable-DHE-cipher-suites.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
new file mode 100644
index 0000000000..5c869bf510
--- /dev/null
+++ b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
@@ -0,0 +1,24 @@
+Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
+38.6.0 disabled by default to avoid the Logjam attack.  This issue was
+fixed in NSS version 3.19.1 by limiting the lower strength of supported
+DHE keys to use 1023 bit primes, so we can enable these cipher suites
+safely.  The DHE cipher suites are needed to allow IceCat to connect to
+many sites, including https://gnupg.org/.
+
+Patch by Mark H Weaver <mhw@netris.org>
+
+--- icecat-38.6.0/browser/app/profile/icecat.js.orig	1969-12-31 19:00:00.000000000 -0500
++++ icecat-38.6.0/browser/app/profile/icecat.js	2016-02-06 00:48:23.826170154 -0500
+@@ -2061,12 +2061,6 @@
+ pref("security.ssl3.rsa_des_ede3_sha", false);
+ pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+ pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+-// https://directory.fsf.org/wiki/Disable_DHE
+-// Avoid logjam attack
+-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+-pref("security.ssl3.dhe_dss_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+ //Optional
+ //Perfect forward secrecy
+ // pref("security.ssl3.rsa_aes_256_sha", false);