Source: nss
Version: 2:3.63-1ubuntu1
Severity: normal
Tags: patch
X-Debbugs-Cc: par...@debian.org

To keep NSS in sync with the current security standards and expectations, and consistent with what OpenSSL now does, I think NSS should disable TLS below 1.2 by default. This is already done in Ubuntu; attached is the patch that implements the change.

Thanks!

Paride

Description: Set TLSv1.2 as minimum TLS version. LP: #1856428 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428 Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c =================================================================== --- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c +++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c @@ -101,7 +101,7 @@ static sslOptions ssl_defaults = { * default range of enabled SSL/TLS protocols */ static SSLVersionRange versions_defaults_stream = { - SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_3 };
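
Review bot: The patch is indexed against nss-3.48-1ubuntu1 while this report is filed against version 2:3.63-1ubuntu1, so the hunk at line 101 of nss/lib/ssl/sslsock.c should be refreshed against the packaged source and its context re-checked before it is applied. The change also touches only versions_defaults_stream, and the Description does not say whether that scope is intentional; it would help to state there that only the default minimum for stream sockets moves from SSL_LIBRARY_VERSION_TLS_1_0 to SSL_LIBRARY_VERSION_TLS_1_2, and to update the comment above the struct ("default range of enabled SSL/TLS protocols") to record that the lower bound is a distribution policy choice, so that users who hit handshake failures against TLS 1.0/1.1 peers can find the reason.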