Launchpad has imported 6 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1722613.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2021-07-27T21:26:23+00:00 Mh+mozilla wrote:

Ubuntu is patching it to change the default range of TLS versions.
https://bugs.launchpad.net/bugs/1856428

Should this be done to NSS itself?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/3

------------------------------------------------------------------------
On 2021-07-28T06:36:17+00:00 Mt-l wrote:

I would be supportive of that change (see also
[RFC8996](https://www.rfc-editor.org/rfc/rfc8996.html)), but we
generally try to coordinate with Red Hat on this sort of thing. We don't
have the same sorts of constraints. Firefox doesn't use defaults; we
explicitly set these.

So... Bob, I'm supportive of this; what about you?

I assume that you need some warning (this current release is due to go
out Friday, so that is almost certainly "no").  How long would you need
to make the necessary arrangements for RHEL backports and so forth?
Would NSS 3.70 be unreasonable?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/4

------------------------------------------------------------------------
On 2021-07-28T16:45:26+00:00 Rrelyea wrote:

3.69 would be fine. We just rebased for ESV, so we won't be picking up a
rhel version of nss anytime soon.

We now set those defaults by policy anyway, so we probably only need
backports for rhel-7.x (which we already have because rhel-7 still has
ssl3 on by default).

RHEL-8 policy is already tls 1.2 min in our default policy (which
actually surprises me, I thought it was tls 1.0). So I'm sure we are tls
1.2 min in fedora, where sha1 is also turned off by policy for
signatures and ssl.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/5

------------------------------------------------------------------------
On 2021-07-29T04:21:38+00:00 Mt-l wrote:

Created attachment 9233646
Bug 1722613 - Disable DTLS 1.0 and 1.1 by default, r=rrelyea

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/6

------------------------------------------------------------------------
On 2021-07-30T01:11:10+00:00 Mt-l wrote:

Well then. We should catch up then.

I've put up a patch for just that. I've included DTLS 1.0 as well,
following IETF advice.

I'm running all.sh locally and then there is also
https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=876925f6a0da
Assuming that goes well, I'll make sure that this is in the Beta release
planned for tomorrow.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/7

------------------------------------------------------------------------
On 2021-07-30T01:12:09+00:00 Mt-l wrote:

https://hg.mozilla.org/projects/nss/rev/60211e7f03ee2ade9272a85fd3bf2c4071b6a538

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/comments/8


** Changed in: nss
       Status: Unknown => Fix Released

Title:
  Disable TLS below 1.2 by default
