guix/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch

25 lines
1.1 KiB
Diff
Raw Normal View History

Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
38.6.0 disabled by default to avoid the Logjam attack. This issue was
fixed in NSS version 3.19.1 by limiting the lower strength of supported
DHE keys to use 1023 bit primes, so we can enable these cipher suites
safely. The DHE cipher suites are needed to allow IceCat to connect to
many sites, including https://gnupg.org/.
Patch by Mark H Weaver <mhw@netris.org>
--- icecat-38.6.0/browser/app/profile/icecat.js.orig 1969-12-31 19:00:00.000000000 -0500
+++ icecat-38.6.0/browser/app/profile/icecat.js 2016-02-06 00:48:23.826170154 -0500
@@ -2061,12 +2061,6 @@
pref("security.ssl3.rsa_des_ede3_sha", false);
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-// https://directory.fsf.org/wiki/Disable_DHE
-// Avoid logjam attack
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
-pref("security.ssl3.dhe_dss_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
//Optional
//Perfect forward secrecy
// pref("security.ssl3.rsa_aes_256_sha", false);