08cb746f08
* gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.
24 lines
1.1 KiB
Diff
24 lines
1.1 KiB
Diff
Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
|
|
38.6.0 disabled by default to avoid the Logjam attack. This issue was
|
|
fixed in NSS version 3.19.1 by limiting the lower strength of supported
|
|
DHE keys to use 1023 bit primes, so we can enable these cipher suites
|
|
safely. The DHE cipher suites are needed to allow IceCat to connect to
|
|
many sites, including https://gnupg.org/.
|
|
|
|
Patch by Mark H Weaver <mhw@netris.org>
|
|
|
|
--- icecat-38.6.0/browser/app/profile/icecat.js.orig 1969-12-31 19:00:00.000000000 -0500
|
|
+++ icecat-38.6.0/browser/app/profile/icecat.js 2016-02-06 00:48:23.826170154 -0500
|
|
@@ -2061,12 +2061,6 @@
|
|
pref("security.ssl3.rsa_des_ede3_sha", false);
|
|
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
|
|
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
|
|
-// https://directory.fsf.org/wiki/Disable_DHE
|
|
-// Avoid logjam attack
|
|
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
|
|
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
|
|
-pref("security.ssl3.dhe_dss_aes_128_sha", false);
|
|
-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
|
|
//Optional
|
|
//Perfect forward secrecy
|
|
// pref("security.ssl3.rsa_aes_256_sha", false);
|