guix/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
Mark H Weaver 08cb746f08 gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.
* gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.
2016-02-06 08:48:20 -05:00

25 lines
1.1 KiB
Diff

Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
38.6.0 disabled by default to avoid the Logjam attack. This issue was
fixed in NSS version 3.19.1 by limiting the lower strength of supported
DHE keys to use 1023 bit primes, so we can enable these cipher suites
safely. The DHE cipher suites are needed to allow IceCat to connect to
many sites, including https://gnupg.org/.
Patch by Mark H Weaver <mhw@netris.org>
--- icecat-38.6.0/browser/app/profile/icecat.js.orig 1969-12-31 19:00:00.000000000 -0500
+++ icecat-38.6.0/browser/app/profile/icecat.js 2016-02-06 00:48:23.826170154 -0500
@@ -2061,12 +2061,6 @@
pref("security.ssl3.rsa_des_ede3_sha", false);
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-// https://directory.fsf.org/wiki/Disable_DHE
-// Avoid logjam attack
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
-pref("security.ssl3.dhe_dss_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
//Optional
//Perfect forward secrecy
// pref("security.ssl3.rsa_aes_256_sha", false);