Disable TLS below 1.2 by default
Bug #1856428 reported by Dimitri John Ledkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NSS | Fix Released | Unknown | |
gnutls28 (Ubuntu) | Fix Released | Undecided | Unassigned |
nss (Debian) | Confirmed | Unknown | |
nss (Ubuntu) | Fix Released | Undecided | Unassigned |
openssl (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description
Disable TLS 1.0, TLS1.1, DTLS1.0
As part of focal commitment, we shall disable obsolete protocols by default.
Users can override this behaviour with a config file.
Related branches
~lucaskanashiro/ubuntu/+source/nss:focal-merge-3.49.1-1
- Canonical Server: Pending requested
- Andreas Hasenack: Pending requested
- Diff: 437 lines (+282/-2), 7 files modified
  - debian/changelog (+207/-0)
  - debian/control (+3/-1)
  - debian/libnss3.links (+3/-0)
  - debian/patches/disable_fips_enabled_read.patch (+49/-0)
  - debian/patches/series (+2/-0)
  - debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
  - debian/rules (+1/-1)
summary:
- Raise minimum key requirements to 2k and disable TLS 1.0 and 1.1
+ Disable TLS1.0, TLS 1.1, DTLS1.0
description: updated
tags: added: id-5db1c4c64e98bd59adc18616
summary:
- Disable TLS1.0, TLS 1.1, DTLS1.0
+ Disable TLS1.0, TLS 1.1
Changed in openssl (Ubuntu):
status: New → In Progress
Changed in openssl (Ubuntu):
status: In Progress → Fix Committed
Changed in gnutls28 (Ubuntu):
status: New → In Progress
Changed in nss (Ubuntu):
status: New → Triaged
Changed in gnutls28 (Ubuntu):
status: In Progress → Fix Committed
Changed in nss (Ubuntu):
status: Triaged → Fix Committed
summary:
- Disable TLS1.0, TLS 1.1
+ Disable TLS below 1.2 by default
Changed in gnutls28 (Ubuntu):
status: Fix Committed → Fix Released
Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released
Changed in nss:
status: Unknown → Fix Released
Changed in nss (Debian):
status: Unknown → Confirmed
no longer affects: golang-1.13 (Ubuntu)
This bug was fixed in the package nss - 2:3.48-1ubuntu1
---------------
nss (2:3.48-1ubuntu1) focal; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is
      not a FIPS certified library. (LP #1837734)
  * Set TLSv1.2 as minimum TLS version. LP: #1856428

nss (2:3.48-1) unstable; urgency=medium

  * New upstream release. Closes: #947131.
  * debian/control: Bump nspr build dependency to 4.24.
  * nss/lib/freebl/Makefile: Disable hardware AES on ARM softfloat to fix
    FTBFS on armel. Closes: #947246.

nss (2:3.47.1-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2019-11745.

 -- Ubuntu Merge-o-Matic <email address hidden> Sun, 29 Dec 2019 03:43:36 +0000