Mozilla NSS 3.20 recently added server side support for DHE ciphers: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes
I'm attaching a patch that will enable the new DHE ciphers (skipping those using RC4 and DES).
Drawback: the minimal required NSS version has to be bumped to 3.20, unless some additional hooks are implemented.
attachment 0001-Add-server-support-for-DHE-ciphers.patch
In parallel, Christian Heimes provided a similar patch which had the backwards-compatible changes you referred to. I'm going to start with his patch as a basis, but given the two patches are largely the same I will credit you both.
You added the DSS ciphers but mod_nss only supports RSA and ECC keys so I dropped those.
I'm in the process of double-checking the cipher definitions, adding test cases, etc. I'll hopefully have a patch upstream soon.
master: 9205812
To test, add +dhe_rsa_aes_128_sha to NSSCipherSuite and restart Apache.
Run something like:
$ sslscan `hostname`:<port> | grep Accepted | grep DHE
Accepted  SSLv3    128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1    128 bits  DHE-RSA-AES128-SHA
Accepted  TLS11    128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12    128 bits  DHE-RSA-AES128-SHA
Your specific output will depend on protocol settings.
The full list of supported ciphers is:
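As an added example (not part of the ticket or of mod_nss), this script checks the sslscan output from the verification step above: it lists the DHE suites the server accepted per protocol and flags any DHE suite built on RC4 or DES, or offering fewer than 128 bits, which the patch deliberately left disabled. The host name and the extra suites in the sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `sslscan host:port` output, modelled on the lines
# quoted in the ticket; it is not real captured output.
SAMPLE_SSLSCAN_OUTPUT = """\
Testing SSL server www.example.test on port 443
  Supported Server Cipher(s):
Accepted  SSLv3    128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1    128 bits  DHE-RSA-AES128-SHA
Accepted  TLS11    128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12    128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12    256 bits  DHE-RSA-AES256-GCM-SHA384
Accepted  TLS12    128 bits  AES128-SHA
Rejected  TLS12    128 bits  DHE-RSA-CAMELLIA128-SHA
"""

# One "Accepted <protocol> <bits> bits <suite>" line per match.
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.M)

# Algorithms the patch skipped when enabling DHE suites.
WEAK_MARKERS = ("RC4", "DES")


def accepted_dhe_suites(scan_output):
    """Return {protocol: sorted list of accepted DHE suite names}."""
    by_proto = defaultdict(set)
    for proto, _bits, suite in ACCEPTED_RE.findall(scan_output):
        if suite.startswith("DHE-"):
            by_proto[proto].add(suite)
    return {proto: sorted(suites) for proto, suites in by_proto.items()}


def weak_dhe_suites(scan_output):
    """Accepted DHE suites using RC4/DES or fewer than 128 bits, as (protocol, suite)."""
    weak = []
    for proto, bits, suite in ACCEPTED_RE.findall(scan_output):
        if not suite.startswith("DHE-"):
            continue
        if int(bits) < 128 or any(marker in suite for marker in WEAK_MARKERS):
            weak.append((proto, suite))
    return weak


if __name__ == "__main__":
    for proto, suites in sorted(accepted_dhe_suites(SAMPLE_SSLSCAN_OUTPUT).items()):
        print(f"{proto}: {', '.join(suites)}")
    print("weak DHE suites:", weak_dhe_suites(SAMPLE_SSLSCAN_OUTPUT))
```

Replace SAMPLE_SSLSCAN_OUTPUT with the real sslscan output (for example via sys.stdin.read()) to check a server you administer.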
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: mod_nss-1.0.13