#5 Use ECC ciphers by default
Closed: Fixed. Opened 8 years ago by rcritten.

Cloned from BZ https://bugzilla.redhat.com/show_bug.cgi?id=1141105

I understand support for crypto-policies is coming to NSS, but in the meantime, perhaps NSS should use the ECC-enabled cipher suite from nss.conf by default? Fedora's nss and mod_nss are both compiled with ECC support. Flipping from one to the other in my FreeIPA web server bumped the Calomel score from 47% (0/20 for PFS) to 88%.

Patch was included in BZ


This is the cipher suite set I'm considering:

NSS: +rsa_3des_sha, +rsa_aes_128_sha, +rsa_aes_256_sha, +aes_128_sha_256, +aes_256_sha_256, +camelia_128_sha, +camelia_256_sha, +rsa_aes_128_gcm_sha_256, +ecdhe_ecdsa_3des_sha, +ecdhe_ecdsa_aes_128_sha, +ecdhe_ecdsa_aes_256_sha, +ecdhe_rsa_3des_sha, +ecdhe_rsa_aes_128_sha, +ecdhe_rsa_aes_256_sha, +ecdhe_ecdsa_aes_128_sha_256, +ecdhe_rsa_aes_128_sha_256, +ecdhe_ecdsa_aes_128_gcm_sha_256, +ecdhe_rsa_aes_128_gcm_sha_256

equivalent in OpenSSL: ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA

Metadata Update from @rcritten:
- Issue set to the milestone: mod_nss-1.0.13

7 years ago
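
An added example, not part of the ticket or of mod_nss: a small Python audit of the proposed `+name` list above, reporting which suites give forward secrecy and which still rely on 3DES or RSA key exchange. The classification by name prefix (`ecdhe_`/`dhe_` as forward-secret, everything else as RSA key exchange) is an assumption of this example.

```python
# Added example. The suite list is copied from the ticket; the naming rules
# used to classify each suite are assumptions, not mod_nss code.
PROPOSED = (
    "+rsa_3des_sha, +rsa_aes_128_sha, +rsa_aes_256_sha, +aes_128_sha_256, "
    "+aes_256_sha_256, +camelia_128_sha, +camelia_256_sha, "
    "+rsa_aes_128_gcm_sha_256, +ecdhe_ecdsa_3des_sha, "
    "+ecdhe_ecdsa_aes_128_sha, +ecdhe_ecdsa_aes_256_sha, +ecdhe_rsa_3des_sha, "
    "+ecdhe_rsa_aes_128_sha, +ecdhe_rsa_aes_256_sha, "
    "+ecdhe_ecdsa_aes_128_sha_256, +ecdhe_rsa_aes_128_sha_256, "
    "+ecdhe_ecdsa_aes_128_gcm_sha_256, +ecdhe_rsa_aes_128_gcm_sha_256"
)

def parse_suites(spec):
    """Split a '+name, -name' string into (enabled, disabled) name lists."""
    enabled, disabled = [], []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError(f"missing +/- prefix: {token!r}")
        (enabled if token[0] == "+" else disabled).append(token[1:])
    return enabled, disabled

def classify(name):
    """Derive key exchange and cipher properties from the suite name alone."""
    if name.startswith("ecdhe_"):
        kex = "ECDHE"
    elif name.startswith("dhe_"):
        kex = "DHE"
    else:
        kex = "RSA"  # assumption: unprefixed names use RSA key exchange
    return {"name": name, "kex": kex,
            "forward_secrecy": kex in ("ECDHE", "DHE"),
            "uses_3des": "_3des_" in name, "aead": "_gcm_" in name}

def summarize(spec):
    """Group the enabled suites by the properties a TLS audit cares about."""
    rows = [classify(n) for n in parse_suites(spec)[0]]
    pick = lambda key, want=True: [r["name"] for r in rows if r[key] == want]
    return {"total": len(rows),
            "forward_secrecy": pick("forward_secrecy"),
            "no_forward_secrecy": pick("forward_secrecy", False),
            "three_des": pick("uses_3des"), "aead": pick("aead")}

if __name__ == "__main__":
    for key, value in summarize(PROPOSED).items():
        print(key, "->", value)
```
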
