gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.

* gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.

gnu: icecat: Re-enable the Ephemeral Diffie-Hellman cipher suites.
08cb746f · Mark H Weaver · e7ad0d58 · 08cb746f · 08cb746f · 08cb746f
Commit 08cb746f authored 9 years ago by Mark H Weaver
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -521,6 +521,7 @@ dist_patch_DATA =						\
  gnu/packages/patches/hydra-automake-1.15.patch		\
  gnu/packages/patches/hydra-disable-darcs-test.patch		\
  gnu/packages/patches/icecat-avoid-bundled-includes.patch	\
+  gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch	\
  gnu/packages/patches/icu4c-CVE-2014-6585.patch		\
  gnu/packages/patches/icu4c-CVE-2015-1270.patch		\
  gnu/packages/patches/icu4c-CVE-2015-4760.patch		\

--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -288,7 +288,8 @@ (define-public icecat
       (base32
        "0bd4k5cwr8ynscaxffvj2x3kgky3dmjq0qhpcb931l98bh0103lx"))
      (patches (map search-patch
-                    '("icecat-avoid-bundled-includes.patch")))
+                    '("icecat-avoid-bundled-includes.patch"
+                      "icecat-re-enable-DHE-cipher-suites.patch")))
      (modules '((guix build utils)))
      (snippet
       '(begin

--- a/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
+++ b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
+Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
+38.6.0 disabled by default to avoid the Logjam attack.  This issue was
+fixed in NSS version 3.19.1 by limiting the lower strength of supported
+DHE keys to use 1023 bit primes, so we can enable these cipher suites
+safely.  The DHE cipher suites are needed to allow IceCat to connect to
+many sites, including https://gnupg.org/.
+Patch by Mark H Weaver <mhw@netris.org>
+--- icecat-38.6.0/browser/app/profile/icecat.js.orig	1969-12-31 19:00:00.000000000 -0500
+++ icecat-38.6.0/browser/app/profile/icecat.js	2016-02-06 00:48:23.826170154 -0500
+@@ -2061,12 +2061,6 @@
+ pref("security.ssl3.rsa_des_ede3_sha", false);
+ pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+ pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+-// https://directory.fsf.org/wiki/Disable_DHE
+-// Avoid logjam attack
+-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+-pref("security.ssl3.dhe_dss_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+ //Optional
+ //Perfect forward secrecy
+ // pref("security.ssl3.rsa_aes_256_sha", false);