summaryrefslogtreecommitdiffstats
path: root/abs/extra/nss
diff options
context:
space:
mode:
Diffstat (limited to 'abs/extra/nss')
-rw-r--r--abs/extra/nss/PKGBUILD30
-rw-r--r--abs/extra/nss/certdata2pem.py1
-rw-r--r--abs/extra/nss/legacy-certs.patch26
-rw-r--r--abs/extra/nss/nss.install13
-rw-r--r--abs/extra/nss/ssl-renegotiate-transitional.patch21
5 files changed, 55 insertions, 36 deletions
diff --git a/abs/extra/nss/PKGBUILD b/abs/extra/nss/PKGBUILD
index 7a06cec..4bf9a60 100644
--- a/abs/extra/nss/PKGBUILD
+++ b/abs/extra/nss/PKGBUILD
@@ -3,36 +3,34 @@
pkgbase=nss
pkgname=(nss ca-certificates-mozilla)
-pkgver=3.17
-pkgrel=4
+pkgver=3.20
+pkgrel=1
pkgdesc="Mozilla Network Security Services"
arch=(i686 x86_64)
url="http://www.mozilla.org/projects/security/pki/nss/"
license=('MPL' 'GPL')
-_nsprver=4.10.7
+_nsprver=4.10.8
depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh' 'p11-kit')
makedepends=('perl' 'python2')
options=('!strip' '!makeflags' 'staticlibs')
-source=("ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
- certdata2pem.py
- bundle.sh
- nss.pc.in
- nss-config.in
- ssl-renegotiate-transitional.patch)
-sha256sums=('3b1abcd8f89211dda2cc739bfa76552d080f7ea80482ef2727b006548a7f0c81'
- 'af13c30801a8a27623948206458432a4cf98061b75ff6e5b5e03912f93c034ee'
+source=("https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
+ certdata2pem.py bundle.sh nss.pc.in nss-config.in legacy-certs.patch)
+sha256sums=('5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c'
+ '2a2ff9131c21fa3b23ad7c7a2f069eabc783e56c6eb05419ac5f365f48dea0fc'
'045f520403f715a4cc7f3607b4e2c9bcc88fee5bce58d462fddaa2fdb0e4c180'
'b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd'
'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9'
- '12df04bccbf674db1eef7a519a28987927b5e9c107b1dc386686f05e64f49a97')
+ '22330fcde2dac5fa4733f7d77bffbbd31d91cbaa338738afdc2a8ebfccb61184')
prepare() {
mkdir certs
cd nss-$pkgver
- # Adds transitional SSL renegotiate support - patch from Debian
- patch -Np3 -i ../ssl-renegotiate-transitional.patch
+ # FS#45479: Reenable two weak Verisign certificates used by login.live.com
+ # Otherwise, accessing this site via Epiphany (GnuTLS) or Skype (OpenSSL) fails
+ # Also see https://gist.github.com/grawity/15eabf67191e17080241
+ patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch
# Respect LDFLAGS
sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \
@@ -66,6 +64,8 @@ build() {
}
package_nss() {
+ install=nss.install
+
cd nss-$pkgver
install -d "$pkgdir"/usr/{bin,include/nss,lib/pkgconfig}
@@ -105,7 +105,7 @@ package_nss() {
install -t "$pkgdir/usr/include/nss" -m644 *.h
rm "$pkgdir/usr/lib/libnssckbi.so"
- ln -s pkcs11/p11-kit-trust.so "$pkgdir/usr/lib/libnssckbi.so"
+ ln -s libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
}
package_ca-certificates-mozilla() {
diff --git a/abs/extra/nss/certdata2pem.py b/abs/extra/nss/certdata2pem.py
index 175de1a..021772a 100644
--- a/abs/extra/nss/certdata2pem.py
+++ b/abs/extra/nss/certdata2pem.py
@@ -196,4 +196,5 @@ for tobj in objects:
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
+ f.close()
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
diff --git a/abs/extra/nss/legacy-certs.patch b/abs/extra/nss/legacy-certs.patch
new file mode 100644
index 0000000..863cef9
--- /dev/null
+++ b/abs/extra/nss/legacy-certs.patch
@@ -0,0 +1,26 @@
+--- certdata.txt 2015-06-27 23:31:01.419795911 +0200
++++ certdata-legacy-less.txt 2015-06-27 23:57:47.106199639 +0200
+@@ -577,9 +577,9 @@
+ \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
+ \272\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+@@ -17186,9 +17186,9 @@
+ \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
+ \022\276
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
diff --git a/abs/extra/nss/nss.install b/abs/extra/nss/nss.install
new file mode 100644
index 0000000..24f9ec6
--- /dev/null
+++ b/abs/extra/nss/nss.install
@@ -0,0 +1,13 @@
+post_upgrade() {
+ if (($(vercmp $2 3.18-3) < 0)); then
+ # This symlink was created by ldconfig because we linked to
+ # pkcs11/p11-kit-trust.so from libnssckbi.so; the chain was:
+ # p11-kit-trust.so -> libnssckbi.so -> pkcs11/p11-kit-trust.so
+ # Now we have:
+ # libnssckbi.so -> libnssckbi-p11-kit.so
+ # which no longer creates an incorrect p11-kit-trust.so symlink
+ if [[ $(readlink usr/lib/p11-kit-trust.so) == libnssckbi.so ]]; then
+ rm usr/lib/p11-kit-trust.so
+ fi
+ fi
+}
diff --git a/abs/extra/nss/ssl-renegotiate-transitional.patch b/abs/extra/nss/ssl-renegotiate-transitional.patch
deleted file mode 100644
index f457c55..0000000
--- a/abs/extra/nss/ssl-renegotiate-transitional.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Enable transitional scheme for ssl renegotiation:
-
-(from mozilla/security/nss/lib/ssl/ssl.h)
-Disallow unsafe renegotiation in server sockets only, but allow clients
-to continue to renegotiate with vulnerable servers.
-This value should only be used during the transition period when few
-servers have been upgraded.
-
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index f1d1921..c074360 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* noLocks */
- PR_FALSE, /* enableSessionTickets */
- PR_FALSE, /* enableDeflate */
-- 2, /* enableRenegotiation (default: requires extension) */
-+ 3, /* enableRenegotiation (default: transitional) */
- PR_FALSE, /* requireSafeNegotiation */
- };
-