CentOS tracks RHEL and there is something I think probably can only be done in a point release but I believe should be done.

Update to nss and curl.

The problem - the version of curl that ships with CentOS does not support ECC cryptography.

A newer version would, but requires manual specification of the ciphers if the TLS/SSL library used (NSS on RHEL/Fedora) does not have the ECC ciphers enabled by default, and the NSS in RHEL/CentOS 7 does not.

This causes a problem when using CentOS 7 for something like a CDN that needs to pull content from a server using modern ECC cryptography without support for the older cryptography methods, and some sensitive servers are starting to do just that to avoid being vulnerable to various 0 day exploits that pop up with older cryptography.

I think the NSS library should be rebuilt to have ECC ciphers enabled by default (I don't think that requires a version update) and that curl should be updated, with a newer build, that includes a bump to the .so version.

Thoughts on this?

I'm out of town, I plan to try and file a bugzilla for this when I get back, but if this sounds idiotic to most then I won't.

I can solve it on my system with a local build.

Thank you for your time.

--
-=-
Sent from my laptop, may not be able to respond timely
On 02/04/16 03:38 PM, Alice Wonder wrote:
> CentOS tracks RHEL and there is something I think probably can only be
> done in a point release but I believe should be done.
>
> Update to nss and curl.
>
> The problem - the version of curl that ships with CentOS does not
> support ECC cryptography.
>
> A newer version would, but requires manual specification of the ciphers
> if the TLS/SSL library used (NSS on RHEL/Fedora) does not have the ECC
> ciphers enabled by default, and the NSS in RHEL/CentOS 7 does not.
>
> This causes a problem when using CentOS 7 for something like a CDN that
> needs to pull content from a server using modern ECC cryptography
> without support for the older cryptography methods, and some sensitive
> servers are starting to do just that to avoid being vulnerable to
> various 0 day exploits that pop up with older cryptography.
>
> I think the NSS library should be rebuilt to have ECC ciphers enabled by
> default (I don't think that requires a version update) and that curl
> should be updated, with a newer build, that includes a bump to the .so
> version.
>
> Thoughts on this?
>
> I'm out of town, I plan to try and file a bugzilla for this when I get
> back, but if this sounds idiotic to most then I won't.
>
> I can solve it on my system with a local build.
>
> Thank you for your time.

You can always ask in bugzilla. If they reject it, you should at least get their reasoning.

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?