NSS on RHEL6

Updated -

Capabilities of NSS (v3.28.4) on RHEL6

This article is part of the Securing Applications Collection

Due to the serious issues with the design of TLS and implementation issues in nss uncovered during the lifetime of RHEL6 you should always use the latest version but at least

nss-3.28.4-4.el6_9

Capabilities

Protocols

  • TLSv1.2
  • TLSv1.1
  • TLSv1
  • SSLv3

Ciphers

In all current versions of NSS there is no centralised mechanism to provide a preferred cipher list. The result of this is that all applications that utilise NSS for their cipher needs provide their own cipher string parsers. This known shortcoming is something that is looking to be addressed in future releases of NSS.

Suite Name Cipher Suite Key Exchange Auth Algo Symmetric Cipher Effective Bits MAC Algo Enabled Class Export/Domestic Note
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b ECDHE ECDSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f ECDHE RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009e DHE RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_RSA_WITH_AES_128_GCM_SHA256 0x009c RSA RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a ECDHE ECDSA AES 256 SHA1 Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014 ECDHE RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 DHE RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 DHE DSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 DHE RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006b DHE RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 DHE DSA AES 256 SHA1 Enabled FIPS Domestic
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xc00f ECDH RSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xc005 ECDH ECDSA AES 256 SHA1 Disabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 RSA RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 RSA RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d RSA RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009 ECDHE ECDSA AES 128 SHA1 Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xc023 ECDHE ECDSA AES 128 SHA256 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xc007 ECDHE ECDSA RC4 128 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013 ECDHE RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xc027 ECDHE RSA AES 128 SHA256 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xc011 ECDHE RSA RC4 128 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00a2 DHE DSA AES-GCM 128 AEAD Disabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 DHE DSA AES 128 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 DHE RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 DHE DSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006a DHE DSA AES 256 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 DHE RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 DHE RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 DHE DSA AES 128 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 DHE DSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xc00e ECDH RSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_RC4_128_SHA 0xc00c ECDH RSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xc004 ECDH ECDSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xc002 ECDH ECDSA RC4 128 SHA1 Disabled Domestic
TLS_RSA_WITH_SEED_CBC_SHA 0x0096 RSA RSA SEED 128 SHA1 Disabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 RSA RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_128_CBC_SHA 0x002f RSA RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c RSA RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_RSA_WITH_RC4_128_SHA 0x0005 RSA RSA RC4 128 SHA1 Enabled Domestic
TLS_RSA_WITH_RC4_128_MD5 0x0004 RSA RSA RC4 128 MD5 Enabled Domestic
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc008 ECDHE ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xc012 ECDHE RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 DHE RSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 DHE DSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xc00d ECDH RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc003 ECDH ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a RSA RSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 DHE RSA DES 56 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 DHE DSA DES 56 SHA1 Disabled Domestic
TLS_RSA_WITH_DES_CBC_SHA 0x0009 RSA RSA DES 56 SHA1 Disabled Domestic
TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xc006 ECDHE ECDSA NULL 0 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_NULL_SHA 0xc010 ECDHE RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_NULL_SHA 0xc00b ECDH RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_NULL_SHA 0xc001 ECDH ECDSA NULL 0 SHA1 Disabled Domestic
TLS_RSA_WITH_NULL_SHA 0x0002 RSA RSA NULL 0 SHA1 Disabled Domestic
TLS_RSA_WITH_NULL_SHA256 0x003b RSA RSA NULL 0 SHA256 Disabled Domestic
TLS_RSA_WITH_NULL_MD5 0x0001 RSA RSA NULL 0 MD5 Disabled Domestic
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xcca9 ECDHE ECDSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xcca8 ECDHE RSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c ECDHE ECDSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030 ECDHE RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xc024 ECDHE ECDSA AES 256 SHA384 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xc028 ECDHE RSA AES 256 SHA384 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xccaa DHE RSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009f DHE RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00a3 DHE DSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_RSA_WITH_AES_256_GCM_SHA384 0x009d RSA RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_AES_128_GCM_SHA256 0x1301 TLS 1.3 TLS 1.3 AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_CHACHA20_POLY1305_SHA256 0x1303 TLS 1.3 TLS 1.3 CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_AES_256_GCM_SHA384 0x1302 TLS 1.3 TLS 1.3 AES-GCM 256 AEAD Enabled Domestic

Certificates

  • certificates with RSA keys and SHA-1 or SHA-256 signatures.
  • certificates with EC keys and DSA or SHA-256 signatures

Hashes

  • md5 message digest algorithm
  • sha1 message digest algorithm
  • sha message digest algorithm
  • sha224 message digest algorithm
  • sha256 message digest algorithm
  • sha384 message digest algorithm
  • sha512 message digest algorithm

Additional Notes

The upgrade to nss-3.28.4 included some deprecations.
RHEL6.9 Deprecated Functionality

  • SSLv2 support was removed
  • MD5 can no longer be used as a signing algorithm
  • NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
  • EXPORT cipher suites in NSS are deprecated
  • Component
  • nss

Comments