NSS on RHEL5

Updated -

Capabilities of NSS (v3.21.3) on RHEL5

This article is part of the Securing Applications Collection

Due to the serious issues with the design of TLS and implementation issues in nss uncovered during the lifetime of RHEL5 you should always use the latest version but at least

nss-3.21.3-2.el5_11

Capabilities

Protocols

  • TLSv1.2
  • TLSv1.1
  • TLSv1
  • SSLv3
  • SSLv2

Ciphers

In all current versions of NSS there is no centralised mechanism to provide a preferred cipher list. The result of this is that all applications that utilise NSS for their cipher needs provide their own cipher string parsers. This known shortcoming is something that is looking to be addressed in future releases of NSS.

Suite Name Cipher Suite Key Exchange Auth Algo Symmetric Cipher Effective Bits MAC Algo Enabled Class Export/Domestic Note
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b ECDHE ECDSA AES-GCM 128 AEAD Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f ECDHE RSA AES-GCM 128 AEAD Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a ECDHE ECDSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009 ECDHE ECDSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013 ECDHE RSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xc023 ECDHE ECDSA AES 128 SHA256 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xc027 ECDHE RSA AES 128 SHA256 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014 ECDHE RSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc008 ECDHE ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xc012 ECDHE RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xc007 ECDHE ECDSA RC4 128 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xc011 ECDHE RSA RC4 128 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009e DHE RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00a2 DHE DSA AES-GCM 128 AEAD Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 DHE RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 DHE DSA AES 128 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 DHE RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 DHE DSA AES 128 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 DHE RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 DHE DSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 DHE RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 DHE DSA AES 256 SHA1 Enabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006b DHE RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006a DHE DSA AES 256 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 DHE RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 DHE DSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 DHE RSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 DHE DSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 DHE DSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xc004 ECDH ECDSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xc00e ECDH RSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xc005 ECDH ECDSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xc00f ECDH RSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc003 ECDH ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xc00d ECDH RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xc002 ECDH ECDSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_RC4_128_SHA 0xc00c ECDH RSA RC4 128 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_128_GCM_SHA256 0x009c RSA RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_RSA_WITH_AES_128_CBC_SHA 0x002f RSA RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c RSA RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 RSA RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 RSA RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d RSA RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 RSA RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_RSA_WITH_SEED_CBC_SHA 0x0096 RSA RSA SEED 128 SHA1 Disabled FIPS Domestic
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff RSA RSA 3DES 112 SHA1 Disabled FIPS Domestic nonStandard
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a RSA RSA 3DES 112 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_RC4_128_SHA 0x0005 RSA RSA RC4 128 SHA1 Enabled Domestic
TLS_RSA_WITH_RC4_128_MD5 0x0004 RSA RSA RC4 128 MD5 Enabled Domestic
TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 DHE RSA DES 56 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 DHE DSA DES 56 SHA1 Disabled Domestic
SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe RSA RSA DES 56 SHA1 Disabled Domestic nonStandard
TLS_RSA_WITH_DES_CBC_SHA 0x0009 RSA RSA DES 56 SHA1 Disabled Domestic
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064 RSA RSA RC4 56 SHA1 Disabled Export
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062 RSA RSA DES 56 SHA1 Disabled Export
TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 RSA RSA RC4 40 MD5 Disabled Export
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 RSA RSA RC2 40 MD5 Disabled Export
TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xc006 ECDHE ECDSA NULL 0 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_NULL_SHA 0xc010 ECDHE RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_NULL_SHA 0xc00b ECDH RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_NULL_SHA 0xc001 ECDH ECDSA NULL 0 SHA1 Disabled Domestic
TLS_RSA_WITH_NULL_SHA 0x0002 RSA RSA NULL 0 SHA1 Disabled Export
TLS_RSA_WITH_NULL_SHA256 0x003b RSA RSA NULL 0 SHA256 Disabled Export
TLS_RSA_WITH_NULL_MD5 0x0001 RSA RSA NULL 0 MD5 Disabled Export
SSL_CK_RC4_128_WITH_MD5 0xff01 RSA RSA RC4 128 MD5 Enabled SSL2 Domestic
SSL_CK_RC2_128_CBC_WITH_MD5 0xff03 RSA RSA RC2 128 MD5 Enabled SSL2 Domestic
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0xff07 RSA RSA 3DES 112 MD5 Enabled SSL2 Domestic
SSL_CK_DES_64_CBC_WITH_MD5 0xff06 RSA RSA DES 56 MD5 Enabled SSL2 Domestic
SSL_CK_RC4_128_EXPORT40_WITH_MD5 0xff02 RSA RSA RC4 40 MD5 Enabled SSL2 Export
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0xff04 RSA RSA RC2 40 MD5 Enabled SSL2 Export

Certificates

  • certificates with RSA keys and SHA-1 or SHA-256 signatures.
  • certificates with EC keys and DSA or SHA-256 signatures

Hashes

  • md5 message digest algorithm
  • sha1 message digest algorithm
  • sha message digest algorithm
  • sha224 message digest algorithm
  • sha256 message digest algorithm
  • sha384 message digest algorithm
  • sha512 message digest algorithm

Additional Notes

  • Component
  • nss

Comments