1 files changed, 24 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
new file mode 100644
index 0000000000..5c869bf510
--- /dev/null
+++ b/gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch
@@ -0,0 +1,24 @@
+Re-enable the DHE (Ephemeral Diffie-Hellman) cipher suites, which IceCat
+38.6.0 disabled by default to avoid the Logjam attack.  This issue was
+fixed in NSS version 3.19.1 by limiting the lower strength of supported
+DHE keys to use 1023 bit primes, so we can enable these cipher suites
+safely.  The DHE cipher suites are needed to allow IceCat to connect to
+many sites, including https://gnupg.org/.
+
+Patch by Mark H Weaver <mhw@netris.org>
+
+--- icecat-38.6.0/browser/app/profile/icecat.js.orig	1969-12-31 19:00:00.000000000 -0500
++++ icecat-38.6.0/browser/app/profile/icecat.js	2016-02-06 00:48:23.826170154 -0500
+@@ -2061,12 +2061,6 @@
+ pref("security.ssl3.rsa_des_ede3_sha", false);
+ pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+ pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+-// https://directory.fsf.org/wiki/Disable_DHE
+-// Avoid logjam attack
+-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+-pref("security.ssl3.dhe_dss_aes_128_sha", false);
+-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+ //Optional
+ //Perfect forward secrecy
+ // pref("security.ssl3.rsa_aes_256_sha", false);