NSS on RHEL6

Updated 13 Feb 2018

Capabilities of NSS (v3.28.4) on RHEL6

This article is part of the Securing Applications Collection

Due to the serious issues with the design of TLS and implementation issues in nss uncovered during the lifetime of RHEL6 you should always use the latest version but at least

nss-3.28.4-4.el6_9

Capabilities

Protocols

TLSv1.2
TLSv1.1
TLSv1
SSLv3

Ciphers

In all current versions of NSS there is no centralised mechanism to provide a preferred cipher list. The result of this is that all applications that utilise NSS for their cipher needs provide their own cipher string parsers. This known shortcoming is something that is looking to be addressed in future releases of NSS.

Suite Name	Cipher Suite	Key Exchange	Auth Algo	Symmetric Cipher	Effective Bits	MAC Algo	Enabled	Class	Export/Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	0xc02b	ECDHE	ECDSA	AES-GCM	128	AEAD	Enabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	0xc02f	ECDHE	RSA	AES-GCM	128	AEAD	Enabled	FIPS	Domestic
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	0x009e	DHE	RSA	AES-GCM	128	AEAD	Enabled	FIPS	Domestic
TLS_RSA_WITH_AES_128_GCM_SHA256	0x009c	RSA	RSA	AES-GCM	128	AEAD	Enabled	FIPS	Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	0xc00a	ECDHE	ECDSA	AES	256	SHA1	Enabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	0xc014	ECDHE	RSA	AES	256	SHA1	Enabled	FIPS	Domestic
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	0x0088	DHE	RSA	CAMELLIA	256	SHA1	Disabled		Domestic
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA	0x0087	DHE	DSA	CAMELLIA	256	SHA1	Disabled		Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA	0x0039	DHE	RSA	AES	256	SHA1	Enabled	FIPS	Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256	0x006b	DHE	RSA	AES	256	SHA256	Enabled	FIPS	Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA	0x0038	DHE	DSA	AES	256	SHA1	Enabled	FIPS	Domestic
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA	0xc00f	ECDH	RSA	AES	256	SHA1	Disabled	FIPS	Domestic
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA	0xc005	ECDH	ECDSA	AES	256	SHA1	Disabled	FIPS	Domestic
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA	0x0084	RSA	RSA	CAMELLIA	256	SHA1	Disabled		Domestic
TLS_RSA_WITH_AES_256_CBC_SHA	0x0035	RSA	RSA	AES	256	SHA1	Enabled	FIPS	Domestic
TLS_RSA_WITH_AES_256_CBC_SHA256	0x003d	RSA	RSA	AES	256	SHA256	Enabled	FIPS	Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	0xc009	ECDHE	ECDSA	AES	128	SHA1	Enabled	FIPS	Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	0xc023	ECDHE	ECDSA	AES	128	SHA256	Disabled	FIPS	Domestic
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA	0xc007	ECDHE	ECDSA	RC4	128	SHA1	Disabled		Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	0xc013	ECDHE	RSA	AES	128	SHA1	Enabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	0xc027	ECDHE	RSA	AES	128	SHA256	Disabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_RC4_128_SHA	0xc011	ECDHE	RSA	RC4	128	SHA1	Disabled		Domestic
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256	0x00a2	DHE	DSA	AES-GCM	128	AEAD	Disabled	FIPS	Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256	0x0040	DHE	DSA	AES	128	SHA256	Disabled	FIPS	Domestic
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA	0x0045	DHE	RSA	CAMELLIA	128	SHA1	Disabled		Domestic
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA	0x0044	DHE	DSA	CAMELLIA	128	SHA1	Disabled		Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256	0x006a	DHE	DSA	AES	256	SHA256	Disabled	FIPS	Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA	0x0033	DHE	RSA	AES	128	SHA1	Enabled	FIPS	Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	0x0067	DHE	RSA	AES	128	SHA256	Enabled	FIPS	Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA	0x0032	DHE	DSA	AES	128	SHA1	Enabled	FIPS	Domestic
TLS_DHE_DSS_WITH_RC4_128_SHA	0x0066	DHE	DSA	RC4	128	SHA1	Disabled		Domestic
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA	0xc00e	ECDH	RSA	AES	128	SHA1	Disabled	FIPS	Domestic
TLS_ECDH_RSA_WITH_RC4_128_SHA	0xc00c	ECDH	RSA	RC4	128	SHA1	Disabled		Domestic
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA	0xc004	ECDH	ECDSA	AES	128	SHA1	Disabled	FIPS	Domestic
TLS_ECDH_ECDSA_WITH_RC4_128_SHA	0xc002	ECDH	ECDSA	RC4	128	SHA1	Disabled		Domestic
TLS_RSA_WITH_SEED_CBC_SHA	0x0096	RSA	RSA	SEED	128	SHA1	Disabled	FIPS	Domestic
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA	0x0041	RSA	RSA	CAMELLIA	128	SHA1	Disabled		Domestic
TLS_RSA_WITH_AES_128_CBC_SHA	0x002f	RSA	RSA	AES	128	SHA1	Enabled	FIPS	Domestic
TLS_RSA_WITH_AES_128_CBC_SHA256	0x003c	RSA	RSA	AES	128	SHA256	Enabled	FIPS	Domestic
TLS_RSA_WITH_RC4_128_SHA	0x0005	RSA	RSA	RC4	128	SHA1	Enabled		Domestic
TLS_RSA_WITH_RC4_128_MD5	0x0004	RSA	RSA	RC4	128	MD5	Enabled		Domestic
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA	0xc008	ECDHE	ECDSA	3DES	112	SHA1	Disabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA	0xc012	ECDHE	RSA	3DES	112	SHA1	Disabled	FIPS	Domestic
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016	DHE	RSA	3DES	112	SHA1	Enabled	FIPS	Domestic
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013	DHE	DSA	3DES	112	SHA1	Enabled	FIPS	Domestic
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA	0xc00d	ECDH	RSA	3DES	112	SHA1	Disabled	FIPS	Domestic
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA	0xc003	ECDH	ECDSA	3DES	112	SHA1	Disabled	FIPS	Domestic
TLS_RSA_WITH_3DES_EDE_CBC_SHA	0x000a	RSA	RSA	3DES	112	SHA1	Enabled	FIPS	Domestic
TLS_DHE_RSA_WITH_DES_CBC_SHA	0x0015	DHE	RSA	DES	56	SHA1	Disabled		Domestic
TLS_DHE_DSS_WITH_DES_CBC_SHA	0x0012	DHE	DSA	DES	56	SHA1	Disabled		Domestic
TLS_RSA_WITH_DES_CBC_SHA	0x0009	RSA	RSA	DES	56	SHA1	Disabled		Domestic
TLS_ECDHE_ECDSA_WITH_NULL_SHA	0xc006	ECDHE	ECDSA	NULL	0	SHA1	Disabled		Domestic
TLS_ECDHE_RSA_WITH_NULL_SHA	0xc010	ECDHE	RSA	NULL	0	SHA1	Disabled		Domestic
TLS_ECDH_RSA_WITH_NULL_SHA	0xc00b	ECDH	RSA	NULL	0	SHA1	Disabled		Domestic
TLS_ECDH_ECDSA_WITH_NULL_SHA	0xc001	ECDH	ECDSA	NULL	0	SHA1	Disabled		Domestic
TLS_RSA_WITH_NULL_SHA	0x0002	RSA	RSA	NULL	0	SHA1	Disabled		Domestic
TLS_RSA_WITH_NULL_SHA256	0x003b	RSA	RSA	NULL	0	SHA256	Disabled		Domestic
TLS_RSA_WITH_NULL_MD5	0x0001	RSA	RSA	NULL	0	MD5	Disabled		Domestic
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	0xcca9	ECDHE	ECDSA	CHACHA20POLY1305	256	AEAD	Enabled		Domestic
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	0xcca8	ECDHE	RSA	CHACHA20POLY1305	256	AEAD	Enabled		Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	0xc02c	ECDHE	ECDSA	AES-GCM	256	AEAD	Disabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	0xc030	ECDHE	RSA	AES-GCM	256	AEAD	Disabled	FIPS	Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	0xc024	ECDHE	ECDSA	AES	256	SHA384	Disabled	FIPS	Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	0xc028	ECDHE	RSA	AES	256	SHA384	Disabled	FIPS	Domestic
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256	0xccaa	DHE	RSA	CHACHA20POLY1305	256	AEAD	Enabled		Domestic
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	0x009f	DHE	RSA	AES-GCM	256	AEAD	Disabled	FIPS	Domestic
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384	0x00a3	DHE	DSA	AES-GCM	256	AEAD	Disabled	FIPS	Domestic
TLS_RSA_WITH_AES_256_GCM_SHA384	0x009d	RSA	RSA	AES-GCM	256	AEAD	Disabled	FIPS	Domestic
TLS_AES_128_GCM_SHA256	0x1301	TLS 1.3	TLS 1.3	AES-GCM	128	AEAD	Enabled	FIPS	Domestic
TLS_CHACHA20_POLY1305_SHA256	0x1303	TLS 1.3	TLS 1.3	CHACHA20POLY1305	256	AEAD	Enabled		Domestic
TLS_AES_256_GCM_SHA384	0x1302	TLS 1.3	TLS 1.3	AES-GCM	256	AEAD	Enabled		Domestic

Certificates

certificates with RSA keys and SHA-1 or SHA-256 signatures.
certificates with EC keys and DSA or SHA-256 signatures

Hashes

md5 message digest algorithm
sha1 message digest algorithm
sha message digest algorithm
sha224 message digest algorithm
sha256 message digest algorithm
sha384 message digest algorithm
sha512 message digest algorithm

Additional Notes

The upgrade to nss-3.28.4 included some deprecations.
RHEL6.9 Deprecated Functionality

SSLv2 support was removed
MD5 can no longer be used as a signing algorithm
NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
EXPORT cipher suites in NSS are deprecated

Product(s)

Red Hat Enterprise Linux

Category

Secure

Components

Tags

security

Article Type

General