NSS – CentOS 정복 -> Rocky

Remark : Name Service Switch

NSS(Network Security Services) 디지털 인증서를 사용하여 개인 키와 인증서를 저장하는 데이터베이스를 관리합니다
리눅스에서 각종 정보의 검색 순서를 지정하는 데 사용되는 것

NSS 버전확인

# rpm -q nss
nss-3.53.1-7.el7_9.x86_64

# curl -V | grep NSS
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0

# rpm -q nss

nss-3.53.1-7.el7_9.x86_64

# curl -V | grep NSS

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0

curl -v https://www.example.com

About to connect() to www.example.com port 443 (#0)
   Trying 203.0.113.10... * connected
 Connected to www.example.com (203.0.113.10) port 443 (#0)
 Initializing NSS with certpath: sql:/etc/pki/nssdb
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
 NSS error -5938 (PR_END_OF_FILE_ERROR)
 Closing connection #0
 SSL connect error

About to connect() to www.example.com port 443 (#0)

Trying 203.0.113.10... * connected

Connected to www.example.com (203.0.113.10) port 443 (#0)

Initializing NSS with certpath: sql:/etc/pki/nssdb

CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

NSS error -5938 (PR_END_OF_FILE_ERROR)

Closing connection #0

SSL connect error

I encountered a similar “NSS error -5938” when using an outdated CentOS 6.x system to connect to an embedded device that stopped accepting TLS 1.0, only allowing TLS 1.1 and higher. The solution for me was to do a yum update.

Changelog NSS 확인

# rpm -q --changelog nss | more
* 수  3월 03 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-7
- Fix HSM load failure because of CKO_Profile
- Allow builds with strict-proto

* 월  2월 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-6
- Update to CVE 2020-256423 TLS flood DOS attack patch.

* 목  2월 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-5
- Fix CVE 2020-256423 TLS flood DOS Attack.

* 월  2월 01 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-4
- Fix deadlock issue
- Fix 3 FTBS issues, 2 expired certs, one semantic change in nss-softokn.

* 토  8월 01 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-3
- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

* 목  7월 30 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-2
- Disable TLS 1.3 by default

* 수  7월 22 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-1
- Rebase to NSS 3.53.1

* 금 12월 06 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-8
- Increase timeout on ssl_gtest so that slow platforms can complete when
   running on a busy system.

* 목 12월 05 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-7
- back out out-of-bounds patch (patch for nss-softokn).
- Fix segfault on empty or malformed ecdh keys (#1777712)

* 수 12월 04 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-6
- Fix out-of-bounds write in NSC_EncryptUpdate (#1775911,#1775910)

* 수  8월 14 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-5
- Fix pkix name constraints processing to only process the common name if the
  certusage you are checking is IPSEC or SSL Server.

* 수  6월 05 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4
- Fix certutil man page
- Fix extracting a public key from a private key for dh, ec, and dsa

* 목  5월 30 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-3
- Disable TLS 1.3 under FIPS mode

# rpm -q --changelog nss | more

* 수 3월 03 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-7

- Fix HSM load failure because of CKO_Profile

- Allow builds with strict-proto

* 월 2월 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-6

- Update to CVE 2020-256423 TLS flood DOS attack patch.

* 목 2월 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-5

- Fix CVE 2020-256423 TLS flood DOS Attack.

* 월 2월 01 2021 Bob Relyea <rrelyea@redhat.com> - 3.53.1-4

- Fix deadlock issue

- Fix 3 FTBS issues, 2 expired certs, one semantic change in nss-softokn.

* 토 8월 01 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-3

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)

- Explicitly enable upgradedb/sharedb test cycles

* 목 7월 30 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-2

- Disable TLS 1.3 by default

* 수 7월 22 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-1

- Rebase to NSS 3.53.1

* 금 12월 06 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-8

- Increase timeout on ssl_gtest so that slow platforms can complete when

running on a busy system.

* 목 12월 05 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-7

- back out out-of-bounds patch (patch for nss-softokn).

- Fix segfault on empty or malformed ecdh keys (#1777712)

* 수 12월 04 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-6

- Fix out-of-bounds write in NSC_EncryptUpdate (#1775911,#1775910)

* 수 8월 14 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-5

- Fix pkix name constraints processing to only process the common name if the

certusage you are checking is IPSEC or SSL Server.

* 수 6월 05 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4

- Fix certutil man page

- Fix extracting a public key from a private key for dh, ec, and dsa

* 목 5월 30 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-3

- Disable TLS 1.3 under FIPS mode

# nmap --script ssl-enum-ciphers -p 443 daum.net

Starting Nmap 6.40 ( http://nmap.org ) at 2021-11-23 11:43 KST
Nmap scan report for daum.net (203.133.167.81)
Host is up (0.0029s latency).
Other addresses for daum.net (not scanned): 203.133.167.16 211.231.99.17 211.231.99.80
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

# nmap --script ssl-enum-ciphers -p 443 daum.net

Starting Nmap 6.40 ( http://nmap.org ) at 2021-11-23 11:43 KST

Nmap scan report for daum.net (203.133.167.81)

Host is up (0.0029s latency).

Other addresses for daum.net (not scanned): 203.133.167.16 211.231.99.17 211.231.99.80

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.1:

| ciphers:

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

| compressors:

| NULL

|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds