{"id":478,"date":"2021-11-23T10:55:36","date_gmt":"2021-11-23T01:55:36","guid":{"rendered":"https:\/\/centos.ihavenomoney.co.kr\/?page_id=478"},"modified":"2021-11-23T11:45:01","modified_gmt":"2021-11-23T02:45:01","slug":"nss","status":"publish","type":"page","link":"https:\/\/centos.ihavenomoney.co.kr\/?page_id=478","title":{"rendered":"NSS"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Remark: Name Service Switch<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>NSS (Network Security Services) works with digital certificates and manages the database that stores private keys and certificates<\/li><li>Used on Linux to specify the lookup order for various kinds of information<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Checking the NSS version<\/h3>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:vim decode:true \"># rpm -q nss\nnss-3.53.1-7.el7_9.x86_64\n\n# curl -V | grep NSS\ncurl 7.29.0 (x86_64-redhat-linux-gnu) libcurl\/7.29.0 NSS\/3.53.1 zlib\/1.2.7 libidn\/1.28 libssh2\/1.8.0\n<\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">curl -v https:\/\/www.example.com<\/h3>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:vim decode:true \" title=\"curl -v https:\/\/www.example.com\">About to connect() to www.example.com port 443 (#0)\n   Trying 203.0.113.10... 
* connected\n Connected to www.example.com (203.0.113.10) port 443 (#0)\n Initializing NSS with certpath: sql:\/etc\/pki\/nssdb\n   CAfile: \/etc\/pki\/tls\/certs\/ca-bundle.crt\n CApath: none\n NSS error -5938 (PR_END_OF_FILE_ERROR)\n Closing connection #0\n SSL connect error <\/pre><\/div>\n\n\n\n<p>I encountered a similar &#8220;NSS error -5938&#8221; when using an outdated CentOS 6.x system to connect to an embedded device that stopped accepting TLS 1.0, only allowing TLS 1.1 and higher. The solution for me was to do a\u00a0<code>yum update<\/code>. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Checking the NSS changelog<\/h3>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:vim decode:true \" title=\"rpm -q --changelog nss\"># rpm -q --changelog nss | more\n* \uc218  3\uc6d4 03 2021 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.53.1-7\n- Fix HSM load failure because of CKO_Profile\n- Allow builds with strict-proto\n\n* \uc6d4  2\uc6d4 22 2021 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.53.1-6\n- Update to CVE 2020-256423 TLS flood DOS attack patch.\n\n* \ubaa9  2\uc6d4 18 2021 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.53.1-5\n- Fix CVE 2020-256423 TLS flood DOS Attack.\n\n* \uc6d4  2\uc6d4 01 2021 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.53.1-4\n- Fix deadlock issue\n- Fix 3 FTBS issues, 2 expired certs, one semantic change in nss-softokn.\n\n* \ud1a0  8\uc6d4 01 2020 Daiki Ueno &lt;dueno@redhat.com&gt; - 3.53.1-3\n- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)\n- Explicitly enable upgradedb\/sharedb test cycles\n\n* \ubaa9  7\uc6d4 30 2020 Daiki Ueno &lt;dueno@redhat.com&gt; - 3.53.1-2\n- Disable TLS 1.3 by default\n\n* \uc218  7\uc6d4 22 2020 Daiki Ueno &lt;dueno@redhat.com&gt; - 3.53.1-1\n- Rebase to NSS 3.53.1\n\n* \uae08 12\uc6d4 06 2019 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.44.0-8\n- Increase timeout on ssl_gtest so that slow platforms can complete when\n   running on a busy system.\n\n* 
\ubaa9 12\uc6d4 05 2019 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.44.0-7\n- back out out-of-bounds patch (patch for nss-softokn).\n- Fix segfault on empty or malformed ecdh keys (#1777712)\n\n* \uc218 12\uc6d4 04 2019 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.44.0-6\n- Fix out-of-bounds write in NSC_EncryptUpdate (#1775911,#1775910)\n\n* \uc218  8\uc6d4 14 2019 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.44.0-5\n- Fix pkix name constraints processing to only process the common name if the\n  certusage you are checking is IPSEC or SSL Server.\n\n* \uc218  6\uc6d4 05 2019 Bob Relyea &lt;rrelyea@redhat.com&gt; - 3.44.0-4\n- Fix certutil man page\n- Fix extracting a public key from a private key for dh, ec, and dsa\n\n* \ubaa9  5\uc6d4 30 2019 Daiki Ueno &lt;dueno@redhat.com&gt; - 3.44.0-3\n- Disable TLS 1.3 under FIPS mode\n<\/pre><\/div>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:vim decode:true \" title=\"Check which SSL the server supports\"># nmap --script ssl-enum-ciphers -p 443 daum.net\n\nStarting Nmap 6.40 ( http:\/\/nmap.org ) at 2021-11-23 11:43 KST\nNmap scan report for daum.net (203.133.167.81)\nHost is up (0.0029s latency).\nOther addresses for daum.net (not scanned): 203.133.167.16 211.231.99.17 211.231.99.80\nPORT    STATE SERVICE\n443\/tcp open  https\n| ssl-enum-ciphers:\n|   TLSv1.0:\n|     ciphers:\n|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_256_CBC_SHA - strong\n|     compressors:\n|       NULL\n|   TLSv1.1:\n|     ciphers:\n|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - 
strong\n|       TLS_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_256_CBC_SHA - strong\n|     compressors:\n|       NULL\n|   TLSv1.2:\n|     ciphers:\n|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong\n|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong\n|       TLS_RSA_WITH_AES_256_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong\n|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong\n|     compressors:\n|       NULL\n|_  least strength: strong\n\nNmap done: 1 IP address (1 host up) scanned in 0.61 seconds\n<\/pre><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Remark: Name Service Switch NSS (Network Security Services) works with digital certificates and manages the database that stores private keys and certificates Used on Linux to specify the lookup order for various kinds of information Checking the NSS version curl -v https:\/\/www.example.com I encountered a similar &#8220;NSS error -5938&#8221; when using an outdated CentOS 6.x system to connect to an embedded device that stopped accepting TLS &hellip;<br \/><a href=\"https:\/\/centos.ihavenomoney.co.kr\/?page_id=478\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\"><span class=\"screen-reader-text\">NSS<\/span> 
Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-478","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/pages\/478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=478"}],"version-history":[{"count":6,"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/pages\/478\/revisions"}],"predecessor-version":[{"id":488,"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=\/wp\/v2\/pages\/478\/revisions\/488"}],"wp:attachment":[{"href":"https:\/\/centos.ihavenomoney.co.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}