[CentOS] RHEL 7.3 wish-list

Alice Wonder alice at domblogger.net
Sat Apr 2 19:38:12 UTC 2016


CentOS tracks RHEL and there is something I think probably can only be 
done in a point release but I believe should be done.

Update to nss and curl.

The problem - the version of curl that ships with CentOS does not 
support ECC cryptography.

A newer version would, but requires manual specification of the ciphers 
if the TLS/SSL library used (NSS on RHEL/Fedora) does not have the ECC 
ciphers enabled by default, and the NSS in RHEL/CentOS 7 does not.

This causes a problem when using CentOS 7 for something like a CDN that 
needs to pull content from a server using modern ECC cryptography 
without support for the older cryptography methods, and some sensitive 
servers are starting to do just that to avoid being vulnerable to 
various 0 day exploits that pop up with older cryptography.

I think the NSS library should be rebuilt to have ECC ciphers enabled by 
default (I don't think that requires a version update) and that curl 
should be updated, with a newer build, that includes a bump to the .so 
version.

Thoughts on this?

I'm out of town, I plan to try and file a bugzilla for this when I get 
back, but if this sounds idiotic to most then I won't.

I can solve it on my system with a local build.

Thank you for your time.

-- 
-=-
Sent my from my laptop, may not be able to respond timely



More information about the CentOS mailing list