Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.0.z
Affects Version/s: rhel-10.0.z, rhel-9.7
Component/s: nss
Labels:

Regression:
No
Severity:
Low
Epic Link:
CRYPTO-15443
sprint_count:
2

AssignedTeam:
rhel-security-crypto-clubs

Story Points:
1.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto25August, Crypto25September

Acceptance Criteria:
Hide

Existing NSS certificate compression tests pass:

/CoreOS/nss/Sanity/compressed-certificate-coverage

/CoreOS/gnutls/Interoperability/cert-compression-with-NSS

/CoreOS/openssl/Interoperability/cert-compression-with-NSS
Show
Existing NSS certificate compression tests pass: /CoreOS/nss/Sanity/compressed-certificate-coverage /CoreOS/gnutls/Interoperability/cert-compression-with-NSS /CoreOS/openssl/Interoperability/cert-compression-with-NSS
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/152258
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

s390x

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Use zlib certificate compression with tstclnt/selfserv on s390x.

What is the impact of this issue to you?

I try to not attach personally to such stuff, but that leaves cert compression as implemented in NSS broken on big-endian platforms.

Please provide the package NVR for which the bug is seen:

nss-3.112.0-2.el10_0

How reproducible is this bug?:

reliably

Steps to reproduce

selfserv -n server -d sql:nssdb -q -p 4433
connect with openssl, gnutls or tlsfuzzer's test-tls13-certificate-compression.py

Expected results

cert compression works

Actual results

handshake_failed alerts from NSS

Fix

https://phabricator.services.mozilla.com/D259453

is triggered by

RHEL-57787 Selfserv -q flag is not enabling compressed certificate support

Release Pending

links to

RHEA-2025:152258 nss enhancement update

Assignee:: Robert Relyea

Reporter:: Alexander Sosedkin

Developer:: Robert Relyea

QA Contact:: Alexander Sosedkin

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/08/01 2:53 PM

Updated:: 2025/09/09 1:22 PM

Resolved:: 2025/09/08 3:27 PM

Next Planned Release Date:: 1970/01/01

Release Date:: 2025/09/08

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Fix

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide