apache2-mod_nss/README-SUSE.txt

Accepting request 222758 from home:draht:branches:mozilla:Factory

- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are:
    rsa_aes_128_gcm_sha          == TLS_RSA_WITH_AES_128_GCM_SHA256
    rsa_camellia_128_sha         == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    rsa_camellia_256_sha         == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    ecdh_ecdsa_aes_128_gcm_sha   == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    ecdhe_ecdsa_aes_128_gcm_sha  == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    ecdh_rsa_aes_128_gcm_sha     == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    ecdhe_rsa_aes_128_gcm_sha    == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
  If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when
  server is configured to not request or require client certificate
  authentication on the initial connection), and client certificate
  authentication is expected to be required for a specific directory via
  'NSSVerifyClient require' setting, mod_nss fails to properly require
  certificate authentication. Remote attacker can use this to access content
  of the restricted directories. [bnc#853039]
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  * simultaneous usage of mod_ssl and mod_nss
  * SNI concurrency
  * SUSE framework for apache configuration, Listen directive
  * module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or
  mod_nss.conf, respectively. This also leads to the removal of

OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
2014-02-20 22:12:44 +01:00
Fri Nov 8 00:00:00 CET 2013 - draht
README-SUSE.txt for apache2-mod_nss
==============================================================================
Rationale:

The apache2-mod_nss package was added to the SLES11 codebase to satisfy the
increased demand for a TLSv1.2 capable crypto solution for the apache
webserver, as an enhancement in parallel to the mod_ssl package that comes
with the apache2 package set.

SSL/TLS support in the apache2 package is normally provided by mod_ssl, the
apache module that provides SSL/TLS using the openssl crypto suite. The
specific version in SLES11-SP2 and newer is "0.9.8j", which supports TLS of
version 1.0 only. TLSv1.2 can only be provided by openssl versions that are
not compatible with the large variety of packages contained in SLES. The
alternative is to make use of the crypto routines provided by mozilla-nss.

The configuration of mod_nss is similar to that of mod_ssl, but some of the
individual options expect different values; as a consequence, a simple
conversion of option names does not work as desired.

------------------------------------------------------------------------------
Converting SSL/TLS certificates:

Because mod_nss uses a database format for the server and CA certificates
and the private key, existing mod_ssl-based certificates need to be converted
to be used by mod_nss.

The SUSE package apache2-mod_nss contains the perl script
/usr/sbin/mod_nss_migrate.pl
that can do that work for you. It may lead to satisfactory results, but in
case it doesn't, here is what it does when it converts mod_ssl to mod_nss
key/certificate storage:

  # we make a backup. Good practice... ("old" is the SUSE helper that renames
  # a file or directory to a .old copy)
  old /etc/apache2/mod_nss.d
  # initialize the database; this creates a NEW database!
  certutil -N -d /etc/apache2/mod_nss.d
  # convert the existing openssl key and the certificate to pkcs#12 format;
  # uses the temporary password "foo". The nickname given with -name is what
  # NSSNickname in the apache config refers to later.
  openssl pkcs12 -export -in your_certificate_file.crt -inkey your_keyfile.key -out server.p12 -name "Server-Cert" -passout pass:foo
  # import the pkcs#12 file into the freshly created NSS database, again
  # with the temporary password "foo":
  pk12util -i server.p12 -d /etc/apache2/mod_nss.d -W foo
  # the last step: -n specifies a name that the certificate can be referred to
  # in an easy way from within apache config files; you may use a name of your
  # choice, provided you use the same string to reference it in mod_nss.
  # Often, the subject of a certificate is used for this.
  # set SUBJECT to the subject shown by "openssl x509 -noout -subject -in your_certificate_file.crt"
  SUBJECT=your_subject
  certutil -A -n "$SUBJECT" -t "CT,," -d /etc/apache2/mod_nss.d -i your_ca_certificate.pem

You are basically done now.

Use the command
  certutil -d /etc/apache2/mod_nss.d -L
to list the certificates contained in the NSS database.

More options of the certutil utility are shown with
  certutil -h      # short help
  certutil --help  # longer help

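The same migration steps, as an added example that is not part of the SUSE package or of mod_nss_migrate.pl: it refuses to build a database around a key that does not match the certificate, uses a random one-off pkcs#12 password instead of "foo", removes the .p12 file (which contains the private key) afterwards, and derives the CA nickname from the CA certificate's own subject. The paths, the "Server-Cert" nickname and the SUSE "old" helper are assumptions taken from the README above.

```shell
#!/bin/sh
# Added example (not from the SUSE package): guarded mod_ssl -> mod_nss migration.
# Assumes openssl, certutil, pk12util and the SUSE "old" helper are on PATH
# when migrate_to_nss runs; NSSDB is a placeholder path.
set -eu

NSSDB=/etc/apache2/mod_nss.d

# Extract the CN from an "openssl x509 -subject" line (pure shell, both the
# old "/C=DE/O=Example/CN=host" and the new "C = DE, CN = host" spellings).
nickname_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The RSA modulus of the certificate and of the key must be identical;
# a mismatch here means the wrong key file was handed in.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

migrate_to_nss() {
    crt=$1; key=$2; ca=$3
    key_matches_cert "$crt" "$key" || { echo "key does not match certificate" >&2; return 1; }
    pw=$(openssl rand -hex 16)             # one-off export password, never "foo"
    p12=$(mktemp)
    [ -d "$NSSDB" ] && old "$NSSDB"        # SUSE helper: keep a .old backup
    certutil -N -d "$NSSDB"                # creates a NEW, empty database
    openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$p12" \
        -name "Server-Cert" -passout "pass:$pw"
    pk12util -i "$p12" -d "$NSSDB" -W "$pw"
    rm -f "$p12"                           # the .p12 carries the private key
    ca_nick=$(nickname_from_subject "$(openssl x509 -noout -subject -in "$ca")")
    certutil -A -n "$ca_nick" -t "CT,," -d "$NSSDB" -i "$ca"
    certutil -d "$NSSDB" -L                # show what ended up in the database
}
```

Call it as `migrate_to_nss server.crt server.key ca.pem`; "Server-Cert" is the value to put into NSSNickname.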
------------------------------------------------------------------------------
TLS versions:

This package has a direct dependency on mozilla-nss of version 3.15.1 or
higher, as TLSv1.2 support first came with this version. TLS versions are
selected with the NSSProtocol directive in apache. Unlike the SSLProtocol
option from mod_ssl, the NSSProtocol directive specifies a range of versions,
not a list.

The default configuration file that comes with the apache2-mod_nss package
is /etc/apache2/conf.d/mod_nss.conf and contains the following setting:
  NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Please note that SSLv2 support is not provided by mod_nss. If you require
the deprecated SSLv2 protocol, you may need to revert to mod_ssl.

Please read through the comments on top of the file
/etc/apache2/conf.d/mod_nss.conf for more information about usage and
configuration of mod_nss.

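A vhost fragment that ties the protocol range to the migrated database, added here as an illustration and not taken from the package's mod_nss.conf. The mod_ssl lines in the comments show the directive each NSS directive replaces; ServerName and the database path are placeholders, and the cipher names are the TLSv1.2 suites listed in the request above.

```apache
<VirtualHost _default_:443>
    ServerName www.example.com

    # mod_ssl: SSLEngine on
    NSSEngine on

    # mod_ssl: SSLCertificateFile / SSLCertificateKeyFile point at PEM files;
    # mod_nss instead names the database created by certutil -N and the
    # nickname given to openssl pkcs12 -name during the migration.
    NSSCertificateDatabase /etc/apache2/mod_nss.d
    NSSNickname Server-Cert

    # mod_ssl: SSLProtocol all -SSLv2 -SSLv3  (a list with exclusions)
    # mod_nss: a range; everything from the lowest to the highest version is on.
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

    # mod_ssl: SSLCipherSuite uses openssl names; mod_nss uses its own names.
    # Put the AEAD (GCM) suites first, they are only negotiated under TLSv1.2.
    NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha,+ecdhe_ecdsa_aes_128_gcm_sha,+rsa_aes_128_gcm_sha,+rsa_camellia_256_sha,+rsa_camellia_128_sha
</VirtualHost>
```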
Thank you,
Roman Drahtmueller <draht@suse.com>