diff --git a/mod_nss-SNI_support.patch b/0001-SNI-check-with-NameVirtualHosts.patch similarity index 54% rename from mod_nss-SNI_support.patch rename to 0001-SNI-check-with-NameVirtualHosts.patch index a43c9a4..4b83458 100644 --- a/mod_nss-SNI_support.patch +++ b/0001-SNI-check-with-NameVirtualHosts.patch @@ -1,23 +1,34 @@ -From 07405e4dbd1e2df6583bb571a6230da78788c19b Mon Sep 17 00:00:00 2001 -From: standa -Date: Thu, 26 Feb 2015 15:23:50 +0100 +From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001 +From: standa +Date: Thu, 25 Jun 2015 17:14:56 +0200 Subject: [PATCH] SNI check with NameVirtualHosts --- - docs/mod_nss.html | 10 ++++++ - mod_nss.c | 3 ++ - mod_nss.h | 18 ++++++++++ - nss_engine_config.c | 11 +++++++ - nss_engine_init.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++----- - nss_engine_kernel.c | 51 ++++++++++++++++++++++++++++ - nss_util.c | 19 +++++++++++ - 7 files changed, 199 insertions(+), 8 deletions(-) + docs/mod_nss.html | 14 ++++- + mod_nss.c | 3 ++ + mod_nss.h | 21 ++++++++ + nss_engine_config.c | 11 ++++ + nss_engine_init.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++------ + nss_engine_kernel.c | 51 ++++++++++++++++++ + nss_util.c | 72 ++++++++++++++++++++++++- + 7 files changed, 303 insertions(+), 18 deletions(-) Index: mod_nss-1.0.8/docs/mod_nss.html =================================================================== --- mod_nss-1.0.8.orig/docs/mod_nss.html +++ mod_nss-1.0.8/docs/mod_nss.html -@@ -1079,6 +1079,16 @@ components of the client certificate, th +@@ -195,7 +195,9 @@ following line to httpd.conf (location r +
+ This has Apache load the mod_nss configuration file, nss.conf. + It is here that you will setup your VirtualServer entries to and +-configure your SSL servers.
++configure your SSL servers. If you have a certificate with the Subject ++Alternative Names then you will set up these names like ServerAlias for your virtual host.
++ +

Certificate Generation

+ A ksh script, gencert, is included to automatically + generate a self-signed CA plus one server certificate. This is fine for +@@ -1079,6 +1081,16 @@ components of the client certificate, th
NSSRequire

@@ -64,11 +75,6 @@ Index: mod_nss-1.0.8/mod_nss.h PRInt32 version; /* protocol version valid for this cipher */ } cipher_properties; -+typedef struct { -+ const char *vhost_id[70]; -+ const char *nick[30]; -+} vhostNick[500]; -+ +typedef struct { + enum { + PW_NONE = 0, @@ -78,6 +84,11 @@ Index: mod_nss-1.0.8/mod_nss.h + } source; + char *data; +} secuPWData; ++ ++/* pool and hash which will contain ServerName and NSSNickname */ ++apr_pool_t *mp; ++apr_hash_t *ht; ++ /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it * is the last version without this define. This is used for more than just @@ -89,12 +100,13 @@ Index: mod_nss-1.0.8/mod_nss.h const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); -@@ -471,6 +487,8 @@ apr_file_t *nss_util_ppopen(server_rec +@@ -471,6 +487,9 @@ apr_file_t *nss_util_ppopen(server_rec void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, const char * const *); -+char *getSECItemData(char *data, int len); -+char *getSplitURL(char *url); ++char *searchHashVhostNick(char *vhost_id); ++char *searchHashVhostNick_match(char *vhost_id); ++void addHashVhostNick(char *vhost_id, char *nickname); /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request * to allow an SSL renegotiation to take place. */ int nss_io_buffer_fill(request_rec *r); @@ -118,11 +130,10 @@ Index: mod_nss-1.0.8/nss_engine_config.c cfgMergeBool(proxy_enabled); cfgMergeBool(proxy_ssl_check_peer_cn); -@@ -320,6 +322,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c - +@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c return NULL; } -+ + +const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); @@ -131,14 +142,15 @@ Index: mod_nss-1.0.8/nss_engine_config.c + + return NULL; +} - ++ const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag) { + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); Index: mod_nss-1.0.8/nss_engine_init.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_init.c +++ mod_nss-1.0.8/nss_engine_init.c -@@ -28,12 +28,17 @@ static SECStatus ownHandshakeCallback(PR +@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); @@ -147,28 +159,44 @@ Index: mod_nss-1.0.8/nss_engine_init.c /* * Global variables defined in this file. - */ - char* INTERNAL_TOKEN_NAME = "internal "; +@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r + NSS_Shutdown(); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration"); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, ++ "Please check access rights for user:%s!!!", mc->user); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); +- if (mc->nInitCount == 1) +- nss_die(); +- else +- return; ++ nss_die(); + } -+vhostNick vhostNickSNI; -+int vhostNickSize = 0; -+ - cipher_properties ciphers_def[ciphernum] = - { - /* SSL2 cipher suites */ -@@ -382,6 +387,11 @@ int nss_init_Module(apr_pool_t *p, apr_p + if (fipsenabled) { +@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p + int fipsenabled = FALSE; + int threaded = 0; + struct semid_ds status; ++ char *split_vhost_id = NULL; ++ char *last1; + + mc->nInitCount++; + +@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p + */ sc->vhost_id = nss_util_vhostid(p, s); sc->vhost_id_len = strlen(sc->vhost_id); - ++ + if (sc->server->nickname != NULL && sc->vhost_id != NULL) { -+ strcpy(vhostNickSNI[vhostNickSize].vhost_id, sc->vhost_id); -+ strcpy(vhostNickSNI[vhostNickSize].nick, sc->server->nickname); -+ vhostNickSize++; ++ split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1); ++ ap_str_tolower(split_vhost_id); ++ addHashVhostNick(split_vhost_id, (char *)sc->server->nickname); + } + /* Fix up stuff that may not have been set */ if (sc->fips == UNSET) { - sc->fips = FALSE; -@@ -534,7 +544,7 @@ int nss_init_Module(apr_pool_t *p, apr_p +@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, "Init: Initializing (virtual) servers for SSL"); @@ -177,7 +205,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); -@@ -547,7 +557,7 @@ int nss_init_Module(apr_pool_t *p, apr_p +@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p /* * Read the server certificate and key */ @@ -186,7 +214,77 @@ Index: mod_nss-1.0.8/nss_engine_init.c } if (clist) { -@@ -1233,13 +1243,21 @@ static void nss_init_certificate(server_ +@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_ + SECStatus secstatus; + + PK11SlotInfo* slot = NULL; ++ CERTCertNicknames *certNickDNS = NULL; ++ char **nnptr = NULL; ++ int nn = 0; ++ apr_array_header_t *names = NULL; ++ apr_array_header_t *wild_names = NULL; ++ int i, j; + + if (nickname == NULL) { + return; +@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_ + + *KEAtype = NSS_FindCertKEAType(*servercert); + ++ /* get ServerAlias entries to hash */ ++ names = s->names; ++ if (names) { ++ char **name = (char **)names->elts; ++ for (i = 0; i < names->nelts; ++i) { ++ ap_str_tolower(name[i]); ++ addHashVhostNick(name[i], (char *)nickname); ++ } ++ } ++ ++ /* get ServerAlias entries with wildcards */ ++ wild_names = s->wild_names; ++ if (wild_names) { ++ char **wild_name = (char **)wild_names->elts; ++ for (j = 0; j < wild_names->nelts; ++j) { ++ ap_str_tolower(wild_name[j]); ++ addHashVhostNick(wild_name[j], (char *)nickname); ++ } ++ } ++ ++ /* get valid DNS names from certificate to hash */ ++ certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert); ++ ++ if (certNickDNS) { ++ nnptr = certNickDNS->nicknames; ++ nn = certNickDNS->numnicknames; ++ ++ while ( nn > 0 ) { ++ ap_str_tolower(*nnptr); ++ addHashVhostNick(*nnptr, (char *)nickname); ++ nnptr++; ++ nn--; ++ } ++ ++ } ++ + /* Subject/hostname check */ + secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); + if (secstatus != SECSuccess) { + char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Misconfiguration of certificate's CN and virtual name." +- " The certificate CN has %s. We expected %s as virtual" +- " name.", cert_dns, s->server_hostname); ++ "Misconfiguration of certificate's CN and virtual name." ++ " The certificate CN has %s. We expected %s as virtual" ++ " name.", cert_dns, s->server_hostname); + PORT_Free(cert_dns); + } +- + /* + * Check for certs that are expired or not yet valid and WARN about it. + * No need to refuse working - the client gets a warning. +@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_ break; } @@ -210,7 +308,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c } -@@ -1308,6 +1326,7 @@ static void nss_init_server_certs(server +@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } @@ -218,7 +316,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c } static void nss_init_proxy_ctx(server_rec *s, -@@ -1374,7 +1393,6 @@ void nss_init_Child(apr_pool_t *p, serve +@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve /* If any servers have SSL, we want sslenabled set so we * can perform further initialization */ @@ -226,7 +324,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c if (sc->enabled == UNSET) { sc->enabled = FALSE; } -@@ -1404,11 +1422,12 @@ void nss_init_Child(apr_pool_t *p, serve +@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve nss_init_SSLLibrary(base_server); /* Configure all virtual servers */ @@ -242,7 +340,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c } if (clist) { CERT_DestroyCertList(clist); -@@ -1741,3 +1760,63 @@ int nss_parse_ciphers(server_rec *s, cha +@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha return 0; } @@ -260,57 +358,61 @@ Index: mod_nss-1.0.8/nss_engine_init.c + SECKEYPrivateKey * privKey = NULL; + char *nickName = NULL; + char *vhost = NULL; -+ int i; ++ apr_pool_t *str_p; + + PORT_Assert(fd && sniNameArr); + if (!fd || !sniNameArr) { -+ return SSL_SNI_SEND_ALERT; ++ nss_die(); + } -+ vhost = getSECItemData((char *) sniNameArr->data, sniNameArr->len); ++ apr_pool_create(&str_p, NULL); ++ vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len); + -+ for(i = 0; iserver, + "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d" -+ , hostInfo->data, hostInfo->len); ++ ,(char *) hostInfo->data, hostInfo->len); + -+ servername = getSECItemData((char *) hostInfo->data, hostInfo->len); ++ apr_pool_create(&s_p, NULL); ++ servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "SNI hostInfo servername:%s, lenght:%d" @@ -356,11 +460,11 @@ Index: mod_nss-1.0.8/nss_engine_kernel.c + " via HTTP are different", servername, host); + + SECITEM_FreeItem(hostInfo, PR_TRUE); -+ servername = NULL; ++ apr_pool_destroy(s_p); + return HTTP_BAD_REQUEST; + } else { + SECITEM_FreeItem(hostInfo, PR_TRUE); -+ servername = NULL; ++ apr_pool_destroy(s_p); + } + } + } @@ -372,26 +476,59 @@ Index: mod_nss-1.0.8/nss_util.c =================================================================== --- mod_nss-1.0.8.orig/nss_util.c +++ mod_nss-1.0.8/nss_util.c -@@ -100,3 +100,22 @@ char *nss_util_readfilter(server_rec *s, +@@ -13,7 +13,6 @@ + * limitations under the License. + */ + +- + #include "mod_nss.h" + #include "ap_mpm.h" + #include "apr_thread_mutex.h" +@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s, return buf; } + -+char *getSECItemData(char *data, int len) { -+ -+ data[len]='\0'; -+ -+ return data; ++static void initializeHashVhostNick() { ++ apr_pool_create(&mp, NULL); ++ ht = apr_hash_make(mp); +} + -+char *getSplitURL(char *url) { ++char *searchHashVhostNick(char *vhost_id) { ++ char *searchVal = NULL; + -+ int iter = 0; ++ searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING); + -+ while(url[iter] != '\0' && url[iter] != ':'){ -+ url[iter++]; ++ return searchVal; ++} ++ ++char *searchHashVhostNick_match(char *vhost_id) ++{ ++ char *searchValReg = NULL; ++ apr_hash_index_t *hi; ++ for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) { ++ const char *k = NULL; ++ const char *v = NULL; ++ ++ apr_hash_this(hi, (const void**)&k, NULL, (void**)&v); ++ if (!ap_strcasecmp_match(vhost_id, k)) { ++ searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING); ++ return searchValReg; + } -+ url[iter]='\0'; -+ -+ return url; ++ } ++ return NULL; +} ++ ++void addHashVhostNick(char *vhost_id, char *nickname) { ++ ++ if (ht == NULL) { ++ initializeHashVhostNick(); ++ } ++ ++ if(searchHashVhostNick(vhost_id) == NULL) { ++ apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING, ++ apr_pstrdup(mp, nickname)); ++ } ++ return; ++} ++ diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index 968d63f..a3d68c4 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Wed Oct 14 09:23:18 UTC 2015 - pgajdos@suse.com + +- mod_nss-httpd24.patch applied depending on %{apache_branch} + instead of %{suse_version}, fixes build for sle11 with new apache + +------------------------------------------------------------------- +Fri Oct 2 14:35:41 UTC 2015 - pgajdos@suse.com + +- test module with %apache_test_module_curl + +------------------------------------------------------------------- +Mon Sep 7 08:25:03 UTC 2015 - vcizek@suse.com + +- unified ciphers with SLE-12 + * modified patches: + mod_nss-cipherlist_update_for_tls12-doc.diff + mod_nss-cipherlist_update_for_tls12.diff + update-ciphers.patch + +------------------------------------------------------------------- +Mon Sep 7 08:03:31 UTC 2015 - vcizek@suse.com + +- send TLS server name extension on proxy connections (bsc#933832) + * added mod_nss-reverse_proxy_send_SNI.patch +- updates to the SNI code (from Stanislav Tokos): + update update-ciphers.patch + (bsc#928039) + merge changes from the mod_nss-SNI_support.patch to: + 0001-SNI-check-with-NameVirtualHosts.patch + (bnc#927402) + abstract hash for NSSNickname and ServerName, add ServerAliases and Wild + Cards for vhost + (bsc#927402, bsc#928039, bsc#930922) + replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts) + (bsc#930186) + add alert about permission on the certificate database + (bsc#933265) + ------------------------------------------------------------------- Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index 8c408d7..dc9824a 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -39,6 +39,7 @@ PreReq: mozilla-nss-tools BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: bison +BuildRequires: curl BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ @@ -78,7 +79,9 @@ Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch # PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch # PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support -Patch26: mod_nss-SNI_support.patch +Patch26: 0001-SNI-check-with-NameVirtualHosts.patch +Patch27: update-ciphers.patch +Patch28: mod_nss-reverse_proxy_send_SNI.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 @@ -120,10 +123,12 @@ security library. %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch -%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch +%patch26 -p1 -b .SNI_support.rpmpatch +%patch27 -p1 -b .update-ciphers.rpmpatch +%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch # keep this last, otherwise we get fuzzyness from above -%if 0%{?suse_version} >= 1300 +%if "%{apache_branch}" != "2.2" %patch9 -p1 -b .http24 %endif @@ -185,8 +190,51 @@ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert -%clean -rm -rf $RPM_BUILD_ROOT +%check +set +x +mkdir -p %{apache_test_module_dir} +# create test configuration +cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf +NSSEngine on +NSSNickname Server-Cert +NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d +NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache +NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 + + Require local + +EOF +# create test certificate +mkdir -p %{apache_test_module_dir}/mod_nss.d +# bend gencert to use ServerName of apache test instance +cp %{buildroot}%{_sbindir}/gencert . +sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert +./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1 +# create test document +mkdir -p %{apache_test_module_dir}/htdocs +cat << EOF > %{apache_test_module_dir}/htdocs/index.html +HTTPS HELLO +EOF +exit_code=0 +# run apache test instance +%apache_test_module_start_apache -m nss -i mod_nss-test.conf +# get test document +%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt +echo +echo 'Testing /index.html output' +grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1 +if [ $exit_code -eq 0 ]; then + echo 'SUCCESS' +else + echo 'FAILED, error_log:' + cat %{apache_test_module_dir}/error_log +fi +echo +# stop apache test instance +%apache_test_module_stop_apache +set -x +exit $exit_code %post umask 077 diff --git a/mod_nss-reverse_proxy_send_SNI.patch b/mod_nss-reverse_proxy_send_SNI.patch new file mode 100644 index 0000000..a502ea1 --- /dev/null +++ b/mod_nss-reverse_proxy_send_SNI.patch @@ -0,0 +1,64 @@ +Index: mod_nss-1.0.8/nss_engine_io.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200 ++++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200 +@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu + return APR_SUCCESS; + } + ++static apr_status_t nss_io_filter_handshake(ap_filter_t *f) ++{ ++ conn_rec *c = f->c; ++ SSLConnRec *sslconn = myConnConfig(c); ++ ++ /* ++ * Enable SNI for backend requests. Make sure we don't do it for ++ * pure SSLv3 connections ++ */ ++ if (sslconn->is_proxy) { ++ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname"); ++ if (hostname_note) { ++ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, ++ "Error setting SNI extension for SSL Proxy request: %d", ++ PR_GetError()); ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c, ++ "SNI extension for SSL Proxy request set to '%s'", ++ hostname_note); ++ } ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c, ++ "Can't set SNI extension: no hostname available"); ++ } ++ } ++ ++ return APR_SUCCESS; ++} ++ + static apr_status_t nss_io_filter_input(ap_filter_t *f, + apr_bucket_brigade *bb, + ap_input_mode_t mode, +@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input( + inctx->mode = mode; + inctx->block = block; + ++ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) { ++ return nss_io_filter_error(f, bb, status); ++ } ++ + if (is_init) { + /* protocol module needs to handshake before sending + * data to client (e.g. NNTP or FTP) +@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output + inctx->mode = AP_MODE_READBYTES; + inctx->block = APR_BLOCK_READ; + ++ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) { ++ return nss_io_filter_error(f, bb, status); ++ } ++ + while (!APR_BRIGADE_EMPTY(bb)) { + apr_bucket *bucket = APR_BRIGADE_FIRST(bb); + diff --git a/mod_nss.conf.in b/mod_nss.conf.in index 3a953da..b6ec400 100644 --- a/mod_nss.conf.in +++ b/mod_nss.conf.in @@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off # * no rc4, no 3des, no des # * ephemeral is what you want (PFS). # * EC has precedence over RSA -NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 +NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha # SSL Protocol: # Cryptographic protocols that provide communication security. diff --git a/update-ciphers.patch b/update-ciphers.patch new file mode 100644 index 0000000..64c4f9d --- /dev/null +++ b/update-ciphers.patch @@ -0,0 +1,69 @@ +Index: mod_nss-1.0.8/nss_engine_init.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_init.c 2015-09-07 09:56:54.148244174 +0200 ++++ mod_nss-1.0.8/nss_engine_init.c 2015-09-07 09:58:19.368215557 +0200 +@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc + */ + char* INTERNAL_TOKEN_NAME = "internal "; + ++/* When adding or removing ciphers from this table, ++ remember to adjust the ciphernum constant in mod_nss.h ++*/ + cipher_properties ciphers_def[ciphernum] = + { +- /* SSL2 cipher suites */ +- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, +- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, +- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, +- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, +- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, +- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, + /* SSL3/TLS cipher suites */ + {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, + {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, +@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum] + {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, + {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, + {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, +- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, +- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, +- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, + /* TLS 1.0: Exportable 56-bit Cipher Suites. */ + {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, +Index: mod_nss-1.0.8/mod_nss.h +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.h 2015-09-07 09:56:54.148244174 +0200 ++++ mod_nss-1.0.8/mod_nss.h 2015-09-07 09:56:56.396269772 +0200 +@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4} + + /* the table itself is defined in nss_engine_init.c */ + #ifdef NSS_ENABLE_ECC +-#define ciphernum 59 ++#define ciphernum 50 + #else +-#define ciphernum 28 ++#define ciphernum 19 + #endif + + /* +Index: mod_nss-1.0.8/nss.conf.in +=================================================================== +--- mod_nss-1.0.8.orig/nss.conf.in 2015-09-07 09:56:54.139244072 +0200 ++++ mod_nss-1.0.8/nss.conf.in 2015-09-07 09:56:54.156244265 +0200 +@@ -90,13 +90,13 @@ NSSEngine on + # See the mod_nss documentation for a complete list. + + # SSL 3 ciphers. SSL 2 is disabled by default. +-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha ++NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha + + # SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. + # + # Comment out the NSSCipherSuite line above and use the one below if you have + # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography +-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha ++#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha + + NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 +