Accepting request 339934 from Apache:Modules
1 OBS-URL: https://build.opensuse.org/request/show/339934 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=16
commit
21db200b12
@ -1,23 +1,34 @@
|
|||||||
From 07405e4dbd1e2df6583bb571a6230da78788c19b Mon Sep 17 00:00:00 2001
|
From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001
|
||||||
From: standa <stokos@suse.de>
|
From: standa <standa@papaya.suse.cz>
|
||||||
Date: Thu, 26 Feb 2015 15:23:50 +0100
|
Date: Thu, 25 Jun 2015 17:14:56 +0200
|
||||||
Subject: [PATCH] SNI check with NameVirtualHosts
|
Subject: [PATCH] SNI check with NameVirtualHosts
|
||||||
|
|
||||||
---
|
---
|
||||||
docs/mod_nss.html | 10 ++++++
|
docs/mod_nss.html | 14 ++++-
|
||||||
mod_nss.c | 3 ++
|
mod_nss.c | 3 ++
|
||||||
mod_nss.h | 18 ++++++++++
|
mod_nss.h | 21 ++++++++
|
||||||
nss_engine_config.c | 11 +++++++
|
nss_engine_config.c | 11 ++++
|
||||||
nss_engine_init.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++-----
|
nss_engine_init.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++------
|
||||||
nss_engine_kernel.c | 51 ++++++++++++++++++++++++++++
|
nss_engine_kernel.c | 51 ++++++++++++++++++
|
||||||
nss_util.c | 19 +++++++++++
|
nss_util.c | 72 ++++++++++++++++++++++++-
|
||||||
7 files changed, 199 insertions(+), 8 deletions(-)
|
7 files changed, 303 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
Index: mod_nss-1.0.8/docs/mod_nss.html
|
Index: mod_nss-1.0.8/docs/mod_nss.html
|
||||||
===================================================================
|
===================================================================
|
||||||
--- mod_nss-1.0.8.orig/docs/mod_nss.html
|
--- mod_nss-1.0.8.orig/docs/mod_nss.html
|
||||||
+++ mod_nss-1.0.8/docs/mod_nss.html
|
+++ mod_nss-1.0.8/docs/mod_nss.html
|
||||||
@@ -1079,6 +1079,16 @@ components of the client certificate, th
|
@@ -195,7 +195,9 @@ following line to httpd.conf (location r
|
||||||
|
</code><br>
|
||||||
|
This has Apache load the mod_nss configuration file, <code>nss.conf</code>.
|
||||||
|
It is here that you will setup your VirtualServer entries to and
|
||||||
|
-configure your SSL servers.<br>
|
||||||
|
+configure your SSL servers. If you have a certificate with the Subject
|
||||||
|
+Alternative Names then you will set up these names like ServerAlias for your virtual host.<br>
|
||||||
|
+
|
||||||
|
<h1><a name="Generation"></a>Certificate Generation</h1>
|
||||||
|
A ksh script, <code>gencert</code>, is included to automatically
|
||||||
|
generate a self-signed CA plus one server certificate. This is fine for
|
||||||
|
@@ -1079,6 +1081,16 @@ components of the client certificate, th
|
||||||
<br>
|
<br>
|
||||||
<code>NSSRequire<br>
|
<code>NSSRequire<br>
|
||||||
</code><br>
|
</code><br>
|
||||||
@ -64,11 +75,6 @@ Index: mod_nss-1.0.8/mod_nss.h
|
|||||||
PRInt32 version; /* protocol version valid for this cipher */
|
PRInt32 version; /* protocol version valid for this cipher */
|
||||||
} cipher_properties;
|
} cipher_properties;
|
||||||
|
|
||||||
+typedef struct {
|
|
||||||
+ const char *vhost_id[70];
|
|
||||||
+ const char *nick[30];
|
|
||||||
+} vhostNick[500];
|
|
||||||
+
|
|
||||||
+typedef struct {
|
+typedef struct {
|
||||||
+ enum {
|
+ enum {
|
||||||
+ PW_NONE = 0,
|
+ PW_NONE = 0,
|
||||||
@ -78,6 +84,11 @@ Index: mod_nss-1.0.8/mod_nss.h
|
|||||||
+ } source;
|
+ } source;
|
||||||
+ char *data;
|
+ char *data;
|
||||||
+} secuPWData;
|
+} secuPWData;
|
||||||
|
+
|
||||||
|
+/* pool and hash which will contain ServerName and NSSNickname */
|
||||||
|
+apr_pool_t *mp;
|
||||||
|
+apr_hash_t *ht;
|
||||||
|
+
|
||||||
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
||||||
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
||||||
* is the last version without this define. This is used for more than just
|
* is the last version without this define. This is used for more than just
|
||||||
@ -89,12 +100,13 @@ Index: mod_nss-1.0.8/mod_nss.h
|
|||||||
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
||||||
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
||||||
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
||||||
@@ -471,6 +487,8 @@ apr_file_t *nss_util_ppopen(server_rec
|
@@ -471,6 +487,9 @@ apr_file_t *nss_util_ppopen(server_rec
|
||||||
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
|
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
|
||||||
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
|
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
|
||||||
const char * const *);
|
const char * const *);
|
||||||
+char *getSECItemData(char *data, int len);
|
+char *searchHashVhostNick(char *vhost_id);
|
||||||
+char *getSplitURL(char *url);
|
+char *searchHashVhostNick_match(char *vhost_id);
|
||||||
|
+void addHashVhostNick(char *vhost_id, char *nickname);
|
||||||
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
|
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
|
||||||
* to allow an SSL renegotiation to take place. */
|
* to allow an SSL renegotiation to take place. */
|
||||||
int nss_io_buffer_fill(request_rec *r);
|
int nss_io_buffer_fill(request_rec *r);
|
||||||
@ -118,11 +130,10 @@ Index: mod_nss-1.0.8/nss_engine_config.c
|
|||||||
cfgMergeBool(proxy_enabled);
|
cfgMergeBool(proxy_enabled);
|
||||||
cfgMergeBool(proxy_ssl_check_peer_cn);
|
cfgMergeBool(proxy_ssl_check_peer_cn);
|
||||||
|
|
||||||
@@ -320,6 +322,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c
|
@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c
|
||||||
|
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
+
|
|
||||||
+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag)
|
+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag)
|
||||||
+{
|
+{
|
||||||
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||||
@ -131,14 +142,15 @@ Index: mod_nss-1.0.8/nss_engine_config.c
|
|||||||
+
|
+
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+}
|
+}
|
||||||
|
+
|
||||||
const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
|
const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
|
||||||
{
|
{
|
||||||
|
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||||
+++ mod_nss-1.0.8/nss_engine_init.c
|
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||||
@@ -28,12 +28,17 @@ static SECStatus ownHandshakeCallback(PR
|
@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR
|
||||||
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
||||||
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
||||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||||
@ -147,28 +159,44 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Global variables defined in this file.
|
* Global variables defined in this file.
|
||||||
*/
|
@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r
|
||||||
char* INTERNAL_TOKEN_NAME = "internal ";
|
NSS_Shutdown();
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||||
|
"NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||||
|
+ "Please check access rights for user:%s!!!", mc->user);
|
||||||
|
nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
|
||||||
|
- if (mc->nInitCount == 1)
|
||||||
|
- nss_die();
|
||||||
|
- else
|
||||||
|
- return;
|
||||||
|
+ nss_die();
|
||||||
|
}
|
||||||
|
|
||||||
+vhostNick vhostNickSNI;
|
if (fipsenabled) {
|
||||||
+int vhostNickSize = 0;
|
@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||||
+
|
int fipsenabled = FALSE;
|
||||||
cipher_properties ciphers_def[ciphernum] =
|
int threaded = 0;
|
||||||
{
|
struct semid_ds status;
|
||||||
/* SSL2 cipher suites */
|
+ char *split_vhost_id = NULL;
|
||||||
@@ -382,6 +387,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
+ char *last1;
|
||||||
|
|
||||||
|
mc->nInitCount++;
|
||||||
|
|
||||||
|
@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||||
|
*/
|
||||||
sc->vhost_id = nss_util_vhostid(p, s);
|
sc->vhost_id = nss_util_vhostid(p, s);
|
||||||
sc->vhost_id_len = strlen(sc->vhost_id);
|
sc->vhost_id_len = strlen(sc->vhost_id);
|
||||||
|
+
|
||||||
+ if (sc->server->nickname != NULL && sc->vhost_id != NULL) {
|
+ if (sc->server->nickname != NULL && sc->vhost_id != NULL) {
|
||||||
+ strcpy(vhostNickSNI[vhostNickSize].vhost_id, sc->vhost_id);
|
+ split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1);
|
||||||
+ strcpy(vhostNickSNI[vhostNickSize].nick, sc->server->nickname);
|
+ ap_str_tolower(split_vhost_id);
|
||||||
+ vhostNickSize++;
|
+ addHashVhostNick(split_vhost_id, (char *)sc->server->nickname);
|
||||||
+ }
|
+ }
|
||||||
|
|
||||||
/* Fix up stuff that may not have been set */
|
/* Fix up stuff that may not have been set */
|
||||||
if (sc->fips == UNSET) {
|
if (sc->fips == UNSET) {
|
||||||
sc->fips = FALSE;
|
@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||||
@@ -534,7 +544,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
||||||
"Init: Initializing (virtual) servers for SSL");
|
"Init: Initializing (virtual) servers for SSL");
|
||||||
|
|
||||||
@ -177,7 +205,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
|
|
||||||
for (s = base_server; s; s = s->next) {
|
for (s = base_server; s; s = s->next) {
|
||||||
sc = mySrvConfig(s);
|
sc = mySrvConfig(s);
|
||||||
@@ -547,7 +557,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||||
/*
|
/*
|
||||||
* Read the server certificate and key
|
* Read the server certificate and key
|
||||||
*/
|
*/
|
||||||
@ -186,7 +214,77 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (clist) {
|
if (clist) {
|
||||||
@@ -1233,13 +1243,21 @@ static void nss_init_certificate(server_
|
@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_
|
||||||
|
SECStatus secstatus;
|
||||||
|
|
||||||
|
PK11SlotInfo* slot = NULL;
|
||||||
|
+ CERTCertNicknames *certNickDNS = NULL;
|
||||||
|
+ char **nnptr = NULL;
|
||||||
|
+ int nn = 0;
|
||||||
|
+ apr_array_header_t *names = NULL;
|
||||||
|
+ apr_array_header_t *wild_names = NULL;
|
||||||
|
+ int i, j;
|
||||||
|
|
||||||
|
if (nickname == NULL) {
|
||||||
|
return;
|
||||||
|
@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_
|
||||||
|
|
||||||
|
*KEAtype = NSS_FindCertKEAType(*servercert);
|
||||||
|
|
||||||
|
+ /* get ServerAlias entries to hash */
|
||||||
|
+ names = s->names;
|
||||||
|
+ if (names) {
|
||||||
|
+ char **name = (char **)names->elts;
|
||||||
|
+ for (i = 0; i < names->nelts; ++i) {
|
||||||
|
+ ap_str_tolower(name[i]);
|
||||||
|
+ addHashVhostNick(name[i], (char *)nickname);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* get ServerAlias entries with wildcards */
|
||||||
|
+ wild_names = s->wild_names;
|
||||||
|
+ if (wild_names) {
|
||||||
|
+ char **wild_name = (char **)wild_names->elts;
|
||||||
|
+ for (j = 0; j < wild_names->nelts; ++j) {
|
||||||
|
+ ap_str_tolower(wild_name[j]);
|
||||||
|
+ addHashVhostNick(wild_name[j], (char *)nickname);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* get valid DNS names from certificate to hash */
|
||||||
|
+ certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert);
|
||||||
|
+
|
||||||
|
+ if (certNickDNS) {
|
||||||
|
+ nnptr = certNickDNS->nicknames;
|
||||||
|
+ nn = certNickDNS->numnicknames;
|
||||||
|
+
|
||||||
|
+ while ( nn > 0 ) {
|
||||||
|
+ ap_str_tolower(*nnptr);
|
||||||
|
+ addHashVhostNick(*nnptr, (char *)nickname);
|
||||||
|
+ nnptr++;
|
||||||
|
+ nn--;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Subject/hostname check */
|
||||||
|
secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
|
||||||
|
if (secstatus != SECSuccess) {
|
||||||
|
char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "Misconfiguration of certificate's CN and virtual name."
|
||||||
|
- " The certificate CN has %s. We expected %s as virtual"
|
||||||
|
- " name.", cert_dns, s->server_hostname);
|
||||||
|
+ "Misconfiguration of certificate's CN and virtual name."
|
||||||
|
+ " The certificate CN has %s. We expected %s as virtual"
|
||||||
|
+ " name.", cert_dns, s->server_hostname);
|
||||||
|
PORT_Free(cert_dns);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Check for certs that are expired or not yet valid and WARN about it.
|
||||||
|
* No need to refuse working - the client gets a warning.
|
||||||
|
@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -210,7 +308,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1308,6 +1326,7 @@ static void nss_init_server_certs(server
|
@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server
|
||||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
nss_die();
|
nss_die();
|
||||||
}
|
}
|
||||||
@ -218,7 +316,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void nss_init_proxy_ctx(server_rec *s,
|
static void nss_init_proxy_ctx(server_rec *s,
|
||||||
@@ -1374,7 +1393,6 @@ void nss_init_Child(apr_pool_t *p, serve
|
@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve
|
||||||
/* If any servers have SSL, we want sslenabled set so we
|
/* If any servers have SSL, we want sslenabled set so we
|
||||||
* can perform further initialization
|
* can perform further initialization
|
||||||
*/
|
*/
|
||||||
@ -226,7 +324,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
if (sc->enabled == UNSET) {
|
if (sc->enabled == UNSET) {
|
||||||
sc->enabled = FALSE;
|
sc->enabled = FALSE;
|
||||||
}
|
}
|
||||||
@@ -1404,11 +1422,12 @@ void nss_init_Child(apr_pool_t *p, serve
|
@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve
|
||||||
nss_init_SSLLibrary(base_server);
|
nss_init_SSLLibrary(base_server);
|
||||||
|
|
||||||
/* Configure all virtual servers */
|
/* Configure all virtual servers */
|
||||||
@ -242,7 +340,7 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
}
|
}
|
||||||
if (clist) {
|
if (clist) {
|
||||||
CERT_DestroyCertList(clist);
|
CERT_DestroyCertList(clist);
|
||||||
@@ -1741,3 +1760,63 @@ int nss_parse_ciphers(server_rec *s, cha
|
@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -260,57 +358,61 @@ Index: mod_nss-1.0.8/nss_engine_init.c
|
|||||||
+ SECKEYPrivateKey * privKey = NULL;
|
+ SECKEYPrivateKey * privKey = NULL;
|
||||||
+ char *nickName = NULL;
|
+ char *nickName = NULL;
|
||||||
+ char *vhost = NULL;
|
+ char *vhost = NULL;
|
||||||
+ int i;
|
+ apr_pool_t *str_p;
|
||||||
+
|
+
|
||||||
+ PORT_Assert(fd && sniNameArr);
|
+ PORT_Assert(fd && sniNameArr);
|
||||||
+ if (!fd || !sniNameArr) {
|
+ if (!fd || !sniNameArr) {
|
||||||
+ return SSL_SNI_SEND_ALERT;
|
+ nss_die();
|
||||||
+ }
|
+ }
|
||||||
+ vhost = getSECItemData((char *) sniNameArr->data, sniNameArr->len);
|
+ apr_pool_create(&str_p, NULL);
|
||||||
|
+ vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len);
|
||||||
+
|
+
|
||||||
+ for(i = 0; i<vhostNickSize; i++) {
|
+ /* rfc6125 - Checking of Traditional Domain Names*/
|
||||||
+ if (strcmp(getSplitURL(vhostNickSNI[i].vhost_id), vhost) == 0) {
|
+ ap_str_tolower(vhost);
|
||||||
+ nickName = vhostNickSNI[i].nick;
|
|
||||||
+ pwdata = SSL_RevealPinArg(fd);
|
|
||||||
+
|
+
|
||||||
+ /* if pwdata is NULL, then we would not get the key and
|
+ nickName = searchHashVhostNick(vhost);
|
||||||
+ * return an error status. */
|
+ if (nickName == NULL) {
|
||||||
+ cert = PK11_FindCertFromNickname(nickName, &pwdata);
|
+ /* search wild_names in serverAlises */
|
||||||
+ if (cert == NULL) {
|
+ nickName = searchHashVhostNick_match(vhost);
|
||||||
+ goto loser; /* Send alert */
|
+ if (nickName == NULL) {
|
||||||
+ }
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, unrecognized name.", vhost);
|
||||||
+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
|
+ nss_die();
|
||||||
+ if (privKey == NULL) {
|
|
||||||
+ goto loser; /* Send alert */
|
|
||||||
+ }
|
|
||||||
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert);
|
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
|
||||||
+ "start configure vhost:%s", vhostNickSNI[i].vhost_id);
|
|
||||||
+ if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
|
|
||||||
+ goto loser; /* Send alert */
|
|
||||||
+ }
|
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
|
||||||
+ "successfull setting vhost with nick:%s", vhostNickSNI[i].nick);
|
|
||||||
+ SECKEY_DestroyPrivateKey(privKey);
|
|
||||||
+ CERT_DestroyCertificate(cert);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+loser:
|
+
|
||||||
+ if (privKey) {
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for key:%s", nickName, vhost);
|
||||||
+ SECKEY_DestroyPrivateKey(privKey);
|
+
|
||||||
|
+ pwdata = SSL_RevealPinArg(fd);
|
||||||
|
+
|
||||||
|
+ /* if pwdata is NULL, then we would not get the key and
|
||||||
|
+ * return an error status. */
|
||||||
|
+ cert = PK11_FindCertFromNickname(nickName, &pwdata);
|
||||||
|
+ if (cert == NULL) {
|
||||||
|
+ nss_die();
|
||||||
+ }
|
+ }
|
||||||
+ if (cert) {
|
+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
|
||||||
+ CERT_DestroyCertificate(cert);
|
+ if (privKey == NULL) {
|
||||||
|
+ nss_die();
|
||||||
+ }
|
+ }
|
||||||
+ return SSL_SNI_SEND_ALERT;
|
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert);
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "start configure vhost:%s", vhost);
|
||||||
|
+ if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
|
||||||
|
+ nss_die();
|
||||||
|
+ }
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "successfull setting vhost with nick:%s", nickName);
|
||||||
|
+ SECKEY_DestroyPrivateKey(privKey);
|
||||||
|
+ CERT_DestroyCertificate(cert);
|
||||||
|
+ apr_pool_destroy(str_p);
|
||||||
|
+ return 0;
|
||||||
+
|
+
|
||||||
+}
|
+}
|
||||||
Index: mod_nss-1.0.8/nss_engine_kernel.c
|
Index: mod_nss-1.0.8/nss_engine_kernel.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
|
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
|
||||||
+++ mod_nss-1.0.8/nss_engine_kernel.c
|
+++ mod_nss-1.0.8/nss_engine_kernel.c
|
||||||
@@ -71,6 +71,57 @@ int nss_hook_ReadReq(request_rec *r)
|
@@ -71,6 +71,59 @@ int nss_hook_ReadReq(request_rec *r)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -327,12 +429,14 @@ Index: mod_nss-1.0.8/nss_engine_kernel.c
|
|||||||
+ char *host, *scope_id;
|
+ char *host, *scope_id;
|
||||||
+ apr_port_t port;
|
+ apr_port_t port;
|
||||||
+ apr_status_t rv;
|
+ apr_status_t rv;
|
||||||
|
+ apr_pool_t *s_p;
|
||||||
+
|
+
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||||
+ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d"
|
+ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d"
|
||||||
+ , hostInfo->data, hostInfo->len);
|
+ ,(char *) hostInfo->data, hostInfo->len);
|
||||||
+
|
+
|
||||||
+ servername = getSECItemData((char *) hostInfo->data, hostInfo->len);
|
+ apr_pool_create(&s_p, NULL);
|
||||||
|
+ servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len);
|
||||||
+
|
+
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||||
+ "SNI hostInfo servername:%s, lenght:%d"
|
+ "SNI hostInfo servername:%s, lenght:%d"
|
||||||
@ -356,11 +460,11 @@ Index: mod_nss-1.0.8/nss_engine_kernel.c
|
|||||||
+ " via HTTP are different", servername, host);
|
+ " via HTTP are different", servername, host);
|
||||||
+
|
+
|
||||||
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
||||||
+ servername = NULL;
|
+ apr_pool_destroy(s_p);
|
||||||
+ return HTTP_BAD_REQUEST;
|
+ return HTTP_BAD_REQUEST;
|
||||||
+ } else {
|
+ } else {
|
||||||
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
||||||
+ servername = NULL;
|
+ apr_pool_destroy(s_p);
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
@ -372,26 +476,59 @@ Index: mod_nss-1.0.8/nss_util.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- mod_nss-1.0.8.orig/nss_util.c
|
--- mod_nss-1.0.8.orig/nss_util.c
|
||||||
+++ mod_nss-1.0.8/nss_util.c
|
+++ mod_nss-1.0.8/nss_util.c
|
||||||
@@ -100,3 +100,22 @@ char *nss_util_readfilter(server_rec *s,
|
@@ -13,7 +13,6 @@
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-
|
||||||
|
#include "mod_nss.h"
|
||||||
|
#include "ap_mpm.h"
|
||||||
|
#include "apr_thread_mutex.h"
|
||||||
|
@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s,
|
||||||
|
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+char *getSECItemData(char *data, int len) {
|
+static void initializeHashVhostNick() {
|
||||||
+
|
+ apr_pool_create(&mp, NULL);
|
||||||
+ data[len]='\0';
|
+ ht = apr_hash_make(mp);
|
||||||
+
|
|
||||||
+ return data;
|
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+char *getSplitURL(char *url) {
|
+char *searchHashVhostNick(char *vhost_id) {
|
||||||
|
+ char *searchVal = NULL;
|
||||||
+
|
+
|
||||||
+ int iter = 0;
|
+ searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING);
|
||||||
+
|
+
|
||||||
+ while(url[iter] != '\0' && url[iter] != ':'){
|
+ return searchVal;
|
||||||
+ url[iter++];
|
+}
|
||||||
|
+
|
||||||
|
+char *searchHashVhostNick_match(char *vhost_id)
|
||||||
|
+{
|
||||||
|
+ char *searchValReg = NULL;
|
||||||
|
+ apr_hash_index_t *hi;
|
||||||
|
+ for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) {
|
||||||
|
+ const char *k = NULL;
|
||||||
|
+ const char *v = NULL;
|
||||||
|
+
|
||||||
|
+ apr_hash_this(hi, (const void**)&k, NULL, (void**)&v);
|
||||||
|
+ if (!ap_strcasecmp_match(vhost_id, k)) {
|
||||||
|
+ searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING);
|
||||||
|
+ return searchValReg;
|
||||||
+ }
|
+ }
|
||||||
+ url[iter]='\0';
|
+ }
|
||||||
+
|
+ return NULL;
|
||||||
+ return url;
|
|
||||||
+}
|
+}
|
||||||
|
+
|
||||||
|
+void addHashVhostNick(char *vhost_id, char *nickname) {
|
||||||
|
+
|
||||||
|
+ if (ht == NULL) {
|
||||||
|
+ initializeHashVhostNick();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(searchHashVhostNick(vhost_id) == NULL) {
|
||||||
|
+ apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING,
|
||||||
|
+ apr_pstrdup(mp, nickname));
|
||||||
|
+ }
|
||||||
|
+ return;
|
||||||
|
+}
|
||||||
|
+
|
@ -1,3 +1,42 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 14 09:23:18 UTC 2015 - pgajdos@suse.com
|
||||||
|
|
||||||
|
- mod_nss-httpd24.patch applied depending on %{apache_branch}
|
||||||
|
instead of %{suse_version}, fixes build for sle11 with new apache
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 2 14:35:41 UTC 2015 - pgajdos@suse.com
|
||||||
|
|
||||||
|
- test module with %apache_test_module_curl
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 7 08:25:03 UTC 2015 - vcizek@suse.com
|
||||||
|
|
||||||
|
- unified ciphers with SLE-12
|
||||||
|
* modified patches:
|
||||||
|
mod_nss-cipherlist_update_for_tls12-doc.diff
|
||||||
|
mod_nss-cipherlist_update_for_tls12.diff
|
||||||
|
update-ciphers.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 7 08:03:31 UTC 2015 - vcizek@suse.com
|
||||||
|
|
||||||
|
- send TLS server name extension on proxy connections (bsc#933832)
|
||||||
|
* added mod_nss-reverse_proxy_send_SNI.patch
|
||||||
|
- updates to the SNI code (from Stanislav Tokos):
|
||||||
|
update update-ciphers.patch
|
||||||
|
(bsc#928039)
|
||||||
|
merge changes from the mod_nss-SNI_support.patch to:
|
||||||
|
0001-SNI-check-with-NameVirtualHosts.patch
|
||||||
|
(bnc#927402)
|
||||||
|
abstract hash for NSSNickname and ServerName, add ServerAliases and Wild
|
||||||
|
Cards for vhost
|
||||||
|
(bsc#927402, bsc#928039, bsc#930922)
|
||||||
|
replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts)
|
||||||
|
(bsc#930186)
|
||||||
|
add alert about permission on the certificate database
|
||||||
|
(bsc#933265)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com
|
Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com
|
||||||
|
|
||||||
|
@ -39,6 +39,7 @@ PreReq: mozilla-nss-tools
|
|||||||
BuildRequires: apache-rpm-macros
|
BuildRequires: apache-rpm-macros
|
||||||
BuildRequires: apache2-devel >= 2.2.12
|
BuildRequires: apache2-devel >= 2.2.12
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
|
BuildRequires: curl
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -78,7 +79,9 @@ Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
|
|||||||
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
|
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
|
||||||
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
||||||
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
|
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
|
||||||
Patch26: mod_nss-SNI_support.patch
|
Patch26: 0001-SNI-check-with-NameVirtualHosts.patch
|
||||||
|
Patch27: update-ciphers.patch
|
||||||
|
Patch28: mod_nss-reverse_proxy_send_SNI.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%define apxs /usr/sbin/apxs2
|
%define apxs /usr/sbin/apxs2
|
||||||
@ -120,10 +123,12 @@ security library.
|
|||||||
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
||||||
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
|
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
|
||||||
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
|
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
|
||||||
%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch
|
%patch26 -p1 -b .SNI_support.rpmpatch
|
||||||
|
%patch27 -p1 -b .update-ciphers.rpmpatch
|
||||||
|
%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
|
||||||
|
|
||||||
# keep this last, otherwise we get fuzzyness from above
|
# keep this last, otherwise we get fuzzyness from above
|
||||||
%if 0%{?suse_version} >= 1300
|
%if "%{apache_branch}" != "2.2"
|
||||||
%patch9 -p1 -b .http24
|
%patch9 -p1 -b .http24
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
@ -185,8 +190,51 @@ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
|
|||||||
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
|
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
|
||||||
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
|
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
|
||||||
|
|
||||||
%clean
|
%check
|
||||||
rm -rf $RPM_BUILD_ROOT
|
set +x
|
||||||
|
mkdir -p %{apache_test_module_dir}
|
||||||
|
# create test configuration
|
||||||
|
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
|
||||||
|
NSSEngine on
|
||||||
|
NSSNickname Server-Cert
|
||||||
|
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
|
||||||
|
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
|
||||||
|
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
|
||||||
|
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||||
|
<Directory /tmp/apache2-mod_nss_test/htdocs>
|
||||||
|
Require local
|
||||||
|
</Directory>
|
||||||
|
EOF
|
||||||
|
# create test certificate
|
||||||
|
mkdir -p %{apache_test_module_dir}/mod_nss.d
|
||||||
|
# bend gencert to use ServerName of apache test instance
|
||||||
|
cp %{buildroot}%{_sbindir}/gencert .
|
||||||
|
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
|
||||||
|
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
|
||||||
|
# create test document
|
||||||
|
mkdir -p %{apache_test_module_dir}/htdocs
|
||||||
|
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
|
||||||
|
HTTPS HELLO
|
||||||
|
EOF
|
||||||
|
exit_code=0
|
||||||
|
# run apache test instance
|
||||||
|
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
|
||||||
|
# get test document
|
||||||
|
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
|
||||||
|
echo
|
||||||
|
echo 'Testing /index.html output'
|
||||||
|
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
|
||||||
|
if [ $exit_code -eq 0 ]; then
|
||||||
|
echo 'SUCCESS'
|
||||||
|
else
|
||||||
|
echo 'FAILED, error_log:'
|
||||||
|
cat %{apache_test_module_dir}/error_log
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
# stop apache test instance
|
||||||
|
%apache_test_module_stop_apache
|
||||||
|
set -x
|
||||||
|
exit $exit_code
|
||||||
|
|
||||||
%post
|
%post
|
||||||
umask 077
|
umask 077
|
||||||
|
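Review bot: In the new `%check` section the certificate-generation step `./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1` runs with its exit status ignored, so if gencert fails the test instance still starts without a usable Server-Cert and the only visible symptom is the later curl failure. Failing fast points the build log at the real cause: `./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1 || { cat %{apache_test_module_dir}/mod_nss.d/LOG; exit 1; }`. The preceding `cp` and `sed -i` on the gencert copy are likewise unchecked while `set +x` is in effect, unless the build shell is already running with `-e`, which the spec does not show.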
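--- a/mod_nss-reverse_proxy_send_SNI.patch
+++ b/mod_nss-reverse_proxy_send_SNI.patch
@@ -0,0 +1,64 @@
+Index: mod_nss-1.0.8/nss_engine_io.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200
++++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200
+@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
+return APR_SUCCESS;
+}
+
++static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
++{
++ conn_rec *c = f->c;
++ SSLConnRec *sslconn = myConnConfig(c);
++
++ /*
++ * Enable SNI for backend requests. Make sure we don't do it for
++ * pure SSLv3 connections
++ */
++ if (sslconn->is_proxy) {
++ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
++ if (hostname_note) {
++ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
++ "Error setting SNI extension for SSL Proxy request: %d",
++ PR_GetError());
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
++ "SNI extension for SSL Proxy request set to '%s'",
++ hostname_note);
++ }
++ }
++ else {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
++ "Can't set SNI extension: no hostname available");
++ }
++ }
++
++ return APR_SUCCESS;
++}
++
+static apr_status_t nss_io_filter_input(ap_filter_t *f,
+apr_bucket_brigade *bb,
+ap_input_mode_t mode,
+@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
+inctx->mode = mode;
+inctx->block = block;
+
++ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
++ return nss_io_filter_error(f, bb, status);
++ }
++
+if (is_init) {
+/* protocol module needs to handshake before sending
+* data to client (e.g. NNTP or FTP)
+@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
+inctx->mode = AP_MODE_READBYTES;
+inctx->block = APR_BLOCK_READ;
+
++ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
++ return nss_io_filter_error(f, bb, status);
++ }
++
+while (!APR_BRIGADE_EMPTY(bb)) {
+apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
+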
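Review bot: The two `ap_log_error(APLOG_MARK, APLOG_INFO, 0, c, ...)` calls in nss_io_filter_handshake (the "set to '%s'" and "no hostname available" messages) pass the `conn_rec *c` where ap_log_error takes a `server_rec *`; the first call in the same function correctly passes `c->base_server`, so the other two should do the same or use the connection-scoped `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, ...)`. nss_io_filter_handshake is also invoked unconditionally at the top of both nss_io_filter_input and nss_io_filter_output, so as far as the hunk shows SSL_SetURL and the INFO log line are repeated on every filter pass rather than once before the handshake; if the connection record carries a handshake-done flag, gating on it would avoid the repeated calls and log noise. The comment "Make sure we don't do it for pure SSLv3 connections" is not backed by any check in the body and should be dropped or implemented. It is worth a one-line comment that SSL_SetURL is presumably also the name NSS matches the backend certificate against, which makes the proxy-request-hostname note security-relevant rather than a pure SNI hint; confirm against mod_nss's proxy certificate-verification callback. The bodies of nss_io_filter_input and nss_io_filter_output extend beyond the hunk.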
@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off
|
|||||||
# * no rc4, no 3des, no des
|
# * no rc4, no 3des, no des
|
||||||
# * ephemeral is what you want (PFS).
|
# * ephemeral is what you want (PFS).
|
||||||
# * EC has precedence over RSA
|
# * EC has precedence over RSA
|
||||||
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
|
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha
|
||||||
|
|
||||||
# SSL Protocol:
|
# SSL Protocol:
|
||||||
# Cryptographic protocols that provide communication security.
|
# Cryptographic protocols that provide communication security.
|
||||||
|
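--- a/update-ciphers.patch
+++ b/update-ciphers.patch
@@ -0,0 +1,69 @@
+Index: mod_nss-1.0.8/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2015-09-07 09:56:54.148244174 +0200
++++ mod_nss-1.0.8/nss_engine_init.c 2015-09-07 09:58:19.368215557 +0200
+@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc
+*/
+char* INTERNAL_TOKEN_NAME = "internal ";
+
++/* When adding or removing ciphers from this table,
++ remember to adjust the ciphernum constant in mod_nss.h
++*/
+cipher_properties ciphers_def[ciphernum] =
+{
+- /* SSL2 cipher suites */
+- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
+- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
+- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
+- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
+- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
+- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
+/* SSL3/TLS cipher suites */
+{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
+{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
+@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum]
+{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
+{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
+{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
+- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
+- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
+- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
+/* TLS 1.0: Exportable 56-bit Cipher Suites. */
+{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
+{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
+Index: mod_nss-1.0.8/mod_nss.h
+===================================================================
+--- mod_nss-1.0.8.orig/mod_nss.h 2015-09-07 09:56:54.148244174 +0200
++++ mod_nss-1.0.8/mod_nss.h 2015-09-07 09:56:56.396269772 +0200
+@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4}
+
+/* the table itself is defined in nss_engine_init.c */
+#ifdef NSS_ENABLE_ECC
+-#define ciphernum 59
++#define ciphernum 50
+#else
+-#define ciphernum 28
++#define ciphernum 19
+#endif
+
+/*
+Index: mod_nss-1.0.8/nss.conf.in
+===================================================================
+--- mod_nss-1.0.8.orig/nss.conf.in 2015-09-07 09:56:54.139244072 +0200
++++ mod_nss-1.0.8/nss.conf.in 2015-09-07 09:56:54.156244265 +0200
+@@ -90,13 +90,13 @@ NSSEngine on
+# See the mod_nss documentation for a complete list.
+
+# SSL 3 ciphers. SSL 2 is disabled by default.
+-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
++NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+
+# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
+#
+# Comment out the NSSCipherSuite line above and use the one below if you have
+# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
++#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
+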
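Review bot: The new comment above ciphers_def leaves the agreement between the table and `ciphernum` to human memory, and the failure mode is silent in one direction: with `ciphers_def[ciphernum]` an initializer list shorter than ciphernum still compiles and leaves zero-filled trailing rows (NULL name, cipher id 0) that a loop over ciphernum entries may then treat as real ciphers. A compile-time check next to the definition makes the comment enforceable at two lines' cost: declare the table as `cipher_properties ciphers_def[] =` and add after the closing `};` the classic `typedef char ciphernum_matches_table[(sizeof ciphers_def / sizeof ciphers_def[0]) == ciphernum ? 1 : -1];` (identifier constructed here). The new constants themselves check out, since both 59→50 and 28→19 drop exactly the nine removed rows (six SSL2, three Fortezza). In the retained commented-out ECC example line in nss.conf.in the token `-echde_rsa_null` looks like a pre-existing typo for `ecdhe_rsa_null`; the table hunks here do not show that row, so confirm against the full table before fixing it.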