pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

osc copypac from project:mozilla package:apache2-mod_nss revision:4

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=1
This commit is contained in:
Wolfgang Rosenauer 2013-07-11 16:44:28 +00:00 committed by Git OBS Bridge
commit 347dafaa45
15 changed files with 1111 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

23
apache2-mod_nss.changes Normal file
View File

@ -0,0 +1,23 @@
-------------------------------------------------------------------
Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de
- Added mod_nns-httpd24.patch to support build with apache 2.4
-------------------------------------------------------------------
Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de
- Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE
dir layout [bnc#799483]
- Cleaned up license tag
-------------------------------------------------------------------
Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org
- import some patches from Fedora
- removed autoreconf call
-------------------------------------------------------------------
Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org
- Fix mod_nss-conf.patch to work on SUSE
- Rename package from mod_nss to apache2-mod_nss

161
apache2-mod_nss.spec Normal file
View File

@ -0,0 +1,161 @@
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
Version: 1.0.8
Release: 3
Group: Productivity/Networking/Web/Servers
License: Apache-2.0
Url: http://directory.fedoraproject.org/wiki/Mod_nss
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.bz2
Provides: mod_nss
Requires: apache2 >= 2.0.52
Requires: findutils
Requires(post): mozilla-nss-tools
BuildRequires: bison
BuildRequires: findutils
BuildRequires: gcc-c++
BuildRequires: libapr1-devel
BuildRequires: libapr-util1-devel
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.12.6
BuildRequires: apache2-devel >= 2.0.52
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9: mod_nss-httpd24.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
%prep
%setup -q -n mod_nss-%{version}
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
%patch4 -p1 -b .negotiate
%patch5 -p1 -b .reverseproxy
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
%patch8 -p1 -b .lockpcache
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
#autoreconf -fvi
%configure \
--with-nss-lib=$NSS_LIB_DIR \
--with-nss-inc=$NSS_INCLUDE_DIR \
--with-nspr-lib=$NSPR_LIB_DIR \
--with-nspr-inc=$NSPR_INCLUDE_DIR \
--with-apxs=%{apxs} \
--with-apr-config
make %{?_smp_mflags} all
%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/alias
%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconfdir}/alias/
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
%clean
rm -rf $RPM_BUILD_ROOT
%post
umask 077
if [ "$1" -eq 1 ] ; then
if [ ! -e %{apache_sysconfdir}/alias/key3.db ]; then
%{_sbindir}/gencert %{apache_sysconfdir}/alias > %{apache_sysconfdir}/alias/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
echo ""
fi
# Make sure that the database ownership is setup properly.
find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chgrp www {} \;
find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html
%config(noreplace) %{apache_sysconfdir}/conf.d/nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/libmodnss.so
%dir %{apache_sysconfdir}/alias/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/key3.db
%ghost %config(noreplace) %{apache_sysconfdir}/alias/install.log
#%%{apache_sysconfdir}/alias/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%changelog

3
mod_nss-1.0.8.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d723c51ac594158252d22a5fc7c0ae7ebf4ff37f6ff65b9c8ab1e234fdd67622
size 299015

70
mod_nss-conf.patch Normal file
View File

@ -0,0 +1,70 @@
--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400
+++ mod_nss-1.0.6/nss.conf.in 2013-01-22 10:33:25.000000000 +0100
@@ -8,14 +8,16 @@
# consult the online docs. You have been warned.
#
+LoadModule nss_module @apache_lib@/libmodnss.so
+
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
#
-Listen 443
+Listen 8443
##
## SSL Global Context
@@ -40,7 +42,7 @@
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
-NSSPassPhraseHelper @apache_bin@/nss_pcache
+NSSPassPhraseHelper /usr/sbin/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
@@ -68,17 +70,17 @@
## SSL Virtual Host Context
##
-<VirtualHost _default_:443>
+<VirtualHost _default_:8443>
# General setup for the virtual host
#DocumentRoot "@apache_prefix@/htdocs"
-#ServerName www.example.com:443
+#ServerName www.example.com:8443
#ServerAdmin you@example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
# LogLevel is not inherited from httpd.conf.
-#ErrorLog @apache_prefix@/logs/error_log
-#TransferLog @apache_prefix@/logs/access_log
+ErrorLog /var/log/apache2/error_log
+TransferLog /var/log/apache2/access_log
LogLevel warn
# SSL Engine Switch:
@@ -113,7 +115,7 @@
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
-NSSCertificateDatabase @apache_conf@
+NSSCertificateDatabase @apache_conf@/alias
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
@@ -189,7 +191,7 @@
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
-<Directory "@apache_prefix@/cgi-bin">
+<Directory "@apache_prefix@/cgi-bin">
NSSOptions +StdEnvVars
</Directory>

26
mod_nss-gencert.patch Normal file
View File

@ -0,0 +1,26 @@
--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
+++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
@@ -82,12 +82,11 @@
DEST=$1
-echo "httptest" > $DEST/pw.txt
+echo -e "\n" > $DEST/pw.txt
echo ""
echo "#####################################################################"
-echo "Generating new server certificate and key database. The password"
-echo "is httptest"
+echo "Generating new server certificate and key database."
echo "#####################################################################"
$CERTUTIL -N -d $DEST -f $DEST/pw.txt
@@ -183,8 +182,4 @@
rm $DEST/pw.txt
rm $DEST/noise
-echo ""
-echo "The database password is httptest"
-echo ""
-
exit 0

135
mod_nss-httpd24.patch Normal file
View File

@ -0,0 +1,135 @@
diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700
+++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700
@@ -349,7 +349,7 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
- c->remote_ip ? c->remote_ip : "unknown");
+ c->client_ip ? c->client_ip : "unknown");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700
@@ -27,7 +27,6 @@
#include "http_protocol.h"
#include "util_script.h"
#include "util_filter.h"
-#include "mpm.h"
#include "apr.h"
#include "apr_strings.h"
#define APR_WANT_STRFUNC
@@ -490,7 +489,7 @@
SECStatus nss_Init_Tokens(server_rec *s);
/* Logging */
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
void nss_die(void);
/* NSS callback */
diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700
@@ -15,7 +15,7 @@
#include "mod_nss.h"
#include "apr_thread_proc.h"
-#include "ap_mpm.h"
+#include "mpm_common.h"
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
--- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700
@@ -621,13 +621,13 @@
PR_Close(ssl);
/* log the fact that we've closed the connection */
- if (c->base_server->loglevel >= APLOG_INFO) {
+ if (c->base_server->log.level >= APLOG_INFO) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld closed "
"(server %s, client %s)",
c->id,
nss_util_vhostid(c->pool, c->base_server),
- c->remote_ip ? c->remote_ip : "unknown");
+ c->client_ip ? c->client_ip : "unknown");
}
/* deallocate the SSL connection */
@@ -1165,7 +1165,7 @@
filter_ctx = (nss_filter_ctx_t *)(fd->secret);
c = filter_ctx->c;
- return PR_StringToNetAddr(c->remote_ip, addr);
+ return PR_StringToNetAddr(c->client_ip, addr);
}
/*
diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
--- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700
@@ -73,7 +73,7 @@
/*
* Log information about incoming HTTPS requests
*/
- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
+ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
@@ -530,7 +530,7 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Access to %s denied for %s "
"(requirement expression not fulfilled)",
- r->filename, r->connection->remote_ip);
+ r->filename, r->connection->client_ip);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Failed expression: %s", req->cpExpr);
diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
--- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700
+++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700
@@ -321,7 +321,7 @@
exit(1);
}
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)
{
const char *err;
PRInt32 error;
@@ -340,7 +340,7 @@
err = "Unknown";
}
- ap_log_error(file, line, level, 0, s,
+ ap_log_error(file, line, module_index, level, 0, s,
"SSL Library Error: %d %s",
error, err);
}
diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
--- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700
+++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700
@@ -178,7 +178,7 @@
&& sslconn && sslconn->ssl)
result = nss_var_lookup_ssl(p, c, var+4);
else if (strcEQ(var, "REMOTE_ADDR"))
- result = c->remote_ip;
+ result = c->client_ip;
else if (strcEQ(var, "HTTPS")) {
if (sslconn && sslconn->ssl)
result = "on";
@@ -194,7 +194,7 @@
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
result = nss_var_lookup_nss_version(p, var+12);
else if (strcEQ(var, "SERVER_SOFTWARE"))
- result = (char *)ap_get_server_version();
+ result = (char *)ap_get_server_banner();
else if (strcEQ(var, "API_VERSION")) {
result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
resdup = FALSE;

240
mod_nss-lockpcache.patch Normal file
View File

@ -0,0 +1,240 @@
diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500
@@ -152,6 +152,8 @@
AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
#endif
+ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
+ "Apache user. Comes from httpd.conf."),
AP_END_CMD
};
diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500
@@ -41,6 +41,9 @@
#include "apr_shm.h"
#include "apr_global_mutex.h"
#include "apr_optional.h"
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
#define MOD_NSS_VERSION AP_SERVER_BASEREVISION
@@ -244,6 +247,9 @@
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
+
+ int semid;
+ const char *user;
} SSLModConfigRec;
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
@@ -412,6 +418,7 @@
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c
--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500
@@ -830,3 +830,12 @@
return NULL;
}
+
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+
+ mc->user = arg;
+
+ return NULL;
+}
diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c
--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500
@@ -312,6 +312,7 @@
int sslenabled = FALSE;
int fipsenabled = FALSE;
int threaded = 0;
+ struct semid_ds status;
mc->nInitCount++;
@@ -412,10 +413,26 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i");
+ /* The first pass through this function will create the semaphore that
+ * will be used to lock the pipe. The user is still root at that point
+ * so for any later calls the semaphore ops will fail with permission
+ * errors. So switch the user to the Apache user.
+ */
+ if (mc->semid) {
+ uid_t user_id;
+
+ user_id = ap_uname2id(mc->user);
+ semctl(mc->semid, 0, IPC_STAT, &status);
+ status.sem_perm.uid = user_id;
+ semctl(mc->semid,0,IPC_SET,&status);
+ }
+
/* Do we need to fire up our password helper? */
if (mc->nInitCount == 1) {
const char * child_argv[5];
apr_status_t rv;
+ struct sembuf sb;
+ char sembuf[32];
if (mc->pphrase_dialog_helper == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
@@ -423,11 +440,31 @@
nss_die();
}
+ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
+ if (mc->semid == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to obtain semaphore.");
+ nss_die();
+ }
+
+ /* Initialize the semaphore */
+ sb.sem_num = 0;
+ sb.sem_op = 1;
+ sb.sem_flg = 0;
+ if ((semop(mc->semid, &sb, 1)) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize semaphore.");
+ nss_die();
+ }
+
+ PR_snprintf(sembuf, 32, "%d", mc->semid);
+
child_argv[0] = mc->pphrase_dialog_helper;
- child_argv[1] = fipsenabled ? "on" : "off";
- child_argv[2] = mc->pCertificateDatabase;
- child_argv[3] = mc->pDBPrefix;
- child_argv[4] = NULL;
+ child_argv[1] = sembuf;
+ child_argv[2] = fipsenabled ? "on" : "off";
+ child_argv[3] = mc->pCertificateDatabase;
+ child_argv[4] = mc->pDBPrefix;
+ child_argv[5] = NULL;
rv = apr_procattr_create(&mc->procattr, mc->pPool);
diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c
--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400
+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500
@@ -279,6 +279,16 @@
char buf[1024];
apr_status_t rv;
apr_size_t nBytes = 1024;
+ struct sembuf sb;
+
+ /* lock the pipe */
+ sb.sem_num = 0;
+ sb.sem_op = -1;
+ sb.sem_flg = SEM_UNDO;
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Unable to reserve semaphore resource");
+ }
snprintf(buf, 1024, "RETR\t%s", token_name);
rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
@@ -293,6 +303,13 @@
*/
memset(buf, 0, sizeof(buf));
rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
+ sb.sem_op = 1;
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Unable to free semaphore resource");
+ /* perror("semop free resource id"); */
+ }
+
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500
@@ -21,6 +21,9 @@
#include <pk11func.h>
#include <secmod.h>
#include <signal.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
#include "nss_pcache.h"
static char * getstr(const char * cmd, int el);
@@ -70,6 +73,13 @@
unsigned char *crypt;
};
+union semun {
+ int val;
+ struct semid_ds *buf;
+ unsigned short *array;
+ struct seminfo *__buf;
+};
+
/*
* Node - for maintaining link list of tokens with cached PINs
*/
@@ -304,15 +314,19 @@
char * tokenName;
char * tokenpw;
int fipsmode = 0;
+ int semid = 0;
+ union semun semarg;
- if (argc < 3 || argc > 4) {
- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n");
+ if (argc < 4 || argc > 5) {
+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
exit(1);
}
signal(SIGHUP, SIG_IGN);
- if (!strcasecmp(argv[1], "on"))
+ semid = strtol(argv[1], NULL, 10);
+
+ if (!strcasecmp(argv[2], "on"))
fipsmode = 1;
/* Initialize NSPR */
@@ -322,7 +336,7 @@
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
/* Initialize NSS and open the certificate database read-only. */
- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
+ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
if (rv != SECSuccess) {
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
@@ -437,6 +451,11 @@
}
freeList(pinList);
PR_Close(in);
+ /* Remove the semaphore used for locking here. This is because this
+ * program only goes away when Apache shuts down so we don't have to
+ * worry about reloads.
+ */
+ semctl(semid, 0, IPC_RMID, semarg);
return 0;
}
Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej

180
mod_nss-negotiate.patch Normal file
View File

@ -0,0 +1,180 @@
diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
diff -up ./nss.conf.in.norego ./nss.conf.in
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
@@ -64,6 +64,17 @@
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes. Default: off
+NSSRequireSafeNegotiation off
+
##
## SSL Virtual Host Context
##
diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
#define LIBSEC_ERROR_BASE (-8192)
#define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
#define LIBSSL_ERROR_BASE (-12288)
-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
typedef struct l_error_t {
int errorNumber;
@@ -296,7 +296,19 @@
{ 99, "Server requires ciphers more secure than those supported by client" },
{ 100, "Peer reports it experienced an internal error" },
{ 101, "Peer user canceled handshake" },
- { 102, "Peer does not permit renegotiation of SSL security parameters" }
+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
+ { 103, "Server cache not configured" },
+ { 104, "Unsupported extension" },
+ { 105, "Certificate unobtainable" },
+ { 106, "Unrecognized name" },
+ { 107, "Bad certificate status" },
+ { 108, "Bad certificate hash value" },
+ { 109, "Unexpected new session ticket" },
+ { 110, "Malformed new session ticket" },
+ { 111, "Decompression failure" },
+ { 112, "Renegotiation not allowed" },
+ { 113, "Safe negotiation required but not provided by client" },
+ { 114, "Unexpected uncompressed record" },
};
void nss_die(void)

24
mod_nss-overlapping_memcpy.patch Normal file
View File

@ -0,0 +1,24 @@
Bug 669118
memcpy of overlapping memory is no longer allowed by glibc.
This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
+++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
@@ -123,13 +123,13 @@
if (buffer->length > inl) {
/* we have have enough to fill the caller's buffer */
- memcpy(in, buffer->value, inl);
+ memmove(in, buffer->value, inl);
buffer->value += inl;
buffer->length -= inl;
}
else {
/* swallow remainder of the buffer */
- memcpy(in, buffer->value, buffer->length);
+ memmove(in, buffer->value, buffer->length);
inl = buffer->length;
buffer->value = NULL;
buffer->length = 0;

21
mod_nss-pcachesignal.h Normal file
View File

@ -0,0 +1,21 @@
diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
+++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
@@ -20,6 +20,7 @@
#include <seccomon.h>
#include <pk11func.h>
#include <secmod.h>
+#include <signal.h>
#include "nss_pcache.h"
static char * getstr(const char * cmd, int el);
@@ -309,6 +310,8 @@
exit(1);
}
+ signal(SIGHUP, SIG_IGN);
+
if (!strcasecmp(argv[1], "on"))
fipsmode = 1;
Only in mod_nss-1.0.8: nss_pcache.c.rej

10
mod_nss-reseterror.patch Normal file
View File

@ -0,0 +1,10 @@
--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
@@ -348,6 +348,7 @@
break;
}
+ PR_SetError(0, 0);
rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
if (rc > 0) {

182
mod_nss-reverseproxy.patch Normal file
View File

@ -0,0 +1,182 @@
mod_proxy now sets the requested remote host name. Use this to compare
to the CN value of the peer certificate and reject the request if they
do not match (and we are have NSSProxyCheckPeerCN set to on).
diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
-<code>NSSProxyNickname beta</code><br>
+<code>NSSProxyNickname beta<br>
+<br>
+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
+<br>
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
+on<br>
+</code><br>
<h1><a name="Environment"></a>Environment Variables</h1>
Quite a few environment variables (for CGI and SSI) may be set
depending on the NSSOptions configuration. It can be expensive to set
@@ -1435,42 +1449,9 @@
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
Q. Does mod_nss support mod_proxy?<br>
<br>
-A. In order to use the mod_nss proxy support you will need to build
-your own mod_proxy by applying a patch found in bug <a
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
-The patch is needed so we can compare the hostname contained in the
-remote certificate with the hostname you meant to visit. This prevents
-man-in-the-middle attacks.<br>
-<br>
-You also have to change the SSL functions that mod_proxy looks to use.
-You'll need to apply this patch:<br>
-<br>
-<code>1038,1039c1038,1039<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
----<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
-1041,1042c1041,1042<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;<br>
----<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;<br>
-1069,1070c1069,1070<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
----<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
-</code><br>
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+provides a single interface for SSL providers and mod_nss defers to
+mod_ssl
+if it is loaded.
</body>
</html>
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
@@ -142,6 +142,8 @@
SSL_CMD_SRV(ProxyNickname, TAKE1,
"SSL Proxy: client certificate Nickname to be for proxy connections "
"(`nickname')")
+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peers certificate CN")
#ifdef IGNORE
/* Deprecated directives. */
@@ -238,23 +240,30 @@
SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
{
conn_rec *c = (conn_rec *)arg;
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
PRErrorCode err = PR_GetError();
SECStatus rv = SECFailure;
CERTCertificate *peerCert = SSL_PeerCertificate(socket);
+ const char *hostname_note;
switch (err) {
case SSL_ERROR_BAD_CERT_DOMAIN:
- if (c->remote_host != NULL) {
- rv = CERT_VerifyCertName(peerCert, c->remote_host);
- if (rv != SECSuccess) {
- char *remote = CERT_GetCommonName(&peerCert->subject);
+ if (sc->proxy_ssl_check_peer_cn == TRUE) {
+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
+ apr_table_unset(c->notes, "proxy-request-hostname");
+ rv = CERT_VerifyCertName(peerCert, hostname_note);
+ if (rv != SECSuccess) {
+ char *remote = CERT_GetCommonName(&peerCert->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
+ PORT_Free(remote);
+ }
+ } else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
- PORT_Free(remote);
+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
}
} else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
+ rv = SECSuccess;
}
break;
default:
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
@@ -306,6 +306,7 @@
int vhost_id_len;
modnss_ctx_t *server;
modnss_ctx_t *proxy;
+ BOOL proxy_ssl_check_peer_cn;
};
/*
@@ -410,6 +411,7 @@
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
@@ -140,6 +140,7 @@
sc->vhost_id_len = 0; /* set during module init */
sc->proxy = NULL;
sc->server = NULL;
+ sc->proxy_ssl_check_peer_cn = TRUE;
modnss_ctx_init_proxy(sc, p);
@@ -214,6 +215,7 @@
cfgMergeBool(fips);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
+ cfgMergeBool(proxy_ssl_check_peer_cn);
modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -544,6 +546,15 @@
return NULL;
}
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
void *dcfg,
int flag)

12
mod_nss-wouldblock.patch Normal file
View File

@ -0,0 +1,12 @@
--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
+++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
@@ -259,7 +259,8 @@
*/
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
- return 0;
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return -1;
}
if (inctx->rc != APR_SUCCESS) {