pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 186032 from home:msmeissn:branches:mozilla:Factory

Browse Source 
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems

OBS-URL: https://build.opensuse.org/request/show/186032
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=6
This commit is contained in:
Wolfgang Rosenauer 2013-08-06 09:34:39 +00:00 committed by Git OBS Bridge
parent 0b43549e36
commit 4b69663a7b
8 changed files with 556 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apache2-mod_nss.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems
-------------------------------------------------------------------
Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com

18
apache2-mod_nss.spec
View File

@ -53,6 +53,11 @@ Patch9: mod_nss-httpd24.patch
Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
%define apache apache2
@ -78,12 +83,19 @@ security library.
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
%patch8 -p1 -b .lockpcache
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif
%patch10 -p1 -b .proxyvariables
%patch11 -p1 -b .tlsv1_1
%patch12 -p1 -b .array_overrun
%patch13 -p1 -b .clientauth.patch
%patch14 -p1 -b .no_shutdown_if_not_init_2
%patch15 -p1 -b .PK11_ListCerts_2
%patch16 -p1 -b .sslmultiproxy
%patch17 -p1 -b .overlapping_memcpy
# keep this last, otherwise we get fuzzyness from above
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

201
mod_nss-PK11_ListCerts_2.patch Normal file
View File

@ -0,0 +1,201 @@
diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800
+++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800
+++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800
@@ -26,7 +26,7 @@
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ }
+
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
}
@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
SECKEYPrivateKey **serverkey,
SSLKEAType *KEAtype,
PRFileDesc *model,
- int enforce)
+ int enforce,
+ const CERTCertList* clist)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Using nickname %s.", nickname);
- *servercert = FindServerCertFromNickname(nickname);
+ *servercert = FindServerCertFromNickname(nickname, clist);
/* Verify the certificate chain. */
if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", nickname);
+ if (enforce) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
static void nss_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+ modnss_ctx_t *mctx,
+ const CERTCertList* clist)
{
SECStatus secstatus;
@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
&mctx->serverkey, &mctx->serverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#ifdef NSS_ENABLE_ECC
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
&mctx->eccserverkey, &mctx->eccserverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#endif
}
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
}
static void nss_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
}
/*
@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
void nss_init_ConfigureServer(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
if (sc->enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol");
- nss_init_server_ctx(s, p, ptemp, sc);
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
}
if (sc->proxy_enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Enabling proxy.");
- nss_init_proxy_ctx(s, p, ptemp, sc);
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
}
}
@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
/*
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
* newest, valid server certificate.
*/
static CERTCertificate*
-FindServerCertFromNickname(const char* name)
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
{
- CERTCertList* clist;
CERTCertificate* bestcert = NULL;
CERTCertListNode *cln;
@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
if (name == NULL)
return NULL;
- clist = PK11_ListCerts(PK11CertListUser, NULL);
-
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
cln = CERT_LIST_NEXT(cln)) {
CERTCertificate* cert = cln->cert;
@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
if (bestcert) {
bestcert = CERT_DupCertificate(bestcert);
}
- if (clist) {
- CERT_DestroyCertList(clist);
- }
return bestcert;
}

50
mod_nss-clientauth.patch Normal file
View File

@ -0,0 +1,50 @@
The first fix is to retrieve the full certificate subject instead of just the
CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
The second always attempts to retrieve the client certificate in
nss_hook_ReadReq().
https://bugzilla.redhat.com/show_bug.cgi?id=702437
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
- if (status == SECSuccess) {
- conn_rec *c = filter_ctx->c;
- SSLConnRec *sslconn = myConnConfig(c);
-
- sslconn->client_cert = SSL_PeerCertificate(socket);
- sslconn->client_dn = NULL;
- }
+ /* The certificate is copied to sslconn->client_cert in
+ * nss_hook_ReadReq()
+ */
return status;
}
--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
nss_util_vhostid(r->pool, r->server));
}
+ if (sslconn->client_cert != NULL)
+ CERT_DestroyCertificate(sslconn->client_cert);
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
+ sslconn->client_dn = NULL;
+
return DECLINED;
}
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
}
if (!sslconn->client_dn) {
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
PORT_Free(cp);
}

73
mod_nss-httpd24.patch
View File

@ -1,7 +1,8 @@
diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700
+++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700
@@ -349,7 +349,7 @@
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
@ -10,18 +11,19 @@ diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700
@@ -27,7 +27,6 @@
#include "http_protocol.h"
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -28,7 +28,6 @@
#include "mod_ssl.h"
#include "util_script.h"
#include "util_filter.h"
-#include "mpm.h"
#include "apr.h"
#include "apr_strings.h"
#define APR_WANT_STRFUNC
@@ -490,7 +489,7 @@
@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo
SECStatus nss_Init_Tokens(server_rec *s);
/* Logging */
@ -30,9 +32,10 @@ diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
void nss_die(void);
/* NSS callback */
diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700
+++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -15,7 +15,7 @@
#include "mod_nss.h"
@ -42,10 +45,11 @@ diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
--- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700
@@ -621,13 +621,13 @@
Index: mod_nss-1.0.8/nss_engine_io.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_io.c
+++ mod_nss-1.0.8/nss_engine_io.c
@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo
PR_Close(ssl);
/* log the fact that we've closed the connection */
@ -61,7 +65,7 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
}
/* deallocate the SSL connection */
@@ -1165,7 +1165,7 @@
@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_
filter_ctx = (nss_filter_ctx_t *)(fd->secret);
c = filter_ctx->c;
@ -70,10 +74,11 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
}
/*
diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
--- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700
+++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700
@@ -73,7 +73,7 @@
Index: mod_nss-1.0.8/nss_engine_kernel.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
+++ mod_nss-1.0.8/nss_engine_kernel.c
@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r)
/*
* Log information about incoming HTTPS requests
*/
@ -82,7 +87,7 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
@@ -530,7 +530,7 @@
@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r)
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Access to %s denied for %s "
"(requirement expression not fulfilled)",
@ -91,10 +96,11 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Failed expression: %s", req->cpExpr);
diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
--- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700
+++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700
@@ -321,7 +321,7 @@
Index: mod_nss-1.0.8/nss_engine_log.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_log.c
+++ mod_nss-1.0.8/nss_engine_log.c
@@ -321,7 +321,7 @@ void nss_die(void)
exit(1);
}
@ -103,7 +109,7 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
{
const char *err;
PRInt32 error;
@@ -340,7 +340,7 @@
@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file,
err = "Unknown";
}
@ -112,10 +118,11 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
"SSL Library Error: %d %s",
error, err);
}
diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
--- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700
+++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700
@@ -178,7 +178,7 @@
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
&& sslconn && sslconn->ssl)
result = nss_var_lookup_ssl(p, c, var+4);
else if (strcEQ(var, "REMOTE_ADDR"))
@ -124,7 +131,7 @@ diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
else if (strcEQ(var, "HTTPS")) {
if (sslconn && sslconn->ssl)
result = "on";
@@ -194,7 +194,7 @@
@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
result = nss_var_lookup_nss_version(p, var+12);
else if (strcEQ(var, "SERVER_SOFTWARE"))

23
mod_nss-no_shutdown_if_not_init_2.patch Normal file
View File

@ -0,0 +1,23 @@
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
+++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
server_rec *s;
int shutdown = 0;
- /* Clear any client-side session cache data */
- SSL_ClearSessionCache();
-
/*
* Free the non-pool allocated structures
* in the per-server configurations
@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
}
if (shutdown) {
+ /* Clear any client-side session cache data */
+ SSL_ClearSessionCache();
+
if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
!= SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,

214
mod_nss-sslmultiproxy.patch Normal file
View File

@ -0,0 +1,214 @@
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
return sslconn;
}
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+
int nss_proxy_enable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
SSLConnRec *sslconn = nss_init_connection_ctx(c);
if (!sc->proxy_enabled) {
+ if (othermod_proxy_enable) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ "mod_nss proxy not configured, passing through to mod_ssl module");
+ return othermod_proxy_enable(c);
+ }
+
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"SSL Proxy requested for %s but not enabled "
"[Hint: NSSProxyEngine]", sc->vhost_id);
@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
return 1;
}
-int ssl_proxy_enable(conn_rec *c) {
+static int ssl_proxy_enable(conn_rec *c) {
return nss_proxy_enable(c);
}
@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
SSLConnRec *sslconn;
+ if (othermod_engine_disable) {
+ othermod_engine_disable(c);
+ }
+
if (sc->enabled == FALSE) {
return 0;
}
@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
return 1;
}
-int ssl_engine_disable(conn_rec *c) {
+static int ssl_engine_disable(conn_rec *c) {
return nss_engine_disable(c);
}
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
nss_var_register();
+ /* Always register these mod_nss optional functions */
APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ /* Save the state of any previously registered mod_ssl functions */
+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+
+ /* Always register these local mod_ssl optional functions */
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA nss_module = {
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -13,8 +13,8 @@
* limitations under the License.
*/
-#ifndef __MOD_SSL_H__
-#define __MOD_SSL_H__
+#ifndef __MOD_NSS_H__
+#define __MOD_NSS_H__
/* Apache headers */
#include "httpd.h"
@@ -25,6 +25,7 @@
#include "http_connection.h"
#include "http_request.h"
#include "http_protocol.h"
+#include "mod_ssl.h"
#include "util_script.h"
#include "util_filter.h"
#include "mpm.h"
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
/* Variables */
void nss_var_register(void);
char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
void nss_var_log_config_register(apr_pool_t *p);
APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
- (apr_pool_t *, server_rec *,
- conn_rec *, request_rec *,
- char *));
/* An optional function which returns non-zero if the given connection
* is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* Proxy Support */
int nss_proxy_enable(conn_rec *c);
int nss_engine_disable(conn_rec *c);
-int ssl_proxy_enable(conn_rec *c);
-int ssl_engine_disable(conn_rec *c);
APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* I/O */
PRFileDesc * nss_io_new_fd();
@@ -495,4 +486,4 @@ void nss_die(void);
/* NSS callback */
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
-#endif /* __MOD_SSL_H__ */
+#endif /* __MOD_NSS_H__ */
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
+
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
static int nss_is_https(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
- return sslconn && sslconn->ssl;
+
+ return (sslconn && sslconn->ssl)
+ || (othermod_is_https && othermod_is_https(c));
}
static int ssl_is_https(conn_rec *c) {
@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
void nss_var_register(void)
{
+ /* Always register these mod_nss optional functions */
APR_REGISTER_OPTIONAL_FN(nss_is_https);
APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
- /* These can only be registered if mod_ssl is not loaded */
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ /* Save the state of any previously registered mod_ssl functions */
+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+
+ /* Always register these local mod_ssl optional functions */
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
return;
}
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
*/
if (result == NULL && c != NULL) {
SSLConnRec *sslconn = myConnConfig(c);
+
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
+ /* If mod_ssl is registered for this connection,
+ * pass any SSL_* variable through to the mod_ssl module
+ */
+ return othermod_var_lookup(p, s, c, r, var);
+ }
+
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
&& sslconn && sslconn->ssl)
result = nss_var_lookup_ssl(p, c, var+4);
@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
return result;
}
-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
return nss_var_lookup(p, s, c, r, var);
}

6
mod_nss-tlsv1_1.patch
View File

@ -391,9 +391,9 @@ Index: mod_nss-1.0.8/nss.conf.in
+# with the maximum specified protocol and downgrading as necessary to the
+# minimum specified protocol that can be used between two processes.
+# Since all protocol ranges are completely inclusive, and no protocol in the
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.