diff --git a/0001-SNI-check-with-NameVirtualHosts.patch b/0001-SNI-check-with-NameVirtualHosts.patch deleted file mode 100644 index 4b83458..0000000 --- a/0001-SNI-check-with-NameVirtualHosts.patch +++ /dev/null @@ -1,534 +0,0 @@ -From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001 -From: standa -Date: Thu, 25 Jun 2015 17:14:56 +0200 -Subject: [PATCH] SNI check with NameVirtualHosts - ---- - docs/mod_nss.html | 14 ++++- - mod_nss.c | 3 ++ - mod_nss.h | 21 ++++++++ - nss_engine_config.c | 11 ++++ - nss_engine_init.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++------ - nss_engine_kernel.c | 51 ++++++++++++++++++ - nss_util.c | 72 ++++++++++++++++++++++++- - 7 files changed, 303 insertions(+), 18 deletions(-) - -Index: mod_nss-1.0.8/docs/mod_nss.html -=================================================================== ---- mod_nss-1.0.8.orig/docs/mod_nss.html -+++ mod_nss-1.0.8/docs/mod_nss.html -@@ -195,7 +195,9 @@ following line to httpd.conf (location r -
- This has Apache load the mod_nss configuration file, nss.conf. - It is here that you will setup your VirtualServer entries to and --configure your SSL servers.
-+configure your SSL servers. If you have a certificate with the Subject -+Alternative Names then you will set up these names like ServerAlias for your virtual host.
-+ -

Certificate Generation

- A ksh script, gencert, is included to automatically - generate a self-signed CA plus one server certificate. This is fine for -@@ -1079,6 +1081,16 @@ components of the client certificate, th -
- NSSRequire
-

-+NSSSNI
-+
-+Enables or disables Server Name Identification(SNI) extension check for -+SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header. -+
-+
-+Example
-+
-+NSSSNI off
-+
- NSSProxyEngine
-
- Enables or disables mod_nss HTTPS support for mod_proxy.
-Index: mod_nss-1.0.8/mod_nss.c -=================================================================== ---- mod_nss-1.0.8.orig/mod_nss.c -+++ mod_nss-1.0.8/mod_nss.c -@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds - SSL_CMD_SRV(FIPS, FLAG, - "FIPS 140-1 mode " - "(`on', `off')") -+ SSL_CMD_SRV(SNI, FLAG, -+ "SNI" -+ "(`on', `off')") - SSL_CMD_ALL(CipherSuite, TAKE1, - "Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable " - "(`[+-]XXX,...,[+-]XXX' - see manual)") -Index: mod_nss-1.0.8/mod_nss.h -=================================================================== ---- mod_nss-1.0.8.orig/mod_nss.h -+++ mod_nss-1.0.8/mod_nss.h -@@ -308,6 +308,7 @@ struct SSLSrvConfigRec { - const char *ocsp_name; - BOOL ocsp; - BOOL enabled; -+ BOOL sni; - BOOL proxy_enabled; - const char *vhost_id; - int vhost_id_len; -@@ -343,6 +344,20 @@ typedef struct - PRInt32 version; /* protocol version valid for this cipher */ - } cipher_properties; - -+typedef struct { -+ enum { -+ PW_NONE = 0, -+ PW_FROMFILE = 1, -+ PW_PLAINTEXT = 2, -+ PW_EXTERNAL = 3 -+ } source; -+ char *data; -+} secuPWData; -+ -+/* pool and hash which will contain ServerName and NSSNickname */ -+apr_pool_t *mp; -+apr_hash_t *ht; -+ - /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of - * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it - * is the last version without this define. 
This is used for more than just -@@ -384,6 +399,7 @@ void *nss_config_perdir_merge(apr_pool_t - void *nss_config_server_create(apr_pool_t *p, server_rec *s); - void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv); - const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int); -+const char *nss_cmd_NSSSNI(cmd_parms *, void *, int); - const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); - const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); - const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); -@@ -471,6 +487,9 @@ apr_file_t *nss_util_ppopen(server_rec - void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); - char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, - const char * const *); -+char *searchHashVhostNick(char *vhost_id); -+char *searchHashVhostNick_match(char *vhost_id); -+void addHashVhostNick(char *vhost_id, char *nickname); - /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request - * to allow an SSL renegotiation to take place. 
*/ - int nss_io_buffer_fill(request_rec *r); -Index: mod_nss-1.0.8/nss_engine_config.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_config.c -+++ mod_nss-1.0.8/nss_engine_config.c -@@ -135,6 +135,7 @@ static SSLSrvConfigRec *nss_config_serve - sc->ocsp_name = NULL; - sc->fips = UNSET; - sc->enabled = UNSET; -+ sc->sni = TRUE; - sc->proxy_enabled = UNSET; - sc->vhost_id = NULL; /* set during module init */ - sc->vhost_id_len = 0; /* set during module init */ -@@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t - cfgMerge(ocsp_name, NULL); - cfgMergeBool(fips); - cfgMergeBool(enabled); -+ cfgMergeBool(sni); - cfgMergeBool(proxy_enabled); - cfgMergeBool(proxy_ssl_check_peer_cn); - -@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c - return NULL; - } - -+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ -+ sc->sni = flag ? TRUE : FALSE; -+ -+ return NULL; -+} -+ - const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag) - { - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -Index: mod_nss-1.0.8/nss_engine_init.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_init.c -+++ mod_nss-1.0.8/nss_engine_init.c -@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR - static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); - static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); - SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); -+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, -+ PRUint32 sniNameArrSize, void *arg); - - /* - * Global variables defined in this file. -@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r - NSS_Shutdown(); - ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, - "NSS_Initialize failed. 
Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration"); -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, -+ "Please check access rights for user:%s!!!", mc->user); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); -- if (mc->nInitCount == 1) -- nss_die(); -- else -- return; -+ nss_die(); - } - - if (fipsenabled) { -@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p - int fipsenabled = FALSE; - int threaded = 0; - struct semid_ds status; -+ char *split_vhost_id = NULL; -+ char *last1; - - mc->nInitCount++; - -@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p - */ - sc->vhost_id = nss_util_vhostid(p, s); - sc->vhost_id_len = strlen(sc->vhost_id); -+ -+ if (sc->server->nickname != NULL && sc->vhost_id != NULL) { -+ split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1); -+ ap_str_tolower(split_vhost_id); -+ addHashVhostNick(split_vhost_id, (char *)sc->server->nickname); -+ } - - /* Fix up stuff that may not have been set */ - if (sc->fips == UNSET) { -@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p - ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, - "Init: Initializing (virtual) servers for SSL"); - -- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); -+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); - - for (s = base_server; s; s = s->next) { - sc = mySrvConfig(s); -@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p - /* - * Read the server certificate and key - */ -- nss_init_ConfigureServer(s, p, ptemp, sc, clist); -+ nss_init_ConfigureServer(s, p, ptemp, sc, clist); - } - - if (clist) { -@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_ - SECStatus secstatus; - - PK11SlotInfo* slot = NULL; -+ CERTCertNicknames *certNickDNS = NULL; -+ char **nnptr = NULL; -+ int nn = 0; -+ apr_array_header_t *names = NULL; -+ apr_array_header_t *wild_names = NULL; -+ int i, j; - - if (nickname == NULL) { - 
return; -@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_ - - *KEAtype = NSS_FindCertKEAType(*servercert); - -+ /* get ServerAlias entries to hash */ -+ names = s->names; -+ if (names) { -+ char **name = (char **)names->elts; -+ for (i = 0; i < names->nelts; ++i) { -+ ap_str_tolower(name[i]); -+ addHashVhostNick(name[i], (char *)nickname); -+ } -+ } -+ -+ /* get ServerAlias entries with wildcards */ -+ wild_names = s->wild_names; -+ if (wild_names) { -+ char **wild_name = (char **)wild_names->elts; -+ for (j = 0; j < wild_names->nelts; ++j) { -+ ap_str_tolower(wild_name[j]); -+ addHashVhostNick(wild_name[j], (char *)nickname); -+ } -+ } -+ -+ /* get valid DNS names from certificate to hash */ -+ certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert); -+ -+ if (certNickDNS) { -+ nnptr = certNickDNS->nicknames; -+ nn = certNickDNS->numnicknames; -+ -+ while ( nn > 0 ) { -+ ap_str_tolower(*nnptr); -+ addHashVhostNick(*nnptr, (char *)nickname); -+ nnptr++; -+ nn--; -+ } -+ -+ } -+ - /* Subject/hostname check */ - secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); - if (secstatus != SECSuccess) { - char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -- "Misconfiguration of certificate's CN and virtual name." -- " The certificate CN has %s. We expected %s as virtual" -- " name.", cert_dns, s->server_hostname); -+ "Misconfiguration of certificate's CN and virtual name." -+ " The certificate CN has %s. We expected %s as virtual" -+ " name.", cert_dns, s->server_hostname); - PORT_Free(cert_dns); - } -- - /* - * Check for certs that are expired or not yet valid and WARN about it. - * No need to refuse working - the client gets a warning. 
-@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_ - break; - } - -- secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype); -+ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype); - if (secstatus != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL error configuring server: '%s'", nickname); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); -- } -+ } -+ -+ /* SNI */ -+ if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) ownSSLSNISocketConfig, (void*) s) != SECSuccess) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "SSL_SNISocketConfigHook failed"); -+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); -+ nss_die(); -+ } - } - - -@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); - } -+ - } - - static void nss_init_proxy_ctx(server_rec *s, -@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve - /* If any servers have SSL, we want sslenabled set so we - * can perform further initialization - */ -- - if (sc->enabled == UNSET) { - sc->enabled = FALSE; - } -@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve - nss_init_SSLLibrary(base_server); - - /* Configure all virtual servers */ -- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); -+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); - for (s = base_server; s; s = s->next) { - sc = mySrvConfig(s); -- if (sc->server->servercert == NULL && NSS_IsInitialized()) -- nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); -+ if (sc->server->servercert == NULL && NSS_IsInitialized()) { -+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); -+ } - } - if (clist) { - CERT_DestroyCertList(clist); -@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha - - return 0; - } -+ -+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, -+ PRUint32 sniNameArrSize, void *arg) -+{ -+ server_rec *s = 
(server_rec *)arg; -+ -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "start function ownSSLSNISocketConfig for SNI"); -+ -+ secuPWData *pwdata; -+ CERTCertificate * cert = NULL; -+ SECKEYPrivateKey * privKey = NULL; -+ char *nickName = NULL; -+ char *vhost = NULL; -+ apr_pool_t *str_p; -+ -+ PORT_Assert(fd && sniNameArr); -+ if (!fd || !sniNameArr) { -+ nss_die(); -+ } -+ apr_pool_create(&str_p, NULL); -+ vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len); -+ -+ /* rfc6125 - Checking of Traditional Domain Names*/ -+ ap_str_tolower(vhost); -+ -+ nickName = searchHashVhostNick(vhost); -+ if (nickName == NULL) { -+ /* search wild_names in serverAlises */ -+ nickName = searchHashVhostNick_match(vhost); -+ if (nickName == NULL) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, unrecognized name.", vhost); -+ nss_die(); -+ } -+ } -+ -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for key:%s", nickName, vhost); -+ -+ pwdata = SSL_RevealPinArg(fd); -+ -+ /* if pwdata is NULL, then we would not get the key and -+ * return an error status. 
*/ -+ cert = PK11_FindCertFromNickname(nickName, &pwdata); -+ if (cert == NULL) { -+ nss_die(); -+ } -+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata); -+ if (privKey == NULL) { -+ nss_die(); -+ } -+ SSLKEAType certKEA = NSS_FindCertKEAType(cert); -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "start configure vhost:%s", vhost); -+ if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) { -+ nss_die(); -+ } -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "successfull setting vhost with nick:%s", nickName); -+ SECKEY_DestroyPrivateKey(privKey); -+ CERT_DestroyCertificate(cert); -+ apr_pool_destroy(str_p); -+ return 0; -+ -+} -Index: mod_nss-1.0.8/nss_engine_kernel.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_kernel.c -+++ mod_nss-1.0.8/nss_engine_kernel.c -@@ -71,6 +71,59 @@ int nss_hook_ReadReq(request_rec *r) - } - - /* -+ * SNI check is default on. In same cases you switch of by NSSSNI off -+ * sc->sni parameter gets vhost from HTTPS header -+ */ -+ SSLSrvConfigRec *sc = mySrvConfig(r->server); -+ -+ SECItem *hostInfo = NULL; -+ hostInfo = SSL_GetNegotiatedHostInfo(ssl); -+ if (hostInfo != NULL && sc->sni) { -+ if (ap_is_initial_req(r) && (hostInfo->len != 0)) { -+ char *servername = NULL; -+ char *host, *scope_id; -+ apr_port_t port; -+ apr_status_t rv; -+ apr_pool_t *s_p; -+ -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, -+ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d" -+ ,(char *) hostInfo->data, hostInfo->len); -+ -+ apr_pool_create(&s_p, NULL); -+ servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len); -+ -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, -+ "SNI hostInfo servername:%s, lenght:%d" -+ , servername, (unsigned)strlen(servername)); -+ -+ if (!r->hostname) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, -+ "Hostname %s provided via SNI, but no hostname" -+ " provided in HTTP request", servername); -+ return HTTP_BAD_REQUEST; 
-+ } -+ -+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); -+ if (rv != APR_SUCCESS || scope_id) { -+ return HTTP_BAD_REQUEST; -+ } -+ -+ if (strcasecmp(host, servername)) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, -+ "Hostname %s provided via SNI and hostname %s provided" -+ " via HTTP are different", servername, host); -+ -+ SECITEM_FreeItem(hostInfo, PR_TRUE); -+ apr_pool_destroy(s_p); -+ return HTTP_BAD_REQUEST; -+ } else { -+ SECITEM_FreeItem(hostInfo, PR_TRUE); -+ apr_pool_destroy(s_p); -+ } -+ } -+ } -+ /* - * Log information about incoming HTTPS requests - */ - if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { -Index: mod_nss-1.0.8/nss_util.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_util.c -+++ mod_nss-1.0.8/nss_util.c -@@ -13,7 +13,6 @@ - * limitations under the License. - */ - -- - #include "mod_nss.h" - #include "ap_mpm.h" - #include "apr_thread_mutex.h" -@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s, - - return buf; - } -+ -+static void initializeHashVhostNick() { -+ apr_pool_create(&mp, NULL); -+ ht = apr_hash_make(mp); -+} -+ -+char *searchHashVhostNick(char *vhost_id) { -+ char *searchVal = NULL; -+ -+ searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING); -+ -+ return searchVal; -+} -+ -+char *searchHashVhostNick_match(char *vhost_id) -+{ -+ char *searchValReg = NULL; -+ apr_hash_index_t *hi; -+ for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) { -+ const char *k = NULL; -+ const char *v = NULL; -+ -+ apr_hash_this(hi, (const void**)&k, NULL, (void**)&v); -+ if (!ap_strcasecmp_match(vhost_id, k)) { -+ searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING); -+ return searchValReg; -+ } -+ } -+ return NULL; -+} -+ -+void addHashVhostNick(char *vhost_id, char *nickname) { -+ -+ if (ht == NULL) { -+ initializeHashVhostNick(); -+ } -+ -+ if(searchHashVhostNick(vhost_id) == NULL) { -+ apr_hash_set(ht, 
apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING, -+ apr_pstrdup(mp, nickname)); -+ } -+ return; -+} -+ diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index fea0289..f75d35a 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com + +- use a whitelist approach for keeping directives in the migration + script (bsc#961907) + * modify mod_nss_migrate.pl + +------------------------------------------------------------------- +Wed Mar 16 14:45:24 UTC 2016 - pgajdos@suse.com + +- fix test: add NSSPassPhraseDialog, point it to plain file + +------------------------------------------------------------------- +Mon Mar 14 12:27:37 UTC 2016 - vcizek@suse.com + +- update to 1.0.13 + Update default ciphers to something more modern and secure + Check for host and netstat commands in gencert before trying to use them + Add server support for DHE ciphers + Extract SAN from server/client certificates into env + Fix memory leaks and other coding issues caught by clang analyzer + Add support for Server Name Indication (SNI) (#1010751) + Add support for SNI for reverse proxy connections + Add RenegBufferSize? 
option + Add support for TLS Session Tickets (RFC 5077) + Fix logical AND support in OpenSSL cipher compatibility + Correctly handle disabled ciphers (CVE-2015-5244) + Implement a slew more OpenSSL cipher macros + Fix a number of illegal memory accesses and memory leaks + Support for SHA384 ciphers if they are available in NSS + Add compatibility for mod_ssl-style cipher definitions (#862938) + Add TLSv1.2-specific ciphers + Completely remove support for SSLv2 + Add support for sqlite NSS databases (#1057650) + Compare subject CN and VS hostname during server start up + Add support for enabling TLS v1.2 + Don't enable SSL 3 by default (CVE-2014-3566) + Fix CVE-2013-4566 + Move nss_pcache to /usr/libexec + Support httpd 2.4+ +- drop almost all our patches (upstream) + * 0001-SNI-check-with-NameVirtualHosts.patch + * mod_nss-CVE-2013-4566-NSSVerifyClient.diff + * mod_nss-PK11_ListCerts_2.patch + * mod_nss-add_support_for_enabling_TLS_v1.2.patch + * mod_nss-array_overrun.patch + * mod_nss-cipherlist_update_for_tls12-doc.diff + * mod_nss-cipherlist_update_for_tls12.diff + * mod_nss-clientauth.patch + * mod_nss-compare_subject_CN_and_VS_hostname.patch + * mod_nss-gencert.patch + * mod_nss-httpd24.patch + * mod_nss-lockpcache.patch + * mod_nss-negotiate.patch + * mod_nss-no_shutdown_if_not_init_2.patch + * mod_nss-overlapping_memcpy.patch + * mod_nss-pcachesignal.h + * mod_nss-proxyvariables.patch + * mod_nss-reseterror.patch + * mod_nss-reverse_proxy_send_SNI.patch + * mod_nss-reverseproxy.patch + * mod_nss-sslmultiproxy.patch + * mod_nss-tlsv1_1.patch + * mod_nss-wouldblock.patch + * update-ciphers.patch +- add automake and libtool to BuildRequires +- temporarily comment out %check + ------------------------------------------------------------------- Tue Jan 12 08:31:19 UTC 2016 - pgajdos@suse.com diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index f7ec498..4c541d4 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec 
@@ -20,7 +20,7 @@ Name: apache2-mod_nss Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers -Version: 1.0.8 +Version: 1.0.13 Release: 0.4.8 Url: https://fedorahosted.org/mod_nss Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz @@ -38,6 +38,7 @@ Requires: mozilla-nss >= 3.15.1 PreReq: mozilla-nss-tools BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 +BuildRequires: automake BuildRequires: bison BuildRequires: curl BuildRequires: findutils 
@@ -45,43 +46,13 @@ BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel +BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig -# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout -# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch. -#Patch1: mod_nss-conf.patch -Patch2: mod_nss-gencert.patch -Patch3: mod_nss-wouldblock.patch -Patch4: mod_nss-negotiate.patch -Patch5: mod_nss-reverseproxy.patch -Patch6: mod_nss-pcachesignal.h -Patch7: mod_nss-reseterror.patch -Patch8: mod_nss-lockpcache.patch -# Fix build with apache 2.4 -Patch9: mod_nss-httpd24.patch -Patch10: mod_nss-proxyvariables.patch -Patch11: mod_nss-tlsv1_1.patch -Patch12: mod_nss-array_overrun.patch -Patch13: mod_nss-clientauth.patch -Patch14: mod_nss-no_shutdown_if_not_init_2.patch -Patch15: mod_nss-PK11_ListCerts_2.patch -Patch16: mod_nss-sslmultiproxy.patch -Patch17: mod_nss-overlapping_memcpy.patch -Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff -Patch19: mod_nss-cipherlist_update_for_tls12.diff -Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff Patch23: mod_nss-bnc863518-reopen_dev_tty.diff -# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name -Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch -# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 -Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch -# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support -Patch26: 0001-SNI-check-with-NameVirtualHosts.patch -Patch27: update-ciphers.patch -Patch28: mod_nss-reverse_proxy_send_SNI.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 
@@ -101,36 +72,7 @@ security library. %prep %setup -q -n mod_nss-%{version} -##%patch1 -p1 -b .conf.rpmpatch -%patch2 -p1 -b .gencert.rpmpatch -%patch3 -p1 -b .wouldblock.rpmpatch -%patch4 -p1 -b .negotiate.rpmpatch -%patch5 -p1 -b .reverseproxy.rpmpatch -%patch6 -p1 -b .pcachesignal.h.rpmpatch -%patch7 -p1 -b .reseterror.rpmpatch -%patch8 -p1 -b .lockpcache.rpmpatch -%patch10 -p1 -b .proxyvariables.rpmpatch -%patch11 -p1 -b .tlsv1_1.rpmpatch -%patch12 -p1 -b .array_overrun.rpmpatch -%patch13 -p1 -b .clientauth.rpmpatch -%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch -%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch -%patch16 -p1 -b .sslmultiproxy.rpmpatch -%patch17 -p1 -b .overlapping_memcpy.rpmpatch -%patch18 -p0 -b .CVE-2013-4566.rpmpatch -%patch19 -p0 -b .ciphers.rpmpatch -%patch20 -p0 -b .ciphers.doc.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch -%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch -%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch -%patch26 -p1 -b .SNI_support.rpmpatch -%patch27 -p1 -b .update-ciphers.rpmpatch -%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch - -# keep this last, otherwise we get fuzzyness from above -%if %{apache_branch} >= 204 -%patch9 -p1 -b .http24 -%endif # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -150,7 +92,7 @@ export C_INCLUDE_PATH cp -a %{SOURCE1} ./nss.conf.in cp -a %{SOURCE4} . chmod 644 ./nss.conf.in -#autoreconf -fvi +autoreconf -fvi %configure \ --with-nss-lib=$NSS_LIB_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \ 
@@ -193,11 +135,18 @@ perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert %check set +x mkdir -p %{apache_test_module_dir} +# create password file including internal token to suppress +# apache 'builtin dialog', see NSSPassPhraseDialog below +# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html) +cat << EOF > %{apache_test_module_dir}/password.conf +internal:httptest +EOF # create test configuration cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf NSSEngine on NSSNickname Server-Cert NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d +NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 diff --git a/mod_nss-1.0.13.tar.gz b/mod_nss-1.0.13.tar.gz new file mode 100644 index 0000000..1ee1ea0 --- /dev/null +++ b/mod_nss-1.0.13.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:244afe11101bf75d85562fadf7b5e4292f8de634446414c268b4b4636cc88817 +size 177668 diff --git a/mod_nss-1.0.8.tar.gz b/mod_nss-1.0.8.tar.gz deleted file mode 100644 index cfa4d75..0000000 --- a/mod_nss-1.0.8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f8477dfc432033738ee1aad5e010e9f0429eb1c1debd273a05fed6316d50a801 -size 405061 diff --git a/mod_nss-CVE-2013-4566-NSSVerifyClient.diff b/mod_nss-CVE-2013-4566-NSSVerifyClient.diff deleted file mode 100644 index 3bf2f51..0000000 --- a/mod_nss-CVE-2013-4566-NSSVerifyClient.diff +++ /dev/null 
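Review bot: In the `%check` hunk the heredoc that creates `%{apache_test_module_dir}/password.conf` leaves the file at the shell's default umask, so the token password that `NSSPassPhraseDialog file:` reads is normally group- and world-readable. For a throwaway build-time credential this is harmless, but this snippet is the pattern a reader will copy into a real `nss.conf`, and tightening it costs one line after the `EOF`: `chmod 600 %{apache_test_module_dir}/password.conf`. The comment above the heredoc could also name the line format the dialog expects, `# one "token:password" line per NSS token`, which is what `internal:httptest` encodes. The `NSSPassPhraseHelper` line and the cipher list below are unchanged by this hunk.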
@@ -1,319 +0,0 @@ -This is CVE-2013-4566: -The flaw is in the NSSVerifyClient (which is equivalent to mod_ssl's -SSLVerifyClient) setting enforcement. If 'NSSVerifyClient none' is set -in the server / vhost context (i.e. when server is configured to not -request or require client certificate authentication on the initial -connection), and client certificate authentication is expected to be -required for a specific directory via 'NSSVerifyClient require' -setting, mod_nss fails to properly require certificate authentication. -Remote attacker can use this to access content of the restricted -directories. - -Reported by Thomas Hoger . - -diff -rNU 150 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c ---- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2013-11-29 16:09:37.000000000 +0100 -+++ ./nss_engine_kernel.c 2013-11-29 16:12:20.000000000 +0100 -@@ -133,301 +133,301 @@ - /* - * Check to see if SSL protocol is enabled. If it's not then - * no further access control checks are relevant. The test for - * sc->enabled is probably strictly unnecessary - */ - if (!((sc->enabled == TRUE) || !ssl)) { - return DECLINED; - } - - /* - * Support for per-directory reconfigured SSL connection parameters. - * - * This is implemented by forcing an SSL renegotiation with the - * reconfigured parameter suite. But Apache's internal API processing - * makes our life very hard here, because when internal sub-requests occur - * we nevertheless should avoid multiple unnecessary SSL handshakes (they - * require extra network I/O and especially time to perform). - * - * But the optimization for filtering out the unnecessary handshakes isn't - * obvious and trivial. Especially because while Apache is in its - * sub-request processing the client could force additional handshakes, - * too. And these take place perhaps without our notice. So the only - * possibility is to explicitly _ask_ OpenSSL whether the renegotiation - * has to be performed or not. 
It has to performed when some parameters - * which were previously known (by us) are not those we've now - * reconfigured (as known by OpenSSL) or (in optimized way) at least when - * the reconfigured parameter suite is stronger (more restrictions) than - * the currently active one. - */ - - /* - * Override of NSSCipherSuite - * - * We provide two options here: - * - * o The paranoid and default approach where we force a renegotiation when - * the cipher suite changed in _any_ way (which is straight-forward but - * often forces renegotiations too often and is perhaps not what the - * user actually wanted). - * - * o The optimized and still secure way where we force a renegotiation - * only if the currently active cipher is no longer contained in the - * reconfigured/new cipher suite. Any other changes are not important - * because it's the servers choice to select a cipher from the ones the - * client supports. So as long as the current cipher is still in the new - * cipher suite we're happy. Because we can assume we would have - * selected it again even when other (better) ciphers exists now in the - * new cipher suite. This approach is fine because the user explicitly - * has to enable this via ``NSSOptions +OptRenegotiate''. So we do no - * implicit optimizations. 
- */ - if (dc->szCipherSuite) { - /* remember old state */ - for (i=0; i < ciphernum; i++) { - SSL_CipherPrefGet(ssl, ciphers_def[i].num, &ciphers_old[i]); - } - - if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { - int on, keySize, secretKeySize; - char *issuer, *subject; - - SSL_SecurityStatus(ssl, &on, &cipher, - &keySize, &secretKeySize, &issuer, - &subject); - } - - /* configure new state */ - - ciphers = strdup(dc->szCipherSuite); - if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, - r->server, - "Unable to reconfigure (per-directory) " - "permitted SSL ciphers"); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server); - free(ciphers); - - return HTTP_FORBIDDEN; - } - free(ciphers); - - /* Actually enable the selected ciphers. Also check to - see if the existing cipher is in the new list for - a possible optimization later. */ - - for (i=0; inOptions & SSL_OPT_OPTRENEGOTIATE) { - if (cipher_in_list != PR_TRUE) - renegotiate = TRUE; - } - else { - /* paranoid way */ - for (i=0; iserver, - "Reconfigured cipher suite will force renegotiation"); - } - } - - /* - * override of SSLVerifyClient - * - * We force a renegotiation if the reconfigured/new verify type is - * stronger than the currently active verify type. - * - * The order is: none << optional_no_ca << optional << require - * - * Additionally the following optimization is possible here: When the - * currently active verify type is "none" but a client certificate is - * already known/present, it's enough to manually force a client - * verification but at least skip the I/O-intensive renegotation - * handshake. 
- */ - if (dc->nVerifyClient != SSL_CVERIFY_UNSET) { - PRInt32 on; - - /* remember old state */ - SSL_OptionGet(ssl, SSL_REQUIRE_CERTIFICATE, &on); - if (on == PR_TRUE) { - verify_old = SSL_CVERIFY_REQUIRE; - } else { - SSL_OptionGet(ssl, SSL_REQUEST_CERTIFICATE, &on); - if (on == PR_TRUE) - verify_old = SSL_CVERIFY_OPTIONAL; - else - verify_old = SSL_CVERIFY_NONE; - } - - /* configure new state */ - verify = dc->nVerifyClient; - - if (verify == SSL_CVERIFY_REQUIRE) { - SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE); -- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR); -+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS); - } else if (verify == SSL_CVERIFY_OPTIONAL) { - SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE); - SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); - } else { - SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE); - SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); - } - - /* determine whether we've to force a renegotiation */ - if (!renegotiate && verify != verify_old) { - if (((verify_old == SSL_CVERIFY_NONE) && - (verify != SSL_CVERIFY_NONE)) || - - (!(verify_old & SSL_CVERIFY_OPTIONAL) && - (verify & SSL_CVERIFY_OPTIONAL)) || - - (!(verify_old & SSL_CVERIFY_REQUIRE) && - (verify & SSL_CVERIFY_REQUIRE))) - { - renegotiate = TRUE; - /* optimization */ - - if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && - (verify_old == SSL_CVERIFY_NONE) && - ((peercert = SSL_PeerCertificate(ssl)) != NULL)) - { - renegotiate_quick = TRUE; - CERT_DestroyCertificate(peercert); - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, - r->server, - "Changed client verification type will force " - "%srenegotiation", - renegotiate_quick ? 
"quick " : ""); - } - } - } - - /* If a renegotiation is now required for this location, and the - * request includes a message body (and the client has not - * requested a "100 Continue" response), then the client will be - * streaming the request body over the wire already. In that - * case, it is not possible to stop and perform a new SSL - * handshake immediately; once the SSL library moves to the - * "accept" state, it will reject the SSL packets which the client - * is sending for the request body. - * - * To allow authentication to complete in this auth hook, the - * solution used here is to fill a (bounded) buffer with the - * request body, and then to reinject that request body later. - */ - if (renegotiate && !renegotiate_quick - && (apr_table_get(r->headers_in, "transfer-encoding") - || (apr_table_get(r->headers_in, "content-length") - && strcmp(apr_table_get(r->headers_in, "content-length"), "0"))) - && !r->expecting_100) { - int rv; - - /* Fill the I/O buffer with the request body if possible. */ - rv = nss_io_buffer_fill(r); - - if (rv) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "could not buffer message body to allow " - "SSL renegotiation to proceed"); - return rv; - } - } - - /* - * now do the renegotiation if anything was actually reconfigured - */ - if (renegotiate) { - /* - * Now we force the SSL renegotation by sending the Hello Request - * message to the client. Here we have to do a workaround: Actually - * OpenSSL returns immediately after sending the Hello Request (the - * intent AFAIK is because the SSL/TLS protocol says it's not a must - * that the client replies to a Hello Request). But because we insist - * on a reply (anything else is an error for us) we have to go to the - * ACCEPT state manually. Using SSL_set_accept_state() doesn't work - * here because it resets too much of the connection. So we set the - * state explicitly and continue the handshake manually. 
- */ - ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, - "Requesting connection re-negotiation"); - - if (renegotiate_quick) { - SECStatus rv; - CERTCertificate *peerCert; - void *pinArg; - - /* perform just a manual re-verification of the peer */ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "Performing quick renegotiation: " - "just re-verifying the peer"); - - peerCert = SSL_PeerCertificate(sslconn->ssl); - - pinArg = SSL_RevealPinArg(sslconn->ssl); - - rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), - peerCert, - PR_TRUE, - certUsageSSLClient, - pinArg); - - CERT_DestroyCertificate(peerCert); - - if (rv != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, - "Re-negotiation handshake failed: " - "Client verification failed"); - - return HTTP_FORBIDDEN; - } - - /* The cert is ok, fall through to the check SSLRequires */ - } - else { - int handshake_done = 0; - int result = 0; - - /* do a full renegotiation */ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "Performing full renegotiation: " - "complete handshake protocol"); - - /* Do NOT call SSL_ResetHandshake as this will tear down the - * existing connection. - */ - if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) { - int errCode = PR_GetError(); - if (errCode == SEC_ERROR_INVALID_ARGS) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "Re-negotation request failed: " - "trying to do client authentication on a non-SSL3 connection"); - } else { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "Re-negotation request failed: " - "returned error %d", errCode); - } - r->connection->aborted = 1; - return HTTP_FORBIDDEN; - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "Awaiting re-negotiation handshake"); - diff --git a/mod_nss-PK11_ListCerts_2.patch b/mod_nss-PK11_ListCerts_2.patch deleted file mode 100644 index 800f0b3..0000000 --- a/mod_nss-PK11_ListCerts_2.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -diff -pu mod_nss.h mod_nss.h.PK11_ListCerts ---- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800 -+++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800 -@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd - /* module initialization */ - int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); - void nss_init_Child(apr_pool_t *, server_rec *); --void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); -+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); - apr_status_t nss_init_ModuleKill(void *data); - apr_status_t nss_init_ChildKill(void *data); - int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); -diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts ---- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800 -+++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800 -@@ -26,7 +26,7 @@ - static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); - static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); - static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); --static CERTCertificate* FindServerCertFromNickname(const char* name); -+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); - SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); - - /* -@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p - ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, - "Init: Initializing (virtual) servers for SSL"); - -+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); -+ - for (s = base_server; s; s = s->next) { - sc = mySrvConfig(s); - /* -@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p - /* - * Read the server certificate and key - */ -- nss_init_ConfigureServer(s, p, ptemp, sc); -+ 
nss_init_ConfigureServer(s, p, ptemp, sc, clist); -+ } -+ -+ if (clist) { -+ CERT_DestroyCertList(clist); - } - } - -@@ -880,7 +886,8 @@ static void nss_init_certificate(server_ - SECKEYPrivateKey **serverkey, - SSLKEAType *KEAtype, - PRFileDesc *model, -- int enforce) -+ int enforce, -+ const CERTCertList* clist) - { - SECCertTimeValidity certtimestatus; - SECStatus secstatus; -@@ -894,17 +901,15 @@ static void nss_init_certificate(server_ - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Using nickname %s.", nickname); - -- *servercert = FindServerCertFromNickname(nickname); -+ *servercert = FindServerCertFromNickname(nickname, clist); - - /* Verify the certificate chain. */ - if (*servercert != NULL) { - SECCertificateUsage usage = certificateUsageSSLServer; - -- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -- "Certificate not verified: '%s'", nickname); -+ if (enforce) { -+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); -- if (enforce) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unable to verify certificate '%s'. 
Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); - nss_die(); -@@ -994,7 +999,8 @@ static void nss_init_certificate(server_ - static void nss_init_server_certs(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -- modnss_ctx_t *mctx) -+ modnss_ctx_t *mctx, -+ const CERTCertList* clist) - { - SECStatus secstatus; - -@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server - - nss_init_certificate(s, mctx->nickname, &mctx->servercert, - &mctx->serverkey, &mctx->serverKEAType, -- mctx->model, mctx->enforce); -+ mctx->model, mctx->enforce, clist); - #ifdef NSS_ENABLE_ECC - nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, - &mctx->eccserverkey, &mctx->eccserverKEAType, -- mctx->model, mctx->enforce); -+ mctx->model, mctx->enforce, clist); - #endif - } - -@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server - static void nss_init_proxy_ctx(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -- SSLSrvConfigRec *sc) -+ SSLSrvConfigRec *sc, -+ const CERTCertList* clist) - { - nss_init_ctx(s, p, ptemp, sc->proxy); - -- nss_init_server_certs(s, p, ptemp, sc->proxy); -+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist); - } - - static void nss_init_server_ctx(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -- SSLSrvConfigRec *sc) -+ SSLSrvConfigRec *sc, -+ const CERTCertList* clist) - { - nss_init_server_check(s, p, ptemp, sc->server); - - nss_init_ctx(s, p, ptemp, sc->server); - -- nss_init_server_certs(s, p, ptemp, sc->server); -+ nss_init_server_certs(s, p, ptemp, sc->server, clist); - } - - /* -@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r - void nss_init_ConfigureServer(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -- SSLSrvConfigRec *sc) -+ SSLSrvConfigRec *sc, -+ const CERTCertList* clist) - { - if (sc->enabled == TRUE) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Configuring server for SSL protocol"); -- 
nss_init_server_ctx(s, p, ptemp, sc); -+ nss_init_server_ctx(s, p, ptemp, sc, clist); - } - - if (sc->proxy_enabled == TRUE) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Enabling proxy."); -- nss_init_proxy_ctx(s, p, ptemp, sc); -+ nss_init_proxy_ctx(s, p, ptemp, sc, clist); - } - } - -@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve - nss_init_SSLLibrary(base_server); - - /* Configure all virtual servers */ -+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); - for (s = base_server; s; s = s->next) { - sc = mySrvConfig(s); - if (sc->server->servercert == NULL && NSS_IsInitialized()) -- nss_init_ConfigureServer(s, p, mc->ptemp, sc); -+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); -+ } -+ if (clist) { -+ CERT_DestroyCertList(clist); - } - - /* -@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER - * newest, valid server certificate. - */ - static CERTCertificate* --FindServerCertFromNickname(const char* name) -+FindServerCertFromNickname(const char* name, const CERTCertList* clist) - { -- CERTCertList* clist; - CERTCertificate* bestcert = NULL; - - CERTCertListNode *cln; -@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n - if (name == NULL) - return NULL; - -- clist = PK11_ListCerts(PK11CertListUser, NULL); -- - for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist); - cln = CERT_LIST_NEXT(cln)) { - CERTCertificate* cert = cln->cert; -@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n - if (bestcert) { - bestcert = CERT_DupCertificate(bestcert); - } -- if (clist) { -- CERT_DestroyCertList(clist); -- } - return bestcert; - } - - diff --git a/mod_nss-add_support_for_enabling_TLS_v1.2.patch b/mod_nss-add_support_for_enabling_TLS_v1.2.patch deleted file mode 100644 index 8393563..0000000 --- a/mod_nss-add_support_for_enabling_TLS_v1.2.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 16 Oct 2014 14:05:05 -0400 -Subject: [PATCH] Add support for enabling TLS v1.2 - -If support is available in NSS then it is just a matter of including -TLS 1.2 in the protocol range. ---- - docs/mod_nss.html | 97 ++++++++++++++++++++++++++++--------------------------- - mod_nss.c | 4 +-- - nss.conf.in | 2 +- - nss_engine_init.c | 51 +++++++++++++++++------------ - nss_engine_vars.c | 3 ++ - 5 files changed, 86 insertions(+), 71 deletions(-) - -Index: mod_nss-1.0.8/nss.conf.in -=================================================================== ---- mod_nss-1.0.8.orig/nss.conf.in -+++ mod_nss-1.0.8/nss.conf.in -@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 - # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography - #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha - --NSSProtocol SSLv3,TLSv1 -+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 - - # SSL Certificate Nickname: - # The nickname of the RSA server certificate you are going to use. 
-Index: mod_nss-1.0.8/nss_engine_vars.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_vars.c -+++ mod_nss-1.0.8/nss_engine_vars.c -@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver - case SSL_LIBRARY_VERSION_TLS_1_1: - result = "TLSv1.1"; - break; -+ case SSL_LIBRARY_VERSION_TLS_1_2: -+ result = "TLSv1.2"; -+ break; - } - } - } -Index: mod_nss-1.0.8/nss_engine_init.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_init.c -+++ mod_nss-1.0.8/nss_engine_init.c -@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server - * cannot be excluded from this range. NSS will automatically negotiate - * to utilize the strongest acceptable protocol for a connection starting - * with the maximum specified protocol and downgrading as necessary to the -- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). -+ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0). - */ - if (stat == SECSuccess) { - /* Set minimum protocol version (lowest -> highest) - * -- * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 - */ - if (ssl3 == 1) { - enabledVersions.min = SSL_LIBRARY_VERSION_3_0; diff --git a/mod_nss-array_overrun.patch b/mod_nss-array_overrun.patch deleted file mode 100644 index 10b84f8..0000000 --- a/mod_nss-array_overrun.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array -"child_argv", with 5 elements, at position 5 with index variable "5". - -https://bugzilla.redhat.com/show_bug.cgi?id=714154 -diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c ---- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400 -+++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400 -@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p - - /* Do we need to fire up our password helper? */ - if (mc->nInitCount == 1) { -- const char * child_argv[5]; -+ const char * child_argv[6]; - apr_status_t rv; - struct sembuf sb; - char sembuf[32]; diff --git a/mod_nss-bnc863518-reopen_dev_tty.diff b/mod_nss-bnc863518-reopen_dev_tty.diff index 8dad74b..0bc69d1 100644 --- a/mod_nss-bnc863518-reopen_dev_tty.diff +++ b/mod_nss-bnc863518-reopen_dev_tty.diff 
@@ -1,54 +1,8 @@ -diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c ---- ../mod_nss-1.0.8-o/nss_engine_pphrase.c 2014-07-24 12:23:30.000000000 +0200 -+++ ./nss_engine_pphrase.c 2014-07-24 13:54:23.000000000 +0200 -@@ -181,199 +181,218 @@ - * that may be done. - */ - static PRBool nss_check_password(unsigned char *cp) - { - int len; - unsigned char *end, ch; - - len = strlen((char *)cp); - if (len < 8) { - return PR_TRUE; - } - end = cp + len; - while (cp < end) { - ch = *cp++; - if (!((ch >= 'A') && (ch <= 'Z')) && - !((ch >= 'a') && (ch <= 'z'))) { - /* pass phrase has at least one non alphabetic in it */ - return PR_TRUE; - } - } - return PR_TRUE; - } - - /* - * Password callback so the user is not prompted to enter the password - * after the server starts. - */ - static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg) - { - return NULL; - } - - /* - * Password callback to prompt the user for a password. This requires - * twiddling with the tty. Alternatively, if the file password.conf - * exists then it may be used to store the token password(s). - */ - static char *nss_get_password(FILE *input, FILE *output, - PK11SlotInfo *slot, - PRBool (*ok)(unsigned char *), - pphrase_arg_t *parg) - { - char *pwdstr = NULL; - char *token_name = NULL; - int tmp; - FILE *pwd_fileptr; - char *ptr; +Index: nss_engine_pphrase.c +=================================================================== +--- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100 ++++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100 +@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu char line[1024]; unsigned char phrase[200]; int infd = fileno(input); 
@@ -56,103 +10,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c int isTTY = isatty(infd); token_name = PK11_GetTokenName(slot); - - if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE || - parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) { - /* Try to get the passwords from the password file if it exists. - * THIS IS UNSAFE and is provided for convenience only. Without this - * capability the server would have to be started in foreground mode. - */ - if ((*parg->mc->pphrase_dialog_path != '\0') && - ((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != NULL)) { - while(fgets(line, 1024, pwd_fileptr)) { - if (PL_strstr(line, token_name) == line) { - tmp = PL_strlen(line) - 1; - while((line[tmp] == ' ') || (line[tmp] == '\n')) - tmp--; - line[tmp+1] = '\0'; - ptr = PL_strchr(line, ':'); - if (ptr == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Malformed password entry for token %s. Format should be token:password", token_name); - continue; - } - for(tmp=1; ptr[tmp] == ' '; tmp++) {} - pwdstr = strdup(&(ptr[tmp])); - } - } - fclose(pwd_fileptr); - } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to open password file %s", parg->mc->pphrase_dialog_path); - nss_die(); - } - } - - /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found - * in the password file. - */ - if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) && - (pwdstr == NULL)) { - return NULL; - } - - /* This purposely comes after the file check because that is more - * authoritative. 
- */ - if (parg->mc->nInitCount > 1) { - char buf[1024]; - apr_status_t rv; - apr_size_t nBytes = 1024; - struct sembuf sb; - - /* lock the pipe */ - sb.sem_num = 0; - sb.sem_op = -1; - sb.sem_flg = SEM_UNDO; - if (semop(parg->mc->semid, &sb, 1) == -1) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to reserve semaphore resource"); - } - - snprintf(buf, 1024, "RETR\t%s", token_name); - rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); - if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); - nss_die(); - } - - /* The helper just returns a token pw or "", so we don't have much - * to check for. - */ - memset(buf, 0, sizeof(buf)); - rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); - sb.sem_op = 1; - if (semop(parg->mc->semid, &sb, 1) == -1) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to free semaphore resource"); - /* perror("semop free resource id"); */ - } - - if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); - nss_die(); - } - - /* Just return what we got. If we got this far and we don't have a - * PIN then I/O is already shut down, so we can't do anything really - * clever. - */ - pwdstr = strdup(buf); - } - - /* If we got a password we're done */ +@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu if (pwdstr) return pwdstr; -- -+ + + /* It happens that stdin is not opened with O_RDONLY. Better make sure + * it is and re-open /dev/tty. + */ 
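Review bot: The comment the regenerated patch inserts into nss_get_password, `/* It happens that stdin is not opened with O_RDONLY. Better make sure it is and re-open /dev/tty. */`, is the only description of the 18-line insertion announced by `@@ -327,6 +328,24 @@`, and it does not say what the code does when /dev/tty cannot be opened (no controlling terminal, daemonised start) or whether the earlier password-file and pin-helper paths are affected; the inserted lines themselves are not visible in this hunk. The prompt loop that follows is left untouched by the inner patch and, as the dropped context in the next hunk shows, still calls `fgets((char*) phrase, sizeof(phrase), input)` without checking its result before `phrase[strlen((char*)phrase)-1] = 0`, so if the reopen fails the pass-phrase read still operates on an uninitialised buffer and, for an empty string, writes one element before `phrase`. I would have the comment state the failure behaviour, e.g. `/* stdin may have been opened without read access; re-open /dev/tty for the pass phrase prompt below. If that fails, <document the fallback here> */`, and have the patch guard the read: `if (!fgets((char *)phrase, sizeof(phrase), input)) phrase[0] = 0;`. nss_get_password starts before this hunk and ends after it.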
@@ -174,50 +35,3 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c for (;;) { /* Prompt for password */ if (isTTY) { - if (parg->retryCount > 0) { - fprintf(output, "Password incorrect. Please try again.\n"); - } - fprintf(output, "%s", prompt); - echoOff(infd); - } - fgets((char*) phrase, sizeof(phrase), input); - if (isTTY) { - fprintf(output, "\n"); - echoOn(infd); - } - /* stomp on newline */ - phrase[strlen((char*)phrase)-1] = 0; - - /* Validate password */ - if (!(*ok)(phrase)) { - /* Not weird enough */ - if (!isTTY) return 0; - fprintf(output, "Password must be at least 8 characters long with one or more\n"); - fprintf(output, "non-alphabetic characters\n"); - continue; - } - if (PK11_IsFIPS() && strlen(phrase) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "The FIPS security policy requires that a password be set."); - nss_die(); - } else - return (char*) PORT_Strdup((char*)phrase); - } - } - - /* - * Turn the echoing off on a tty. - */ - static void echoOff(int fd) - { - if (isatty(fd)) { - struct termios tio; - tcgetattr(fd, &tio); - tio.c_lflag &= ~ECHO; - tcsetattr(fd, TCSAFLUSH, &tio); - } - } - - /* - * Turn the echoing on on a tty. - */ diff --git a/mod_nss-cipherlist_update_for_tls12-doc.diff b/mod_nss-cipherlist_update_for_tls12-doc.diff deleted file mode 100644 index 0b132b0..0000000 --- a/mod_nss-cipherlist_update_for_tls12-doc.diff +++ /dev/null @@ -1,270 +0,0 @@ -diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html ---- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100 -+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100 -@@ -632,100 +632,135 @@ - - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fortezza_null
- - SSL_FORTEZZA_DMS_WITH_NULL_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fips_des_sha
- - SSL_RSA_FIPS_WITH_DES_CBC_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fips_3des_sha
- - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_des_56_sha - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc4_56_sha - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_aes_128_sha
- - TLS_RSA_WITH_AES_128_CBC_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_aes_256_sha
- - TLS_RSA_WITH_AES_256_CBC_SHA
- - SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - -+ -+ rsa_aes_128_sha256
-+ -+ TLS_RSA_WITH_AES_128_CBC_SHA256
-+ -+ TLSv1.2 -+ -+ -+ rsa_aes_128_gcm_sha
-+ -+ TLS_RSA_WITH_AES_128_GCM_SHA256
-+ -+ TLSv1.2 -+ -+ -+ rsa_camellia_128_sha
-+ -+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-+ -+ TLSv1.0/TLSv1.1/TLSv1.2 -+ -+ -+ rsa_camellia_256_sha
-+ -+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
-+ -+ TLSv1.0/TLSv1.1/TLSv1.2 -+ -+ -+ rsa_aes_256_sha256
-+ -+ TLS_RSA_WITH_AES_256_CBC_SHA256
-+ -+ TLSv1.2 -+ - - -
- Additionally there are a number of ECC ciphers:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -@@ -773,100 +794,130 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -
Cipher Name
-
NSS Cipher - Definition
-
Protocol
-
ecdh_ecdsa_null_shaTLS_ECDH_ECDSA_WITH_NULL_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_rc4_128_shaTLS_ECDH_ECDSA_WITH_RC4_128_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_3des_shaTLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_128_shaTLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_256_shaTLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_null_shaTLS_ECDHE_ECDSA_WITH_NULL_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_rc4_128_shaTLS_ECDHE_ECDSA_WITH_RC4_128_SHATLSv1.0/TLSv1.1/TLSv1.2
echde_rsa_nullTLS_ECDHE_RSA_WITH_NULL_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_rc4_128_shaTLS_ECDHE_RSA_WITH_RC4_128_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_3des_shaTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_128_shaTLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_256_shaTLS_ECDHE_RSA_WITH_AES_256_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_null_shaTLS_ECDH_anon_WITH_NULL_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_rc4_128shaTLS_ECDH_anon_WITH_RC4_128_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_3des_shaTLS_ECDH_anon_WITH_3DES_EDE_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_aes_128_shaTLS_ECDH_anon_WITH_AES_128_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_anon_aes_256_shaTLS_ECDH_anon_WITH_AES_256_CBC_SHATLSv1.0/TLSv1.1/TLSv1.2
ecdh_ecdsa_aes_128_sha256TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256TLSv1.2
ecdh_rsa_aes_128_sha256TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256TLSv1.2
ecdh_ecdsa_aes_128_gcm_shaTLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_ecdsa_aes_128_gcm_shaTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdh_rsa_aes_128_gcm_shaTLS_ECDH_RSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
ecdhe_rsa_aes_128_gcm_shaTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLSv1.0/TLSv1.1/TLSv1.2
-
- Example
-
- NSSCipherSuite - +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,
- -rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,
- +fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha

-
- NSSProtocol
-

- A comma-separated string that lists the basic protocols that the server - can use (and clients may connect with). It doesn't enable a cipher - specifically but allows ciphers for that protocol to be used at all.
-
- Options are:
-
    -
  • SSLv3
  • -
  • TLSv1 (legacy only; replaced by TLSv1.0)
  • -
  • TLSv1.0
  • -
  • TLSv1.1
  • -
  • TLSv1.2
  • -
  • All
  • -
- Note that this differs from mod_ssl in that you can't add or subtract - protocols.
-
- If no NSSProtocol is specified, mod_nss will default to allowing the use of - the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the - minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol - allowed. -
- If values for NSSProtocol are specified, mod_nss will set both the minimum - and the maximum allowed protocols based upon these entries allowing for the - inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2 - are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes - protocol ranges to accept all protocols inclusively - (TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols - in the middle of a range (e. g. - TLS 1.0).
-
- Finally, NSS will always automatically negotiate the use of the strongest - possible protocol that has been specified which is acceptable to both sides of - a given connection.
- SSLv2 is not supported by default at this time.
-
- Example
-
- NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
-
diff --git a/mod_nss-cipherlist_update_for_tls12.diff b/mod_nss-cipherlist_update_for_tls12.diff deleted file mode 100644 index 7bee592..0000000 --- a/mod_nss-cipherlist_update_for_tls12.diff +++ /dev/null 
@@ -1,247 +0,0 @@ -diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h ---- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100 -+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100 -@@ -318,103 +318,103 @@ - - /* - * Define the mod_ssl per-directory configuration structure - * (i.e. the local configuration for all - * and .htaccess contexts) - */ - typedef struct { - BOOL bSSLRequired; - apr_array_header_t *aRequirement; - int nOptions; - int nOptionsAdd; - int nOptionsDel; - const char *szCipherSuite; - nss_verify_t nVerifyClient; - const char *szUserName; - } SSLDirConfigRec; - - /* - * Cipher definitions - */ - typedef struct - { - const char *name; - int num; - int fortezza_only; - PRInt32 version; /* protocol version valid for this cipher */ - } cipher_properties; - - /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of - * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it - * is the last version without this define. This is used for more than just - * the below defines. It also determines which API is used. 
- */ - #ifndef AP_SERVER_MAJORVERSION_NUMBER - #define AP_SERVER_MAJORVERSION_NUMBER 2 - #define AP_SERVER_MINORVERSION_NUMBER 0 - #define AP_SERVER_PATCHLEVEL_NUMBER 55 - #endif - - #if AP_SERVER_MINORVERSION_NUMBER < 2 - typedef struct regex_t ap_regex_t; - #define AP_REG_EXTENDED REG_EXTENDED - #define AP_REG_NOSUB REG_NOSUB - #define AP_REG_ICASE REG_ICASE - #endif - - enum sslversion { SSL2=1, SSL3=2, TLS=4}; - - /* the table itself is defined in nss_engine_init.c */ - #ifdef NSS_ENABLE_ECC --#define ciphernum 48 -+#define ciphernum 59 - #else --#define ciphernum 23 -+#define ciphernum 28 - #endif - - /* - * function prototypes - */ - - /* API glue structures */ - extern module AP_MODULE_DECLARE_DATA nss_module; - - /* configuration handling */ - SSLModConfigRec *nss_config_global_create(server_rec *); - void *nss_config_perdir_create(apr_pool_t *p, char *dir); - void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv); - void *nss_config_server_create(apr_pool_t *p, server_rec *s); - void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv); - const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int); - const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); - const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); - const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); - const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg); - const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg); - const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); - 
#ifdef SSL_ENABLE_RENEGOTIATION - const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); - const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); - #endif - #ifdef NSS_ENABLE_ECC - const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); - #endif - const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int); - const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); - const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg); - const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *); - - const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag); - const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); -diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c ---- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100 -+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100 -@@ -15,122 +15,134 @@ - - #include "mod_nss.h" - #include "apr_thread_proc.h" - #include "ap_mpm.h" - #include "secmod.h" - #include "sslerr.h" - #include "pk11func.h" - #include "ocsp.h" - #include "keyhi.h" - #include "cert.h" - - static SECStatus 
ownBadCertHandler(void *arg, PRFileDesc * socket); - static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); - static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); - static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); - SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); - - /* - * Global variables defined in this file. - */ - char* INTERNAL_TOKEN_NAME = "internal "; - - cipher_properties ciphers_def[ciphernum] = - { - /* SSL2 cipher suites */ - {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, - {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, - {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, - {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, - {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, - {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, - /* SSL3/TLS cipher suites */ - {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, - {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, - {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS}, - {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS}, - {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS}, - {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, - {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, - {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, - {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, - {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, - /* TLS 1.0: Exportable 56-bit Cipher Suites. 
*/ - {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, - /* AES ciphers.*/ - {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, -+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, -+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, -+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, - {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, -+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, -+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, -+ - #ifdef NSS_ENABLE_ECC - /* ECC ciphers.*/ - {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS}, - {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS}, - {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, - {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, - {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, - {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS}, - {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS}, - {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, - {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS}, -+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, - {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, - {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS}, - {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS}, - {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, - {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdh_rsa_aes_128_gcm_sha", 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, - {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, - {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS}, - {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS}, - {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, - {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, -+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, - {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, - {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS}, - {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS}, - {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS}, - {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS}, - {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS}, - #endif - }; - - static char *version_components[] = { - "SSL_VERSION_PRODUCT", - "SSL_VERSION_INTERFACE", - "SSL_VERSION_LIBRARY", - NULL - }; - - static char *nss_add_version_component(apr_pool_t *p, - server_rec *s, - char *name) - { - char *val = nss_var_lookup(p, s, NULL, NULL, name); - - if (val && *val) { - ap_add_version_component(p, val); - } - - return val; - } - - static void nss_add_version_components(apr_pool_t *p, - server_rec *s) - { - char *vals[sizeof(version_components)/sizeof(char *)]; - int i; - - for (i=0; version_components[i]; i++) { - vals[i] = nss_add_version_component(p, s, - version_components[i]); - } - - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Server: %s, Interface: %s, Library: %s", - AP_SERVER_BASEVERSION, - vals[1], /* SSL_VERSION_INTERFACE */ - vals[2]); /* SSL_VERSION_LIBRARY */ - } - - /* - * Initialize SSL library - * diff --git a/mod_nss-clientauth.patch b/mod_nss-clientauth.patch deleted file mode 100644 index 7a4c075..0000000 
--- a/mod_nss-clientauth.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-The first fix is to retrieve the full certificate subject instead of just the
-CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
-
-The second always attempts to retrieve the client certificate in
-nss_hook_ReadReq().
-
-https://bugzilla.redhat.com/show_bug.cgi?id=702437
---- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
-+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
-@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
-
- status = SSL_AuthCertificate(arg, socket, checksig, isServer);
-
-- if (status == SECSuccess) {
-- conn_rec *c = filter_ctx->c;
-- SSLConnRec *sslconn = myConnConfig(c);
--
-- sslconn->client_cert = SSL_PeerCertificate(socket);
-- sslconn->client_dn = NULL;
-- }
-+ /* The certificate is copied to sslconn->client_cert in
-+ * nss_hook_ReadReq()
-+ */
-
- return status;
- }
---- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
-+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
-@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
- nss_util_vhostid(r->pool, r->server));
- }
-
-+ if (sslconn->client_cert != NULL)
-+ CERT_DestroyCertificate(sslconn->client_cert);
-+ sslconn->client_cert = SSL_PeerCertificate(ssl);
-+ sslconn->client_dn = NULL;
-+
- return DECLINED;
- }
-
-@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
- }
-
- if (!sslconn->client_dn) {
-- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
-- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
-+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
-+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
- PORT_Free(cp);
- }
diff --git a/mod_nss-compare_subject_CN_and_VS_hostname.patch b/mod_nss-compare_subject_CN_and_VS_hostname.patch
deleted file mode 100644
index 4bfb530..0000000
--- a/mod_nss-compare_subject_CN_and_VS_hostname.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
-From: standa
-Date: Wed, 22 Oct 2014 16:14:29 +0200
-Subject: [PATCH] Compare subject CN and VS hostname during server start up
-
----
- nss_engine_init.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/nss_engine_init.c b/nss_engine_init.c
-index d74f002..2569c8d 100644
---- a/nss_engine_init.c
-+++ b/nss_engine_init.c
-@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
-
- *KEAtype = NSS_FindCertKEAType(*servercert);
-
-+ /* Subject/hostname check */
-+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
-+ if (secstatus != SECSuccess) {
-+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Misconfiguration of certificate's CN and virtual name."
-+ " The certificate CN has %s. We expected %s as virtual"
-+ " name.", cert_dns, s->server_hostname);
-+ PORT_Free(cert_dns);
-+ }
-+
- /*
-- * Check for certs that are expired or not yet valid and WARN about it
-- * no need to refuse working - the client gets a warning, but can work
-- * with the server we could also verify if the certificate is made out
-- * for the correct hostname but that would require a reverse DNS lookup
-- * for every virtual server - too expensive?
-+ * Check for certs that are expired or not yet valid and WARN about it.
-+ * No need to refuse working - the client gets a warning.
-+ */
-
- certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
---
-1.9.3
-
diff --git a/mod_nss-gencert.patch b/mod_nss-gencert.patch
deleted file mode 100644
index 6f5ce8a..0000000
--- a/mod_nss-gencert.patch
+++ /dev/null
@@ -1,26 +0,0 @@
---- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
-+++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
-@@ -82,12 +82,11 @@
-
- DEST=$1
-
--echo "httptest" > $DEST/pw.txt
-+echo -e "\n" > $DEST/pw.txt
-
- echo ""
- echo "#####################################################################"
--echo "Generating new server certificate and key database. The password"
--echo "is httptest"
-+echo "Generating new server certificate and key database."
- echo "#####################################################################"
- $CERTUTIL -N -d $DEST -f $DEST/pw.txt
-
-@@ -183,8 +182,4 @@
- rm $DEST/pw.txt
- rm $DEST/noise
-
--echo ""
--echo "The database password is httptest"
--echo ""
--
- exit 0
diff --git a/mod_nss-httpd24.patch b/mod_nss-httpd24.patch
deleted file mode 100644
index 18abbcb..0000000
--- a/mod_nss-httpd24.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-Index: mod_nss-1.0.8/mod_nss.c
-===================================================================
---- mod_nss-1.0.8.orig/mod_nss.c
-+++ mod_nss-1.0.8/mod_nss.c
-@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
- "Connection to child %ld established "
- "(server %s, client %s)", c->id, sc->vhost_id,
-- c->remote_ip ? c->remote_ip : "unknown");
-+ c->client_ip ? c->client_ip : "unknown");
-
- mctx = sslconn->is_proxy ? sc->proxy : sc->server;
-
-Index: mod_nss-1.0.8/mod_nss.h
-===================================================================
---- mod_nss-1.0.8.orig/mod_nss.h
-+++ mod_nss-1.0.8/mod_nss.h
-@@ -28,7 +28,6 @@
- #include "mod_ssl.h"
- #include "util_script.h"
- #include "util_filter.h"
--#include "mpm.h"
- #include "apr.h"
- #include "apr_strings.h"
- #define APR_WANT_STRFUNC
-@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo
- SECStatus nss_Init_Tokens(server_rec *s);
-
- /* Logging */
--void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
-+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
- void nss_die(void);
-
- /* NSS callback */
-Index: mod_nss-1.0.8/nss_engine_init.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_init.c
-+++ mod_nss-1.0.8/nss_engine_init.c
-@@ -15,7 +15,7 @@
-
- #include "mod_nss.h"
- #include "apr_thread_proc.h"
--#include "ap_mpm.h"
-+#include "mpm_common.h"
- #include "secmod.h"
- #include "sslerr.h"
- #include "pk11func.h"
-Index: mod_nss-1.0.8/nss_engine_io.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_io.c
-+++ mod_nss-1.0.8/nss_engine_io.c
-@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo
- PR_Close(ssl);
-
- /* log the fact that we've closed the connection */
-- if (c->base_server->loglevel >= APLOG_INFO) {
-+ if
(c->base_server->log.level >= APLOG_INFO) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
- "Connection to child %ld closed "
- "(server %s, client %s)",
- c->id,
- nss_util_vhostid(c->pool, c->base_server),
-- c->remote_ip ? c->remote_ip : "unknown");
-+ c->client_ip ? c->client_ip : "unknown");
- }
-
- /* deallocate the SSL connection */
-@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_
- filter_ctx = (nss_filter_ctx_t *)(fd->secret);
- c = filter_ctx->c;
-
-- return PR_StringToNetAddr(c->remote_ip, addr);
-+ return PR_StringToNetAddr(c->client_ip, addr);
- }
-
- /*
-Index: mod_nss-1.0.8/nss_engine_kernel.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_kernel.c
-+++ mod_nss-1.0.8/nss_engine_kernel.c
-@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r)
- /*
- * Log information about incoming HTTPS requests
- */
-- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
-+ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "%s HTTPS request received for child %ld (server %s)",
- (r->connection->keepalives <= 0 ?
-@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r)
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Access to %s denied for %s "
- "(requirement expression not fulfilled)",
-- r->filename, r->connection->remote_ip);
-+ r->filename, r->connection->client_ip);
-
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "Failed expression: %s", req->cpExpr);
-Index: mod_nss-1.0.8/nss_engine_log.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_log.c
-+++ mod_nss-1.0.8/nss_engine_log.c
-@@ -321,7 +321,7 @@ void nss_die(void)
- exit(1);
- }
-
--void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
-+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)
- {
- const char *err;
- PRInt32 error;
-@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file,
- err = "Unknown";
- }
-
-- ap_log_error(file, line, level, 0, s,
-+ ap_log_error(file, line, module_index, level, 0, s,
- "SSL Library Error: %d %s",
- error, err);
- }
-Index: mod_nss-1.0.8/nss_engine_vars.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_vars.c
-+++ mod_nss-1.0.8/nss_engine_vars.c
-@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
- && sslconn && sslconn->ssl)
- result = nss_var_lookup_ssl(p, c, var+4);
- else if (strcEQ(var, "REMOTE_ADDR"))
-- result = c->remote_ip;
-+ result = c->client_ip;
- else if (strcEQ(var, "HTTPS")) {
- if (sslconn && sslconn->ssl)
- result = "on";
-@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
- if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
- result = nss_var_lookup_nss_version(p, var+12);
- else if (strcEQ(var, "SERVER_SOFTWARE"))
-- result = (char *)ap_get_server_version();
-+ result = (char *)ap_get_server_banner();
- else if (strcEQ(var, "API_VERSION")) {
- result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
- resdup = FALSE;
diff --git a/mod_nss-lockpcache.patch b/mod_nss-lockpcache.patch
deleted file mode 100644
index d7b4105..0000000
--- a/mod_nss-lockpcache.patch
+++ /dev/null
@@ -1,240 +0,0 @@ -diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c ---- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500 -+++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500 -@@ -152,6 +152,8 @@ - AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, - "SSLLogLevel directive is no longer supported - use LogLevel."), - #endif -+ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF, -+ "Apache user. Comes from httpd.conf."), - - AP_END_CMD - }; -diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h ---- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500 -+++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500 -@@ -41,6 +41,9 @@ - #include "apr_shm.h" - #include "apr_global_mutex.h" - #include "apr_optional.h" -+#include -+#include -+#include - - #define MOD_NSS_VERSION AP_SERVER_BASEREVISION - -@@ -244,6 +247,9 @@ - struct { - void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; - } rCtx; -+ -+ int semid; -+ const char *user; - } SSLModConfigRec; - - typedef struct SSLSrvConfigRec SSLSrvConfigRec; -@@ -412,6 +418,7 @@ - const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); - const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); -+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg); - - /* module initialization */ - int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); -diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c ---- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500 -+++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500 -@@ -830,3 +830,12 @@ - - return NULL; - } -+ -+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg) -+{ -+ SSLModConfigRec *mc = myModConfig(cmd->server); -+ -+ 
mc->user = arg; -+ -+ return NULL; -+} -diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c ---- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500 -+++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500 -@@ -312,6 +312,7 @@ - int sslenabled = FALSE; - int fipsenabled = FALSE; - int threaded = 0; -+ struct semid_ds status; - - mc->nInitCount++; - -@@ -412,10 +413,26 @@ - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); - -+ /* The first pass through this function will create the semaphore that -+ * will be used to lock the pipe. The user is still root at that point -+ * so for any later calls the semaphore ops will fail with permission -+ * errors. So switch the user to the Apache user. -+ */ -+ if (mc->semid) { -+ uid_t user_id; -+ -+ user_id = ap_uname2id(mc->user); -+ semctl(mc->semid, 0, IPC_STAT, &status); -+ status.sem_perm.uid = user_id; -+ semctl(mc->semid,0,IPC_SET,&status); -+ } -+ - /* Do we need to fire up our password helper? */ - if (mc->nInitCount == 1) { - const char * child_argv[5]; - apr_status_t rv; -+ struct sembuf sb; -+ char sembuf[32]; - - if (mc->pphrase_dialog_helper == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -@@ -423,11 +440,31 @@ - nss_die(); - } - -+ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); -+ if (mc->semid == -1) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+ "Unable to obtain semaphore."); -+ nss_die(); -+ } -+ -+ /* Initialize the semaphore */ -+ sb.sem_num = 0; -+ sb.sem_op = 1; -+ sb.sem_flg = 0; -+ if ((semop(mc->semid, &sb, 1)) == -1) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+ "Unable to initialize semaphore."); -+ nss_die(); -+ } -+ -+ PR_snprintf(sembuf, 32, "%d", mc->semid); -+ - child_argv[0] = mc->pphrase_dialog_helper; -- child_argv[1] = fipsenabled ? 
"on" : "off"; -- child_argv[2] = mc->pCertificateDatabase; -- child_argv[3] = mc->pDBPrefix; -- child_argv[4] = NULL; -+ child_argv[1] = sembuf; -+ child_argv[2] = fipsenabled ? "on" : "off"; -+ child_argv[3] = mc->pCertificateDatabase; -+ child_argv[4] = mc->pDBPrefix; -+ child_argv[5] = NULL; - - rv = apr_procattr_create(&mc->procattr, mc->pPool); - -diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c ---- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400 -+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500 -@@ -279,6 +279,16 @@ - char buf[1024]; - apr_status_t rv; - apr_size_t nBytes = 1024; -+ struct sembuf sb; -+ -+ /* lock the pipe */ -+ sb.sem_num = 0; -+ sb.sem_op = -1; -+ sb.sem_flg = SEM_UNDO; -+ if (semop(parg->mc->semid, &sb, 1) == -1) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -+ "Unable to reserve semaphore resource"); -+ } - - snprintf(buf, 1024, "RETR\t%s", token_name); - rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); -@@ -293,6 +303,13 @@ - */ - memset(buf, 0, sizeof(buf)); - rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); -+ sb.sem_op = 1; -+ if (semop(parg->mc->semid, &sb, 1) == -1) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -+ "Unable to free semaphore resource"); -+ /* perror("semop free resource id"); */ -+ } -+ - if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); -diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c ---- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500 -+++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500 -@@ -21,6 +21,9 @@ - #include - #include - #include -+#include -+#include -+#include - #include "nss_pcache.h" - - static char * getstr(const char * cmd, int el); -@@ -70,6 +73,13 @@ - unsigned char *crypt; - }; - -+union 
semun { -+ int val; -+ struct semid_ds *buf; -+ unsigned short *array; -+ struct seminfo *__buf; -+}; -+ - /* - * Node - for maintaining link list of tokens with cached PINs - */ -@@ -304,15 +314,19 @@ - char * tokenName; - char * tokenpw; - int fipsmode = 0; -+ int semid = 0; -+ union semun semarg; - -- if (argc < 3 || argc > 4) { -- fprintf(stderr, "Usage: nss_pcache \n"); -+ if (argc < 4 || argc > 5) { -+ fprintf(stderr, "Usage: nss_pcache \n"); - exit(1); - } - - signal(SIGHUP, SIG_IGN); - -- if (!strcasecmp(argv[1], "on")) -+ semid = strtol(argv[1], NULL, 10); -+ -+ if (!strcasecmp(argv[2], "on")) - fipsmode = 1; - - /* Initialize NSPR */ -@@ -322,7 +336,7 @@ - PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); - - /* Initialize NSS and open the certificate database read-only. */ -- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); -+ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); - - if (rv != SECSuccess) { - fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); -@@ -437,6 +451,11 @@ - } - freeList(pinList); - PR_Close(in); -+ /* Remove the semaphore used for locking here. This is because this -+ * program only goes away when Apache shuts down so we don't have to -+ * worry about reloads. -+ */ -+ semctl(semid, 0, IPC_RMID, semarg); - return 0; - } - -Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig -Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch deleted file mode 100644 index 8f36996..0000000 --- a/mod_nss-negotiate.patch +++ /dev/null 
@@ -1,159 +0,0 @@
-
-diff -up ./mod_nss.c.norego ./mod_nss.c
---- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
-+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
-@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
- SSL_CMD_SRV(Nickname, TAKE1,
- "SSL RSA Server Certificate nickname "
- "(`Server-Cert'")
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ SSL_CMD_SRV(Renegotiation, FLAG,
-+ "Enable SSL Renegotiation (default off) "
-+ "(`on', `off')")
-+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
-+ "If Rengotiation is allowed, require safe negotiation (default off) "
-+ "(`on', `off')")
-+#endif
- #ifdef NSS_ENABLE_ECC
- SSL_CMD_SRV(ECCNickname, TAKE1,
- "SSL ECC Server Certificate nickname "
-diff -up ./mod_nss.h.norego ./mod_nss.h
---- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
-+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
-@@ -269,6 +269,10 @@ typedef struct {
- int tls;
- int tlsrollback;
- int enforce;
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ int enablerenegotiation;
-+ int requiresafenegotiation;
-+#endif
- const char *nickname;
- #ifdef NSS_ENABLE_ECC
- const char *eccnickname;
-@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
- const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+#endif
- #ifdef NSS_ENABLE_ECC
- const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
- #endif
-diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
---- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
-+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
-@@ -78,6 +78,10 @@ static void
modnss_ctx_init(modnss_ctx_t
- mctx->tls = PR_FALSE;
- mctx->tlsrollback = PR_FALSE;
-
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ mctx->enablerenegotiation = PR_FALSE;
-+ mctx->requiresafenegotiation = PR_FALSE;
-+#endif
- mctx->enforce = PR_TRUE;
- mctx->nickname = NULL;
- #ifdef NSS_ENABLE_ECC
-@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
- cfgMerge(eccnickname, NULL);
- #endif
- cfgMerge(enforce, PR_TRUE);
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ cfgMerge(enablerenegotiation, PR_FALSE);
-+ cfgMerge(requiresafenegotiation, PR_FALSE);
-+#endif
- }
-
- static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
-@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
- return NULL;
- }
-
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+
-+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
-+
-+ return NULL;
-+}
-+
-+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+
-+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
-+
-+ return NULL;
-+}
-+#endif
-+
- #ifdef NSS_ENABLE_ECC
- const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
- void *dcfg,
-diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
---- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
-+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
-@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
- nss_die();
- }
- }
-+#ifdef SSL_ENABLE_RENEGOTIATION
-+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
-+ mctx->enablerenegotiation ?
-+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
-+ ) != SECSuccess) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Unable to set SSL renegotiation");
-+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+ nss_die();
-+ }
-+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
-+ mctx->requiresafenegotiation) != SECSuccess) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Unable to set SSL safe negotiation");
-+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+ nss_die();
-+ }
-+#endif
- }
-
- static void nss_init_ctx_protocol(server_rec *s,
-
-
-diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
---- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
-+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
-@@ -27,7 +27,7 @@
- #define LIBSEC_ERROR_BASE (-8192)
- #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
- #define LIBSSL_ERROR_BASE (-12288)
--#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
-+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
-
- typedef struct l_error_t {
- int errorNumber;
-@@ -296,7 +296,19 @@
- { 99, "Server requires ciphers more secure than those supported by client" },
- { 100, "Peer reports it experienced an internal error" },
- { 101, "Peer user canceled handshake" },
-- { 102, "Peer does not permit renegotiation of SSL security parameters" }
-+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
-+ { 103, "Server cache not configured" },
-+ { 104, "Unsupported extension" },
-+ { 105, "Certificate unobtainable" },
-+ { 106, "Unrecognized name" },
-+ { 107, "Bad certificate status" },
-+ { 108, "Bad certificate hash value" },
-+ { 109, "Unexpected new session ticket" },
-+ { 110, "Malformed new session ticket" },
-+ { 111, "Decompression failure" },
-+ { 112, "Renegotiation not allowed" },
-+ { 113, "Safe negotiation required but not provided by client" },
-+ { 114, "Unexpected uncompressed record" },
- };
-
- void nss_die(void)
diff --git a/mod_nss-no_shutdown_if_not_init_2.patch b/mod_nss-no_shutdown_if_not_init_2.patch
deleted file mode 100644
index 2374820..0000000
--- a/mod_nss-no_shutdown_if_not_init_2.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
---- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
-+++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
-@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
- server_rec *s;
- int shutdown = 0;
-
-- /* Clear any client-side session cache data */
-- SSL_ClearSessionCache();
--
- /*
- * Free the non-pool allocated structures
- * in the per-server configurations
-@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
- }
-
- if (shutdown) {
-+ /* Clear any client-side session cache data */
-+ SSL_ClearSessionCache();
-+
- if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
- != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
diff --git a/mod_nss-overlapping_memcpy.patch b/mod_nss-overlapping_memcpy.patch
deleted file mode 100644
index 3e82f1b..0000000
--- a/mod_nss-overlapping_memcpy.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Bug 669118
-
-memcpy of overlapping memory is no longer allowed by glibc.
-
-This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
-
---- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
-+++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
-@@ -123,13 +123,13 @@
-
- if (buffer->length > inl) {
- /* we have have enough to fill the caller's buffer */
-- memcpy(in, buffer->value, inl);
-+ memmove(in, buffer->value, inl);
- buffer->value += inl;
- buffer->length -= inl;
- }
- else {
- /* swallow remainder of the buffer */
-- memcpy(in, buffer->value, buffer->length);
-+ memmove(in, buffer->value, buffer->length);
- inl = buffer->length;
- buffer->value = NULL;
- buffer->length = 0;
diff --git a/mod_nss-pcachesignal.h b/mod_nss-pcachesignal.h
deleted file mode 100644
index ef167a6..0000000
--- a/mod_nss-pcachesignal.h
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
---- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
-+++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
-@@ -20,6 +20,7 @@
- #include
- #include
- #include
-+#include
- #include "nss_pcache.h"
-
- static char * getstr(const char * cmd, int el);
-@@ -309,6 +310,8 @@
- exit(1);
- }
-
-+ signal(SIGHUP, SIG_IGN);
-+
- if (!strcasecmp(argv[1], "on"))
- fipsmode = 1;
-
-Only in mod_nss-1.0.8: nss_pcache.c.rej
diff --git a/mod_nss-proxyvariables.patch b/mod_nss-proxyvariables.patch
deleted file mode 100644
index 17090db..0000000
--- a/mod_nss-proxyvariables.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
---- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
-+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
-@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
- tls = 1;
- } else {
- if (mctx->auth.protocols == NULL) {
-- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-- "NSSProtocols not set; using: SSLv3 and TLSv1");
-+ /*
-+ * Since this routine will be invoked individually for every
-+ * thread associated with each 'server' object as well as for
-+ * every thread associated with each 'proxy' object, issue a
-+ * single per-thread 'warning' message for either a 'server'
-+ * or a 'proxy' based upon the thread's object type.
-+ */
-+ if (mctx == mctx->sc->server) {
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-+ "NSSProtocol value not set; using: SSLv3 and TLSv1");
-+ } else if (mctx == mctx->sc->proxy) {
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-+ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
-+ }
-+
- ssl3 = tls = 1;
- } else {
- lprotocols = strdup(mctx->auth.protocols);
-@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
- * Configure SSL Cipher Suite
- */
- if (!suite) {
-- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-- "Required value NSSCipherSuite not set.");
-+ /*
-+ * Since this is a 'fatal' error, regardless of whether this
-+ * particular invocation is from a 'server' object or a 'proxy'
-+ * object, issue all error message(s) as appropriate. 
-+ */
-+ if ((mctx->sc->enabled == TRUE) &&
-+ (mctx->sc->server) &&
-+ (!mctx->sc->server->auth.cipher_suite)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "NSSEngine on; required value NSSCipherSuite not set.");
-+ }
-+
-+ if ((mctx->sc->proxy_enabled == TRUE) &&
-+ (mctx->sc->proxy) &&
-+ (!mctx->sc->proxy->auth.cipher_suite)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
-+ }
-+
- nss_die();
- }
- ciphers = strdup(suite);
-@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
- if (mctx->nickname == NULL)
- #endif
- {
-- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-- "No certificate nickname provided.");
-+ /*
-+ * Since this is a 'fatal' error, regardless of whether this
-+ * particular invocation is from a 'server' object or a 'proxy'
-+ * object, issue all error message(s) as appropriate.
-+ */
-+ if ((mctx->sc->enabled == TRUE) &&
-+ (mctx->sc->server) &&
-+ (mctx->sc->server->nickname == NULL)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "NSSEngine on; no certificate nickname provided by NSSNickname.");
-+ }
-+
-+ if ((mctx->sc->proxy_enabled == TRUE) &&
-+ (mctx->sc->proxy) &&
-+ (mctx->sc->proxy->nickname == NULL)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
-+ }
-+
- nss_die();
- }
- 
diff --git a/mod_nss-reseterror.patch b/mod_nss-reseterror.patch
deleted file mode 100644
index ae483e5..0000000
--- a/mod_nss-reseterror.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
-+++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
-@@ -348,6 +348,7 @@
- break;
- }
- 
-+ PR_SetError(0, 0);
- rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
- 
- if (rc > 0) {
diff --git a/mod_nss-reverse_proxy_send_SNI.patch b/mod_nss-reverse_proxy_send_SNI.patch
deleted file mode 100644
index a502ea1..0000000
--- a/mod_nss-reverse_proxy_send_SNI.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Index: mod_nss-1.0.8/nss_engine_io.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200
-+++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200
-@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
- return APR_SUCCESS;
- }
- 
-+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
-+{
-+ conn_rec *c = f->c;
-+ SSLConnRec *sslconn = myConnConfig(c);
-+
-+ /*
-+ * Enable SNI for backend requests. Make sure we don't do it for
-+ * pure SSLv3 connections
-+ */
-+ if (sslconn->is_proxy) {
-+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
-+ if (hostname_note) {
-+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
-+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
-+ "Error setting SNI extension for SSL Proxy request: %d",
-+ PR_GetError());
-+ } else {
-+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
-+ "SNI extension for SSL Proxy request set to '%s'",
-+ hostname_note);
-+ }
-+ }
-+ else {
-+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
-+ "Can't set SNI extension: no hostname available");
-+ }
-+ }
-+
-+ return APR_SUCCESS;
-+}
-+
- static apr_status_t nss_io_filter_input(ap_filter_t *f,
- apr_bucket_brigade *bb,
- ap_input_mode_t mode,
-@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
- inctx->mode = mode;
- inctx->block = block;
- 
-+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
-+ return nss_io_filter_error(f, bb, status);
-+ }
-+
- if (is_init) {
- /* protocol module needs to handshake before sending
- * data to client (e.g. 
NNTP or FTP)
-@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
- inctx->mode = AP_MODE_READBYTES;
- inctx->block = APR_BLOCK_READ;
- 
-+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
-+ return nss_io_filter_error(f, bb, status);
-+ }
-+
- while (!APR_BRIGADE_EMPTY(bb)) {
- apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
- 
diff --git a/mod_nss-reverseproxy.patch b/mod_nss-reverseproxy.patch
deleted file mode 100644
index a4e8608..0000000
--- a/mod_nss-reverseproxy.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-mod_proxy now sets the requested remote host name. Use this to compare
-to the CN value of the peer certificate and reject the request if they
-do not match (and we are have NSSProxyCheckPeerCN set to on).
-
-diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
---- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
-+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
-@@ -1028,7 +1028,21 @@
-
- Example
-
--NSSProxyNickname beta
-+NSSProxyNickname beta
-+
-+
NSSProxyCheckPeerCN
-+
-+Compare the CN value of the peer certificate with the hostname being -+requested. If this is set to on, the default, then the request will -+fail if they do not match. If this is set to off then this comparison -+is not done. Note that this test is your only protection against a -+man-in-the-middle attack so leaving this as on is strongly recommended.
-+
-+Example
-+
-+NSSProcyCheckPeerCN -+on
-+

-

Environment Variables

- Quite a few environment variables (for CGI and SSI) may be set - depending on the NSSOptions configuration. It can be expensive to set -@@ -1435,42 +1449,9 @@ -

Frequently Asked Questions

- Q. Does mod_nss support mod_proxy?
-
--A. In order to use the mod_nss proxy support you will need to build --your own mod_proxy by applying a patch found in bug 36468. --The patch is needed so we can compare the hostname contained in the --remote certificate with the hostname you meant to visit. This prevents --man-in-the-middle attacks.
--
--You also have to change the SSL functions that mod_proxy looks to use. --You'll need to apply this patch:
--
--1038,1039c1038,1039
--< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
--< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
-----
--> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
--> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
--1041,1042c1041,1042
--< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = --NULL;
--< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable --= NULL;
-----
--> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = --NULL;
--> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable --= NULL;
--1069,1070c1069,1070
--<     proxy_ssl_enable = --APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
--<     proxy_ssl_disable = --APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
-----
-->     proxy_ssl_enable = --APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
-->     proxy_ssl_disable = --APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
--

-+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy -+provides a single interface for SSL providers and mod_nss defers to -+mod_ssl -+if it is loaded. - - -diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c ---- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400 -+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400 -@@ -142,6 +142,8 @@ - SSL_CMD_SRV(ProxyNickname, TAKE1, - "SSL Proxy: client certificate Nickname to be for proxy connections " - "(`nickname')") -+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, -+ "SSL Proxy: check the peers certificate CN") - - #ifdef IGNORE - /* Deprecated directives. */ -@@ -238,23 +240,30 @@ - SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket) - { - conn_rec *c = (conn_rec *)arg; -+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server); - PRErrorCode err = PR_GetError(); - SECStatus rv = SECFailure; - CERTCertificate *peerCert = SSL_PeerCertificate(socket); -+ const char *hostname_note; - - switch (err) { - case SSL_ERROR_BAD_CERT_DOMAIN: -- if (c->remote_host != NULL) { -- rv = CERT_VerifyCertName(peerCert, c->remote_host); -- if (rv != SECSuccess) { -- char *remote = CERT_GetCommonName(&peerCert->subject); -+ if (sc->proxy_ssl_check_peer_cn == TRUE) { -+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) { -+ apr_table_unset(c->notes, "proxy-request-hostname"); -+ rv = CERT_VerifyCertName(peerCert, hostname_note); -+ if (rv != SECSuccess) { -+ char *remote = CERT_GetCommonName(&peerCert->subject); -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note); -+ PORT_Free(remote); -+ } -+ } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -- "SSL Proxy: Possible man-in-the-middle attack. 
The remove server is %s, we expected %s", remote, c->remote_host); -- PORT_Free(remote); -+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."); - } - } else { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."); -+ rv = SECSuccess; - } - break; - default: -diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h ---- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400 -+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400 -@@ -306,6 +306,7 @@ - int vhost_id_len; - modnss_ctx_t *server; - modnss_ctx_t *proxy; -+ BOOL proxy_ssl_check_peer_cn; - }; - - /* -@@ -410,6 +411,7 @@ - const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); - const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); -+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); - - /* module initialization */ - int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); -diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c ---- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400 -+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400 -@@ -140,6 +140,7 @@ - sc->vhost_id_len = 0; /* set during module init */ - sc->proxy = NULL; - sc->server = NULL; -+ sc->proxy_ssl_check_peer_cn = TRUE; - - modnss_ctx_init_proxy(sc, p); - -@@ -214,6 +215,7 @@ - cfgMergeBool(fips); - cfgMergeBool(enabled); - cfgMergeBool(proxy_enabled); -+ cfgMergeBool(proxy_ssl_check_peer_cn); - - modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); - -@@ 
-544,6 +546,15 @@ - return NULL; - } - -+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ -+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE; -+ -+ return NULL; -+} -+ - const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd, - void *dcfg, - int flag) diff --git a/mod_nss-sslmultiproxy.patch b/mod_nss-sslmultiproxy.patch deleted file mode 100644 index 5bde820..0000000 --- a/mod_nss-sslmultiproxy.patch +++ /dev/null 
@@ -1,214 +0,0 @@
-Index: mod_nss-1.0.8/mod_nss.c
-===================================================================
---- mod_nss-1.0.8.orig/mod_nss.c
-+++ mod_nss-1.0.8/mod_nss.c
-@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
- return sslconn;
- }
- 
-+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
-+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
-+
- int nss_proxy_enable(conn_rec *c)
- {
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
-@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
- SSLConnRec *sslconn = nss_init_connection_ctx(c);
- 
- if (!sc->proxy_enabled) {
-+ if (othermod_proxy_enable) {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "mod_nss proxy not configured, passing through to mod_ssl module");
-+ return othermod_proxy_enable(c);
-+ }
-+
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
- "SSL Proxy requested for %s but not enabled "
- "[Hint: NSSProxyEngine]", sc->vhost_id);
-@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
- return 1;
- }
- 
--int ssl_proxy_enable(conn_rec *c) {
-+static int ssl_proxy_enable(conn_rec *c) {
- return nss_proxy_enable(c);
- }
- 
-@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
- 
- SSLConnRec *sslconn;
- 
-+ if (othermod_engine_disable) {
-+ othermod_engine_disable(c);
-+ }
-+
- if (sc->enabled == FALSE) {
- return 0;
- }
-@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
- return 1;
- }
- 
--int ssl_engine_disable(conn_rec *c) {
-+static int ssl_engine_disable(conn_rec *c) {
- return nss_engine_disable(c);
- }
- 
-@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
- 
- nss_var_register();
- 
-+ /* Always register these mod_nss optional functions */
- APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
- APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
- 
-- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
-- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
-- 
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
-- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
-- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-+ /* Save the state of any previously registered mod_ssl functions */
-+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
-+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
-+
-+ /* Always register these local mod_ssl optional functions */
-+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
-+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
- }
- 
- module AP_MODULE_DECLARE_DATA nss_module = {
-Index: mod_nss-1.0.8/mod_nss.h
-===================================================================
---- mod_nss-1.0.8.orig/mod_nss.h
-+++ mod_nss-1.0.8/mod_nss.h
-@@ -13,8 +13,8 @@
- * limitations under the License.
- */
- 
--#ifndef __MOD_SSL_H__
--#define __MOD_SSL_H__
-+#ifndef __MOD_NSS_H__
-+#define __MOD_NSS_H__
- 
- /* Apache headers */
- #include "httpd.h"
-@@ -25,6 +25,7 @@
- #include "http_connection.h"
- #include "http_request.h"
- #include "http_protocol.h"
-+#include "mod_ssl.h"
- #include "util_script.h"
- #include "util_filter.h"
- #include "mpm.h"
-@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
- /* Variables */
- void nss_var_register(void);
- char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
--char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
- void nss_var_log_config_register(apr_pool_t *p);
- 
- APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
- (apr_pool_t *, server_rec *,
- conn_rec *, request_rec *,
- char *));
--APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
-- (apr_pool_t *, server_rec *,
-- conn_rec *, request_rec *,
-- char *));
- 
- /* An optional function which returns non-zero if the given connection
- * is using SSL/TLS. 
*/
- APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
--APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
- 
- /* Proxy Support */
- int nss_proxy_enable(conn_rec *c);
- int nss_engine_disable(conn_rec *c);
--int ssl_proxy_enable(conn_rec *c);
--int ssl_engine_disable(conn_rec *c);
- 
- APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
--APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
- 
- APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
--APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
- 
- /* I/O */
- PRFileDesc * nss_io_new_fd();
-@@ -495,4 +486,4 @@ void nss_die(void);
- 
- /* NSS callback */
- SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
--#endif /* __MOD_SSL_H__ */
-+#endif /* __MOD_NSS_H__ */
-Index: mod_nss-1.0.8/nss_engine_vars.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_vars.c
-+++ mod_nss-1.0.8/nss_engine_vars.c
-@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
- static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
- static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
- static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
-+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
-+
-+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
-+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
- 
- static int nss_is_https(conn_rec *c)
- {
- SSLConnRec *sslconn = myConnConfig(c);
-- return sslconn && sslconn->ssl;
-+
-+ return (sslconn && sslconn->ssl)
-+ || (othermod_is_https && othermod_is_https(c));
- }
- 
- static int ssl_is_https(conn_rec *c) {
-@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
- 
- void nss_var_register(void)
- {
-+ /* Always register these mod_nss optional functions */
- APR_REGISTER_OPTIONAL_FN(nss_is_https);
- 
APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
- 
-- /* These can only be registered if mod_ssl is not loaded */
-- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
-- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
-- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
-- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
-+ /* Save the state of any previously registered mod_ssl functions */
-+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
-+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
-+
-+ /* Always register these local mod_ssl optional functions */
-+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
-+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
- 
- return;
- }
-@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
- */
- if (result == NULL && c != NULL) {
- SSLConnRec *sslconn = myConnConfig(c);
-+
-+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
-+ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
-+ /* If mod_ssl is registered for this connection,
-+ * pass any SSL_* variable through to the mod_ssl module
-+ */
-+ return othermod_var_lookup(p, s, c, r, var);
-+ }
-+
- if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
- && sslconn && sslconn->ssl)
- result = nss_var_lookup_ssl(p, c, var+4);
-@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
- return result;
- }
- 
--char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
-+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
- return nss_var_lookup(p, s, c, r, var);
- }
- 
diff --git a/mod_nss-tlsv1_1.patch b/mod_nss-tlsv1_1.patch
deleted file mode 100644
index 2a33a4d..0000000
--- a/mod_nss-tlsv1_1.patch
+++ /dev/null
@@ -1,745 +0,0 @@
-Index: mod_nss-1.0.8/docs/mod_nss.html
-===================================================================
---- mod_nss-1.0.8.orig/docs/mod_nss.html
-+++ mod_nss-1.0.8/docs/mod_nss.html
-@@ -466,7 +466,7 @@ Example
SSL_RSA_WITH_3DES_EDE_CBC_SHA
- -- SSLv3/TLSv1
-+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2
- - - -@@ -578,106 +578,106 @@ definition
- - SSL_RSA_WITH_DES_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_null_md5
- - SSL_RSA_WITH_NULL_MD5
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_null_sha
- - SSL_RSA_WITH_NULL_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc2_40_md5 - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc4_128_md5 - SSL_RSA_WITH_RC4_128_MD5
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc4_128_sha - SSL_RSA_WITH_RC4_128_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc4_40_md5 - SSL_RSA_EXPORT_WITH_RC4_40_MD5
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fortezza
- - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fortezza_rc4_128_sha
- - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fortezza_null
- - SSL_FORTEZZA_DMS_WITH_NULL_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fips_des_sha
- - SSL_RSA_FIPS_WITH_DES_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - fips_3des_sha
- - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_des_56_sha - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- -- SSL3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_rc4_56_sha - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_aes_128_sha
- - TLS_RSA_WITH_AES_128_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - rsa_aes_256_sha
- - TLS_RSA_WITH_AES_256_CBC_SHA
- -- SSLv3/TLSv1 -+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 - - - -@@ -698,127 +698,127 @@ Definition
- - ecdh_ecdsa_null_sha - TLS_ECDH_ECDSA_WITH_NULL_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_ecdsa_rc4_128_sha - TLS_ECDH_ECDSA_WITH_RC4_128_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_ecdsa_3des_sha - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_ecdsa_aes_128_sha - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_ecdsa_aes_256_sha - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_ecdsa_null_sha - TLS_ECDHE_ECDSA_WITH_NULL_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_ecdsa_rc4_128_sha - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_ecdsa_3des_sha - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_ecdsa_aes_128_sha - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_ecdsa_aes_256_sha - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_rsa_null_sha - TLS_ECDH_RSA_WITH_NULL_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_rsa_128_sha - TLS_ECDH_RSA_WITH_RC4_128_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_rsa_3des_sha - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_rsa_aes_128_sha - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_rsa_aes_256_sha - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - echde_rsa_null - TLS_ECDHE_RSA_WITH_NULL_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_rsa_rc4_128_sha - TLS_ECDHE_RSA_WITH_RC4_128_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_rsa_3des_sha - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_rsa_aes_128_sha - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdhe_rsa_aes_256_sha - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_anon_null_sha - 
TLS_ECDH_anon_WITH_NULL_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_anon_rc4_128sha - TLS_ECDH_anon_WITH_RC4_128_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_anon_3des_sha - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_anon_aes_128_sha - TLS_ECDH_anon_WITH_AES_128_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - ecdh_anon_aes_256_sha - TLS_ECDH_anon_WITH_AES_256_CBC_SHA -- TLSv1 -+ TLSv1.0/TLSv1.1/TLSv1.2 - - - -@@ -839,16 +839,36 @@ specifically but allows ciphers for that - Options are:
-
    -
  • SSLv3
  • --
  • TLSv1
  • -+
  • TLSv1 (legacy only; replaced by TLSv1.0)
  • -+
  • TLSv1.0
  • -+
  • TLSv1.1
  • -+
  • TLSv1.2
  • -
  • All
  • -
- Note that this differs from mod_ssl in that you can't add or subtract - protocols.
-+
-+If no NSSProtocol is specified, mod_nss will default to allowing the use of -+the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the -+minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol -+allowed. -+
-+If values for NSSProtocol are specified, mod_nss will set both the minimum -+and the maximum allowed protocols based upon these entries allowing for the -+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2 -+are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes -+protocol ranges to accept all protocols inclusively -+(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols -+in the middle of a range (e. g. - TLS 1.0).
-+
-+Finally, NSS will always automatically negotiate the use of the strongest -+possible protocol that has been specified which is acceptable to both sides of -+a given connection.
- SSLv2 is not supported by default at this time.
-
- Example
-
--NSSProtocol SSLv3,TLSv1
-+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
-
- NSSNickname
-

-@@ -1101,7 +1121,7 @@ was compiled against.
- - SSL_PROTOCOL
-
-- SSLv2, SSLv3 or TLSv1
-+ SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2
- - - -@@ -1443,7 +1463,7 @@ Opera, and - Safari) support SSL 3 and TLS so there is no need for a web server to - support - SSL 2. There are some known attacks against SSL 2 that are handled by --SSL 3/TLS. SSL2 also doesn't support useful features like client -+SSL 3/TLS. SSLv2 also doesn't support useful features like client - authentication. -
-

Frequently Asked Questions

-Index: mod_nss-1.0.8/mod_nss.c
-===================================================================
---- mod_nss-1.0.8.orig/mod_nss.c
-+++ mod_nss-1.0.8/mod_nss.c
-@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
- "(`[+-]XXX,...,[+-]XXX' - see manual)")
- SSL_CMD_SRV(Protocol, RAW_ARGS,
- "Enable the various SSL protocols"
-- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
-+ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
- SSL_CMD_ALL(VerifyClient, TAKE1,
- "SSL Client Authentication "
- "(`none', `optional', `require'")
-@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
- "(`on', `off')")
- SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
- "SSL Proxy: enable or disable SSL protocol flavors "
-- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
-+ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
- SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
- "SSL Proxy: colon-delimited list of permitted SSL ciphers "
- "(`XXX:...:XXX' - see manual)")
-Index: mod_nss-1.0.8/nss_engine_init.c
-===================================================================
---- mod_nss-1.0.8.orig/nss_engine_init.c
-+++ mod_nss-1.0.8/nss_engine_init.c
-@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
- apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
- {
-- int ssl2, ssl3, tls;
-+ int ssl2, ssl3, tls, tls1_1, tls1_2;
-+ char *protocol_marker = NULL;
- char *lprotocols = NULL;
- SECStatus stat;
-+ SSLVersionRange enabledVersions;
- 
-- ssl2 = ssl3 = tls = 0;
-+ ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
-+
-+ /*
-+ * Since this routine will be invoked individually for every thread
-+ * associated with each 'server' object as well as for every thread
-+ * associated with each 'proxy' object, identify the protocol marker
-+ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
-+ * via each thread's object type and apply this useful information to
-+ * all log messages. 
-+ */
-+ if (mctx == mctx->sc->server) {
-+ protocol_marker = "NSSProtocol";
-+ } else if (mctx == mctx->sc->proxy) {
-+ protocol_marker = "NSSProxyProtocol";
-+ }
- 
- if (mctx->sc->fips) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-- "In FIPS mode, enabling TLSv1");
-- tls = 1;
-+ "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
-+ protocol_marker);
-+ tls = tls1_1 = tls1_2 = 1;
- } else {
- if (mctx->auth.protocols == NULL) {
-- /*
-- * Since this routine will be invoked individually for every
-- * thread associated with each 'server' object as well as for
-- * every thread associated with each 'proxy' object, issue a
-- * single per-thread 'warning' message for either a 'server'
-- * or a 'proxy' based upon the thread's object type.
-- */
-- if (mctx == mctx->sc->server) {
-- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-- "NSSProtocol value not set; using: SSLv3 and TLSv1");
-- } else if (mctx == mctx->sc->proxy) {
-- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
-- }
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-+ "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
-+ protocol_marker);
- 
-- ssl3 = tls = 1;
-+ ssl3 = tls = tls1_1 = tls1_2 = 1;
- } else {
- lprotocols = strdup(mctx->auth.protocols);
- ap_str_tolower(lprotocols);
- 
- if (strstr(lprotocols, "all") != NULL) {
- #ifdef WANT_SSL2
-- ssl2 = ssl3 = tls = 1;
-+ ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
- #else
-- ssl3 = tls = 1;
-+ ssl3 = tls = tls1_1 = tls1_2 = 1;
- #endif
- } else {
-- if (strstr(lprotocols, "sslv2") != NULL) {
-+ char *protocol_list = NULL;
-+ char *saveptr = NULL;
-+ char *token = NULL;
-+
-+ for (protocol_list = lprotocols; ; protocol_list = NULL) {
-+ token = strtok_r(protocol_list, ",", &saveptr);
-+ if (token == NULL) {
-+ break;
-+ } else if (strcmp(token, "sslv2") == 0) {
- #ifdef WANT_SSL2
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
-- ssl2 = 1;
-+ 
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling SSL2",
-+ protocol_marker);
-+ ssl2 = 1;
- #else
-- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
-+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-+ "%s: SSL2 is not supported",
-+ protocol_marker);
- #endif
-- }
--
-- if (strstr(lprotocols, "sslv3") != NULL) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
-- ssl3 = 1;
-- }
--
-- if (strstr(lprotocols, "tlsv1") != NULL) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
-- tls = 1;
-+ } else if (strcmp(token, "sslv3") == 0) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling SSL3",
-+ protocol_marker);
-+ ssl3 = 1;
-+ } else if (strcmp(token, "tlsv1") == 0) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling TLSv1.0 via TLSv1",
-+ protocol_marker);
-+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-+ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
-+ protocol_marker);
-+ tls = 1;
-+ } else if (strcmp(token, "tlsv1.0") == 0) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling TLSv1.0",
-+ protocol_marker);
-+ tls = 1;
-+ } else if (strcmp(token, "tlsv1.1") == 0) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling TLSv1.1",
-+ protocol_marker);
-+ tls1_1 = 1;
-+ } else if (strcmp(token, "tlsv1.2") == 0) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Enabling TLSv1.2",
-+ protocol_marker);
-+ tls1_2 = 1;
-+ } else {
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-+ "%s: Unknown protocol '%s' not supported",
-+ protocol_marker, token);
-+ }
- }
- }
- free(lprotocols);
-@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
- }
- 
-+ /* Set protocol version ranges:
-+ *
-+ * (1) Set the minimum protocol accepted
-+ * (2) Set the maximum protocol accepted
-+ * (3) Protocol ranges extend from maximum down to minimum protocol
-+ * (4) 
All protocol ranges are completely inclusive;
-+ * no protocol in the middle of a range may be excluded
-+ * (5) NSS automatically negotiates the use of the strongest protocol
-+ * for a connection starting with the maximum specified protocol
-+ * and downgrading as necessary to the minimum specified protocol
-+ *
-+ * For example, if SSL 3.0 is chosen as the minimum protocol, and
-+ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
-+ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
-+ * cannot be excluded from this range. NSS will automatically negotiate
-+ * to utilize the strongest acceptable protocol for a connection starting
-+ * with the maximum specified protocol and downgrading as necessary to the
-+ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
-+ */
- if (stat == SECSuccess) {
-+ /* Set minimum protocol version (lowest -> highest)
-+ *
-+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
-+ */
- if (ssl3 == 1) {
-- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
-+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [SSL 3.0] (minimum)",
-+ protocol_marker);
-+ } else if (tls == 1) {
-+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.0] (minimum)",
-+ protocol_marker);
-+ } else if (tls1_1 == 1) {
-+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.1] (minimum)",
-+ protocol_marker);
-+ } else if (tls1_2 == 1) {
-+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.2] (minimum)",
-+ protocol_marker);
- } else {
-- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
-+ /* Set default minimum protocol version to SSL 3.0 */
-+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [SSL 3.0] (default minimum)",
-+ 
protocol_marker);
- }
-- }
-- if (stat == SECSuccess) {
-- if (tls == 1) {
-- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
-+
-+ /* Set maximum protocol version (highest -> lowest)
-+ *
-+ * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
-+ */
-+ if (tls1_2 == 1) {
-+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.2] (maximum)",
-+ protocol_marker);
-+ } else if (tls1_1 == 1) {
-+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.1] (maximum)",
-+ protocol_marker);
-+ } else if (tls == 1) {
-+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.0] (maximum)",
-+ protocol_marker);
-+ } else if (ssl3 == 1) {
-+ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [SSL 3.0] (maximum)",
-+ protocol_marker);
- } else {
-- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
-+ /* Set default maximum protocol version to TLS 1.2 */
-+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: [TLS 1.2] (default maximum)",
-+ protocol_marker);
- }
-+
-+ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
- }
- 
- if (stat != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-- "SSL protocol initialization failed.");
-+ "%s: SSL/TLS protocol initialization failed.",
-+ protocol_marker);
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- nss_die();
- }
- 
- mctx->ssl2 = ssl2;
- mctx->ssl3 = ssl3;
-- mctx->tls = tls;
-+ if (tls1_2 == 1) {
-+ mctx->tls = tls1_2;
-+ } else if (tls1_1 == 1) {
-+ mctx->tls = tls1_1;
-+ } else {
-+ mctx->tls = tls;
-+ }
- }
- 
- static void nss_init_ctx_session_cache(server_rec *s,
-@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
- PRBool cipher_state[ciphernum];
- PRBool fips_state[ciphernum];
- const char *suite = 
mctx->auth.cipher_suite; -+ char * object_type = NULL; -+ char * cipher_suite_marker = NULL; - char * ciphers; - char * fipsciphers = NULL; - int i; -@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se - - nss_die(); - } -+ -+ /* -+ * Since this routine will be invoked individually for every thread -+ * associated with each 'server' object as well as for every thread -+ * associated with each 'proxy' object, identify the cipher suite markers -+ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy') -+ * via each thread's object type and apply this useful information to -+ * all log messages. -+ */ -+ if (mctx == mctx->sc->server) { -+ object_type = "server"; -+ cipher_suite_marker = "NSSCipherSuite"; -+ } else if (mctx == mctx->sc->proxy) { -+ object_type = "proxy"; -+ cipher_suite_marker = "NSSProxyCipherSuite"; -+ } -+ - ciphers = strdup(suite); - - #define CIPHERSIZE 2048 -@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "FIPS mode enabled, permitted SSL ciphers are: [%s]", -- fipsciphers); -+ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]", -+ object_type, fipsciphers); - } - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "Configuring permitted SSL ciphers [%s]", -- suite); -+ "%s: Configuring permitted SSL ciphers [%s]", -+ cipher_suite_marker, suite); - - /* Disable all NSS supported cipher suites. 
This is to prevent any new - * NSS cipher suites from getting automatically and unintentionally -@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se - for (i=0; issl2 && countciphers(cipher_state, SSL2) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -- "SSL2 is enabled but no SSL2 ciphers are enabled."); -+ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.", -+ cipher_suite_marker); - nss_die(); - } - - if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -- "SSL3 is enabled but no SSL3 ciphers are enabled."); -+ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.", -+ cipher_suite_marker); - nss_die(); - } - - if (mctx->tls && countciphers(cipher_state, TLS) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -- "TLS is enabled but no TLS ciphers are enabled."); -+ "%s: TLS is enabled but no TLS ciphers are enabled.", -+ cipher_suite_marker); - nss_die(); - } - -Index: mod_nss-1.0.8/nss_engine_vars.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_vars.c -+++ mod_nss-1.0.8/nss_engine_vars.c -@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver - case SSL_LIBRARY_VERSION_3_0: - result = "SSLv3"; - break; -- case SSL_LIBRARY_VERSION_3_1_TLS: -+ case SSL_LIBRARY_VERSION_TLS_1_0: -+ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */ - result = "TLSv1"; - break; -+ case SSL_LIBRARY_VERSION_TLS_1_1: -+ result = "TLSv1.1"; -+ break; - } - } - } diff --git a/mod_nss-wouldblock.patch b/mod_nss-wouldblock.patch deleted file mode 100644 index 4053715..0000000 --- a/mod_nss-wouldblock.patch +++ /dev/null 
@@ -1,12 +0,0 @@ ---- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400 -+++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500 -@@ -259,7 +259,8 @@ - */ - if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) - || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) { -- return 0; -+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0); -+ return -1; - } - - if (inctx->rc != APR_SUCCESS) { diff --git a/mod_nss_migrate.pl b/mod_nss_migrate.pl index 88457d8..1f7f6f1 100644 --- a/mod_nss_migrate.pl +++ b/mod_nss_migrate.pl @@ -6,7 +6,7 @@ use Cwd; use Getopt::Std; BEGIN { -# $NSSDir = cwd(); + #$NSSDir = cwd(); $NSSDir = "/etc/apache2/mod_nss.d"; $SSLCACertificatePath = ""; 
@@ -18,21 +18,34 @@ BEGIN { $passphrase = 0; } -%skip = ( "SSLRandomSeed" => "", - "SSLSessionCache" => "", - "SSLMutex" => "", - "SSLCertificateChainFile" => "", - "SSLVerifyDepth" => "" , - "SSLCryptoDevice" => "" , - "LoadModule" => "" , - ); +# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13 +%keep = ( "SSLCipherSuite" => "", + "SSLEngine" => "", + "SSLFIPS" => "", + "SSLOptions" => "", + "SSLPassPhraseDialog" => "", + "SSLProtocol" => "", + "SSLProxyCipherSuite" => "", + "SSLProxyEngine" => "", + "SSLProxyCheckPeerCN" => "", + "SSLProxyProtocol" => "", + "SSLRandomSeed" => "", + "SSLRenegBufferSize" => "", + "SSLRequire" => "", + "SSLRequireSSL" => "", + "SSLSessionCacheTimeout" => "", + "SSLSessionTickets" => "", + "SSLStrictSNIVHostCheck" => "", + "SSLUserName" => "", + "SSLVerifyClient" => "", +); -%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); +%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); getopts('chr:w:' , \%opt ); sub usage() { - print STDERR "Usage: mod_nss_migrate.pl [-c] -r -w \n"; + print STDERR "Usage: migrate.pl [-c] -r -w \n"; print STDERR "\t-c converts the certificates\n"; print STDERR "This conversion script is not aware of apache's configuration blocks\n"; print STDERR "and nestable conditional directives. Please check the output of the\n"; 
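Review bot: The rewritten usage() message now names the script `migrate.pl`, while the file under review is `mod_nss_migrate.pl`, so the help text no longer matches the installed name; replace the literal `migrate.pl` with `$0` (or a basename of it) so the message follows whatever the script is called. The same literal is repeated in the generated header comment in the next hunk, and should change with it. The `%keep` table is documented as the set of directives common to the two named versions, which is useful, but note that its `SSLSessionCacheTimeout` entry cannot be reached as the later `%insert` lookup for that directive does `next` first.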
@@ -40,27 +53,22 @@ sub usage() { exit(); } -usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ; - - +usage() if ($opt{h} || !$opt{r} || !$opt{w}); print STDERR "input: $opt{r} output: $opt{w}\n"; open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n"; open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n"; - -print NSS "## This is a conversion of mod_ssl specific options by /usr/sbin/mod_nss_migrate.pl\n"; +print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n"; print NSS "## Most of the comments in the original .conf file have been omitted here, as\n"; print NSS "## the comments may not be valid for mod_nss, too.\n"; print NSS "## \n"; print NSS "## Please read through this configuration and verify the individual options!\n\n"; - while () { my $comment = 0; - # write through even if in comment before comments are stripped below. if(/(ServerName|ServerAlias)/) { print NSS $_; @@ -68,9 +76,8 @@ while () { } # skip blank lines and comments - if (/^#/ || /^\s*#/ || /^\s*$/) { -# do not copy them; they may not be useful anyway. -# print NSS $_; + if (/^\s*#/ || /^\s*$/) { + print NSS $_; next; } 
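Review bot: The generated header still states that most comments from the original .conf have been omitted, but the comment/blank-line branch later in this hunk now does `print NSS $_;` for every such line, so the header contradicts the output it precedes. Replace the two header lines with text that matches the new behaviour, e.g. `print NSS "## Comments from the original .conf file are copied through unchanged; they\n";` and `print NSS "## may not be valid for mod_nss.\n";`. The while loop this branch sits in continues past the end of the hunk.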
@@ -93,19 +100,15 @@ while () { next; } - if ($stmt eq "SSLCipherSuite") { - print NSS "## original SSLCipherSuite config line: $_"; - print NSS "NSSCipherSuite ", get_ciphers($val), "\n\n"; - next; - } elsif ($stmt eq "SSLEngine" ) { - print NSS "##$_"; - print NSS "NSSEngine $value\n\n"; - next; - } elsif ($stmt eq "SSLProtocol" ) { + # we support OpenSSL cipher strings now, keeping the string as is + #if ($stmt eq "SSLCipherSuite") { + #print NSS "NSSCipherSuite ", get_ciphers($val), "\n"; + #print NSS "NSSProtocol SSLv3,TLSv1\n"; + #$comment = 1; + if ($stmt eq "SSLProtocol" ) { print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n"; print NSS "##$_"; print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n"; - print NSS "## You may also specify SSLv3 at the beginning of the range. Not done here:\n"; print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n"; next; } elsif ($stmt eq "SSLCACertificatePath") { @@ -129,25 +132,27 @@ while () { $SSLCARevocationFile = $value; $comment = 1; } elsif ($stmt eq "SSLPassPhraseDialog") { - print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n"; + print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n"; $passphrase = 1; $comment = 1; } - if (exists($skip{$stmt})) { - print NSS "# Skipping, not applicable in mod_nss\n"; - print NSS "##$_"; + + if (exists($insert{$stmt})) { + #print NSS "$_"; + print NSS $insert{$stmt}; next; } - # Fix up any remaining directive names - s/SSL/NSS/; - - - if (exists($insert{$stmt})) { - print NSS "$_"; - print NSS $insert{$stmt}; - next; + if (m/^\s*SSL/) { + if (!exists($keep{$stmt})) { + print NSS "# Skipping, not applicable in mod_nss\n"; + print NSS "##$_"; + next; + } else { + # Fix up any remaining directive names + s/^(\s*)SSL/\1NSS/; + } } # Fall-through to print whatever is left 
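Review bot: With the `SSLCipherSuite` branch commented out, that directive now falls through to the `%keep` rename and is emitted as `NSSCipherSuite` with the OpenSSL string untouched, but the comment "we support OpenSSL cipher strings now" does not say which mod_nss version the generated file therefore requires; nothing in this diff establishes it, so the comment should name it, e.g. `# mod_nss >= <version> accepts OpenSSL cipher strings, so SSLCipherSuite is renamed below without translation.` Leaving the old branch as commented-out code, together with `get_ciphers` (which this change leaves without a caller), is confusing; delete the dead block instead. The `SSLProtocol` branch also replaces any original value with the fixed `NSSProtocol TLSv1.0,TLSv1.2`, which re-enables TLSv1.0 for a configuration that had excluded it and preserves the original only as a comment, so consider at least warning on stderr when the original range is narrower. The enclosing while loop starts outside the hunk.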
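Review bot: The `%insert` branch now discards the original `SSLSessionCacheTimeout` line (`#print NSS "$_";` is commented out) and emits only the fixed `NSSSessionCacheSize 10000` / `NSSSession3CacheTimeout 86400` pair, so the timeout the administrator configured is lost, and the `SSLSessionCacheTimeout` entry added to `%keep` in this commit is unreachable because `next` fires before the `%keep` check. Emit the renamed directive alongside the inserted lines, e.g. `(my $kept = $_) =~ s/^(\s*)SSL/$1NSS/;` followed by `print NSS $kept, $insert{$stmt};` before the `next`. In the rename a few lines below, `s/^(\s*)SSL/\1NSS/` should use `$1` rather than `\1` on the replacement side; `\1` there is only a deprecated alias and warns when warnings are enabled.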
@@ -157,11 +162,11 @@ while () { } else { print NSS $_; } - } if ($passphrase == 0) { - print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n"; + # NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'. + print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n"; } close(NSS); @@ -179,15 +184,15 @@ if ($opt{c}) { if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") { my $subject = get_cert_subject($SSLCertificateFile); print STDERR "Importing certificate $subject as \"Server-Cert\".\n"; - run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo "); - run_command("pk12util -i server.p12 -d $NSSDir -W foo "); + run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo"); + run_command("pk12util -i server.p12 -d $NSSDir -W foo"); } if ($SSLCACertificateFile ne "") { my $subject = get_cert_subject($SSLCACertificateFile); if ($subject ne "") { print STDERR "Importing CA certificate $subject\n"; - run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile "); + run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile"); } } @@ -202,7 +207,7 @@ if ($opt{c}) { my $subject = get_cert_subject("$SSLCACertificatePath/$file"); if ($subject ne "") { print STDERR "Importing CA certificate $subject\n"; - run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file "); + run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file"); } } } @@ -258,7 +263,7 @@ sub get_ciphers { my $str = shift; %cipher_list = ( - "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:", + "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:", "rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:", "rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:", "rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:", 
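Review bot: The helper path `/usr/libexec/nss_pcache` is now a duplicated literal, here in the `$passphrase == 0` fallback and in the `SSLPassPhraseDialog` branch of the previous hunk, with the relocation note attached to only one of them. Define it once near the top of the script, `my $nss_pcache = "/usr/libexec/nss_pcache";`, and print `"NSSPassPhraseHelper $nss_pcache\n"` from both places so the note and any future move apply in one spot. The `$passphrase` flag that drives this fallback is set in the branch outside this hunk.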
@@ -281,21 +286,21 @@ sub get_ciphers { for ($i = 0; $i < $NUM_CIPHERS; $i++) { $selected[$i] = 0; } - + # Don't need to worry about the ordering properties of "+" because # NSS always chooses the "best" cipher anyway. You can't specify # preferred order. - + # -1: this cipher is completely out # 0: this cipher is currently unselected, but maybe added later # 1: this cipher is selected - + @s = split(/:/, $str); - + for ($i = 0; $i <= $#s; $i++) { $j = 0; $val = 1; - + # ! means this cipher is disabled forever if ($s[$i] =~ /^!/) { $val = -1; @@ -306,10 +311,10 @@ sub get_ciphers { } elsif ($s[$i] =~ /^+/) { ($s[$i] =~ s/^+//); } - + for $cipher (sort keys %cipher_list) { $match = 0; - + # For embedded + we do an AND for all options if ($s[$i] =~ m/(\w+\+)+/) { @sub = split(/^\+/, $s[$i]); @@ -324,22 +329,22 @@ sub get_ciphers { $match = 1; } } - + if ($match && $selected[$j] != -1) { $selected[$j] = $val; } $j++; } } - + # NSS doesn't honor the order of a cipher list, it uses the "strongest" # cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and # the NSS ciphers not available in OpenSSL. $str = "SSLv2:SSLv3"; @s = split(/:/, $str); - + $ciphersuite = ""; - + for ($i = 0; $i <= $#s; $i++) { $j = 0; for $cipher (sort keys %cipher_list) { @@ -354,9 +359,9 @@ sub get_ciphers { $j++; } } - + $ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha"; - + return $ciphersuite; } @@ -385,7 +390,7 @@ sub get_cert_subject { sub run_command { my @args = shift; my $status = 0; - + $status = 0xffff & system(@args); return if ($status == 0); diff --git a/update-ciphers.patch b/update-ciphers.patch deleted file mode 100644 index 64c4f9d..0000000 --- a/update-ciphers.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Index: mod_nss-1.0.8/nss_engine_init.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_init.c 2015-09-07 09:56:54.148244174 +0200 -+++ mod_nss-1.0.8/nss_engine_init.c 2015-09-07 09:58:19.368215557 +0200 -@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc - */ - char* INTERNAL_TOKEN_NAME = "internal "; - -+/* When adding or removing ciphers from this table, -+ remember to adjust the ciphernum constant in mod_nss.h -+*/ - cipher_properties ciphers_def[ciphernum] = - { -- /* SSL2 cipher suites */ -- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, -- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, -- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, -- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, -- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, -- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, - /* SSL3/TLS cipher suites */ - {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, - {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, -@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum] - {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, - {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, - {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, -- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, -- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, -- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, - /* TLS 1.0: Exportable 56-bit Cipher Suites. 
*/ - {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, -Index: mod_nss-1.0.8/mod_nss.h -=================================================================== ---- mod_nss-1.0.8.orig/mod_nss.h 2015-09-07 09:56:54.148244174 +0200 -+++ mod_nss-1.0.8/mod_nss.h 2015-09-07 09:56:56.396269772 +0200 -@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4} - - /* the table itself is defined in nss_engine_init.c */ - #ifdef NSS_ENABLE_ECC --#define ciphernum 59 -+#define ciphernum 50 - #else --#define ciphernum 28 -+#define ciphernum 19 - #endif - - /* -Index: mod_nss-1.0.8/nss.conf.in -=================================================================== ---- mod_nss-1.0.8.orig/nss.conf.in 2015-09-07 09:56:54.139244072 +0200 -+++ mod_nss-1.0.8/nss.conf.in 2015-09-07 09:56:54.156244265 +0200 -@@ -90,13 +90,13 @@ NSSEngine on - # See the mod_nss documentation for a complete list. - - # SSL 3 ciphers. SSL 2 is disabled by default. --NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha -+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha - - # SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. 
- # - # Comment out the NSSCipherSuite line above and use the one below if you have - # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography --#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha -+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha - - NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 -