pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 381888 from Apache:Modules

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/381888
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=19
This commit is contained in:
Dominique Leuenberger 2016-03-31 11:03:40 +00:00 committed by Git OBS Bridge
commit 5b2cc4633c
30 changed files with 158 additions and 4076 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

534
0001-SNI-check-with-NameVirtualHosts.patch
View File

@ -1,534 +0,0 @@
From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001
From: standa <standa@papaya.suse.cz>
Date: Thu, 25 Jun 2015 17:14:56 +0200
Subject: [PATCH] SNI check with NameVirtualHosts
---
docs/mod_nss.html | 14 ++++-
mod_nss.c | 3 ++
mod_nss.h | 21 ++++++++
nss_engine_config.c | 11 ++++
nss_engine_init.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++------
nss_engine_kernel.c | 51 ++++++++++++++++++
nss_util.c | 72 ++++++++++++++++++++++++-
7 files changed, 303 insertions(+), 18 deletions(-)
Index: mod_nss-1.0.8/docs/mod_nss.html
===================================================================
--- mod_nss-1.0.8.orig/docs/mod_nss.html
+++ mod_nss-1.0.8/docs/mod_nss.html
@@ -195,7 +195,9 @@ following line to httpd.conf (location r
</code><br>
This has Apache load the mod_nss configuration file, <code>nss.conf</code>.
It is here that you will setup your VirtualServer entries to and
-configure your SSL servers.<br>
+configure your SSL servers. If you have a certificate with the Subject
+Alternative Names then you will set up these names like ServerAlias for your virtual host.<br>
+
<h1><a name="Generation"></a>Certificate Generation</h1>
A ksh script, <code>gencert</code>, is included to automatically
generate a self-signed CA plus one server certificate. This is fine for
@@ -1079,6 +1081,16 @@ components of the client certificate, th
<br>
<code>NSSRequire<br>
</code><br>
+<big><big>NSSSNI</big></big><br>
+<br>
+Enables or disables Server Name Identification(SNI) extension check for
+SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header.
+<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<code>NSSSNI off</code><br>
+<br>
<big><big>NSSProxyEngine</big></big><br>
<br>
Enables or disables mod_nss HTTPS support for mod_proxy.<br>
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds
SSL_CMD_SRV(FIPS, FLAG,
"FIPS 140-1 mode "
"(`on', `off')")
+ SSL_CMD_SRV(SNI, FLAG,
+ "SNI"
+ "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable "
"(`[+-]XXX,...,[+-]XXX' - see manual)")
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -308,6 +308,7 @@ struct SSLSrvConfigRec {
const char *ocsp_name;
BOOL ocsp;
BOOL enabled;
+ BOOL sni;
BOOL proxy_enabled;
const char *vhost_id;
int vhost_id_len;
@@ -343,6 +344,20 @@ typedef struct
PRInt32 version; /* protocol version valid for this cipher */
} cipher_properties;
+typedef struct {
+ enum {
+ PW_NONE = 0,
+ PW_FROMFILE = 1,
+ PW_PLAINTEXT = 2,
+ PW_EXTERNAL = 3
+ } source;
+ char *data;
+} secuPWData;
+
+/* pool and hash which will contain ServerName and NSSNickname */
+apr_pool_t *mp;
+apr_hash_t *ht;
+
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
* is the last version without this define. This is used for more than just
@@ -384,6 +399,7 @@ void *nss_config_perdir_merge(apr_pool_t
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
+const char *nss_cmd_NSSSNI(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
@@ -471,6 +487,9 @@ apr_file_t *nss_util_ppopen(server_rec
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
+char *searchHashVhostNick(char *vhost_id);
+char *searchHashVhostNick_match(char *vhost_id);
+void addHashVhostNick(char *vhost_id, char *nickname);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
int nss_io_buffer_fill(request_rec *r);
Index: mod_nss-1.0.8/nss_engine_config.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_config.c
+++ mod_nss-1.0.8/nss_engine_config.c
@@ -135,6 +135,7 @@ static SSLSrvConfigRec *nss_config_serve
sc->ocsp_name = NULL;
sc->fips = UNSET;
sc->enabled = UNSET;
+ sc->sni = TRUE;
sc->proxy_enabled = UNSET;
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
@@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t
cfgMerge(ocsp_name, NULL);
cfgMergeBool(fips);
cfgMergeBool(enabled);
+ cfgMergeBool(sni);
cfgMergeBool(proxy_enabled);
cfgMergeBool(proxy_ssl_check_peer_cn);
@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c
return NULL;
}
+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->sni = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
+ PRUint32 sniNameArrSize, void *arg);
/*
* Global variables defined in this file.
@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r
NSS_Shutdown();
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Please check access rights for user:%s!!!", mc->user);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- if (mc->nInitCount == 1)
- nss_die();
- else
- return;
+ nss_die();
}
if (fipsenabled) {
@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
int fipsenabled = FALSE;
int threaded = 0;
struct semid_ds status;
+ char *split_vhost_id = NULL;
+ char *last1;
mc->nInitCount++;
@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p
*/
sc->vhost_id = nss_util_vhostid(p, s);
sc->vhost_id_len = strlen(sc->vhost_id);
+
+ if (sc->server->nickname != NULL && sc->vhost_id != NULL) {
+ split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1);
+ ap_str_tolower(split_vhost_id);
+ addHashVhostNick(split_vhost_id, (char *)sc->server->nickname);
+ }
/* Fix up stuff that may not have been set */
if (sc->fips == UNSET) {
@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
}
if (clist) {
@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_
SECStatus secstatus;
PK11SlotInfo* slot = NULL;
+ CERTCertNicknames *certNickDNS = NULL;
+ char **nnptr = NULL;
+ int nn = 0;
+ apr_array_header_t *names = NULL;
+ apr_array_header_t *wild_names = NULL;
+ int i, j;
if (nickname == NULL) {
return;
@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_
*KEAtype = NSS_FindCertKEAType(*servercert);
+ /* get ServerAlias entries to hash */
+ names = s->names;
+ if (names) {
+ char **name = (char **)names->elts;
+ for (i = 0; i < names->nelts; ++i) {
+ ap_str_tolower(name[i]);
+ addHashVhostNick(name[i], (char *)nickname);
+ }
+ }
+
+ /* get ServerAlias entries with wildcards */
+ wild_names = s->wild_names;
+ if (wild_names) {
+ char **wild_name = (char **)wild_names->elts;
+ for (j = 0; j < wild_names->nelts; ++j) {
+ ap_str_tolower(wild_name[j]);
+ addHashVhostNick(wild_name[j], (char *)nickname);
+ }
+ }
+
+ /* get valid DNS names from certificate to hash */
+ certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert);
+
+ if (certNickDNS) {
+ nnptr = certNickDNS->nicknames;
+ nn = certNickDNS->numnicknames;
+
+ while ( nn > 0 ) {
+ ap_str_tolower(*nnptr);
+ addHashVhostNick(*nnptr, (char *)nickname);
+ nnptr++;
+ nn--;
+ }
+
+ }
+
/* Subject/hostname check */
secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
if (secstatus != SECSuccess) {
char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Misconfiguration of certificate's CN and virtual name."
- " The certificate CN has %s. We expected %s as virtual"
- " name.", cert_dns, s->server_hostname);
+ "Misconfiguration of certificate's CN and virtual name."
+ " The certificate CN has %s. We expected %s as virtual"
+ " name.", cert_dns, s->server_hostname);
PORT_Free(cert_dns);
}
-
/*
* Check for certs that are expired or not yet valid and WARN about it.
* No need to refuse working - the client gets a warning.
@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_
break;
}
- secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
+ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"SSL error configuring server: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
- }
+ }
+
+ /* SNI */
+ if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) ownSSLSNISocketConfig, (void*) s) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "SSL_SNISocketConfigHook failed");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
}
@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
+
}
static void nss_init_proxy_ctx(server_rec *s,
@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve
/* If any servers have SSL, we want sslenabled set so we
* can perform further initialization
*/
-
if (sc->enabled == UNSET) {
sc->enabled = FALSE;
}
@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
- if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ if (sc->server->servercert == NULL && NSS_IsInitialized()) {
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
}
if (clist) {
CERT_DestroyCertList(clist);
@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha
return 0;
}
+
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
+ PRUint32 sniNameArrSize, void *arg)
+{
+ server_rec *s = (server_rec *)arg;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "start function ownSSLSNISocketConfig for SNI");
+
+ secuPWData *pwdata;
+ CERTCertificate * cert = NULL;
+ SECKEYPrivateKey * privKey = NULL;
+ char *nickName = NULL;
+ char *vhost = NULL;
+ apr_pool_t *str_p;
+
+ PORT_Assert(fd && sniNameArr);
+ if (!fd || !sniNameArr) {
+ nss_die();
+ }
+ apr_pool_create(&str_p, NULL);
+ vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len);
+
+ /* rfc6125 - Checking of Traditional Domain Names*/
+ ap_str_tolower(vhost);
+
+ nickName = searchHashVhostNick(vhost);
+ if (nickName == NULL) {
+ /* search wild_names in serverAlises */
+ nickName = searchHashVhostNick_match(vhost);
+ if (nickName == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, unrecognized name.", vhost);
+ nss_die();
+ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for key:%s", nickName, vhost);
+
+ pwdata = SSL_RevealPinArg(fd);
+
+ /* if pwdata is NULL, then we would not get the key and
+ * return an error status. */
+ cert = PK11_FindCertFromNickname(nickName, &pwdata);
+ if (cert == NULL) {
+ nss_die();
+ }
+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
+ if (privKey == NULL) {
+ nss_die();
+ }
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "start configure vhost:%s", vhost);
+ if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
+ nss_die();
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "successfull setting vhost with nick:%s", nickName);
+ SECKEY_DestroyPrivateKey(privKey);
+ CERT_DestroyCertificate(cert);
+ apr_pool_destroy(str_p);
+ return 0;
+
+}
Index: mod_nss-1.0.8/nss_engine_kernel.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
+++ mod_nss-1.0.8/nss_engine_kernel.c
@@ -71,6 +71,59 @@ int nss_hook_ReadReq(request_rec *r)
}
/*
+ * SNI check is default on. In same cases you switch of by NSSSNI off
+ * sc->sni parameter gets vhost from HTTPS header
+ */
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+ SECItem *hostInfo = NULL;
+ hostInfo = SSL_GetNegotiatedHostInfo(ssl);
+ if (hostInfo != NULL && sc->sni) {
+ if (ap_is_initial_req(r) && (hostInfo->len != 0)) {
+ char *servername = NULL;
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+ apr_pool_t *s_p;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d"
+ ,(char *) hostInfo->data, hostInfo->len);
+
+ apr_pool_create(&s_p, NULL);
+ servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "SNI hostInfo servername:%s, lenght:%d"
+ , servername, (unsigned)strlen(servername));
+
+ if (!r->hostname) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI, but no hostname"
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ if (strcasecmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
+
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
+ apr_pool_destroy(s_p);
+ return HTTP_BAD_REQUEST;
+ } else {
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
+ apr_pool_destroy(s_p);
+ }
+ }
+ }
+ /*
* Log information about incoming HTTPS requests
*/
if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
Index: mod_nss-1.0.8/nss_util.c
===================================================================
--- mod_nss-1.0.8.orig/nss_util.c
+++ mod_nss-1.0.8/nss_util.c
@@ -13,7 +13,6 @@
* limitations under the License.
*/
-
#include "mod_nss.h"
#include "ap_mpm.h"
#include "apr_thread_mutex.h"
@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s,
return buf;
}
+
+static void initializeHashVhostNick() {
+ apr_pool_create(&mp, NULL);
+ ht = apr_hash_make(mp);
+}
+
+char *searchHashVhostNick(char *vhost_id) {
+ char *searchVal = NULL;
+
+ searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING);
+
+ return searchVal;
+}
+
+char *searchHashVhostNick_match(char *vhost_id)
+{
+ char *searchValReg = NULL;
+ apr_hash_index_t *hi;
+ for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) {
+ const char *k = NULL;
+ const char *v = NULL;
+
+ apr_hash_this(hi, (const void**)&k, NULL, (void**)&v);
+ if (!ap_strcasecmp_match(vhost_id, k)) {
+ searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING);
+ return searchValReg;
+ }
+ }
+ return NULL;
+}
+
+void addHashVhostNick(char *vhost_id, char *nickname) {
+
+ if (ht == NULL) {
+ initializeHashVhostNick();
+ }
+
+ if(searchHashVhostNick(vhost_id) == NULL) {
+ apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING,
+ apr_pstrdup(mp, nickname));
+ }
+ return;
+}
+

68
apache2-mod_nss.changes
View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com
- use a whitelist approach for keeping directives in the migration
script (bsc#961907)
* modify mod_nss_migrate.pl
-------------------------------------------------------------------
Wed Mar 16 14:45:24 UTC 2016 - pgajdos@suse.com
- fix test: add NSSPassPhraseDialog, point it to plain file
-------------------------------------------------------------------
Mon Mar 14 12:27:37 UTC 2016 - vcizek@suse.com
- update to 1.0.13
Update default ciphers to something more modern and secure
Check for host and netstat commands in gencert before trying to use them
Add server support for DHE ciphers
Extract SAN from server/client certificates into env
Fix memory leaks and other coding issues caught by clang analyzer
Add support for Server Name Indication (SNI) (#1010751)
Add support for SNI for reverse proxy connections
Add RenegBufferSize? option
Add support for TLS Session Tickets (RFC 5077)
Fix logical AND support in OpenSSL cipher compatibility
Correctly handle disabled ciphers (CVE-2015-5244)
Implement a slew more OpenSSL cipher macros
Fix a number of illegal memory accesses and memory leaks
Support for SHA384 ciphers if they are available in NSS
Add compatibility for mod_ssl-style cipher definitions (#862938)
Add TLSv1.2-specific ciphers
Completely remove support for SSLv2
Add support for sqlite NSS databases (#1057650)
Compare subject CN and VS hostname during server start up
Add support for enabling TLS v1.2
Don't enable SSL 3 by default (CVE-2014-3566)
Fix CVE-2013-4566
Move nss_pcache to /usr/libexec
Support httpd 2.4+
- drop almost all our patches (upstream)
* 0001-SNI-check-with-NameVirtualHosts.patch
* mod_nss-CVE-2013-4566-NSSVerifyClient.diff
* mod_nss-PK11_ListCerts_2.patch
* mod_nss-add_support_for_enabling_TLS_v1.2.patch
* mod_nss-array_overrun.patch
* mod_nss-cipherlist_update_for_tls12-doc.diff
* mod_nss-cipherlist_update_for_tls12.diff
* mod_nss-clientauth.patch
* mod_nss-compare_subject_CN_and_VS_hostname.patch
* mod_nss-gencert.patch
* mod_nss-httpd24.patch
* mod_nss-lockpcache.patch
* mod_nss-negotiate.patch
* mod_nss-no_shutdown_if_not_init_2.patch
* mod_nss-overlapping_memcpy.patch
* mod_nss-pcachesignal.h
* mod_nss-proxyvariables.patch
* mod_nss-reseterror.patch
* mod_nss-reverse_proxy_send_SNI.patch
* mod_nss-reverseproxy.patch
* mod_nss-sslmultiproxy.patch
* mod_nss-tlsv1_1.patch
* mod_nss-wouldblock.patch
* update-ciphers.patch
- add automake and libtool to BuildRequires
- temporarily comment out %check
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 12 08:31:19 UTC 2016 - pgajdos@suse.com Tue Jan 12 08:31:19 UTC 2016 - pgajdos@suse.com

73
apache2-mod_nss.spec
View File

@ -20,7 +20,7 @@ Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0 License: Apache-2.0
Group: Productivity/Networking/Web/Servers Group: Productivity/Networking/Web/Servers
Version: 1.0.8 Version: 1.0.13
Release: 0.4.8 Release: 0.4.8
Url: https://fedorahosted.org/mod_nss Url: https://fedorahosted.org/mod_nss
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
@ -38,6 +38,7 @@ Requires: mozilla-nss >= 3.15.1
PreReq: mozilla-nss-tools PreReq: mozilla-nss-tools
BuildRequires: apache-rpm-macros BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apache2-devel >= 2.2.12
BuildRequires: automake
BuildRequires: bison BuildRequires: bison
BuildRequires: curl BuildRequires: curl
BuildRequires: findutils BuildRequires: findutils
@ -45,43 +46,13 @@ BuildRequires: flex
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel BuildRequires: libapr1-devel
BuildRequires: libtool
BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
#Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9: mod_nss-httpd24.patch
Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19: mod_nss-cipherlist_update_for_tls12.diff
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
Patch26: 0001-SNI-check-with-NameVirtualHosts.patch
Patch27: update-ciphers.patch
Patch28: mod_nss-reverse_proxy_send_SNI.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2 %define apxs /usr/sbin/apxs2
@ -101,36 +72,7 @@ security library.
%prep %prep
%setup -q -n mod_nss-%{version} %setup -q -n mod_nss-%{version}
##%patch1 -p1 -b .conf.rpmpatch
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
%patch26 -p1 -b .SNI_support.rpmpatch
%patch27 -p1 -b .update-ciphers.rpmpatch
%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
# keep this last, otherwise we get fuzzyness from above
%if %{apache_branch} >= 204
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it # Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl] touch nss_expr_*.[chyl]
@ -150,7 +92,7 @@ export C_INCLUDE_PATH
cp -a %{SOURCE1} ./nss.conf.in cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} . cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in chmod 644 ./nss.conf.in
#autoreconf -fvi autoreconf -fvi
%configure \ %configure \
--with-nss-lib=$NSS_LIB_DIR \ --with-nss-lib=$NSS_LIB_DIR \
--with-nss-inc=$NSS_INCLUDE_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \
@ -193,11 +135,18 @@ perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
%check %check
set +x set +x
mkdir -p %{apache_test_module_dir} mkdir -p %{apache_test_module_dir}
# create password file including internal token to suppress
# apache 'builtin dialog', see NSSPassPhraseDialog below
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
cat << EOF > %{apache_test_module_dir}/password.conf
internal:httptest
EOF
# create test configuration # create test configuration
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on NSSEngine on
NSSNickname Server-Cert NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

3
mod_nss-1.0.13.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:244afe11101bf75d85562fadf7b5e4292f8de634446414c268b4b4636cc88817
size 177668

3
mod_nss-1.0.8.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f8477dfc432033738ee1aad5e010e9f0429eb1c1debd273a05fed6316d50a801
size 405061

319
mod_nss-CVE-2013-4566-NSSVerifyClient.diff
View File

@ -1,319 +0,0 @@
This is CVE-2013-4566:
The flaw is in the NSSVerifyClient (which is equivalent to mod_ssl's
SSLVerifyClient) setting enforcement. If 'NSSVerifyClient none' is set
in the server / vhost context (i.e. when server is configured to not
request or require client certificate authentication on the initial
connection), and client certificate authentication is expected to be
required for a specific directory via 'NSSVerifyClient require'
setting, mod_nss fails to properly require certificate authentication.
Remote attacker can use this to access content of the restricted
directories.
Reported by Thomas Hoger <thoger@redhat.com>.
diff -rNU 150 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c
--- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2013-11-29 16:09:37.000000000 +0100
+++ ./nss_engine_kernel.c 2013-11-29 16:12:20.000000000 +0100
@@ -133,301 +133,301 @@
/*
* Check to see if SSL protocol is enabled. If it's not then
* no further access control checks are relevant. The test for
* sc->enabled is probably strictly unnecessary
*/
if (!((sc->enabled == TRUE) || !ssl)) {
return DECLINED;
}
/*
* Support for per-directory reconfigured SSL connection parameters.
*
* This is implemented by forcing an SSL renegotiation with the
* reconfigured parameter suite. But Apache's internal API processing
* makes our life very hard here, because when internal sub-requests occur
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
* require extra network I/O and especially time to perform).
*
* But the optimization for filtering out the unnecessary handshakes isn't
* obvious and trivial. Especially because while Apache is in its
* sub-request processing the client could force additional handshakes,
* too. And these take place perhaps without our notice. So the only
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
* has to be performed or not. It has to performed when some parameters
* which were previously known (by us) are not those we've now
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
* the reconfigured parameter suite is stronger (more restrictions) than
* the currently active one.
*/
/*
* Override of NSSCipherSuite
*
* We provide two options here:
*
* o The paranoid and default approach where we force a renegotiation when
* the cipher suite changed in _any_ way (which is straight-forward but
* often forces renegotiations too often and is perhaps not what the
* user actually wanted).
*
* o The optimized and still secure way where we force a renegotiation
* only if the currently active cipher is no longer contained in the
* reconfigured/new cipher suite. Any other changes are not important
* because it's the servers choice to select a cipher from the ones the
* client supports. So as long as the current cipher is still in the new
* cipher suite we're happy. Because we can assume we would have
* selected it again even when other (better) ciphers exists now in the
* new cipher suite. This approach is fine because the user explicitly
* has to enable this via ``NSSOptions +OptRenegotiate''. So we do no
* implicit optimizations.
*/
if (dc->szCipherSuite) {
/* remember old state */
for (i=0; i < ciphernum; i++) {
SSL_CipherPrefGet(ssl, ciphers_def[i].num, &ciphers_old[i]);
}
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
int on, keySize, secretKeySize;
char *issuer, *subject;
SSL_SecurityStatus(ssl, &on, &cipher,
&keySize, &secretKeySize, &issuer,
&subject);
}
/* configure new state */
ciphers = strdup(dc->szCipherSuite);
if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
r->server,
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server);
free(ciphers);
return HTTP_FORBIDDEN;
}
free(ciphers);
/* Actually enable the selected ciphers. Also check to
see if the existing cipher is in the new list for
a possible optimization later. */
for (i=0; i<ciphernum;i++) {
if (cipher && !strcasecmp(cipher, ciphers_def[i].name)) {
if (ciphers_new[i] == PR_TRUE)
cipher_in_list = PR_TRUE;
}
SSL_CipherPrefSet(ssl, ciphers_def[i].num, ciphers_new[i]);
}
/* determine whether a renegotiation has to be forced */
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
if (cipher_in_list != PR_TRUE)
renegotiate = TRUE;
}
else {
/* paranoid way */
for (i=0; i<ciphernum;i++) {
if (ciphers_new[i] != ciphers_old[i]) {
renegotiate = TRUE;
break;
}
}
}
/* tracing */
if (renegotiate) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Reconfigured cipher suite will force renegotiation");
}
}
/*
* override of SSLVerifyClient
*
* We force a renegotiation if the reconfigured/new verify type is
* stronger than the currently active verify type.
*
* The order is: none << optional_no_ca << optional << require
*
* Additionally the following optimization is possible here: When the
* currently active verify type is "none" but a client certificate is
* already known/present, it's enough to manually force a client
* verification but at least skip the I/O-intensive renegotation
* handshake.
*/
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
PRInt32 on;
/* remember old state */
SSL_OptionGet(ssl, SSL_REQUIRE_CERTIFICATE, &on);
if (on == PR_TRUE) {
verify_old = SSL_CVERIFY_REQUIRE;
} else {
SSL_OptionGet(ssl, SSL_REQUEST_CERTIFICATE, &on);
if (on == PR_TRUE)
verify_old = SSL_CVERIFY_OPTIONAL;
else
verify_old = SSL_CVERIFY_NONE;
}
/* configure new state */
verify = dc->nVerifyClient;
if (verify == SSL_CVERIFY_REQUIRE) {
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
} else if (verify == SSL_CVERIFY_OPTIONAL) {
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
} else {
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE);
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
}
/* determine whether we've to force a renegotiation */
if (!renegotiate && verify != verify_old) {
if (((verify_old == SSL_CVERIFY_NONE) &&
(verify != SSL_CVERIFY_NONE)) ||
(!(verify_old & SSL_CVERIFY_OPTIONAL) &&
(verify & SSL_CVERIFY_OPTIONAL)) ||
(!(verify_old & SSL_CVERIFY_REQUIRE) &&
(verify & SSL_CVERIFY_REQUIRE)))
{
renegotiate = TRUE;
/* optimization */
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
(verify_old == SSL_CVERIFY_NONE) &&
((peercert = SSL_PeerCertificate(ssl)) != NULL))
{
renegotiate_quick = TRUE;
CERT_DestroyCertificate(peercert);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
r->server,
"Changed client verification type will force "
"%srenegotiation",
renegotiate_quick ? "quick " : "");
}
}
}
/* If a renegotiation is now required for this location, and the
* request includes a message body (and the client has not
* requested a "100 Continue" response), then the client will be
* streaming the request body over the wire already. In that
* case, it is not possible to stop and perform a new SSL
* handshake immediately; once the SSL library moves to the
* "accept" state, it will reject the SSL packets which the client
* is sending for the request body.
*
* To allow authentication to complete in this auth hook, the
* solution used here is to fill a (bounded) buffer with the
* request body, and then to reinject that request body later.
*/
if (renegotiate && !renegotiate_quick
&& (apr_table_get(r->headers_in, "transfer-encoding")
|| (apr_table_get(r->headers_in, "content-length")
&& strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
&& !r->expecting_100) {
int rv;
/* Fill the I/O buffer with the request body if possible. */
rv = nss_io_buffer_fill(r);
if (rv) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"could not buffer message body to allow "
"SSL renegotiation to proceed");
return rv;
}
}
/*
* now do the renegotiation if anything was actually reconfigured
*/
if (renegotiate) {
/*
* Now we force the SSL renegotation by sending the Hello Request
* message to the client. Here we have to do a workaround: Actually
* OpenSSL returns immediately after sending the Hello Request (the
* intent AFAIK is because the SSL/TLS protocol says it's not a must
* that the client replies to a Hello Request). But because we insist
* on a reply (anything else is an error for us) we have to go to the
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
* here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually.
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Requesting connection re-negotiation");
if (renegotiate_quick) {
SECStatus rv;
CERTCertificate *peerCert;
void *pinArg;
/* perform just a manual re-verification of the peer */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Performing quick renegotiation: "
"just re-verifying the peer");
peerCert = SSL_PeerCertificate(sslconn->ssl);
pinArg = SSL_RevealPinArg(sslconn->ssl);
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(),
peerCert,
PR_TRUE,
certUsageSSLClient,
pinArg);
CERT_DestroyCertificate(peerCert);
if (rv != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"Re-negotiation handshake failed: "
"Client verification failed");
return HTTP_FORBIDDEN;
}
/* The cert is ok, fall through to the check SSLRequires */
}
else {
int handshake_done = 0;
int result = 0;
/* do a full renegotiation */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Performing full renegotiation: "
"complete handshake protocol");
/* Do NOT call SSL_ResetHandshake as this will tear down the
* existing connection.
*/
if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) {
int errCode = PR_GetError();
if (errCode == SEC_ERROR_INVALID_ARGS) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Re-negotation request failed: "
"trying to do client authentication on a non-SSL3 connection");
} else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Re-negotation request failed: "
"returned error %d", errCode);
}
r->connection->aborted = 1;
return HTTP_FORBIDDEN;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Awaiting re-negotiation handshake");

201
mod_nss-PK11_ListCerts_2.patch
View File

@ -1,201 +0,0 @@
diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800
+++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800
+++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800
@@ -26,7 +26,7 @@
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ }
+
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
}
@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
SECKEYPrivateKey **serverkey,
SSLKEAType *KEAtype,
PRFileDesc *model,
- int enforce)
+ int enforce,
+ const CERTCertList* clist)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Using nickname %s.", nickname);
- *servercert = FindServerCertFromNickname(nickname);
+ *servercert = FindServerCertFromNickname(nickname, clist);
/* Verify the certificate chain. */
if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", nickname);
+ if (enforce) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
static void nss_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+ modnss_ctx_t *mctx,
+ const CERTCertList* clist)
{
SECStatus secstatus;
@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
&mctx->serverkey, &mctx->serverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#ifdef NSS_ENABLE_ECC
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
&mctx->eccserverkey, &mctx->eccserverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#endif
}
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
}
static void nss_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
}
/*
@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
void nss_init_ConfigureServer(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
if (sc->enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol");
- nss_init_server_ctx(s, p, ptemp, sc);
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
}
if (sc->proxy_enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Enabling proxy.");
- nss_init_proxy_ctx(s, p, ptemp, sc);
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
}
}
@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
/*
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
* newest, valid server certificate.
*/
static CERTCertificate*
-FindServerCertFromNickname(const char* name)
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
{
- CERTCertList* clist;
CERTCertificate* bestcert = NULL;
CERTCertListNode *cln;
@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
if (name == NULL)
return NULL;
- clist = PK11_ListCerts(PK11CertListUser, NULL);
-
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
cln = CERT_LIST_NEXT(cln)) {
CERTCertificate* cert = cln->cert;
@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
if (bestcert) {
bestcert = CERT_DupCertificate(bestcert);
}
- if (clist) {
- CERT_DestroyCertList(clist);
- }
return bestcert;
}

61
mod_nss-add_support_for_enabling_TLS_v1.2.patch
View File

@ -1,61 +0,0 @@
From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 16 Oct 2014 14:05:05 -0400
Subject: [PATCH] Add support for enabling TLS v1.2
If support is available in NSS then it is just a matter of including
TLS 1.2 in the protocol range.
---
docs/mod_nss.html | 97 ++++++++++++++++++++++++++++---------------------------
mod_nss.c | 4 +--
nss.conf.in | 2 +-
nss_engine_init.c | 51 +++++++++++++++++------------
nss_engine_vars.c | 3 ++
5 files changed, 86 insertions(+), 71 deletions(-)
Index: mod_nss-1.0.8/nss.conf.in
===================================================================
--- mod_nss-1.0.8.orig/nss.conf.in
+++ mod_nss-1.0.8/nss.conf.in
@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
case SSL_LIBRARY_VERSION_TLS_1_1:
result = "TLSv1.1";
break;
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ result = "TLSv1.2";
+ break;
}
}
}
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
* cannot be excluded from this range. NSS will automatically negotiate
* to utilize the strongest acceptable protocol for a connection starting
* with the maximum specified protocol and downgrading as necessary to the
- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
*/
if (stat == SECSuccess) {
/* Set minimum protocol version (lowest -> highest)
*
- * SSL 3.0 -> TLS 1.0 -> TLS 1.1
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
*/
if (ssl3 == 1) {
enabledVersions.min = SSL_LIBRARY_VERSION_3_0;

16
mod_nss-array_overrun.patch
View File

@ -1,16 +0,0 @@
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
"child_argv", with 5 elements, at position 5 with index variable "5".
https://bugzilla.redhat.com/show_bug.cgi?id=714154
diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400
@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
/* Do we need to fire up our password helper? */
if (mc->nInitCount == 1) {
- const char * child_argv[5];
+ const char * child_argv[6];
apr_status_t rv;
struct sembuf sb;
char sembuf[32];

200
mod_nss-bnc863518-reopen_dev_tty.diff
View File

@ -1,54 +1,8 @@
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c Index: nss_engine_pphrase.c
--- ../mod_nss-1.0.8-o/nss_engine_pphrase.c 2014-07-24 12:23:30.000000000 +0200 ===================================================================
+++ ./nss_engine_pphrase.c 2014-07-24 13:54:23.000000000 +0200 --- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100
@@ -181,199 +181,218 @@ +++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100
* that may be done. @@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
*/
static PRBool nss_check_password(unsigned char *cp)
{
int len;
unsigned char *end, ch;
len = strlen((char *)cp);
if (len < 8) {
return PR_TRUE;
}
end = cp + len;
while (cp < end) {
ch = *cp++;
if (!((ch >= 'A') && (ch <= 'Z')) &&
!((ch >= 'a') && (ch <= 'z'))) {
/* pass phrase has at least one non alphabetic in it */
return PR_TRUE;
}
}
return PR_TRUE;
}
/*
* Password callback so the user is not prompted to enter the password
* after the server starts.
*/
static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg)
{
return NULL;
}
/*
* Password callback to prompt the user for a password. This requires
* twiddling with the tty. Alternatively, if the file password.conf
* exists then it may be used to store the token password(s).
*/
static char *nss_get_password(FILE *input, FILE *output,
PK11SlotInfo *slot,
PRBool (*ok)(unsigned char *),
pphrase_arg_t *parg)
{
char *pwdstr = NULL;
char *token_name = NULL;
int tmp;
FILE *pwd_fileptr;
char *ptr;
char line[1024]; char line[1024];
unsigned char phrase[200]; unsigned char phrase[200];
int infd = fileno(input); int infd = fileno(input);
@ -56,103 +10,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
int isTTY = isatty(infd); int isTTY = isatty(infd);
token_name = PK11_GetTokenName(slot); token_name = PK11_GetTokenName(slot);
@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE ||
parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
/* Try to get the passwords from the password file if it exists.
* THIS IS UNSAFE and is provided for convenience only. Without this
* capability the server would have to be started in foreground mode.
*/
if ((*parg->mc->pphrase_dialog_path != '\0') &&
((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != NULL)) {
while(fgets(line, 1024, pwd_fileptr)) {
if (PL_strstr(line, token_name) == line) {
tmp = PL_strlen(line) - 1;
while((line[tmp] == ' ') || (line[tmp] == '\n'))
tmp--;
line[tmp+1] = '\0';
ptr = PL_strchr(line, ':');
if (ptr == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Malformed password entry for token %s. Format should be token:password", token_name);
continue;
}
for(tmp=1; ptr[tmp] == ' '; tmp++) {}
pwdstr = strdup(&(ptr[tmp]));
}
}
fclose(pwd_fileptr);
} else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to open password file %s", parg->mc->pphrase_dialog_path);
nss_die();
}
}
/* For SSL_PPTYPE_DEFER we only want to authenticate passwords found
* in the password file.
*/
if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) &&
(pwdstr == NULL)) {
return NULL;
}
/* This purposely comes after the file check because that is more
* authoritative.
*/
if (parg->mc->nInitCount > 1) {
char buf[1024];
apr_status_t rv;
apr_size_t nBytes = 1024;
struct sembuf sb;
/* lock the pipe */
sb.sem_num = 0;
sb.sem_op = -1;
sb.sem_flg = SEM_UNDO;
if (semop(parg->mc->semid, &sb, 1) == -1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to reserve semaphore resource");
}
snprintf(buf, 1024, "RETR\t%s", token_name);
rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
nss_die();
}
/* The helper just returns a token pw or "", so we don't have much
* to check for.
*/
memset(buf, 0, sizeof(buf));
rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
sb.sem_op = 1;
if (semop(parg->mc->semid, &sb, 1) == -1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to free semaphore resource");
/* perror("semop free resource id"); */
}
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
nss_die();
}
/* Just return what we got. If we got this far and we don't have a
* PIN then I/O is already shut down, so we can't do anything really
* clever.
*/
pwdstr = strdup(buf);
}
/* If we got a password we're done */
if (pwdstr) if (pwdstr)
return pwdstr; return pwdstr;
-
+
+ /* It happens that stdin is not opened with O_RDONLY. Better make sure + /* It happens that stdin is not opened with O_RDONLY. Better make sure
+ * it is and re-open /dev/tty. + * it is and re-open /dev/tty.
+ */ + */
@ -174,50 +35,3 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
for (;;) { for (;;) {
/* Prompt for password */ /* Prompt for password */
if (isTTY) { if (isTTY) {
if (parg->retryCount > 0) {
fprintf(output, "Password incorrect. Please try again.\n");
}
fprintf(output, "%s", prompt);
echoOff(infd);
}
fgets((char*) phrase, sizeof(phrase), input);
if (isTTY) {
fprintf(output, "\n");
echoOn(infd);
}
/* stomp on newline */
phrase[strlen((char*)phrase)-1] = 0;
/* Validate password */
if (!(*ok)(phrase)) {
/* Not weird enough */
if (!isTTY) return 0;
fprintf(output, "Password must be at least 8 characters long with one or more\n");
fprintf(output, "non-alphabetic characters\n");
continue;
}
if (PK11_IsFIPS() && strlen(phrase) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"The FIPS security policy requires that a password be set.");
nss_die();
} else
return (char*) PORT_Strdup((char*)phrase);
}
}
/*
* Turn the echoing off on a tty.
*/
static void echoOff(int fd)
{
if (isatty(fd)) {
struct termios tio;
tcgetattr(fd, &tio);
tio.c_lflag &= ~ECHO;
tcsetattr(fd, TCSAFLUSH, &tio);
}
}
/*
* Turn the echoing on on a tty.
*/

270
mod_nss-cipherlist_update_for_tls12-doc.diff
View File

@ -1,270 +0,0 @@
diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
@@ -632,100 +632,135 @@
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_null<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_3des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_des_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_128_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_256_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_128_sha256<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_camellia_256_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_256_sha256<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ </tr>
</tbody>
</table>
<br>
Additionally there are a number of ECC ciphers:<br>
<br>
<table style="width: 70%;" border="1" cellpadding="2" cellspacing="2">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">Cipher Name<br>
</td>
<td style="vertical-align: top; font-weight: bold;">NSS Cipher
Definition<br>
</td>
<td style="vertical-align: top; font-weight: bold;">Protocol<br>
</td>
</tr>
<tr>
<td>ecdh_ecdsa_null_sha</td>
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_rc4_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_3des_sha</td>
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_256_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_null_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_rc4_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
@@ -773,100 +794,130 @@
<tr>
<td>echde_rsa_null</td>
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_rc4_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_3des_sha</td>
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_256_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_null_sha</td>
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_rc4_128sha</td>
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_3des_sha</td>
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_128_sha</td>
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_256_sha</td>
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td>ecdh_ecdsa_aes_128_sha256</td>
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</td>
+ <td>TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_rsa_aes_128_sha256</td>
+ <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</td>
+ <td>TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdhe_ecdsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_rsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdhe_rsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
</tbody>
</table>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
<code>NSSCipherSuite
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br>
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br>
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br>
<br>
<big><big>NSSProtocol<br>
</big></big><br>
A comma-separated string that lists the basic protocols that the server
can use (and clients may connect with). It doesn't enable a cipher
specifically but allows ciphers for that protocol to be used at all.<br>
<br>
Options are:<br>
<ul>
<li><code>SSLv3</code></li>
<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
<li><code>TLSv1.0</code></li>
<li><code>TLSv1.1</code></li>
<li><code>TLSv1.2</code></li>
<li><code>All</code></li>
</ul>
Note that this differs from mod_ssl in that you can't add or subtract
protocols.<br>
<br>
If no NSSProtocol is specified, mod_nss will default to allowing the use of
the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
allowed.
<br>
If values for NSSProtocol are specified, mod_nss will set both the minimum
and the maximum allowed protocols based upon these entries allowing for the
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
protocol ranges to accept all protocols inclusively
(TLS 1.2 -&gt;TLS 1.1 -&gt; TLS 1.0 -&gt; SSL 3.0), and does not allow exclusion of any protocols
in the middle of a range (e. g. - TLS 1.0).<br>
<br>
Finally, NSS will always automatically negotiate the use of the strongest
possible protocol that has been specified which is acceptable to both sides of
a given connection.<br>
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
<br>

247
mod_nss-cipherlist_update_for_tls12.diff
View File

@ -1,247 +0,0 @@
diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100
+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100
@@ -318,103 +318,103 @@
/*
* Define the mod_ssl per-directory configuration structure
* (i.e. the local configuration for all <Directory>
* and .htaccess contexts)
*/
typedef struct {
BOOL bSSLRequired;
apr_array_header_t *aRequirement;
int nOptions;
int nOptionsAdd;
int nOptionsDel;
const char *szCipherSuite;
nss_verify_t nVerifyClient;
const char *szUserName;
} SSLDirConfigRec;
/*
* Cipher definitions
*/
typedef struct
{
const char *name;
int num;
int fortezza_only;
PRInt32 version; /* protocol version valid for this cipher */
} cipher_properties;
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
* is the last version without this define. This is used for more than just
* the below defines. It also determines which API is used.
*/
#ifndef AP_SERVER_MAJORVERSION_NUMBER
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 0
#define AP_SERVER_PATCHLEVEL_NUMBER 55
#endif
#if AP_SERVER_MINORVERSION_NUMBER < 2
typedef struct regex_t ap_regex_t;
#define AP_REG_EXTENDED REG_EXTENDED
#define AP_REG_NOSUB REG_NOSUB
#define AP_REG_ICASE REG_ICASE
#endif
enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in nss_engine_init.c */
#ifdef NSS_ENABLE_ECC
-#define ciphernum 48
+#define ciphernum 59
#else
-#define ciphernum 23
+#define ciphernum 28
#endif
/*
* function prototypes
*/
/* API glue structures */
extern module AP_MODULE_DECLARE_DATA nss_module;
/* configuration handling */
SSLModConfigRec *nss_config_global_create(server_rec *);
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#ifdef SSL_ENABLE_RENEGOTIATION
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
@@ -15,122 +15,134 @@
#include "mod_nss.h"
#include "apr_thread_proc.h"
#include "ap_mpm.h"
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
#include "ocsp.h"
#include "keyhi.h"
#include "cert.h"
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
* Global variables defined in this file.
*/
char* INTERNAL_TOKEN_NAME = "internal ";
cipher_properties ciphers_def[ciphernum] =
{
/* SSL2 cipher suites */
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
/* SSL3/TLS cipher suites */
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
+
#ifdef NSS_ENABLE_ECC
/* ECC ciphers.*/
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
#endif
};
static char *version_components[] = {
"SSL_VERSION_PRODUCT",
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
NULL
};
static char *nss_add_version_component(apr_pool_t *p,
server_rec *s,
char *name)
{
char *val = nss_var_lookup(p, s, NULL, NULL, name);
if (val && *val) {
ap_add_version_component(p, val);
}
return val;
}
static void nss_add_version_components(apr_pool_t *p,
server_rec *s)
{
char *vals[sizeof(version_components)/sizeof(char *)];
int i;
for (i=0; version_components[i]; i++) {
vals[i] = nss_add_version_component(p, s,
version_components[i]);
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Server: %s, Interface: %s, Library: %s",
AP_SERVER_BASEVERSION,
vals[1], /* SSL_VERSION_INTERFACE */
vals[2]); /* SSL_VERSION_LIBRARY */
}
/*
* Initialize SSL library
*

50
mod_nss-clientauth.patch
View File

@ -1,50 +0,0 @@
The first fix is to retrieve the full certificate subject instead of just the
CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
The second always attempts to retrieve the client certificate in
nss_hook_ReadReq().
https://bugzilla.redhat.com/show_bug.cgi?id=702437
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
- if (status == SECSuccess) {
- conn_rec *c = filter_ctx->c;
- SSLConnRec *sslconn = myConnConfig(c);
-
- sslconn->client_cert = SSL_PeerCertificate(socket);
- sslconn->client_dn = NULL;
- }
+ /* The certificate is copied to sslconn->client_cert in
+ * nss_hook_ReadReq()
+ */
return status;
}
--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
nss_util_vhostid(r->pool, r->server));
}
+ if (sslconn->client_cert != NULL)
+ CERT_DestroyCertificate(sslconn->client_cert);
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
+ sslconn->client_dn = NULL;
+
return DECLINED;
}
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
}
if (!sslconn->client_dn) {
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
PORT_Free(cp);
}

42
mod_nss-compare_subject_CN_and_VS_hostname.patch
View File

@ -1,42 +0,0 @@
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
From: standa <stokos@suse.de>
Date: Wed, 22 Oct 2014 16:14:29 +0200
Subject: [PATCH] Compare subject CN and VS hostname during server start up
---
nss_engine_init.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index d74f002..2569c8d 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
*KEAtype = NSS_FindCertKEAType(*servercert);
+ /* Subject/hostname check */
+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
+ if (secstatus != SECSuccess) {
+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Misconfiguration of certificate's CN and virtual name."
+ " The certificate CN has %s. We expected %s as virtual"
+ " name.", cert_dns, s->server_hostname);
+ PORT_Free(cert_dns);
+ }
+
/*
- * Check for certs that are expired or not yet valid and WARN about it
- * no need to refuse working - the client gets a warning, but can work
- * with the server we could also verify if the certificate is made out
- * for the correct hostname but that would require a reverse DNS lookup
- * for every virtual server - too expensive?
+ * Check for certs that are expired or not yet valid and WARN about it.
+ * No need to refuse working - the client gets a warning.
*/
certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
--
1.9.3

26
mod_nss-gencert.patch
View File

@ -1,26 +0,0 @@
--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
+++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
@@ -82,12 +82,11 @@
DEST=$1
-echo "httptest" > $DEST/pw.txt
+echo -e "\n" > $DEST/pw.txt
echo ""
echo "#####################################################################"
-echo "Generating new server certificate and key database. The password"
-echo "is httptest"
+echo "Generating new server certificate and key database."
echo "#####################################################################"
$CERTUTIL -N -d $DEST -f $DEST/pw.txt
@@ -183,8 +182,4 @@
rm $DEST/pw.txt
rm $DEST/noise
-echo ""
-echo "The database password is httptest"
-echo ""
-
exit 0

142
mod_nss-httpd24.patch
View File

@ -1,142 +0,0 @@
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
- c->remote_ip ? c->remote_ip : "unknown");
+ c->client_ip ? c->client_ip : "unknown");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -28,7 +28,6 @@
#include "mod_ssl.h"
#include "util_script.h"
#include "util_filter.h"
-#include "mpm.h"
#include "apr.h"
#include "apr_strings.h"
#define APR_WANT_STRFUNC
@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo
SECStatus nss_Init_Tokens(server_rec *s);
/* Logging */
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
void nss_die(void);
/* NSS callback */
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -15,7 +15,7 @@
#include "mod_nss.h"
#include "apr_thread_proc.h"
-#include "ap_mpm.h"
+#include "mpm_common.h"
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
Index: mod_nss-1.0.8/nss_engine_io.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_io.c
+++ mod_nss-1.0.8/nss_engine_io.c
@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo
PR_Close(ssl);
/* log the fact that we've closed the connection */
- if (c->base_server->loglevel >= APLOG_INFO) {
+ if (c->base_server->log.level >= APLOG_INFO) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld closed "
"(server %s, client %s)",
c->id,
nss_util_vhostid(c->pool, c->base_server),
- c->remote_ip ? c->remote_ip : "unknown");
+ c->client_ip ? c->client_ip : "unknown");
}
/* deallocate the SSL connection */
@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_
filter_ctx = (nss_filter_ctx_t *)(fd->secret);
c = filter_ctx->c;
- return PR_StringToNetAddr(c->remote_ip, addr);
+ return PR_StringToNetAddr(c->client_ip, addr);
}
/*
Index: mod_nss-1.0.8/nss_engine_kernel.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
+++ mod_nss-1.0.8/nss_engine_kernel.c
@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r)
/*
* Log information about incoming HTTPS requests
*/
- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
+ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r)
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Access to %s denied for %s "
"(requirement expression not fulfilled)",
- r->filename, r->connection->remote_ip);
+ r->filename, r->connection->client_ip);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Failed expression: %s", req->cpExpr);
Index: mod_nss-1.0.8/nss_engine_log.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_log.c
+++ mod_nss-1.0.8/nss_engine_log.c
@@ -321,7 +321,7 @@ void nss_die(void)
exit(1);
}
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)
{
const char *err;
PRInt32 error;
@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file,
err = "Unknown";
}
- ap_log_error(file, line, level, 0, s,
+ ap_log_error(file, line, module_index, level, 0, s,
"SSL Library Error: %d %s",
error, err);
}
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
&& sslconn && sslconn->ssl)
result = nss_var_lookup_ssl(p, c, var+4);
else if (strcEQ(var, "REMOTE_ADDR"))
- result = c->remote_ip;
+ result = c->client_ip;
else if (strcEQ(var, "HTTPS")) {
if (sslconn && sslconn->ssl)
result = "on";
@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
result = nss_var_lookup_nss_version(p, var+12);
else if (strcEQ(var, "SERVER_SOFTWARE"))
- result = (char *)ap_get_server_version();
+ result = (char *)ap_get_server_banner();
else if (strcEQ(var, "API_VERSION")) {
result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
resdup = FALSE;

240
mod_nss-lockpcache.patch
View File

@ -1,240 +0,0 @@
diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500
@@ -152,6 +152,8 @@
AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
#endif
+ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
+ "Apache user. Comes from httpd.conf."),
AP_END_CMD
};
diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500
@@ -41,6 +41,9 @@
#include "apr_shm.h"
#include "apr_global_mutex.h"
#include "apr_optional.h"
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
#define MOD_NSS_VERSION AP_SERVER_BASEREVISION
@@ -244,6 +247,9 @@
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
+
+ int semid;
+ const char *user;
} SSLModConfigRec;
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
@@ -412,6 +418,7 @@
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c
--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500
@@ -830,3 +830,12 @@
return NULL;
}
+
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+
+ mc->user = arg;
+
+ return NULL;
+}
diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c
--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500
@@ -312,6 +312,7 @@
int sslenabled = FALSE;
int fipsenabled = FALSE;
int threaded = 0;
+ struct semid_ds status;
mc->nInitCount++;
@@ -412,10 +413,26 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i");
+ /* The first pass through this function will create the semaphore that
+ * will be used to lock the pipe. The user is still root at that point
+ * so for any later calls the semaphore ops will fail with permission
+ * errors. So switch the user to the Apache user.
+ */
+ if (mc->semid) {
+ uid_t user_id;
+
+ user_id = ap_uname2id(mc->user);
+ semctl(mc->semid, 0, IPC_STAT, &status);
+ status.sem_perm.uid = user_id;
+ semctl(mc->semid,0,IPC_SET,&status);
+ }
+
/* Do we need to fire up our password helper? */
if (mc->nInitCount == 1) {
const char * child_argv[5];
apr_status_t rv;
+ struct sembuf sb;
+ char sembuf[32];
if (mc->pphrase_dialog_helper == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
@@ -423,11 +440,31 @@
nss_die();
}
+ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
+ if (mc->semid == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to obtain semaphore.");
+ nss_die();
+ }
+
+ /* Initialize the semaphore */
+ sb.sem_num = 0;
+ sb.sem_op = 1;
+ sb.sem_flg = 0;
+ if ((semop(mc->semid, &sb, 1)) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize semaphore.");
+ nss_die();
+ }
+
+ PR_snprintf(sembuf, 32, "%d", mc->semid);
+
child_argv[0] = mc->pphrase_dialog_helper;
- child_argv[1] = fipsenabled ? "on" : "off";
- child_argv[2] = mc->pCertificateDatabase;
- child_argv[3] = mc->pDBPrefix;
- child_argv[4] = NULL;
+ child_argv[1] = sembuf;
+ child_argv[2] = fipsenabled ? "on" : "off";
+ child_argv[3] = mc->pCertificateDatabase;
+ child_argv[4] = mc->pDBPrefix;
+ child_argv[5] = NULL;
rv = apr_procattr_create(&mc->procattr, mc->pPool);
diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c
--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400
+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500
@@ -279,6 +279,16 @@
char buf[1024];
apr_status_t rv;
apr_size_t nBytes = 1024;
+ struct sembuf sb;
+
+ /* lock the pipe */
+ sb.sem_num = 0;
+ sb.sem_op = -1;
+ sb.sem_flg = SEM_UNDO;
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Unable to reserve semaphore resource");
+ }
snprintf(buf, 1024, "RETR\t%s", token_name);
rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
@@ -293,6 +303,13 @@
*/
memset(buf, 0, sizeof(buf));
rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
+ sb.sem_op = 1;
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Unable to free semaphore resource");
+ /* perror("semop free resource id"); */
+ }
+
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500
+++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500
@@ -21,6 +21,9 @@
#include <pk11func.h>
#include <secmod.h>
#include <signal.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
#include "nss_pcache.h"
static char * getstr(const char * cmd, int el);
@@ -70,6 +73,13 @@
unsigned char *crypt;
};
+union semun {
+ int val;
+ struct semid_ds *buf;
+ unsigned short *array;
+ struct seminfo *__buf;
+};
+
/*
* Node - for maintaining link list of tokens with cached PINs
*/
@@ -304,15 +314,19 @@
char * tokenName;
char * tokenpw;
int fipsmode = 0;
+ int semid = 0;
+ union semun semarg;
- if (argc < 3 || argc > 4) {
- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n");
+ if (argc < 4 || argc > 5) {
+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
exit(1);
}
signal(SIGHUP, SIG_IGN);
- if (!strcasecmp(argv[1], "on"))
+ semid = strtol(argv[1], NULL, 10);
+
+ if (!strcasecmp(argv[2], "on"))
fipsmode = 1;
/* Initialize NSPR */
@@ -322,7 +336,7 @@
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
/* Initialize NSS and open the certificate database read-only. */
- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
+ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
if (rv != SECSuccess) {
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
@@ -437,6 +451,11 @@
}
freeList(pinList);
PR_Close(in);
+ /* Remove the semaphore used for locking here. This is because this
+ * program only goes away when Apache shuts down so we don't have to
+ * worry about reloads.
+ */
+ semctl(semid, 0, IPC_RMID, semarg);
return 0;
}
Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej

159
mod_nss-negotiate.patch
View File

@ -1,159 +0,0 @@
diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
#define LIBSEC_ERROR_BASE (-8192)
#define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
#define LIBSSL_ERROR_BASE (-12288)
-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
typedef struct l_error_t {
int errorNumber;
@@ -296,7 +296,19 @@
{ 99, "Server requires ciphers more secure than those supported by client" },
{ 100, "Peer reports it experienced an internal error" },
{ 101, "Peer user canceled handshake" },
- { 102, "Peer does not permit renegotiation of SSL security parameters" }
+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
+ { 103, "Server cache not configured" },
+ { 104, "Unsupported extension" },
+ { 105, "Certificate unobtainable" },
+ { 106, "Unrecognized name" },
+ { 107, "Bad certificate status" },
+ { 108, "Bad certificate hash value" },
+ { 109, "Unexpected new session ticket" },
+ { 110, "Malformed new session ticket" },
+ { 111, "Decompression failure" },
+ { 112, "Renegotiation not allowed" },
+ { 113, "Safe negotiation required but not provided by client" },
+ { 114, "Unexpected uncompressed record" },
};
void nss_die(void)

23
mod_nss-no_shutdown_if_not_init_2.patch
View File

@ -1,23 +0,0 @@
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
+++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
server_rec *s;
int shutdown = 0;
- /* Clear any client-side session cache data */
- SSL_ClearSessionCache();
-
/*
* Free the non-pool allocated structures
* in the per-server configurations
@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
}
if (shutdown) {
+ /* Clear any client-side session cache data */
+ SSL_ClearSessionCache();
+
if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
!= SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,

24
mod_nss-overlapping_memcpy.patch
View File

@ -1,24 +0,0 @@
Bug 669118
memcpy of overlapping memory is no longer allowed by glibc.
This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
+++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
@@ -123,13 +123,13 @@
if (buffer->length > inl) {
/* we have have enough to fill the caller's buffer */
- memcpy(in, buffer->value, inl);
+ memmove(in, buffer->value, inl);
buffer->value += inl;
buffer->length -= inl;
}
else {
/* swallow remainder of the buffer */
- memcpy(in, buffer->value, buffer->length);
+ memmove(in, buffer->value, buffer->length);
inl = buffer->length;
buffer->value = NULL;
buffer->length = 0;

21
mod_nss-pcachesignal.h
View File

@ -1,21 +0,0 @@
diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
+++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
@@ -20,6 +20,7 @@
#include <seccomon.h>
#include <pk11func.h>
#include <secmod.h>
+#include <signal.h>
#include "nss_pcache.h"
static char * getstr(const char * cmd, int el);
@@ -309,6 +310,8 @@
exit(1);
}
+ signal(SIGHUP, SIG_IGN);
+
if (!strcasecmp(argv[1], "on"))
fipsmode = 1;
Only in mod_nss-1.0.8: nss_pcache.c.rej

83
mod_nss-proxyvariables.patch
View File

@ -1,83 +0,0 @@
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
tls = 1;
} else {
if (mctx->auth.protocols == NULL) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "NSSProtocols not set; using: SSLv3 and TLSv1");
+ /*
+ * Since this routine will be invoked individually for every
+ * thread associated with each 'server' object as well as for
+ * every thread associated with each 'proxy' object, issue a
+ * single per-thread 'warning' message for either a 'server'
+ * or a 'proxy' based upon the thread's object type.
+ */
+ if (mctx == mctx->sc->server) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "NSSProtocol value not set; using: SSLv3 and TLSv1");
+ } else if (mctx == mctx->sc->proxy) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+ }
+
ssl3 = tls = 1;
} else {
lprotocols = strdup(mctx->auth.protocols);
@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
* Configure SSL Cipher Suite
*/
if (!suite) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Required value NSSCipherSuite not set.");
+ /*
+ * Since this is a 'fatal' error, regardless of whether this
+ * particular invocation is from a 'server' object or a 'proxy'
+ * object, issue all error message(s) as appropriate.
+ */
+ if ((mctx->sc->enabled == TRUE) &&
+ (mctx->sc->server) &&
+ (!mctx->sc->server->auth.cipher_suite)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSEngine on; required value NSSCipherSuite not set.");
+ }
+
+ if ((mctx->sc->proxy_enabled == TRUE) &&
+ (mctx->sc->proxy) &&
+ (!mctx->sc->proxy->auth.cipher_suite)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
+ }
+
nss_die();
}
ciphers = strdup(suite);
@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
if (mctx->nickname == NULL)
#endif
{
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "No certificate nickname provided.");
+ /*
+ * Since this is a 'fatal' error, regardless of whether this
+ * particular invocation is from a 'server' object or a 'proxy'
+ * object, issue all error message(s) as appropriate.
+ */
+ if ((mctx->sc->enabled == TRUE) &&
+ (mctx->sc->server) &&
+ (mctx->sc->server->nickname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSEngine on; no certificate nickname provided by NSSNickname.");
+ }
+
+ if ((mctx->sc->proxy_enabled == TRUE) &&
+ (mctx->sc->proxy) &&
+ (mctx->sc->proxy->nickname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
+ }
+
nss_die();
}

10
mod_nss-reseterror.patch
View File

@ -1,10 +0,0 @@
--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
@@ -348,6 +348,7 @@
break;
}
+ PR_SetError(0, 0);
rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
if (rc > 0) {

64
mod_nss-reverse_proxy_send_SNI.patch
View File

@ -1,64 +0,0 @@
Index: mod_nss-1.0.8/nss_engine_io.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200
+++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200
@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
return APR_SUCCESS;
}
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
+{
+ conn_rec *c = f->c;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ /*
+ * Enable SNI for backend requests. Make sure we don't do it for
+ * pure SSLv3 connections
+ */
+ if (sslconn->is_proxy) {
+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
+ if (hostname_note) {
+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
+ "Error setting SNI extension for SSL Proxy request: %d",
+ PR_GetError());
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "Can't set SNI extension: no hostname available");
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
static apr_status_t nss_io_filter_input(ap_filter_t *f,
apr_bucket_brigade *bb,
ap_input_mode_t mode,
@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
inctx->mode = mode;
inctx->block = block;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
if (is_init) {
/* protocol module needs to handshake before sending
* data to client (e.g. NNTP or FTP)
@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
inctx->mode = AP_MODE_READBYTES;
inctx->block = APR_BLOCK_READ;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
while (!APR_BRIGADE_EMPTY(bb)) {
apr_bucket *bucket = APR_BRIGADE_FIRST(bb);

182
mod_nss-reverseproxy.patch
View File

@ -1,182 +0,0 @@
mod_proxy now sets the requested remote host name. Use this to compare
to the CN value of the peer certificate and reject the request if they
do not match (and we are have NSSProxyCheckPeerCN set to on).
diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
-<code>NSSProxyNickname beta</code><br>
+<code>NSSProxyNickname beta<br>
+<br>
+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
+<br>
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
+on<br>
+</code><br>
<h1><a name="Environment"></a>Environment Variables</h1>
Quite a few environment variables (for CGI and SSI) may be set
depending on the NSSOptions configuration. It can be expensive to set
@@ -1435,42 +1449,9 @@
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
Q. Does mod_nss support mod_proxy?<br>
<br>
-A. In order to use the mod_nss proxy support you will need to build
-your own mod_proxy by applying a patch found in bug <a
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
-The patch is needed so we can compare the hostname contained in the
-remote certificate with the hostname you meant to visit. This prevents
-man-in-the-middle attacks.<br>
-<br>
-You also have to change the SSL functions that mod_proxy looks to use.
-You'll need to apply this patch:<br>
-<br>
-<code>1038,1039c1038,1039<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
----<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
-1041,1042c1041,1042<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;<br>
----<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;<br>
-1069,1070c1069,1070<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
----<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
-</code><br>
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+provides a single interface for SSL providers and mod_nss defers to
+mod_ssl
+if it is loaded.
</body>
</html>
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
@@ -142,6 +142,8 @@
SSL_CMD_SRV(ProxyNickname, TAKE1,
"SSL Proxy: client certificate Nickname to be for proxy connections "
"(`nickname')")
+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peers certificate CN")
#ifdef IGNORE
/* Deprecated directives. */
@@ -238,23 +240,30 @@
SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
{
conn_rec *c = (conn_rec *)arg;
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
PRErrorCode err = PR_GetError();
SECStatus rv = SECFailure;
CERTCertificate *peerCert = SSL_PeerCertificate(socket);
+ const char *hostname_note;
switch (err) {
case SSL_ERROR_BAD_CERT_DOMAIN:
- if (c->remote_host != NULL) {
- rv = CERT_VerifyCertName(peerCert, c->remote_host);
- if (rv != SECSuccess) {
- char *remote = CERT_GetCommonName(&peerCert->subject);
+ if (sc->proxy_ssl_check_peer_cn == TRUE) {
+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
+ apr_table_unset(c->notes, "proxy-request-hostname");
+ rv = CERT_VerifyCertName(peerCert, hostname_note);
+ if (rv != SECSuccess) {
+ char *remote = CERT_GetCommonName(&peerCert->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
+ PORT_Free(remote);
+ }
+ } else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
- PORT_Free(remote);
+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
}
} else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
+ rv = SECSuccess;
}
break;
default:
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
@@ -306,6 +306,7 @@
int vhost_id_len;
modnss_ctx_t *server;
modnss_ctx_t *proxy;
+ BOOL proxy_ssl_check_peer_cn;
};
/*
@@ -410,6 +411,7 @@
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
@@ -140,6 +140,7 @@
sc->vhost_id_len = 0; /* set during module init */
sc->proxy = NULL;
sc->server = NULL;
+ sc->proxy_ssl_check_peer_cn = TRUE;
modnss_ctx_init_proxy(sc, p);
@@ -214,6 +215,7 @@
cfgMergeBool(fips);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
+ cfgMergeBool(proxy_ssl_check_peer_cn);
modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -544,6 +546,15 @@
return NULL;
}
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
void *dcfg,
int flag)

214
mod_nss-sslmultiproxy.patch
View File

@ -1,214 +0,0 @@
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
return sslconn;
}
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+
int nss_proxy_enable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
SSLConnRec *sslconn = nss_init_connection_ctx(c);
if (!sc->proxy_enabled) {
+ if (othermod_proxy_enable) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ "mod_nss proxy not configured, passing through to mod_ssl module");
+ return othermod_proxy_enable(c);
+ }
+
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"SSL Proxy requested for %s but not enabled "
"[Hint: NSSProxyEngine]", sc->vhost_id);
@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
return 1;
}
-int ssl_proxy_enable(conn_rec *c) {
+static int ssl_proxy_enable(conn_rec *c) {
return nss_proxy_enable(c);
}
@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
SSLConnRec *sslconn;
+ if (othermod_engine_disable) {
+ othermod_engine_disable(c);
+ }
+
if (sc->enabled == FALSE) {
return 0;
}
@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
return 1;
}
-int ssl_engine_disable(conn_rec *c) {
+static int ssl_engine_disable(conn_rec *c) {
return nss_engine_disable(c);
}
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
nss_var_register();
+ /* Always register these mod_nss optional functions */
APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ /* Save the state of any previously registered mod_ssl functions */
+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+
+ /* Always register these local mod_ssl optional functions */
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA nss_module = {
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -13,8 +13,8 @@
* limitations under the License.
*/
-#ifndef __MOD_SSL_H__
-#define __MOD_SSL_H__
+#ifndef __MOD_NSS_H__
+#define __MOD_NSS_H__
/* Apache headers */
#include "httpd.h"
@@ -25,6 +25,7 @@
#include "http_connection.h"
#include "http_request.h"
#include "http_protocol.h"
+#include "mod_ssl.h"
#include "util_script.h"
#include "util_filter.h"
#include "mpm.h"
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
/* Variables */
void nss_var_register(void);
char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
void nss_var_log_config_register(apr_pool_t *p);
APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
- (apr_pool_t *, server_rec *,
- conn_rec *, request_rec *,
- char *));
/* An optional function which returns non-zero if the given connection
* is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* Proxy Support */
int nss_proxy_enable(conn_rec *c);
int nss_engine_disable(conn_rec *c);
-int ssl_proxy_enable(conn_rec *c);
-int ssl_engine_disable(conn_rec *c);
APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* I/O */
PRFileDesc * nss_io_new_fd();
@@ -495,4 +486,4 @@ void nss_die(void);
/* NSS callback */
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
-#endif /* __MOD_SSL_H__ */
+#endif /* __MOD_NSS_H__ */
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
+
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
static int nss_is_https(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
- return sslconn && sslconn->ssl;
+
+ return (sslconn && sslconn->ssl)
+ || (othermod_is_https && othermod_is_https(c));
}
static int ssl_is_https(conn_rec *c) {
@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
void nss_var_register(void)
{
+ /* Always register these mod_nss optional functions */
APR_REGISTER_OPTIONAL_FN(nss_is_https);
APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
- /* These can only be registered if mod_ssl is not loaded */
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ /* Save the state of any previously registered mod_ssl functions */
+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+
+ /* Always register these local mod_ssl optional functions */
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
return;
}
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
*/
if (result == NULL && c != NULL) {
SSLConnRec *sslconn = myConnConfig(c);
+
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
+ /* If mod_ssl is registered for this connection,
+ * pass any SSL_* variable through to the mod_ssl module
+ */
+ return othermod_var_lookup(p, s, c, r, var);
+ }
+
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
&& sslconn && sslconn->ssl)
result = nss_var_lookup_ssl(p, c, var+4);
@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
return result;
}
-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
return nss_var_lookup(p, s, c, r, var);
}

745
mod_nss-tlsv1_1.patch
View File

@ -1,745 +0,0 @@
Index: mod_nss-1.0.8/docs/mod_nss.html
===================================================================
--- mod_nss-1.0.8.orig/docs/mod_nss.html
+++ mod_nss-1.0.8/docs/mod_nss.html
@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
<br>
Enables or disables FIPS 140 mode. This replaces the standard
internal PKCS#11 module with a FIPS-enabled one. It also forces the
-enabled protocols to TLSv1 and disables all ciphers but the
+enabled protocols to TLSv1.2 - TLS v1.0 and disables all ciphers but the
FIPS ones. You may still select which ciphers you would like
limited to those that are FIPS-certified. Any non-FIPS that are
included in the NSSCipherSuite entry are automatically disabled.
@@ -570,7 +570,7 @@ definition<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1<br>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br>
</td>
</tr>
<tr>
@@ -578,106 +578,106 @@ definition<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_null_md5<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_null_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc2_40_md5</td>
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_128_md5</td>
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_128_sha</td>
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_40_md5</td>
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_rc4_128_sha<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_null<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_3des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_des_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSL3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_128_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_256_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
</tbody>
</table>
@@ -698,127 +698,127 @@ Definition<br>
<tr>
<td>ecdh_ecdsa_null_sha</td>
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_rc4_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_3des_sha</td>
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_256_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_null_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_rc4_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_3des_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_aes_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_aes_256_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_rsa_null_sha</td>
<td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_rsa_128_sha</td>
<td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_rsa_3des_sha</td>
<td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_rsa_aes_128_sha</td>
<td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_rsa_aes_256_sha</td>
<td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>echde_rsa_null</td>
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_rc4_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_3des_sha</td>
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_256_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_null_sha</td>
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_rc4_128sha</td>
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_3des_sha</td>
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_128_sha</td>
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_256_sha</td>
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
</tbody>
</table>
@@ -839,16 +839,36 @@ specifically but allows ciphers for that
Options are:<br>
<ul>
<li><code>SSLv3</code></li>
- <li><code>TLSv1</code></li>
+ <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
+ <li><code>TLSv1.0</code></li>
+ <li><code>TLSv1.1</code></li>
+ <li><code>TLSv1.2</code></li>
<li><code>All</code></li>
</ul>
Note that this differs from mod_ssl in that you can't add or subtract
protocols.<br>
+<br>
+If no NSSProtocol is specified, mod_nss will default to allowing the use of
+the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
+minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
+allowed.
+<br>
+If values for NSSProtocol are specified, mod_nss will set both the minimum
+and the maximum allowed protocols based upon these entries allowing for the
+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
+are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
+protocol ranges to accept all protocols inclusively
+(TLS 1.2 -&gt;TLS 1.1 -&gt; TLS 1.0 -&gt; SSL 3.0), and does not allow exclusion of any protocols
+in the middle of a range (e. g. - TLS 1.0).<br>
+<br>
+Finally, NSS will always automatically negotiate the use of the strongest
+possible protocol that has been specified which is acceptable to both sides of
+a given connection.<br>
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
-<code>NSSProtocol SSLv3,TLSv1</code><br>
+<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
<br>
<big><big>NSSNickname<br>
</big></big><br>
@@ -1101,7 +1121,7 @@ was compiled against.<br>
<tr>
<td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
</code></td>
- <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
+ <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2<br>
</td>
</tr>
<tr>
@@ -1443,7 +1463,7 @@ Opera, and
Safari) support SSL 3 and TLS so there is no need for a web server to
support
SSL 2. There are some known attacks against SSL 2 that are handled by
-SSL 3/TLS. SSL2 also doesn't support useful features like client
+SSL 3/TLS. SSLv2 also doesn't support useful features like client
authentication.
<br>
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
"(`[+-]XXX,...,[+-]XXX' - see manual)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable the various SSL protocols"
- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
+ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client Authentication "
"(`none', `optional', `require'")
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
"(`on', `off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"(`XXX:...:XXX' - see manual)")
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
- int ssl2, ssl3, tls;
+ int ssl2, ssl3, tls, tls1_1, tls1_2;
+ char *protocol_marker = NULL;
char *lprotocols = NULL;
SECStatus stat;
+ SSLVersionRange enabledVersions;
- ssl2 = ssl3 = tls = 0;
+ ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
+
+ /*
+ * Since this routine will be invoked individually for every thread
+ * associated with each 'server' object as well as for every thread
+ * associated with each 'proxy' object, identify the protocol marker
+ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
+ * via each thread's object type and apply this useful information to
+ * all log messages.
+ */
+ if (mctx == mctx->sc->server) {
+ protocol_marker = "NSSProtocol";
+ } else if (mctx == mctx->sc->proxy) {
+ protocol_marker = "NSSProxyProtocol";
+ }
if (mctx->sc->fips) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "In FIPS mode, enabling TLSv1");
- tls = 1;
+ "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
+ protocol_marker);
+ tls = tls1_1 = tls1_2 = 1;
} else {
if (mctx->auth.protocols == NULL) {
- /*
- * Since this routine will be invoked individually for every
- * thread associated with each 'server' object as well as for
- * every thread associated with each 'proxy' object, issue a
- * single per-thread 'warning' message for either a 'server'
- * or a 'proxy' based upon the thread's object type.
- */
- if (mctx == mctx->sc->server) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "NSSProtocol value not set; using: SSLv3 and TLSv1");
- } else if (mctx == mctx->sc->proxy) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
- }
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
+ protocol_marker);
- ssl3 = tls = 1;
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
} else {
lprotocols = strdup(mctx->auth.protocols);
ap_str_tolower(lprotocols);
if (strstr(lprotocols, "all") != NULL) {
#ifdef WANT_SSL2
- ssl2 = ssl3 = tls = 1;
+ ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
#else
- ssl3 = tls = 1;
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
#endif
} else {
- if (strstr(lprotocols, "sslv2") != NULL) {
+ char *protocol_list = NULL;
+ char *saveptr = NULL;
+ char *token = NULL;
+
+ for (protocol_list = lprotocols; ; protocol_list = NULL) {
+ token = strtok_r(protocol_list, ",", &saveptr);
+ if (token == NULL) {
+ break;
+ } else if (strcmp(token, "sslv2") == 0) {
#ifdef WANT_SSL2
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
- ssl2 = 1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling SSL2",
+ protocol_marker);
+ ssl2 = 1;
#else
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "%s: SSL2 is not supported",
+ protocol_marker);
#endif
- }
-
- if (strstr(lprotocols, "sslv3") != NULL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
- ssl3 = 1;
- }
-
- if (strstr(lprotocols, "tlsv1") != NULL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
- tls = 1;
+ } else if (strcmp(token, "sslv3") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling SSL3",
+ protocol_marker);
+ ssl3 = 1;
+ } else if (strcmp(token, "tlsv1") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.0 via TLSv1",
+ protocol_marker);
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
+ protocol_marker);
+ tls = 1;
+ } else if (strcmp(token, "tlsv1.0") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.0",
+ protocol_marker);
+ tls = 1;
+ } else if (strcmp(token, "tlsv1.1") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.1",
+ protocol_marker);
+ tls1_1 = 1;
+ } else if (strcmp(token, "tlsv1.2") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.2",
+ protocol_marker);
+ tls1_2 = 1;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "%s: Unknown protocol '%s' not supported",
+ protocol_marker, token);
+ }
}
}
free(lprotocols);
@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
}
+ /* Set protocol version ranges:
+ *
+ * (1) Set the minimum protocol accepted
+ * (2) Set the maximum protocol accepted
+ * (3) Protocol ranges extend from maximum down to minimum protocol
+ * (4) All protocol ranges are completely inclusive;
+ * no protocol in the middle of a range may be excluded
+ * (5) NSS automatically negotiates the use of the strongest protocol
+ * for a connection starting with the maximum specified protocol
+ * and downgrading as necessary to the minimum specified protocol
+ *
+ * For example, if SSL 3.0 is chosen as the minimum protocol, and
+ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
+ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
+ * cannot be excluded from this range. NSS will automatically negotiate
+ * to utilize the strongest acceptable protocol for a connection starting
+ * with the maximum specified protocol and downgrading as necessary to the
+ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+ */
if (stat == SECSuccess) {
+ /* Set minimum protocol version (lowest -> highest)
+ *
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
+ */
if (ssl3 == 1) {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (minimum)",
+ protocol_marker);
+ } else if (tls == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.0] (minimum)",
+ protocol_marker);
+ } else if (tls1_1 == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.1] (minimum)",
+ protocol_marker);
+ } else if (tls1_2 == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.2] (minimum)",
+ protocol_marker);
} else {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
+ /* Set default minimum protocol version to SSL 3.0 */
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (default minimum)",
+ protocol_marker);
}
- }
- if (stat == SECSuccess) {
- if (tls == 1) {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
+
+ /* Set maximum protocol version (highest -> lowest)
+ *
+ * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
+ */
+ if (tls1_2 == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.2] (maximum)",
+ protocol_marker);
+ } else if (tls1_1 == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.1] (maximum)",
+ protocol_marker);
+ } else if (tls == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.0] (maximum)",
+ protocol_marker);
+ } else if (ssl3 == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (maximum)",
+ protocol_marker);
} else {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
+ /* Set default maximum protocol version to TLS 1.2 */
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.2] (default maximum)",
+ protocol_marker);
}
+
+ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
}
if (stat != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL protocol initialization failed.");
+ "%s: SSL/TLS protocol initialization failed.",
+ protocol_marker);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
mctx->ssl2 = ssl2;
mctx->ssl3 = ssl3;
- mctx->tls = tls;
+ if (tls1_2 == 1) {
+ mctx->tls = tls1_2;
+ } else if (tls1_1 == 1) {
+ mctx->tls = tls1_1;
+ } else {
+ mctx->tls = tls;
+ }
}
static void nss_init_ctx_session_cache(server_rec *s,
@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
PRBool cipher_state[ciphernum];
PRBool fips_state[ciphernum];
const char *suite = mctx->auth.cipher_suite;
+ char * object_type = NULL;
+ char * cipher_suite_marker = NULL;
char * ciphers;
char * fipsciphers = NULL;
int i;
@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se
nss_die();
}
+
+ /*
+ * Since this routine will be invoked individually for every thread
+ * associated with each 'server' object as well as for every thread
+ * associated with each 'proxy' object, identify the cipher suite markers
+ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
+ * via each thread's object type and apply this useful information to
+ * all log messages.
+ */
+ if (mctx == mctx->sc->server) {
+ object_type = "server";
+ cipher_suite_marker = "NSSCipherSuite";
+ } else if (mctx == mctx->sc->proxy) {
+ object_type = "proxy";
+ cipher_suite_marker = "NSSProxyCipherSuite";
+ }
+
ciphers = strdup(suite);
#define CIPHERSIZE 2048
@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "FIPS mode enabled, permitted SSL ciphers are: [%s]",
- fipsciphers);
+ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
+ object_type, fipsciphers);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "Configuring permitted SSL ciphers [%s]",
- suite);
+ "%s: Configuring permitted SSL ciphers [%s]",
+ cipher_suite_marker, suite);
/* Disable all NSS supported cipher suites. This is to prevent any new
* NSS cipher suites from getting automatically and unintentionally
@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se
for (i=0; i<ciphernum; i++) {
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
+ "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
cipher_state[i] = PR_FALSE;
}
}
@@ -902,19 +1041,22 @@ static void nss_init_ctx_cipher_suite(se
/* See if any ciphers have been enabled for a given protocol */
if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL2 is enabled but no SSL2 ciphers are enabled.");
+ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL3 is enabled but no SSL3 ciphers are enabled.");
+ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "TLS is enabled but no TLS ciphers are enabled.");
+ "%s: TLS is enabled but no TLS ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
case SSL_LIBRARY_VERSION_3_0:
result = "SSLv3";
break;
- case SSL_LIBRARY_VERSION_3_1_TLS:
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
result = "TLSv1";
break;
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ result = "TLSv1.1";
+ break;
}
}
}

12
mod_nss-wouldblock.patch
View File

@ -1,12 +0,0 @@
--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
+++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
@@ -259,7 +259,8 @@
*/
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
- return 0;
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return -1;
}
if (inctx->rc != APR_SUCCESS) {

103
mod_nss_migrate.pl
View File

@ -6,7 +6,7 @@ use Cwd;
use Getopt::Std; use Getopt::Std;
BEGIN { BEGIN {
# $NSSDir = cwd(); #$NSSDir = cwd();
$NSSDir = "/etc/apache2/mod_nss.d"; $NSSDir = "/etc/apache2/mod_nss.d";
$SSLCACertificatePath = ""; $SSLCACertificatePath = "";
@ -18,21 +18,34 @@ BEGIN {
$passphrase = 0; $passphrase = 0;
} }
%skip = ( "SSLRandomSeed" => "", # these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
"SSLSessionCache" => "", %keep = ( "SSLCipherSuite" => "",
"SSLMutex" => "", "SSLEngine" => "",
"SSLCertificateChainFile" => "", "SSLFIPS" => "",
"SSLVerifyDepth" => "" , "SSLOptions" => "",
"SSLCryptoDevice" => "" , "SSLPassPhraseDialog" => "",
"LoadModule" => "" , "SSLProtocol" => "",
); "SSLProxyCipherSuite" => "",
"SSLProxyEngine" => "",
"SSLProxyCheckPeerCN" => "",
"SSLProxyProtocol" => "",
"SSLRandomSeed" => "",
"SSLRenegBufferSize" => "",
"SSLRequire" => "",
"SSLRequireSSL" => "",
"SSLSessionCacheTimeout" => "",
"SSLSessionTickets" => "",
"SSLStrictSNIVHostCheck" => "",
"SSLUserName" => "",
"SSLVerifyClient" => "",
);
%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); %insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
getopts('chr:w:' , \%opt ); getopts('chr:w:' , \%opt );
sub usage() { sub usage() {
print STDERR "Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n"; print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
print STDERR "\t-c converts the certificates\n"; print STDERR "\t-c converts the certificates\n";
print STDERR "This conversion script is not aware of apache's configuration blocks\n"; print STDERR "This conversion script is not aware of apache's configuration blocks\n";
print STDERR "and nestable conditional directives. Please check the output of the\n"; print STDERR "and nestable conditional directives. Please check the output of the\n";
@ -40,27 +53,22 @@ sub usage() {
exit(); exit();
} }
usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ; usage() if ($opt{h} || !$opt{r} || !$opt{w});
print STDERR "input: $opt{r} output: $opt{w}\n"; print STDERR "input: $opt{r} output: $opt{w}\n";
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n"; open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n"; open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n";
print NSS "## This is a conversion of mod_ssl specific options by /usr/sbin/mod_nss_migrate.pl\n";
print NSS "## Most of the comments in the original .conf file have been omitted here, as\n"; print NSS "## Most of the comments in the original .conf file have been omitted here, as\n";
print NSS "## the comments may not be valid for mod_nss, too.\n"; print NSS "## the comments may not be valid for mod_nss, too.\n";
print NSS "## \n"; print NSS "## \n";
print NSS "## Please read through this configuration and verify the individual options!\n\n"; print NSS "## Please read through this configuration and verify the individual options!\n\n";
while (<SSL>) { while (<SSL>) {
my $comment = 0; my $comment = 0;
# write through even if in comment before comments are stripped below. # write through even if in comment before comments are stripped below.
if(/(ServerName|ServerAlias)/) { if(/(ServerName|ServerAlias)/) {
print NSS $_; print NSS $_;
@ -68,9 +76,8 @@ while (<SSL>) {
} }
# skip blank lines and comments # skip blank lines and comments
if (/^#/ || /^\s*#/ || /^\s*$/) { if (/^\s*#/ || /^\s*$/) {
# do not copy them; they may not be useful anyway. print NSS $_;
# print NSS $_;
next; next;
} }
@ -93,19 +100,15 @@ while (<SSL>) {
next; next;
} }
if ($stmt eq "SSLCipherSuite") { # we support OpenSSL cipher strings now, keeping the string as is
print NSS "## original SSLCipherSuite config line: $_"; #if ($stmt eq "SSLCipherSuite") {
print NSS "NSSCipherSuite ", get_ciphers($val), "\n\n"; #print NSS "NSSCipherSuite ", get_ciphers($val), "\n";
next; #print NSS "NSSProtocol SSLv3,TLSv1\n";
} elsif ($stmt eq "SSLEngine" ) { #$comment = 1;
print NSS "##$_"; if ($stmt eq "SSLProtocol" ) {
print NSS "NSSEngine $value\n\n";
next;
} elsif ($stmt eq "SSLProtocol" ) {
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n"; print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
print NSS "##$_"; print NSS "##$_";
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n"; print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
print NSS "## You may also specify SSLv3 at the beginning of the range. Not done here:\n";
print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n"; print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
next; next;
} elsif ($stmt eq "SSLCACertificatePath") { } elsif ($stmt eq "SSLCACertificatePath") {
@ -129,25 +132,27 @@ while (<SSL>) {
$SSLCARevocationFile = $value; $SSLCARevocationFile = $value;
$comment = 1; $comment = 1;
} elsif ($stmt eq "SSLPassPhraseDialog") { } elsif ($stmt eq "SSLPassPhraseDialog") {
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n"; print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
$passphrase = 1; $passphrase = 1;
$comment = 1; $comment = 1;
} }
if (exists($skip{$stmt})) {
print NSS "# Skipping, not applicable in mod_nss\n"; if (exists($insert{$stmt})) {
print NSS "##$_"; #print NSS "$_";
print NSS $insert{$stmt};
next; next;
} }
# Fix up any remaining directive names if (m/^\s*SSL/) {
s/SSL/NSS/; if (!exists($keep{$stmt})) {
print NSS "# Skipping, not applicable in mod_nss\n";
print NSS "##$_";
if (exists($insert{$stmt})) { next;
print NSS "$_"; } else {
print NSS $insert{$stmt}; # Fix up any remaining directive names
next; s/^(\s*)SSL/\1NSS/;
}
} }
# Fall-through to print whatever is left # Fall-through to print whatever is left
@ -157,11 +162,11 @@ while (<SSL>) {
} else { } else {
print NSS $_; print NSS $_;
} }
} }
if ($passphrase == 0) { if ($passphrase == 0) {
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n"; # NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'.
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
} }
close(NSS); close(NSS);
@ -179,15 +184,15 @@ if ($opt{c}) {
if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") { if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
my $subject = get_cert_subject($SSLCertificateFile); my $subject = get_cert_subject($SSLCertificateFile);
print STDERR "Importing certificate $subject as \"Server-Cert\".\n"; print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo "); run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo");
run_command("pk12util -i server.p12 -d $NSSDir -W foo "); run_command("pk12util -i server.p12 -d $NSSDir -W foo");
} }
if ($SSLCACertificateFile ne "") { if ($SSLCACertificateFile ne "") {
my $subject = get_cert_subject($SSLCACertificateFile); my $subject = get_cert_subject($SSLCACertificateFile);
if ($subject ne "") { if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n"; print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile "); run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile");
} }
} }
@ -202,7 +207,7 @@ if ($opt{c}) {
my $subject = get_cert_subject("$SSLCACertificatePath/$file"); my $subject = get_cert_subject("$SSLCACertificatePath/$file");
if ($subject ne "") { if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n"; print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file "); run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file");
} }
} }
} }

69
update-ciphers.patch
View File

@ -1,69 +0,0 @@
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c 2015-09-07 09:56:54.148244174 +0200
+++ mod_nss-1.0.8/nss_engine_init.c 2015-09-07 09:58:19.368215557 +0200
@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc
*/
char* INTERNAL_TOKEN_NAME = "internal ";
+/* When adding or removing ciphers from this table,
+ remember to adjust the ciphernum constant in mod_nss.h
+*/
cipher_properties ciphers_def[ciphernum] =
{
- /* SSL2 cipher suites */
- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
/* SSL3/TLS cipher suites */
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum]
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h 2015-09-07 09:56:54.148244174 +0200
+++ mod_nss-1.0.8/mod_nss.h 2015-09-07 09:56:56.396269772 +0200
@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4}
/* the table itself is defined in nss_engine_init.c */
#ifdef NSS_ENABLE_ECC
-#define ciphernum 59
+#define ciphernum 50
#else
-#define ciphernum 28
+#define ciphernum 19
#endif
/*
Index: mod_nss-1.0.8/nss.conf.in
===================================================================
--- mod_nss-1.0.8.orig/nss.conf.in 2015-09-07 09:56:54.139244072 +0200
+++ mod_nss-1.0.8/nss.conf.in 2015-09-07 09:56:54.156244265 +0200
@@ -90,13 +90,13 @@ NSSEngine on
# See the mod_nss documentation for a complete list.
# SSL 3 ciphers. SSL 2 is disabled by default.
-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
#
# Comment out the NSSCipherSuite line above and use the one below if you have
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2