pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 390637 from Apache:Modules

Browse Source 
- update to 1.0.14 (fixes boo#973996)
  * OpenSSL ciphers stopped parsing at +, CVE-2016-3099
  * Created valgrind suppression files to ease debugging
  * Implement SSL_PPTYPE_FILTER to call executables to get
    the key password pins. Can be used to prompt with systemd.
  * Improvements to migrate.pl
- drop mod_nss_migrate.pl and use upstream migrate script instead
  * add mod_nss-migrate.patch (forwarded request 390295 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/390637
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=20
This commit is contained in:
Dominique Leuenberger 2016-04-28 14:54:54 +00:00 committed by Git OBS Bridge
commit 959f7a554c
7 changed files with 38 additions and 413 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
apache2-mod_nss.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Sat Apr 16 09:12:29 UTC 2016 - vcizek@suse.com
- update to 1.0.14 (fixes boo#973996)
* OpenSSL ciphers stopped parsing at +, CVE-2016-3099
* Created valgrind suppression files to ease debugging
* Implement SSL_PPTYPE_FILTER to call executables to get
the key password pins. Can be used to prompt with systemd.
* Improvements to migrate.pl
- drop mod_nss_migrate.pl and use upstream migrate script instead
* add mod_nss-migrate.patch
-------------------------------------------------------------------
Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com

11
apache2-mod_nss.spec
View File

@ -20,13 +20,12 @@ Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.13
Version: 1.0.14
Release: 0.4.8
Url: https://fedorahosted.org/mod_nss
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
Source1: mod_nss.conf.in
Source2: listen_nss.conf
Source3: mod_nss_migrate.pl
Source4: README-SUSE.txt
Source5: vhost-nss.template
Provides: mod_nss
@ -52,7 +51,8 @@ BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
Patch0: mod_nss-bnc863518-reopen_dev_tty.diff
Patch1: mod_nss-migrate.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
@ -72,7 +72,8 @@ security library.
%prep
%setup -q -n mod_nss-%{version}
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch1 -p1
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@ -123,7 +124,7 @@ install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db

3
mod_nss-1.0.13.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:244afe11101bf75d85562fadf7b5e4292f8de634446414c268b4b4636cc88817
size 177668

3
mod_nss-1.0.14.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b5d148314d28dc47028b22944769de26fb553f08888d3f9a41e3621f4bcfb16c
size 179628

8
mod_nss-bnc863518-reopen_dev_tty.diff
View File

@ -1,8 +1,8 @@
Index: nss_engine_pphrase.c
===================================================================
--- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100
+++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100
@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
--- nss_engine_pphrase.c.orig 2016-04-15 20:27:59.000000000 +0200
+++ nss_engine_pphrase.c 2016-04-16 11:11:49.472862662 +0200
@@ -230,6 +230,7 @@ static char *nss_get_password(FILE *inpu
char line[1024];
unsigned char phrase[200];
int infd = fileno(input);
@ -10,7 +10,7 @@ Index: nss_engine_pphrase.c
int isTTY = isatty(infd);
token_name = PK11_GetTokenName(slot);
@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
@@ -351,6 +352,24 @@ static char *nss_get_password(FILE *inpu
if (pwdstr)
return pwdstr;

13
mod_nss-migrate.patch Normal file
View File

@ -0,0 +1,13 @@
Index: mod_nss-1.0.14/migrate.pl
===================================================================
--- mod_nss-1.0.14.orig/migrate.pl 2016-04-15 20:27:59.000000000 +0200
+++ mod_nss-1.0.14/migrate.pl 2016-04-16 11:50:59.588366719 +0200
@@ -6,7 +6,7 @@ use Cwd;
use Getopt::Std;
BEGIN {
- $NSSDir = cwd();
+ $NSSDir = "/etc/apache2/mod_nss.d";
$SSLCACertificatePath = "";
$SSLCACertificateFile = "";

401
mod_nss_migrate.pl
View File

@ -1,401 +0,0 @@
#!/usr/bin/perl
#
# Migrate configuration from OpenSSL to NSS
use Cwd;
use Getopt::Std;
BEGIN {
#$NSSDir = cwd();
$NSSDir = "/etc/apache2/mod_nss.d";
$SSLCACertificatePath = "";
$SSLCACertificateFile = "";
$SSLCertificateFile = "";
$SSLCARevocationPath = "";
$SSLCARevocationFile = "";
$SSLCertificateKeyFile = "";
$passphrase = 0;
}
# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
%keep = ( "SSLCipherSuite" => "",
"SSLEngine" => "",
"SSLFIPS" => "",
"SSLOptions" => "",
"SSLPassPhraseDialog" => "",
"SSLProtocol" => "",
"SSLProxyCipherSuite" => "",
"SSLProxyEngine" => "",
"SSLProxyCheckPeerCN" => "",
"SSLProxyProtocol" => "",
"SSLRandomSeed" => "",
"SSLRenegBufferSize" => "",
"SSLRequire" => "",
"SSLRequireSSL" => "",
"SSLSessionCacheTimeout" => "",
"SSLSessionTickets" => "",
"SSLStrictSNIVHostCheck" => "",
"SSLUserName" => "",
"SSLVerifyClient" => "",
);
%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
getopts('chr:w:' , \%opt );
sub usage() {
print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
print STDERR "\t-c converts the certificates\n";
print STDERR "This conversion script is not aware of apache's configuration blocks\n";
print STDERR "and nestable conditional directives. Please check the output of the\n";
print STDERR "conversion and adjust manually if necessary!\n";
exit();
}
usage() if ($opt{h} || !$opt{r} || !$opt{w});
print STDERR "input: $opt{r} output: $opt{w}\n";
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n";
print NSS "## Most of the comments in the original .conf file have been omitted here, as\n";
print NSS "## the comments may not be valid for mod_nss, too.\n";
print NSS "## \n";
print NSS "## Please read through this configuration and verify the individual options!\n\n";
while (<SSL>) {
my $comment = 0;
# write through even if in comment before comments are stripped below.
if(/(ServerName|ServerAlias)/) {
print NSS $_;
next;
}
# skip blank lines and comments
if (/^\s*#/ || /^\s*$/) {
print NSS $_;
next;
}
s/mod_ssl\.c/mod_nss.c/;
# write through nestable apache configuration block directives:
if (/^</ || /^\s</) {
print NSS $_;
next;
}
m/(\w+)\s+(.+)/;
$stmt = $1;
$value = $2;
# Handle the special cases
if ($stmt eq "SSLVerifyClient" && $value eq "optional_no_ca") {
print NSS "# Replaced optional_no_ca with optional\n";
print NSS "SSLVerifyClient optional\n";
next;
}
# we support OpenSSL cipher strings now, keeping the string as is
#if ($stmt eq "SSLCipherSuite") {
#print NSS "NSSCipherSuite ", get_ciphers($val), "\n";
#print NSS "NSSProtocol SSLv3,TLSv1\n";
#$comment = 1;
if ($stmt eq "SSLProtocol" ) {
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
print NSS "##$_";
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
next;
} elsif ($stmt eq "SSLCACertificatePath") {
$SSLCACertificatePath = $value;
$comment = 1;
} elsif ($stmt eq "SSLCACertificateFile") {
$SSLCACertificateFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCertificateFile") {
print NSS "NSSCertificateDatabase $NSSDir\n";
print NSS "NSSNickName Server-Cert\n";
$SSLCertificateFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCertificateKeyFile") {
$SSLCertificateKeyFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCARevocationPath") {
$SSLCARevocationPath = $value;
$comment = 1;
} elsif ($stmt eq "SSLCARevocationFile") {
$SSLCARevocationFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLPassPhraseDialog") {
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
$passphrase = 1;
$comment = 1;
}
if (exists($insert{$stmt})) {
#print NSS "$_";
print NSS $insert{$stmt};
next;
}
if (m/^\s*SSL/) {
if (!exists($keep{$stmt})) {
print NSS "# Skipping, not applicable in mod_nss\n";
print NSS "##$_";
next;
} else {
# Fix up any remaining directive names
s/^(\s*)SSL/\1NSS/;
}
}
# Fall-through to print whatever is left
if ($comment) {
print NSS "##$_";
$comment = 0;
} else {
print NSS $_;
}
}
if ($passphrase == 0) {
# NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'.
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
}
close(NSS);
close(SSL);
#
# Create NSS certificate database and import any existing certificates
#
if ($opt{c}) {
print STDERR "Creating NSS certificate database.\n";
run_command("certutil -N -d $NSSDir");
# Convert the certificate into pkcs12 format
if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
my $subject = get_cert_subject($SSLCertificateFile);
print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo");
run_command("pk12util -i server.p12 -d $NSSDir -W foo");
}
if ($SSLCACertificateFile ne "") {
my $subject = get_cert_subject($SSLCACertificateFile);
if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile");
}
}
if ($SSLCACertificatePath ne "") {
opendir(DIR, $SSLCACertificatePath) or die "can't opendir $SSLCACertificatePath: $!";
while (defined($file = readdir(DIR))) {
next if -d $file;
# we can operate directly on the hash files so don't have to worry
# about any SKIPME's.
if ($file =~ /hash.*/) {
my $subject = get_cert_subject("$SSLCACertificatePath/$file");
if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file");
}
}
}
closedir(DIR);
}
if ($SSLCARevocationFile ne "") {
print STDERR "Importing CRL file $CARevocationFile\n";
# Convert to DER format
run_command("openssl crl -in $SSLCARevocationFile -out /root/crl.tmp -inform PEM -outform DER");
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
unlink("/root/crl.tmp");
}
if ($SSLCARevocationPath ne "") {
opendir(DIR, $SSLCARevocationPath) or die "can't opendir $SSLCARevocationPath: $!";
while (defined($file = readdir(DIR))) {
next if -d $file;
# we can operate directly on the hash files so don't have to worry
# about any SKIPME's.
if ($file =~ /hash.*/) {
my $subject = get_cert_subject("$SSLCARevocationPath/$file");
if ($subject ne "") {
print STDERR "Importing CRL file $file\n";
# Convert to DER format
run_command("openssl crl -in $SSLCARevocationPath/$file -out /root/crl.tmp -inform PEM -outform DER");
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
unlink("/root/crl.tmp");
}
}
}
closedir(DIR);
}
}
print STDERR "\n\nConversion complete.\n";
print STDERR "The output file should contain a valid mod_nss configuration based on\n";
print STDERR "the mod_ssl directives from the input file.\n";
print STDERR "Recommended directory: /etc/apache2/mod_nss.d , suffix .conf!\n";
print STDERR "Also make sure to edit /etc/apache2/conf.d/mod_nss.conf and to remove the\n";
print STDERR "<VirtualHost> section if you do not need it.\n\n";
print STDERR "Also, do not forget to rename the ssl based apache config file";
print STDERR "(our example: myhost-ssl.conf) to a file that does not end in .conf\n";
print STDERR "(our example: myhost-ssl.conf-disabled-for-nss)\n\n";
print STDERR "Then, restart apache (rcapache2 restart) and have a look into the error logs.\n";
exit(0);
# Migrate configuration from OpenSSL to NSS
sub get_ciphers {
my $str = shift;
%cipher_list = (
"rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
"rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:",
"rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:",
"rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:",
"des" => ":ALL:SSLv2:RSA:EXP:EXPORT56:MD5:DES:LOW:",
"desede3" => ":ALL:SSLv2:RSA:MD5:3DES:HIGH:",
"rsa_rc4_128_md5" => ":ALL:SSLv3:TLSv1:RSA:MD5:RC4:MEDIUM:",
"rsa_rc4_128_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:RC4:MEDIUM:",
"rsa_3des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:3DES:HIGH:",
"rsa_des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:DES:LOW:",
"rsa_rc4_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC4:",
"rsa_rc2_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC2:",
"rsa_null_md5" => ":SSLv3:TLSv1:RSA:MD5:NULL:",
"rsa_null_sha" => ":SSLv3:TLSv1:RSA:SHA:NULL:",
"rsa_des_56_sha" => ":ALL:SSLv3:TLSv1:RSA:DES:SHA:EXP:EXPORT56:",
"rsa_rc4_56_sha" => ":ALL:SSLv3:TLSv1:RSA:RC4:SHA:EXP:EXPORT56:",
);
$NUM_CIPHERS = 16;
for ($i = 0; $i < $NUM_CIPHERS; $i++) {
$selected[$i] = 0;
}
# Don't need to worry about the ordering properties of "+" because
# NSS always chooses the "best" cipher anyway. You can't specify
# preferred order.
# -1: this cipher is completely out
# 0: this cipher is currently unselected, but maybe added later
# 1: this cipher is selected
@s = split(/:/, $str);
for ($i = 0; $i <= $#s; $i++) {
$j = 0;
$val = 1;
# ! means this cipher is disabled forever
if ($s[$i] =~ /^!/) {
$val = -1;
($s[$i] =~ s/^!//);
} elsif ($s[$i] =~ /^-/) {
$val = 0;
($s[$i] =~ s/^-//);
} elsif ($s[$i] =~ /^+/) {
($s[$i] =~ s/^+//);
}
for $cipher (sort keys %cipher_list) {
$match = 0;
# For embedded + we do an AND for all options
if ($s[$i] =~ m/(\w+\+)+/) {
@sub = split(/^\+/, $s[$i]);
$match = 1;
for ($k = 0; $k <=$#sub; $k++) {
if ($cipher_list{$cipher} !=~ m/:$sub[$k]:/) {
$match = 0;
}
}
} else { # straightforward match
if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
$match = 1;
}
}
if ($match && $selected[$j] != -1) {
$selected[$j] = $val;
}
$j++;
}
}
# NSS doesn't honor the order of a cipher list, it uses the "strongest"
# cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and
# the NSS ciphers not available in OpenSSL.
$str = "SSLv2:SSLv3";
@s = split(/:/, $str);
$ciphersuite = "";
for ($i = 0; $i <= $#s; $i++) {
$j = 0;
for $cipher (sort keys %cipher_list) {
if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
if ($selected[$j]) {
$ciphersuite .= "+";
} else {
$ciphersuite .= "-";
}
$ciphersuite .= $cipher . ",";
}
$j++;
}
}
$ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha";
return $ciphersuite;
}
# Given the filename of a PEM file, use openssl to fetch the certificate
# subject
sub get_cert_subject {
my $file = shift;
my $subject = "";
return "" if ! -T $file;
$subject = `openssl x509 -subject < $file | head -1`;
$subject =~ s/subject= \///; # Remove leading subject= \
$subject =~ s/\//,/g; # Replace / with , as separator
$subject =~ s/Email=.*(,){0,1}//; # Remove Email attribute
$subject =~ s/,$//; # Remove any trailing commas
chomp($subject);
return $subject;
}
#
# Wrapper around the system() command
sub run_command {
my @args = shift;
my $status = 0;
$status = 0xffff & system(@args);
return if ($status == 0);
print STDERR "Command '@args' failed: $!\n";
exit;
}