pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and

Browse Source 
open("/dev/tty", ...) to make sure that stdin can be read from.
  startproc may inherit wrongly opened file descriptors to httpd.
  (Note: An analogous fix exists in startproc(8), too.)
  [bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
  externalized to /etc/apache2/conf.d/vhost-nss.template and not
  activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
  change. [bnc#878681]

- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
  server side SNI was not implemented when mod_nss was made;
  patches implement SNI with checks if SNI provided hostname
  equals Host: field in http request header.

- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are: 
  rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
  rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1
This commit is contained in:
Roman Drahtmueller 2014-07-25 13:17:08 +00:00 committed by Git OBS Bridge
parent e42fd2cb99
commit ac78b1824b
9 changed files with 407 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
apache2-mod_nss.changes
View File

@ -1,25 +1,3 @@
-------------------------------------------------------------------
Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com
- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
that adding small fixes for support of TLS v1.2
-------------------------------------------------------------------
Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com
- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
that compare CN and VS hostname (use NSS library). Removed
following patches:
* mod_nss-SNI-checks.patch
* mod_nss-SNI-callback.patch
-------------------------------------------------------------------
Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com
- mod_nss-cipherlist_update_for_tls12-doc.diff,
mod_nss-cipherlist_update_for_tls12.diff,
mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.
-------------------------------------------------------------------
Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de

11
apache2-mod_nss.spec
View File

@ -69,12 +69,9 @@ Patch17: mod_nss-overlapping_memcpy.patch
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19: mod_nss-cipherlist_update_for_tls12.diff
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
Patch21: mod_nss-SNI-callback.patch
Patch22: mod_nss-SNI-checks.patch
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
%define apache apache2
@ -112,9 +109,9 @@ security library.
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
# keep this last, otherwise we get fuzzyness from above
%if 0%{?suse_version} >= 1300

241
mod_nss-SNI-callback.patch Normal file
View File

@ -0,0 +1,241 @@
diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-06-23 12:23:17.000000000 +0200
+++ ./mod_nss.h 2014-06-25 15:43:14.000000000 +0200
@@ -459,31 +459,37 @@
APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
/* I/O */
PRFileDesc * nss_io_new_fd();
int nss_io_layer_init();
void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl);
void nss_io_filter_register(apr_pool_t *p);
/* Utility Functions */
char *nss_util_vhostid(apr_pool_t *, server_rec *);
apr_file_t *nss_util_ppopen(server_rec *, apr_pool_t *, const char *,
const char * const *);
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
int nss_io_buffer_fill(request_rec *r);
int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix);
/* Pass Phrase Handling */
SECStatus nss_Init_Tokens(server_rec *s);
/* Logging */
void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
void nss_die(void);
/* NSS callback */
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+
+
+#define SNIMAXNAMELEN 100
+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *, const SECItem *, PRUint32, void *);
+
+
#endif /* __MOD_NSS_H__ */
diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-06-23 12:23:17.000000000 +0200
+++ ./nss_engine_init.c 2014-06-25 18:33:19.000000000 +0200
@@ -5,60 +5,62 @@
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mod_nss.h"
#include "apr_thread_proc.h"
#include "ap_mpm.h"
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
#include "ocsp.h"
#include "keyhi.h"
#include "cert.h"
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
* Global variables defined in this file.
*/
+void * sni_callback_arg;
+
char* INTERNAL_TOKEN_NAME = "internal ";
cipher_properties ciphers_def[ciphernum] =
{
/* SSL2 cipher suites */
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
/* SSL3/TLS cipher suites */
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
@@ -850,60 +852,78 @@
static void nss_init_ctx_callbacks(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
if (SSL_AuthCertificateHook(mctx->model, nss_AuthCertificate, (void *)CERT_GetDefaultCertDB()) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"SSL_AuthCertificateHook failed.");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
if (SSL_BadCertHook(mctx->model, (SSLBadCertHandler) ownBadCertHandler, NULL) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"SSL_BadCertHook failed");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
if (SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback) ownHandshakeCallback, NULL) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"SSL_HandshakeCallback failed");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
if (SSL_GetClientAuthDataHook(mctx->model, NSS_GetClientAuthData, (void *)mctx->nickname) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"SSL_GetClientAuthDataHook failed");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
+
+ sni_callback_arg = apr_pcalloc(p, SNIMAXNAMELEN + 1);
+ if(sni_callback_arg) {
+ if(SSL_SNISocketConfigHook(mctx->model, mod_nss_SSLSNISocketConfig,
+ sni_callback_arg)) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "SSL_SNISocketConfigHook failed");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "apr_palloc returned NULL for sni_callback_arg");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+
+
}
static void nss_init_ctx_verify(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE);
SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
} else if (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) {
SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE);
SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
} else {
SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_FALSE);
SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
}
}
static int countciphers(PRBool cipher_state[ciphernum], int version) {
int ciphercount = 0;
int i;
for (i = 0; i < ciphernum; i++)
{
if ((cipher_state[i] == PR_TRUE) &&
(ciphers_def[i].version & version)) {
ciphercount++;
}
}
@@ -1702,30 +1722,54 @@
return -1;
}
if ((ciphers = strchr(cipher, ','))) {
*ciphers++ = '\0';
}
found = PR_FALSE;
for (i = 0; i < ciphernum; i++)
{
if (!strcasecmp(cipher, ciphers_def[i].name)) {
cipher_list[i] = active;
found = PR_TRUE;
break;
}
}
if (found == PR_FALSE) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unknown cipher %s", cipher);
}
if (ciphers) {
cipher = ciphers;
}
}
return 0;
}
+
+
+
+
+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
+ PRUint32 sniNameArrSize, void *arg)
+{
+ /*
+ arg is apr pool memory from apr_palloc(), SNIMAXNAMELEN+1 bytes long.
+ initialized zero.
+ */
+
+ char * retptr = NULL;
+ const SECItem *mysni = sniNameArr;
+
+ if(mysni) {
+ retptr = apr_cpystrn(arg, mysni[0].data,
+ ( mysni[0].len + 1 < SNIMAXNAMELEN ) ? mysni[0].len + 1 : SNIMAXNAMELEN );
+ return 0;
+ } else {
+ /* no SNI provided... Well. */
+ return SSL_SNI_CURRENT_CONFIG_IS_USED;
+ }
+}

155
mod_nss-SNI-checks.patch Normal file
View File

@ -0,0 +1,155 @@
diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c
--- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2014-06-25 19:13:26.000000000 +0200
+++ ./nss_engine_kernel.c 2014-06-27 13:57:40.000000000 +0200
@@ -1,102 +1,151 @@
/* Copyright 2001-2004 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mod_nss.h"
#include "secerr.h"
static void HandshakeDone(PRFileDesc *fd, void *doneflag);
+extern void * sni_callback_arg;
+
/*
* Post Read Request Handler
*/
int nss_hook_ReadReq(request_rec *r)
{
SSLConnRec *sslconn = myConnConfig(r->connection);
PRFileDesc *ssl = sslconn ? sslconn->ssl : NULL;
if (!sslconn) {
return DECLINED;
}
if (sslconn->non_nss_request) {
const char *errmsg;
char *thisurl;
char *thisport = "";
int port = ap_get_server_port(r);
if (!ap_is_default_port(port, r)) {
thisport = apr_psprintf(r->pool, ":%u", port);
}
thisurl = ap_escape_html(r->pool,
apr_psprintf(r->pool, "https://%s%s/",
ap_get_server_name(r),
thisport));
errmsg = apr_psprintf(r->pool,
"Reason: You're speaking plain HTTP "
"to an SSL-enabled server port.<br />\n"
"Instead use the HTTPS scheme to access "
"this URL, please.<br />\n"
"<blockquote>Hint: "
"<a href=\"%s\"><b>%s</b></a></blockquote>",
thisurl, thisurl);
apr_table_setn(r->notes, "error-notes", errmsg);
/* Now that we have caught this error, forget it. we are done
* with using SSL on this request.
*/
sslconn->non_nss_request = 0;
return HTTP_BAD_REQUEST;
}
/* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
if (!ssl) {
return DECLINED;
}
+
+ /*
+ * SNI.
+ *
+ * global pool-allocated char * sni_callback_arg contains SNI name
+ * coming from mod_nss_SSLSNISocketConfig() callback by nss as soon as
+ * SNI extension information was supplied by the client.
+ *
+ * With the SNI provided servername, this is now widely analogous
+ * to mod_ssl; the same checks apply.
+ *
+ */
+
+
+
+ char *servername;
+ servername = (char *) sni_callback_arg;
+
+ if(servername[0] != '\0') {
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+
+ if (!r->hostname) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI, but no hostname"
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ if (strcasecmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
+ return HTTP_BAD_REQUEST;
+ }
+
+
+ }
+
+
+
/*
* Log information about incoming HTTPS requests
*/
if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
"Initial (No.1)" :
apr_psprintf(r->pool, "Subsequent (No.%d)",
r->connection->keepalives+1)),
r->connection->id,
nss_util_vhostid(r->pool, r->server));
}
if (sslconn->client_cert != NULL)
CERT_DestroyCertificate(sslconn->client_cert);
sslconn->client_cert = SSL_PeerCertificate(ssl);
sslconn->client_dn = NULL;
return DECLINED;
}
/*
* Access Handler
*/
int nss_hook_Access(request_rec *r)
{
SSLDirConfigRec *dc = myDirConfig(r);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLConnRec *sslconn = myConnConfig(r->connection);

61
mod_nss-add_support_for_enabling_TLS_v1.2.patch
View File

@ -1,61 +0,0 @@
From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 16 Oct 2014 14:05:05 -0400
Subject: [PATCH] Add support for enabling TLS v1.2
If support is available in NSS then it is just a matter of including
TLS 1.2 in the protocol range.
---
docs/mod_nss.html | 97 ++++++++++++++++++++++++++++---------------------------
mod_nss.c | 4 +--
nss.conf.in | 2 +-
nss_engine_init.c | 51 +++++++++++++++++------------
nss_engine_vars.c | 3 ++
5 files changed, 86 insertions(+), 71 deletions(-)
Index: mod_nss-1.0.8/nss.conf.in
===================================================================
--- mod_nss-1.0.8.orig/nss.conf.in
+++ mod_nss-1.0.8/nss.conf.in
@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
case SSL_LIBRARY_VERSION_TLS_1_1:
result = "TLSv1.1";
break;
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ result = "TLSv1.2";
+ break;
}
}
}
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
* cannot be excluded from this range. NSS will automatically negotiate
* to utilize the strongest acceptable protocol for a connection starting
* with the maximum specified protocol and downgrading as necessary to the
- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
*/
if (stat == SECSuccess) {
/* Set minimum protocol version (lowest -> highest)
*
- * SSL 3.0 -> TLS 1.0 -> TLS 1.1
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
*/
if (ssl3 == 1) {
enabledVersions.min = SSL_LIBRARY_VERSION_3_0;

30
mod_nss-cipherlist_update_for_tls12-doc.diff
View File

@ -1,7 +1,7 @@
diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
@@ -632,100 +632,135 @@
@@ -632,100 +632,121 @@
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
@ -53,18 +53,11 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_128_sha256<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
@ -79,13 +72,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_256_sha256<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.2</td>
+ </tr>
</tbody>
</table>
@ -137,7 +123,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
<td>ecdhe_ecdsa_rc4_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
@@ -773,100 +794,130 @@
@@ -773,100 +794,120 @@
<tr>
<td>echde_rsa_null</td>
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
@ -189,16 +175,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td>ecdh_ecdsa_aes_128_sha256</td>
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</td>
+ <td>TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_rsa_aes_128_sha256</td>
+ <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</td>
+ <td>TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>

10
mod_nss-cipherlist_update_for_tls12.diff
View File

@ -53,10 +53,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
/* the table itself is defined in nss_engine_init.c */
#ifdef NSS_ENABLE_ECC
-#define ciphernum 48
+#define ciphernum 59
+#define ciphernum 55
#else
-#define ciphernum 23
+#define ciphernum 28
+#define ciphernum 26
#endif
/*
@ -110,7 +110,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
@@ -15,122 +15,134 @@
@@ -15,122 +15,130 @@
#include "mod_nss.h"
#include "apr_thread_proc.h"
@ -161,11 +161,9 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
+
#ifdef NSS_ENABLE_ECC
@ -180,7 +178,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
@ -193,7 +190,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},

42
mod_nss-compare_subject_CN_and_VS_hostname.patch
View File

@ -1,42 +0,0 @@
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
From: standa <stokos@suse.de>
Date: Wed, 22 Oct 2014 16:14:29 +0200
Subject: [PATCH] Compare subject CN and VS hostname during server start up
---
nss_engine_init.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index d74f002..2569c8d 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
*KEAtype = NSS_FindCertKEAType(*servercert);
+ /* Subject/hostname check */
+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
+ if (secstatus != SECSuccess) {
+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Misconfiguration of certificate's CN and virtual name."
+ " The certificate CN has %s. We expected %s as virtual"
+ " name.", cert_dns, s->server_hostname);
+ PORT_Free(cert_dns);
+ }
+
/*
- * Check for certs that are expired or not yet valid and WARN about it
- * no need to refuse working - the client gets a warning, but can work
- * with the server we could also verify if the certificate is made out
- * for the correct hostname but that would require a reverse DNS lookup
- * for every virtual server - too expensive?
+ * Check for certs that are expired or not yet valid and WARN about it.
+ * No need to refuse working - the client gets a warning.
*/
certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
--
1.9.3

2
mod_nss.conf.in
View File

@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off
# * no rc4, no 3des, no des
# * ephemeral is what you want (PFS).
# * EC has precedence over RSA
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+ecdhe_rsa_aes_256_sha256,+rsa_aes_256_sha256,+ecdhe_rsa_aes_256_sha256
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.