Accepting request 259735 from mozilla:Factory
1 OBS-URL: https://build.opensuse.org/request/show/259735 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=10
commit
e42fd2cb99
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com
|
||||||
|
|
||||||
|
- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
||||||
|
that adding small fixes for support of TLS v1.2
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com
|
Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com
|
||||||
|
|
||||||
|
@ -72,6 +72,8 @@ Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
|
|||||||
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
|
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
|
||||||
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
|
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
|
||||||
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
|
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
|
||||||
|
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
|
||||||
|
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%define apxs /usr/sbin/apxs2
|
%define apxs /usr/sbin/apxs2
|
||||||
@ -112,6 +114,7 @@ security library.
|
|||||||
%patch20 -p0 -b .ciphers.doc.rpmpatch
|
%patch20 -p0 -b .ciphers.doc.rpmpatch
|
||||||
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
||||||
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
|
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
|
||||||
|
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
|
||||||
|
|
||||||
# keep this last, otherwise we get fuzzyness from above
|
# keep this last, otherwise we get fuzzyness from above
|
||||||
%if 0%{?suse_version} >= 1300
|
%if 0%{?suse_version} >= 1300
|
||||||
|
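--- a/mod_nss-add_support_for_enabling_TLS_v1.2.patch
+++ b/mod_nss-add_support_for_enabling_TLS_v1.2.patch
@@ -0,0 +1,61 @@
+From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 16 Oct 2014 14:05:05 -0400
+Subject: [PATCH] Add support for enabling TLS v1.2
+
+If support is available in NSS then it is just a matter of including
+TLS 1.2 in the protocol range.
+---
+docs/mod_nss.html | 97 ++++++++++++++++++++++++++++---------------------------
+mod_nss.c | 4 +--
+nss.conf.in | 2 +-
+nss_engine_init.c | 51 +++++++++++++++++------------
+nss_engine_vars.c | 3 ++
+5 files changed, 86 insertions(+), 71 deletions(-)
+
+Index: mod_nss-1.0.8/nss.conf.in
+===================================================================
+--- mod_nss-1.0.8.orig/nss.conf.in
++++ mod_nss-1.0.8/nss.conf.in
+@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+
+-NSSProtocol SSLv3,TLSv1
++NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
+
+# SSL Certificate Nickname:
+# The nickname of the RSA server certificate you are going to use.
+Index: mod_nss-1.0.8/nss_engine_vars.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_vars.c
++++ mod_nss-1.0.8/nss_engine_vars.c
+@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
+case SSL_LIBRARY_VERSION_TLS_1_1:
+result = "TLSv1.1";
+break;
++ case SSL_LIBRARY_VERSION_TLS_1_2:
++ result = "TLSv1.2";
++ break;
+}
+}
+}
+Index: mod_nss-1.0.8/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_init.c
++++ mod_nss-1.0.8/nss_engine_init.c
+@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
+* cannot be excluded from this range. NSS will automatically negotiate
+* to utilize the strongest acceptable protocol for a connection starting
+* with the maximum specified protocol and downgrading as necessary to the
+- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
++ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+*/
+if (stat == SECSuccess) {
+/* Set minimum protocol version (lowest -> highest)
+*
+- * SSL 3.0 -> TLS 1.0 -> TLS 1.1
++ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
+*/
+if (ssl3 == 1) {
+enabledVersions.min = SSL_LIBRARY_VERSION_3_0;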
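Review bot: The committed patch keeps upstream's diffstat (5 files, 86 insertions, 71 deletions) but its body carries only three hunks, and the closing nss_engine_init.c hunk changes nothing but comments in nss_init_ctx_protocol, so nothing visible here makes the NSSProtocol parser accept `TLSv1.2` or raise `enabledVersions.max`. The new default `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2` in nss.conf.in therefore depends on code from elsewhere in the package, presumably an earlier patch; if that code does not recognise these tokens, the server may come up with a narrower protocol range than the configuration states. I would drop the stale diffstat and add a header line such as `Trimmed for openSUSE: NSSProtocol parsing for TLSv1.2 is provided by PATCH_NAME_PLACEHOLDER; this patch only changes the config default, the protocol-version lookup and comments`. The body of nss_init_ctx_protocol continues outside the hunk, so how the `ssl3` flag and the maximum version are handled after `enabledVersions.min = SSL_LIBRARY_VERSION_3_0;` cannot be checked from this page.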