- Since the update to NSS 3.35, the default NSS certificate
database format changed from Berkley DB to SQLite
- use %license tag
- Update to 1.0.15
* Try to auto-detect the NSS database format if not specified
* Update nss_pcache.8 man page to drop directory and prefix
* When a token is configured in password file only authenticate once
* Return an error when NSSPassPhraseDialog is invalid
* Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
* Add -Werror=implicit-function-declaration to CFLAGS
* Handle group membership when testing for file permissions
* NSS system-wide policy now disables SSLv3, don't use it in tests
* Add missing error messages for libssl errors
* Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
* When including additional test config use specific extension
* Fix the TLS Session ID cache
* Make an invalid protocol setting fatal
* Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
* Add info log message when FIPS is enabled
* Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
* Fix removal of CR from PEM certificates
* Add OCSP caching and timeout tuning knobs
* Check the NSS database directory permissions as well as the files
inside it for read access on startup.
* Add in simple aliases for ciphers to fix those that
don't follow the pattern (dhe_rsa_aes_128_sha256,
dhe_rsa_aes_256_sha256) and those with typos
(camelia_128_sha, camelia_256_sha)
* Fix semaphore leak
OBS-URL: https://build.opensuse.org/request/show/584463
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=40
- don't disable SSLV2, because it doesn't work with NSS 3.24
(boo#993642)
* add mod_nss-dont_disable_SSLV2.patch
- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in
(bsc#998176)
- change ownership of the gencert generated NSS database so apache
can read it (bsc#998180)
* add mod_nss-gencert-correct-ownership.patch
- use correct configuration path in mod_nss.conf.in (bsc#996282)
- remove %post migration code from the old alias directory
- generate dummy certificates if there aren't any in mod_nss.d
OBS-URL: https://build.opensuse.org/request/show/427944
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=28
- update to 1.0.14 (fixes boo#973996)
* OpenSSL ciphers stopped parsing at +, CVE-2016-3099
* Created valgrind suppression files to ease debugging
* Implement SSL_PPTYPE_FILTER to call executables to get
the key password pins. Can be used to prompt with systemd.
* Improvements to migrate.pl
- drop mod_nss_migrate.pl and use upstream migrate script instead
* add mod_nss-migrate.patch
OBS-URL: https://build.opensuse.org/request/show/390295
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=24
- use a whitelist approach for keeping directives in the migration
script (bsc#961907)
* modify mod_nss_migrate.pl
- fix test: add NSSPassPhraseDialog, point it to plain file
- update to 1.0.13
Update default ciphers to something more modern and secure
Check for host and netstat commands in gencert before trying to use them
Add server support for DHE ciphers
Extract SAN from server/client certificates into env
Fix memory leaks and other coding issues caught by clang analyzer
Add support for Server Name Indication (SNI) (#1010751)
Add support for SNI for reverse proxy connections
Add RenegBufferSize? option
Add support for TLS Session Tickets (RFC 5077)
Fix logical AND support in OpenSSL cipher compatibility
Correctly handle disabled ciphers (CVE-2015-5244)
Implement a slew more OpenSSL cipher macros
Fix a number of illegal memory accesses and memory leaks
Support for SHA384 ciphers if they are available in NSS
Add compatibility for mod_ssl-style cipher definitions (#862938)
Add TLSv1.2-specific ciphers
Completely remove support for SSLv2
Add support for sqlite NSS databases (#1057650)
Compare subject CN and VS hostname during server start up
Add support for enabling TLS v1.2
Don't enable SSL 3 by default (CVE-2014-3566)
Fix CVE-2013-4566
Move nss_pcache to /usr/libexec
OBS-URL: https://build.opensuse.org/request/show/375069
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22
- unified ciphers with SLE-12
* modified patches:
mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
update-ciphers.patch
- send TLS server name extension on proxy connections (bsc#933832)
* added mod_nss-reverse_proxy_send_SNI.patch
- updates to the SNI code (from Stanislav Tokos):
update update-ciphers.patch
(bsc#928039)
merge changes from the mod_nss-SNI_support.patch to:
0001-SNI-check-with-NameVirtualHosts.patch
(bnc#927402)
abstract hash for NSSNickname and ServerName, add ServerAliases and Wild
Cards for vhost
(bsc#927402, bsc#928039, bsc#930922)
replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts)
(bsc#930186)
add alert about permission on the certificate database
(bsc#933265)
OBS-URL: https://build.opensuse.org/request/show/335921
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=14
- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
that adding small fixes for support of TLS v1.2
- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
that compare CN and VS hostname (use NSS library). Removed
following patches:
* mod_nss-SNI-checks.patch
* mod_nss-SNI-callback.patch
- mod_nss-cipherlist_update_for_tls12-doc.diff,
mod_nss-cipherlist_update_for_tls12.diff,
mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.
OBS-URL: https://build.opensuse.org/request/show/261220
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=3
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1
- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
OBS-URL: https://build.opensuse.org/request/show/242385
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
If 'NSSVerifyClient none' is set in the server / vhost context
(i.e. when server is configured to not request or require client
certificate authentication on the initial connection), and client
certificate authentication is expected to be required for a
specific directory via 'NSSVerifyClient require' setting,
mod_nss fails to properly require certificate authentication.
Remote attacker can use this to access content of the restricted
directories. [bnc#853039]
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
* simultaneaous usage of mod_ssl and mod_nss
* SNI concurrency
* SUSE framework for apache configuration, Listen directive
* module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
or mod_nss.conf, respectively. This also leads to the removal of
OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
- Add support for TLS v1.1 and TLS v1.2
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
- merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
from redhat to allow tls v1.1 too.
- ported the tls v1.1 patch to be tls v1.2 aware
- added mod_nss-proxyvariables.patch (from RHEL6 package)
- added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
OBS-URL: https://build.opensuse.org/request/show/185495
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=4
