- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
that adding small fixes for support of TLS v1.2
- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
that compare CN and VS hostname (use NSS library). Removed
following patches:
* mod_nss-SNI-checks.patch
* mod_nss-SNI-callback.patch
- mod_nss-cipherlist_update_for_tls12-doc.diff,
mod_nss-cipherlist_update_for_tls12.diff,
mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.
OBS-URL: https://build.opensuse.org/request/show/261220
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=3
- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
OBS-URL: https://build.opensuse.org/request/show/242385
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
If 'NSSVerifyClient none' is set in the server / vhost context
(i.e. when server is configured to not request or require client
certificate authentication on the initial connection), and client
certificate authentication is expected to be required for a
specific directory via 'NSSVerifyClient require' setting,
mod_nss fails to properly require certificate authentication.
Remote attacker can use this to access content of the restricted
directories. [bnc#853039]
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
* simultaneaous usage of mod_ssl and mod_nss
* SNI concurrency
* SUSE framework for apache configuration, Listen directive
* module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
or mod_nss.conf, respectively. This also leads to the removal of (forwarded request 222758 from wrosenauer)
OBS-URL: https://build.opensuse.org/request/show/223307
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=5
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
If 'NSSVerifyClient none' is set in the server / vhost context
(i.e. when server is configured to not request or require client
certificate authentication on the initial connection), and client
certificate authentication is expected to be required for a
specific directory via 'NSSVerifyClient require' setting,
mod_nss fails to properly require certificate authentication.
Remote attacker can use this to access content of the restricted
directories. [bnc#853039]
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
* simultaneaous usage of mod_ssl and mod_nss
* SNI concurrency
* SUSE framework for apache configuration, Listen directive
* module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
or mod_nss.conf, respectively. This also leads to the removal of
OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems (forwarded request 186032 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/186068
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=3
- Add support for TLS v1.1 and TLS v1.2
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
- merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
from redhat to allow tls v1.1 too.
- ported the tls v1.1 patch to be tls v1.2 aware
- added mod_nss-proxyvariables.patch (from RHEL6 package)
- added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun (forwarded request 185495 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/185517
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=2
- Add support for TLS v1.1 and TLS v1.2
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
- merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
from redhat to allow tls v1.1 too.
- ported the tls v1.1 patch to be tls v1.2 aware
- added mod_nss-proxyvariables.patch (from RHEL6 package)
- added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
OBS-URL: https://build.opensuse.org/request/show/185495
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=4
