2 Commits

Author SHA256 Message Date
Cristian Rodríguez
d206ad095d Accepting request 375069 from home:vitezslav_cizek:branches:Apache:Modules
- use a whitelist approach for keeping directives in the migration
  script (bsc#961907)
  * modify mod_nss_migrate.pl

- fix test: add NSSPassPhraseDialog, point it to plain file

- update to 1.0.13
  Update default ciphers to something more modern and secure
  Check for host and netstat commands in gencert before trying to use them
  Add server support for DHE ciphers
  Extract SAN from server/client certificates into env
  Fix memory leaks and other coding issues caught by clang analyzer
  Add support for Server Name Indication (SNI) (#1010751)
  Add support for SNI for reverse proxy connections
  Add RenegBufferSize option
  Add support for TLS Session Tickets (RFC 5077)
  Fix logical AND support in OpenSSL cipher compatibility
  Correctly handle disabled ciphers (CVE-2015-5244)
  Implement a slew more OpenSSL cipher macros
  Fix a number of illegal memory accesses and memory leaks
  Support for SHA384 ciphers if they are available in NSS
  Add compatibility for mod_ssl-style cipher definitions (#862938)
  Add TLSv1.2-specific ciphers
  Completely remove support for SSLv2
  Add support for sqlite NSS databases (#1057650)
  Compare subject CN and VS hostname during server start up
  Add support for enabling TLS v1.2
  Don't enable SSL 3 by default (CVE-2014-3566)
  Fix CVE-2013-4566
  Move nss_pcache to /usr/libexec

OBS-URL: https://build.opensuse.org/request/show/375069
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22
2016-03-30 14:57:58 +00:00
Wolfgang Rosenauer
1d3e419a19 Accepting request 222758 from home:draht:branches:mozilla:Factory
- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are: 
  rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
  rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
  If 'NSSVerifyClient none' is set in the server / vhost context
  (i.e. when the server is configured to not request or require client
  certificate authentication on the initial connection), and client
  certificate authentication is expected to be required for a
  specific directory via the 'NSSVerifyClient require' setting,
  mod_nss fails to properly require certificate authentication.
  A remote attacker can use this to access content of the restricted
  directories. [bnc#853039]

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  * simultaneous usage of mod_ssl and mod_nss
  * SNI concurrency
  * SUSE framework for apache configuration, Listen directive
  * module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
  or mod_nss.conf, respectively. This also leads to the removal of

OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
2014-02-20 21:12:44 +00:00