------------------------------------------------------------------- Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com - bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch that adding small fixes for support of TLS v1.2 ------------------------------------------------------------------- Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com - bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch that compare CN and VS hostname (use NSS library). Removed following patches: * mod_nss-SNI-checks.patch * mod_nss-SNI-callback.patch ------------------------------------------------------------------- Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com - mod_nss-cipherlist_update_for_tls12-doc.diff, mod_nss-cipherlist_update_for_tls12.diff, mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256. ------------------------------------------------------------------- Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] ------------------------------------------------------------------- Fri Jun 27 16:13:01 CEST 2014 - draht@suse.de - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. ------------------------------------------------------------------- Tue Feb 18 16:31:45 CET 2014 - draht@suse.de - mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] ------------------------------------------------------------------- Fri Nov 29 16:30:07 CET 2013 - draht@suse.de - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039] ------------------------------------------------------------------- Fri Nov 8 20:46:07 CET 2013 - draht@suse.de - glue documentation added to /etc/apache2/conf.d/mod_nss.conf: * simultaneaous usage of mod_ssl and mod_nss * SNI concurrency * SUSE framework for apache configuration, Listen directive * module initialization - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of nss.conf.in specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch . - mod_nss_migrate.pl conversion script added; not patched from source, but partially rewritten. - README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES. - package ready for submission [bnc#847216] ------------------------------------------------------------------- Tue Nov 5 15:45:08 CET 2013 - draht@suse.de - generic cleanup of the package: - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support came with this version - this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216] - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid ambiguously interpreted name of directory. - merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if /etc/apache2/alias exists. - set explicit filemodes 640 for %post generated *.db files in /etc/apache2/mod_nss.d ------------------------------------------------------------------- Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com - mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. - mod_nss-clientauth.patch: merged from RHEL6 pkg - mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg - mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg - mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg - make it build on both Apache2 2.4 and 2.2 systems ------------------------------------------------------------------- Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com - Add support for TLS v1.1 and TLS v1.2 (TLS v1.2 requires mozilla nss 3.15.1 or newer.) - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch from redhat to allow tls v1.1 too. - ported the tls v1.1 patch to be tls v1.2 aware - added mod_nss-proxyvariables.patch (from RHEL6 package) - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2) - mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun ------------------------------------------------------------------- Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de - Changed source to original tar.gz ------------------------------------------------------------------- Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de - Added mod_nns-httpd24.patch to support build with apache 2.4 ------------------------------------------------------------------- Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de - Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE dir layout [bnc#799483] - Cleaned up license tag ------------------------------------------------------------------- Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org - import some patches from Fedora - removed autoreconf call ------------------------------------------------------------------- Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org - Fix mod_nss-conf.patch to work on SUSE - Rename package from mod_nss to apache2-mod_nss