apache2-mod_nss/mod_nss-cipherlist_update_for_tls12-doc.diff
Wolfgang Rosenauer 1d3e419a19 Accepting request 222758 from home:draht:branches:mozilla:Factory
- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are: 
  rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
  rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
  If 'NSSVerifyClient none' is set in the server / vhost context
  (i.e. when server is configured to not request or require client
  certificate authentication on the initial connection), and client
  certificate authentication is expected to be required for a 
  specific directory via 'NSSVerifyClient require' setting, 
  mod_nss fails to properly require certificate authentication.
  Remote attacker can use this to access content of the restricted
  directories. [bnc#853039]

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  * simultaneaous usage of mod_ssl and mod_nss
  * SNI concurrency
  * SUSE framework for apache configuration, Listen directive
  * module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
  or mod_nss.conf, respectively. This also leads to the removal of

OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
2014-02-20 21:12:44 +00:00

247 lines
8.5 KiB
Diff

diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
@@ -632,100 +632,121 @@
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_null<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_3des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_des_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_128_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_256_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
</td>
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td style="vertical-align: top;">rsa_camellia_256_sha<br>
+ </td>
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
+ </td>
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
</tbody>
</table>
<br>
Additionally there are a number of ECC ciphers:<br>
<br>
<table style="width: 70%;" border="1" cellpadding="2" cellspacing="2">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">Cipher Name<br>
</td>
<td style="vertical-align: top; font-weight: bold;">NSS Cipher
Definition<br>
</td>
<td style="vertical-align: top; font-weight: bold;">Protocol<br>
</td>
</tr>
<tr>
<td>ecdh_ecdsa_null_sha</td>
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_rc4_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_3des_sha</td>
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_256_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_null_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_ecdsa_rc4_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
@@ -773,100 +794,120 @@
<tr>
<td>echde_rsa_null</td>
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_rc4_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_3des_sha</td>
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_256_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_null_sha</td>
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_rc4_128sha</td>
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_3des_sha</td>
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_128_sha</td>
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
<tr>
<td>ecdh_anon_aes_256_sha</td>
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
</tr>
+ <tr>
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdhe_ecdsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdh_rsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
+ <tr>
+ <td>ecdhe_rsa_aes_128_gcm_sha</td>
+ <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
+ </tr>
</tbody>
</table>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
<code>NSSCipherSuite
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br>
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br>
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br>
<br>
<big><big>NSSProtocol<br>
</big></big><br>
A comma-separated string that lists the basic protocols that the server
can use (and clients may connect with). It doesn't enable a cipher
specifically but allows ciphers for that protocol to be used at all.<br>
<br>
Options are:<br>
<ul>
<li><code>SSLv3</code></li>
<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
<li><code>TLSv1.0</code></li>
<li><code>TLSv1.1</code></li>
<li><code>TLSv1.2</code></li>
<li><code>All</code></li>
</ul>
Note that this differs from mod_ssl in that you can't add or subtract
protocols.<br>
<br>
If no NSSProtocol is specified, mod_nss will default to allowing the use of
the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
allowed.
<br>
If values for NSSProtocol are specified, mod_nss will set both the minimum
and the maximum allowed protocols based upon these entries allowing for the
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
protocol ranges to accept all protocols inclusively
(TLS 1.2 -&gt;TLS 1.1 -&gt; TLS 1.0 -&gt; SSL 3.0), and does not allow exclusion of any protocols
in the middle of a range (e. g. - TLS 1.0).<br>
<br>
Finally, NSS will always automatically negotiate the use of the strongest
possible protocol that has been specified which is acceptable to both sides of
a given connection.<br>
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
<br>