pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4bd89ca6fa
apache2-mod_nss/mod_nss-cipherlist_update_for_tls12.diff
Kristyna Streitova 23f3b41e70 Accepting request 261220 from mozilla:Factory 
- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
  that adding small fixes for support of TLS v1.2 

- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
  that compare CN and VS hostname (use NSS library). Removed
  following patches:
  * mod_nss-SNI-checks.patch
  * mod_nss-SNI-callback.patch 

- mod_nss-cipherlist_update_for_tls12-doc.diff,
  mod_nss-cipherlist_update_for_tls12.diff,
  mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.

OBS-URL: https://build.opensuse.org/request/show/261220
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=3
2014-11-12 10:27:24 +00:00

248 lines
11 KiB
Diff
Raw Blame History

diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100
+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100
@@ -318,103 +318,103 @@
/*
* Define the mod_ssl per-directory configuration structure
* (i.e. the local configuration for all <Directory>
* and .htaccess contexts)
*/
typedef struct {
BOOL bSSLRequired;
apr_array_header_t *aRequirement;
int nOptions;
int nOptionsAdd;
int nOptionsDel;
const char *szCipherSuite;
nss_verify_t nVerifyClient;
const char *szUserName;
} SSLDirConfigRec;
/*
* Cipher definitions
*/
typedef struct
{
const char *name;
int num;
int fortezza_only;
PRInt32 version; /* protocol version valid for this cipher */
} cipher_properties;
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
* is the last version without this define. This is used for more than just
* the below defines. It also determines which API is used.
*/
#ifndef AP_SERVER_MAJORVERSION_NUMBER
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 0
#define AP_SERVER_PATCHLEVEL_NUMBER 55
#endif
#if AP_SERVER_MINORVERSION_NUMBER < 2
typedef struct regex_t ap_regex_t;
#define AP_REG_EXTENDED REG_EXTENDED
#define AP_REG_NOSUB REG_NOSUB
#define AP_REG_ICASE REG_ICASE
#endif
enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in nss_engine_init.c */
#ifdef NSS_ENABLE_ECC
-#define ciphernum 48
+#define ciphernum 59
#else
-#define ciphernum 23
+#define ciphernum 28
#endif
/*
* function prototypes
*/
/* API glue structures */
extern module AP_MODULE_DECLARE_DATA nss_module;
/* configuration handling */
SSLModConfigRec *nss_config_global_create(server_rec *);
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#ifdef SSL_ENABLE_RENEGOTIATION
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
@@ -15,122 +15,134 @@
#include "mod_nss.h"
#include "apr_thread_proc.h"
#include "ap_mpm.h"
#include "secmod.h"
#include "sslerr.h"
#include "pk11func.h"
#include "ocsp.h"
#include "keyhi.h"
#include "cert.h"
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
* Global variables defined in this file.
*/
char* INTERNAL_TOKEN_NAME = "internal ";
cipher_properties ciphers_def[ciphernum] =
{
/* SSL2 cipher suites */
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
/* SSL3/TLS cipher suites */
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
/* AES ciphers.*/
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
+
#ifdef NSS_ENABLE_ECC
/* ECC ciphers.*/
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
#endif
};
static char *version_components[] = {
"SSL_VERSION_PRODUCT",
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
NULL
};
static char *nss_add_version_component(apr_pool_t *p,
server_rec *s,
char *name)
{
char *val = nss_var_lookup(p, s, NULL, NULL, name);
if (val && *val) {
ap_add_version_component(p, val);
}
return val;
}
static void nss_add_version_components(apr_pool_t *p,
server_rec *s)
{
char *vals[sizeof(version_components)/sizeof(char *)];
int i;
for (i=0; version_components[i]; i++) {
vals[i] = nss_add_version_component(p, s,
version_components[i]);
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Server: %s, Interface: %s, Library: %s",
AP_SERVER_BASEVERSION,
vals[1], /* SSL_VERSION_INTERFACE */
vals[2]); /* SSL_VERSION_LIBRARY */
}
/*
* Initialize SSL library
*
Reference in New Issue View Git Blame Copy Permalink