ac78b1824b
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
- mod_nss-cipherlist_update_for_tls12-doc.diff
mod_nss-cipherlist_update_for_tls12.diff
GCM mode and Camellia ciphers added to the supported ciphers list.
The additional ciphers are:
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[bnc#863035]
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1
247 lines
8.5 KiB
Diff
247 lines
8.5 KiB
Diff
diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
|
|
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
|
|
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
|
|
@@ -632,100 +632,121 @@
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">fortezza_null<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">fips_des_sha<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">fips_3des_sha<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">rsa_des_56_sha</td>
|
|
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
|
|
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">rsa_aes_128_sha<br>
|
|
</td>
|
|
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td style="vertical-align: top;">rsa_aes_256_sha<br>
|
|
</td>
|
|
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
|
|
</td>
|
|
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
+ <tr>
|
|
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <td style="vertical-align: top;">rsa_camellia_256_sha<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
|
|
+ </td>
|
|
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
</tbody>
|
|
</table>
|
|
<br>
|
|
Additionally there are a number of ECC ciphers:<br>
|
|
<br>
|
|
<table style="width: 70%;" border="1" cellpadding="2" cellspacing="2">
|
|
<tbody>
|
|
<tr>
|
|
<td style="vertical-align: top; font-weight: bold;">Cipher Name<br>
|
|
</td>
|
|
<td style="vertical-align: top; font-weight: bold;">NSS Cipher
|
|
Definition<br>
|
|
</td>
|
|
<td style="vertical-align: top; font-weight: bold;">Protocol<br>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_ecdsa_null_sha</td>
|
|
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_ecdsa_rc4_128_sha</td>
|
|
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_ecdsa_3des_sha</td>
|
|
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_ecdsa_aes_128_sha</td>
|
|
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_ecdsa_aes_256_sha</td>
|
|
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_ecdsa_null_sha</td>
|
|
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_ecdsa_rc4_128_sha</td>
|
|
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
@@ -773,100 +794,120 @@
|
|
<tr>
|
|
<td>echde_rsa_null</td>
|
|
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_rsa_rc4_128_sha</td>
|
|
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_rsa_3des_sha</td>
|
|
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_rsa_aes_128_sha</td>
|
|
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdhe_rsa_aes_256_sha</td>
|
|
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_anon_null_sha</td>
|
|
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_anon_rc4_128sha</td>
|
|
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_anon_3des_sha</td>
|
|
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_anon_aes_128_sha</td>
|
|
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ecdh_anon_aes_256_sha</td>
|
|
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
|
|
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
</tr>
|
|
+ <tr>
|
|
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
|
|
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <td>ecdhe_ecdsa_aes_128_gcm_sha</td>
|
|
+ <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <td>ecdh_rsa_aes_128_gcm_sha</td>
|
|
+ <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
|
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <td>ecdhe_rsa_aes_128_gcm_sha</td>
|
|
+ <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
|
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
|
+ </tr>
|
|
</tbody>
|
|
</table>
|
|
<br>
|
|
<span style="font-weight: bold;">Example</span><br>
|
|
<br>
|
|
<code>NSSCipherSuite
|
|
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br>
|
|
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br>
|
|
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br>
|
|
<br>
|
|
<big><big>NSSProtocol<br>
|
|
</big></big><br>
|
|
A comma-separated string that lists the basic protocols that the server
|
|
can use (and clients may connect with). It doesn't enable a cipher
|
|
specifically but allows ciphers for that protocol to be used at all.<br>
|
|
<br>
|
|
Options are:<br>
|
|
<ul>
|
|
<li><code>SSLv3</code></li>
|
|
<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
|
|
<li><code>TLSv1.0</code></li>
|
|
<li><code>TLSv1.1</code></li>
|
|
<li><code>TLSv1.2</code></li>
|
|
<li><code>All</code></li>
|
|
</ul>
|
|
Note that this differs from mod_ssl in that you can't add or subtract
|
|
protocols.<br>
|
|
<br>
|
|
If no NSSProtocol is specified, mod_nss will default to allowing the use of
|
|
the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
|
|
minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
|
|
allowed.
|
|
<br>
|
|
If values for NSSProtocol are specified, mod_nss will set both the minimum
|
|
and the maximum allowed protocols based upon these entries allowing for the
|
|
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
|
|
are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
|
|
protocol ranges to accept all protocols inclusively
|
|
(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
|
|
in the middle of a range (e. g. - TLS 1.0).<br>
|
|
<br>
|
|
Finally, NSS will always automatically negotiate the use of the strongest
|
|
possible protocol that has been specified which is acceptable to both sides of
|
|
a given connection.<br>
|
|
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
|
|
<br>
|
|
<span style="font-weight: bold;">Example</span><br>
|
|
<br>
|
|
<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
|
|
<br>
|