Petr Gajdos
a7a532682b
- unified ciphers with SLE-12 * modified patches: mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff update-ciphers.patch - send TLS server name extension on proxy connections (bsc#933832) * added mod_nss-reverse_proxy_send_SNI.patch - updates to the SNI code (from Stanislav Tokos): update update-ciphers.patch (bsc#928039) merge changes from the mod_nss-SNI_support.patch to: 0001-SNI-check-with-NameVirtualHosts.patch (bnc#927402) abstract hash for NSSNickname and ServerName, add ServerAliases and Wild Cards for vhost (bsc#927402, bsc#928039, bsc#930922) replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts) (bsc#930186) add alert about permission on the certificate database (bsc#933265) OBS-URL: https://build.opensuse.org/request/show/335921 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=14
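--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc
 */
 char* INTERNAL_TOKEN_NAME = "internal ";
 
+/* When adding or removing ciphers from this table,
+ remember to adjust the ciphernum constant in mod_nss.h
+*/
 cipher_properties ciphers_def[ciphernum] =
 {
- /* SSL2 cipher suites */
- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
 /* SSL3/TLS cipher suites */
 {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
 {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum]
 {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
 {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
 {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
 /* TLS 1.0: Exportable 56-bit Cipher Suites. */
 {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
 {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},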
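Review bot: After this clean-up the table still carries NULL-encryption, single-DES and 56-bit export suites, and nothing in the source marks them as unsafe to enable; `rsa_null_sha`, `fips_des_sha`, `rsa_des_56_sha` and `rsa_rc4_56_sha` are visible as context in the second hunk. I would add a comment above those rows, for example `/* Weak suites (NULL, single DES, 56-bit export): must stay disabled in shipped defaults */`, or drop them in the same pass if no supported configuration needs the names. The meaning of the third column is not visible here, so confirm it is not a default-on flag for any of these rows. The table starts in the first hunk and continues past the end of the second.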
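--- a/mod_nss.h
+++ b/mod_nss.h
@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4}
 
 /* the table itself is defined in nss_engine_init.c */
 #ifdef NSS_ENABLE_ECC
-#define ciphernum 59
+#define ciphernum 50
 #else
-#define ciphernum 28
+#define ciphernum 19
 #endif
 
 /*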
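Review bot: Both `ciphernum` values are hand-maintained counts, and nothing fails the build when they drift below the number of rows in the table in nss_engine_init.c. Because the table is declared as `ciphers_def[ciphernum]`, an initializer list shorter than the constant compiles cleanly and leaves zero-filled trailing entries with a NULL name pointer; any code that walks all `ciphernum` entries would then read those (the consumers are not visible here, so confirm). The arithmetic in this change is consistent: nine rows were removed, and the constants go from 59 to 50 and from 28 to 19. I would still add a start-up check that every entry's name is non-NULL and abort module initialisation otherwise, and extend the comment here to `/* the table itself is defined in nss_engine_init.c; ciphernum must equal its row count */`.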
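--- a/nss.conf.in
+++ b/nss.conf.in
@@ -90,13 +90,13 @@ NSSEngine on
 # See the mod_nss documentation for a complete list.
 
 # SSL 3 ciphers. SSL 2 is disabled by default.
-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
 
 # SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
 #
 # Comment out the NSSCipherSuite line above and use the one below if you have
 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
 
 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 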
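Review bot: The shipped default on the active `NSSCipherSuite` line still enables `+rsa_rc4_128_md5` and `+rsa_rc4_128_sha` and lists them first. RFC 7465 prohibits RC4 cipher suites in TLS, so a cipher clean-up is the natural place to flip both to `-rsa_rc4_128_md5,-rsa_rc4_128_sha`. The commented ECC line repeats those two entries and also enables `+ecdh_ecdsa_rc4_128_sha`, `+ecdhe_ecdsa_rc4_128_sha` and `+ecdhe_rsa_rc4_128_sha`, so it needs the same change for anyone who uncomments it. The two comments saying "SSL 2 is disabled by default" also read as stale, since this commit removes the SSL2 suites from the table entirely.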