From ac78b1824b3bf3da8b1dd3e7d285956b6e62df193ce3b5b4c80e506c3010bd63 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Fri, 25 Jul 2014 13:17:08 +0000 Subject: [PATCH 1/5] - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. - mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1 --- apache2-mod_nss.changes | 22 -- apache2-mod_nss.spec | 11 +- mod_nss-SNI-callback.patch | 241 ++++++++++++++++++ mod_nss-SNI-checks.patch | 155 +++++++++++ ...ss-add_support_for_enabling_TLS_v1.2.patch | 61 ----- mod_nss-cipherlist_update_for_tls12-doc.diff | 30 +-- mod_nss-cipherlist_update_for_tls12.diff | 10 +- ...s-compare_subject_CN_and_VS_hostname.patch | 42 --- mod_nss.conf.in | 2 +- 9 files changed, 407 insertions(+), 167 deletions(-) create mode 100644 mod_nss-SNI-callback.patch create mode 100644 mod_nss-SNI-checks.patch delete mode 100644 mod_nss-add_support_for_enabling_TLS_v1.2.patch delete mode 100644 mod_nss-compare_subject_CN_and_VS_hostname.patch diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index 984edf6..d321d44 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,25 +1,3 @@ -------------------------------------------------------------------- -Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com - -- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch - that adding small fixes for support of TLS v1.2 - -------------------------------------------------------------------- -Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com - -- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch - that compare CN and VS hostname (use NSS library). Removed - following patches: - * mod_nss-SNI-checks.patch - * mod_nss-SNI-callback.patch - -------------------------------------------------------------------- -Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com - -- mod_nss-cipherlist_update_for_tls12-doc.diff, - mod_nss-cipherlist_update_for_tls12.diff, - mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256. - ------------------------------------------------------------------- Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index 579bcf9..aaa8246 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -69,12 +69,9 @@ Patch17: mod_nss-overlapping_memcpy.patch Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff Patch19: mod_nss-cipherlist_update_for_tls12.diff Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff +Patch21: mod_nss-SNI-callback.patch +Patch22: mod_nss-SNI-checks.patch Patch23: mod_nss-bnc863518-reopen_dev_tty.diff -# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name -Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch -# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 -Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch - BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 @@ -112,9 +109,9 @@ security library. %patch18 -p0 -b .CVE-2013-4566.rpmpatch %patch19 -p0 -b .ciphers.rpmpatch %patch20 -p0 -b .ciphers.doc.rpmpatch +%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch +%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch -%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch -%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 diff --git a/mod_nss-SNI-callback.patch b/mod_nss-SNI-callback.patch new file mode 100644 index 0000000..e009906 --- /dev/null +++ b/mod_nss-SNI-callback.patch @@ -0,0 +1,241 @@ +diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h +--- ../mod_nss-1.0.8-o/mod_nss.h 2014-06-23 12:23:17.000000000 +0200 ++++ ./mod_nss.h 2014-06-25 15:43:14.000000000 +0200 +@@ -459,31 +459,37 @@ + APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); + + /* I/O */ + PRFileDesc * nss_io_new_fd(); + int nss_io_layer_init(); + void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl); + void nss_io_filter_register(apr_pool_t *p); + + /* Utility Functions */ + char *nss_util_vhostid(apr_pool_t *, server_rec *); + apr_file_t *nss_util_ppopen(server_rec *, apr_pool_t *, const char *, + const char * const *); + void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); + char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, + const char * const *); + /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request + * to allow an SSL renegotiation to take place. */ + int nss_io_buffer_fill(request_rec *r); + + int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix); + + /* Pass Phrase Handling */ + SECStatus nss_Init_Tokens(server_rec *s); + + /* Logging */ + void nss_log_nss_error(const char *file, int line, int level, server_rec *s); + void nss_die(void); + + /* NSS callback */ + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); ++ ++ ++#define SNIMAXNAMELEN 100 ++PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *, const SECItem *, PRUint32, void *); ++ ++ + #endif /* __MOD_NSS_H__ */ +diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c +--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-06-23 12:23:17.000000000 +0200 ++++ ./nss_engine_init.c 2014-06-25 18:33:19.000000000 +0200 +@@ -5,60 +5,62 @@ + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + #include "mod_nss.h" + #include "apr_thread_proc.h" + #include "ap_mpm.h" + #include "secmod.h" + #include "sslerr.h" + #include "pk11func.h" + #include "ocsp.h" + #include "keyhi.h" + #include "cert.h" + + static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); + static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); + static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); + static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); + + /* + * Global variables defined in this file. + */ ++void * sni_callback_arg; ++ + char* INTERNAL_TOKEN_NAME = "internal "; + + cipher_properties ciphers_def[ciphernum] = + { + /* SSL2 cipher suites */ + {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, + {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, + {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, + {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, + {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, + {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, + /* SSL3/TLS cipher suites */ + {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, + {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, + {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS}, + {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS}, + {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS}, + {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, + {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, + {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, + {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, + {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, + {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, + /* TLS 1.0: Exportable 56-bit Cipher Suites. */ + {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, + /* AES ciphers.*/ + {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, +@@ -850,60 +852,78 @@ + + static void nss_init_ctx_callbacks(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, + modnss_ctx_t *mctx) + { + if (SSL_AuthCertificateHook(mctx->model, nss_AuthCertificate, (void *)CERT_GetDefaultCertDB()) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "SSL_AuthCertificateHook failed."); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + if (SSL_BadCertHook(mctx->model, (SSLBadCertHandler) ownBadCertHandler, NULL) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "SSL_BadCertHook failed"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + if (SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback) ownHandshakeCallback, NULL) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "SSL_HandshakeCallback failed"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + if (SSL_GetClientAuthDataHook(mctx->model, NSS_GetClientAuthData, (void *)mctx->nickname) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "SSL_GetClientAuthDataHook failed"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } ++ ++ sni_callback_arg = apr_pcalloc(p, SNIMAXNAMELEN + 1); ++ if(sni_callback_arg) { ++ if(SSL_SNISocketConfigHook(mctx->model, mod_nss_SSLSNISocketConfig, ++ sni_callback_arg)) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "SSL_SNISocketConfigHook failed"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "apr_palloc returned NULL for sni_callback_arg"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ ++ + } + + static void nss_init_ctx_verify(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, + modnss_ctx_t *mctx) + { + if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) { + SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE); + SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS); + } else if (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) { + SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE); + SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); + } else { + SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_FALSE); + SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); + } + } + + static int countciphers(PRBool cipher_state[ciphernum], int version) { + int ciphercount = 0; + int i; + + for (i = 0; i < ciphernum; i++) + { + if ((cipher_state[i] == PR_TRUE) && + (ciphers_def[i].version & version)) { + ciphercount++; + } + } +@@ -1702,30 +1722,54 @@ + return -1; + } + + if ((ciphers = strchr(cipher, ','))) { + *ciphers++ = '\0'; + } + + found = PR_FALSE; + + for (i = 0; i < ciphernum; i++) + { + if (!strcasecmp(cipher, ciphers_def[i].name)) { + cipher_list[i] = active; + found = PR_TRUE; + break; + } + } + + if (found == PR_FALSE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unknown cipher %s", cipher); + } + + if (ciphers) { + cipher = ciphers; + } + } + + return 0; + } ++ ++ ++ ++ ++PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, ++ PRUint32 sniNameArrSize, void *arg) ++{ ++ /* ++ arg is apr pool memory from apr_palloc(), SNIMAXNAMELEN+1 bytes long. ++ initialized zero. ++ */ ++ ++ char * retptr = NULL; ++ const SECItem *mysni = sniNameArr; ++ ++ if(mysni) { ++ retptr = apr_cpystrn(arg, mysni[0].data, ++ ( mysni[0].len + 1 < SNIMAXNAMELEN ) ? mysni[0].len + 1 : SNIMAXNAMELEN ); ++ return 0; ++ } else { ++ /* no SNI provided... Well. */ ++ return SSL_SNI_CURRENT_CONFIG_IS_USED; ++ } ++} diff --git a/mod_nss-SNI-checks.patch b/mod_nss-SNI-checks.patch new file mode 100644 index 0000000..d879292 --- /dev/null +++ b/mod_nss-SNI-checks.patch @@ -0,0 +1,155 @@ +diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c +--- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2014-06-25 19:13:26.000000000 +0200 ++++ ./nss_engine_kernel.c 2014-06-27 13:57:40.000000000 +0200 +@@ -1,102 +1,151 @@ + /* Copyright 2001-2004 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + #include "mod_nss.h" + #include "secerr.h" + + static void HandshakeDone(PRFileDesc *fd, void *doneflag); + ++extern void * sni_callback_arg; ++ + /* + * Post Read Request Handler + */ + int nss_hook_ReadReq(request_rec *r) + { + SSLConnRec *sslconn = myConnConfig(r->connection); + PRFileDesc *ssl = sslconn ? sslconn->ssl : NULL; + + if (!sslconn) { + return DECLINED; + } + + if (sslconn->non_nss_request) { + const char *errmsg; + char *thisurl; + char *thisport = ""; + int port = ap_get_server_port(r); + + if (!ap_is_default_port(port, r)) { + thisport = apr_psprintf(r->pool, ":%u", port); + } + + thisurl = ap_escape_html(r->pool, + apr_psprintf(r->pool, "https://%s%s/", + ap_get_server_name(r), + thisport)); + + errmsg = apr_psprintf(r->pool, + "Reason: You're speaking plain HTTP " + "to an SSL-enabled server port.
\n" + "Instead use the HTTPS scheme to access " + "this URL, please.
\n" + "
Hint: " + "%s
", + thisurl, thisurl); + + apr_table_setn(r->notes, "error-notes", errmsg); + /* Now that we have caught this error, forget it. we are done + * with using SSL on this request. + */ + sslconn->non_nss_request = 0; + + + return HTTP_BAD_REQUEST; + } + + /* Get the SSL connection structure and perform the + * delayed interlinking from SSL back to request_rec + */ + if (!ssl) { + return DECLINED; + } + ++ ++ /* ++ * SNI. ++ * ++ * global pool-allocated char * sni_callback_arg contains SNI name ++ * coming from mod_nss_SSLSNISocketConfig() callback by nss as soon as ++ * SNI extension information was supplied by the client. ++ * ++ * With the SNI provided servername, this is now widely analogous ++ * to mod_ssl; the same checks apply. ++ * ++ */ ++ ++ ++ ++ char *servername; ++ servername = (char *) sni_callback_arg; ++ ++ if(servername[0] != '\0') { ++ char *host, *scope_id; ++ apr_port_t port; ++ apr_status_t rv; ++ ++ if (!r->hostname) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, ++ "Hostname %s provided via SNI, but no hostname" ++ " provided in HTTP request", servername); ++ return HTTP_BAD_REQUEST; ++ } ++ ++ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); ++ if (rv != APR_SUCCESS || scope_id) { ++ return HTTP_BAD_REQUEST; ++ } ++ ++ if (strcasecmp(host, servername)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, ++ "Hostname %s provided via SNI and hostname %s provided" ++ " via HTTP are different", servername, host); ++ return HTTP_BAD_REQUEST; ++ } ++ ++ ++ } ++ ++ ++ + /* + * Log information about incoming HTTPS requests + */ + if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "%s HTTPS request received for child %ld (server %s)", + (r->connection->keepalives <= 0 ? + "Initial (No.1)" : + apr_psprintf(r->pool, "Subsequent (No.%d)", + r->connection->keepalives+1)), + r->connection->id, + nss_util_vhostid(r->pool, r->server)); + } + + if (sslconn->client_cert != NULL) + CERT_DestroyCertificate(sslconn->client_cert); + sslconn->client_cert = SSL_PeerCertificate(ssl); + sslconn->client_dn = NULL; + + return DECLINED; + } + + /* + * Access Handler + */ + int nss_hook_Access(request_rec *r) + { + SSLDirConfigRec *dc = myDirConfig(r); + SSLSrvConfigRec *sc = mySrvConfig(r->server); + SSLConnRec *sslconn = myConnConfig(r->connection); diff --git a/mod_nss-add_support_for_enabling_TLS_v1.2.patch b/mod_nss-add_support_for_enabling_TLS_v1.2.patch deleted file mode 100644 index 8393563..0000000 --- a/mod_nss-add_support_for_enabling_TLS_v1.2.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 16 Oct 2014 14:05:05 -0400 -Subject: [PATCH] Add support for enabling TLS v1.2 - -If support is available in NSS then it is just a matter of including -TLS 1.2 in the protocol range. ---- - docs/mod_nss.html | 97 ++++++++++++++++++++++++++++--------------------------- - mod_nss.c | 4 +-- - nss.conf.in | 2 +- - nss_engine_init.c | 51 +++++++++++++++++------------ - nss_engine_vars.c | 3 ++ - 5 files changed, 86 insertions(+), 71 deletions(-) - -Index: mod_nss-1.0.8/nss.conf.in -=================================================================== ---- mod_nss-1.0.8.orig/nss.conf.in -+++ mod_nss-1.0.8/nss.conf.in -@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 - # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography - #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha - --NSSProtocol SSLv3,TLSv1 -+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 - - # SSL Certificate Nickname: - # The nickname of the RSA server certificate you are going to use. -Index: mod_nss-1.0.8/nss_engine_vars.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_vars.c -+++ mod_nss-1.0.8/nss_engine_vars.c -@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver - case SSL_LIBRARY_VERSION_TLS_1_1: - result = "TLSv1.1"; - break; -+ case SSL_LIBRARY_VERSION_TLS_1_2: -+ result = "TLSv1.2"; -+ break; - } - } - } -Index: mod_nss-1.0.8/nss_engine_init.c -=================================================================== ---- mod_nss-1.0.8.orig/nss_engine_init.c -+++ mod_nss-1.0.8/nss_engine_init.c -@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server - * cannot be excluded from this range. NSS will automatically negotiate - * to utilize the strongest acceptable protocol for a connection starting - * with the maximum specified protocol and downgrading as necessary to the -- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). -+ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0). - */ - if (stat == SECSuccess) { - /* Set minimum protocol version (lowest -> highest) - * -- * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 - */ - if (ssl3 == 1) { - enabledVersions.min = SSL_LIBRARY_VERSION_3_0; diff --git a/mod_nss-cipherlist_update_for_tls12-doc.diff b/mod_nss-cipherlist_update_for_tls12-doc.diff index 0b132b0..eed96d7 100644 --- a/mod_nss-cipherlist_update_for_tls12-doc.diff +++ b/mod_nss-cipherlist_update_for_tls12-doc.diff @@ -1,7 +1,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html --- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100 +++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100 -@@ -632,100 +632,135 @@ +@@ -632,100 +632,121 @@ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 @@ -53,18 +53,11 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 + -+ rsa_aes_128_sha256
-+ -+ TLS_RSA_WITH_AES_128_CBC_SHA256
-+ -+ TLSv1.2 -+ -+ + rsa_aes_128_gcm_sha
+ + TLS_RSA_WITH_AES_128_GCM_SHA256
+ -+ TLSv1.2 ++ TLSv1.0/TLSv1.1/TLSv1.2 + + + rsa_camellia_128_sha
@@ -79,13 +72,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ + TLSv1.0/TLSv1.1/TLSv1.2 -+ -+ -+ rsa_aes_256_sha256
-+ -+ TLS_RSA_WITH_AES_256_CBC_SHA256
-+ -+ TLSv1.2 + @@ -137,7 +123,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html ecdhe_ecdsa_rc4_128_sha TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2 -@@ -773,100 +794,130 @@ +@@ -773,100 +794,120 @@ echde_rsa_null TLS_ECDHE_RSA_WITH_NULL_SHA @@ -189,16 +175,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html TLSv1.0/TLSv1.1/TLSv1.2 + -+ ecdh_ecdsa_aes_128_sha256 -+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -+ TLSv1.2 -+ -+ -+ ecdh_rsa_aes_128_sha256 -+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 -+ TLSv1.2 -+ -+ + ecdh_ecdsa_aes_128_gcm_sha + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + TLSv1.0/TLSv1.1/TLSv1.2 diff --git a/mod_nss-cipherlist_update_for_tls12.diff b/mod_nss-cipherlist_update_for_tls12.diff index 7bee592..fb3e1ed 100644 --- a/mod_nss-cipherlist_update_for_tls12.diff +++ b/mod_nss-cipherlist_update_for_tls12.diff @@ -53,10 +53,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h /* the table itself is defined in nss_engine_init.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 48 -+#define ciphernum 59 ++#define ciphernum 55 #else -#define ciphernum 23 -+#define ciphernum 28 ++#define ciphernum 26 #endif /* @@ -110,7 +110,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c --- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100 +++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100 -@@ -15,122 +15,134 @@ +@@ -15,122 +15,130 @@ #include "mod_nss.h" #include "apr_thread_proc.h" @@ -161,11 +161,9 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, /* AES ciphers.*/ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, -+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, + {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, -+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, + {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + #ifdef NSS_ENABLE_ECC @@ -180,7 +178,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS}, @@ -193,7 +190,6 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, -+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS}, diff --git a/mod_nss-compare_subject_CN_and_VS_hostname.patch b/mod_nss-compare_subject_CN_and_VS_hostname.patch deleted file mode 100644 index 4bfb530..0000000 --- a/mod_nss-compare_subject_CN_and_VS_hostname.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001 -From: standa -Date: Wed, 22 Oct 2014 16:14:29 +0200 -Subject: [PATCH] Compare subject CN and VS hostname during server start up - ---- - nss_engine_init.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/nss_engine_init.c b/nss_engine_init.c -index d74f002..2569c8d 100644 ---- a/nss_engine_init.c -+++ b/nss_engine_init.c -@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname, - - *KEAtype = NSS_FindCertKEAType(*servercert); - -+ /* Subject/hostname check */ -+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); -+ if (secstatus != SECSuccess) { -+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+ "Misconfiguration of certificate's CN and virtual name." -+ " The certificate CN has %s. We expected %s as virtual" -+ " name.", cert_dns, s->server_hostname); -+ PORT_Free(cert_dns); -+ } -+ - /* -- * Check for certs that are expired or not yet valid and WARN about it -- * no need to refuse working - the client gets a warning, but can work -- * with the server we could also verify if the certificate is made out -- * for the correct hostname but that would require a reverse DNS lookup -- * for every virtual server - too expensive? -+ * Check for certs that are expired or not yet valid and WARN about it. -+ * No need to refuse working - the client gets a warning. - */ - - certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); --- -1.9.3 - diff --git a/mod_nss.conf.in b/mod_nss.conf.in index ad35f30..2a980bf 100644 --- a/mod_nss.conf.in +++ b/mod_nss.conf.in @@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off # * no rc4, no 3des, no des # * ephemeral is what you want (PFS). # * EC has precedence over RSA -NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+ecdhe_rsa_aes_256_sha256,+rsa_aes_256_sha256,+ecdhe_rsa_aes_256_sha256 +NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha # SSL Protocol: # Cryptographic protocols that provide communication security. From 9a60ccd314e8bdabeee3fc4cb784c13f0e3959aed39568a5e7ee36ea0e79344f Mon Sep 17 00:00:00 2001 From: Kristyna Streitova Date: Tue, 4 Nov 2014 10:06:28 +0000 Subject: [PATCH 2/5] OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=2 --- ...s-compare_subject_CN_and_VS_hostname.patch | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 mod_nss-compare_subject_CN_and_VS_hostname.patch diff --git a/mod_nss-compare_subject_CN_and_VS_hostname.patch b/mod_nss-compare_subject_CN_and_VS_hostname.patch new file mode 100644 index 0000000..4bfb530 --- /dev/null +++ b/mod_nss-compare_subject_CN_and_VS_hostname.patch @@ -0,0 +1,42 @@ +From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001 +From: standa +Date: Wed, 22 Oct 2014 16:14:29 +0200 +Subject: [PATCH] Compare subject CN and VS hostname during server start up + +--- + nss_engine_init.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/nss_engine_init.c b/nss_engine_init.c +index d74f002..2569c8d 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname, + + *KEAtype = NSS_FindCertKEAType(*servercert); + ++ /* Subject/hostname check */ ++ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); ++ if (secstatus != SECSuccess) { ++ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Misconfiguration of certificate's CN and virtual name." ++ " The certificate CN has %s. We expected %s as virtual" ++ " name.", cert_dns, s->server_hostname); ++ PORT_Free(cert_dns); ++ } ++ + /* +- * Check for certs that are expired or not yet valid and WARN about it +- * no need to refuse working - the client gets a warning, but can work +- * with the server we could also verify if the certificate is made out +- * for the correct hostname but that would require a reverse DNS lookup +- * for every virtual server - too expensive? ++ * Check for certs that are expired or not yet valid and WARN about it. ++ * No need to refuse working - the client gets a warning. + */ + + certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); +-- +1.9.3 + From 16cc1b34518b9fc1352be59ad683674dec3856f79ce846fff0f1b335cd2ab629 Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Thu, 6 Nov 2014 15:50:15 +0000 Subject: [PATCH 3/5] Updating link to change in openSUSE:Factory/apache2-mod_nss revision 10.0 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=3f744081ef38cb0b17351f48f11267f4 --- ...ss-add_support_for_enabling_TLS_v1.2.patch | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 mod_nss-add_support_for_enabling_TLS_v1.2.patch diff --git a/mod_nss-add_support_for_enabling_TLS_v1.2.patch b/mod_nss-add_support_for_enabling_TLS_v1.2.patch new file mode 100644 index 0000000..8393563 --- /dev/null +++ b/mod_nss-add_support_for_enabling_TLS_v1.2.patch @@ -0,0 +1,61 @@ +From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 16 Oct 2014 14:05:05 -0400 +Subject: [PATCH] Add support for enabling TLS v1.2 + +If support is available in NSS then it is just a matter of including +TLS 1.2 in the protocol range. +--- + docs/mod_nss.html | 97 ++++++++++++++++++++++++++++--------------------------- + mod_nss.c | 4 +-- + nss.conf.in | 2 +- + nss_engine_init.c | 51 +++++++++++++++++------------ + nss_engine_vars.c | 3 ++ + 5 files changed, 86 insertions(+), 71 deletions(-) + +Index: mod_nss-1.0.8/nss.conf.in +=================================================================== +--- mod_nss-1.0.8.orig/nss.conf.in ++++ mod_nss-1.0.8/nss.conf.in +@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 + # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography + #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha + +-NSSProtocol SSLv3,TLSv1 ++NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 + + # SSL Certificate Nickname: + # The nickname of the RSA server certificate you are going to use. +Index: mod_nss-1.0.8/nss_engine_vars.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_vars.c ++++ mod_nss-1.0.8/nss_engine_vars.c +@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver + case SSL_LIBRARY_VERSION_TLS_1_1: + result = "TLSv1.1"; + break; ++ case SSL_LIBRARY_VERSION_TLS_1_2: ++ result = "TLSv1.2"; ++ break; + } + } + } +Index: mod_nss-1.0.8/nss_engine_init.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_init.c ++++ mod_nss-1.0.8/nss_engine_init.c +@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server + * cannot be excluded from this range. NSS will automatically negotiate + * to utilize the strongest acceptable protocol for a connection starting + * with the maximum specified protocol and downgrading as necessary to the +- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). ++ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0). + */ + if (stat == SECSuccess) { + /* Set minimum protocol version (lowest -> highest) + * +- * SSL 3.0 -> TLS 1.0 -> TLS 1.1 ++ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 + */ + if (ssl3 == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_3_0; From 23f3b41e70a375b859223984a3046f22776400efa6bd00d9dbbd115874ea7aff Mon Sep 17 00:00:00 2001 From: Kristyna Streitova Date: Wed, 12 Nov 2014 10:27:24 +0000 Subject: [PATCH 4/5] Accepting request 261220 from mozilla:Factory - bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch that adding small fixes for support of TLS v1.2 - bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch that compare CN and VS hostname (use NSS library). Removed following patches: * mod_nss-SNI-checks.patch * mod_nss-SNI-callback.patch - mod_nss-cipherlist_update_for_tls12-doc.diff, mod_nss-cipherlist_update_for_tls12.diff, mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256. OBS-URL: https://build.opensuse.org/request/show/261220 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=3 --- apache2-mod_nss.changes | 22 ++ apache2-mod_nss.spec | 11 +- mod_nss-SNI-callback.patch | 241 ------------------- mod_nss-SNI-checks.patch | 155 ------------ mod_nss-cipherlist_update_for_tls12-doc.diff | 30 ++- mod_nss-cipherlist_update_for_tls12.diff | 10 +- mod_nss.conf.in | 2 +- 7 files changed, 64 insertions(+), 407 deletions(-) delete mode 100644 mod_nss-SNI-callback.patch delete mode 100644 mod_nss-SNI-checks.patch diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index d321d44..984edf6 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com + +- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch + that adding small fixes for support of TLS v1.2 + +------------------------------------------------------------------- +Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com + +- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch + that compare CN and VS hostname (use NSS library). Removed + following patches: + * mod_nss-SNI-checks.patch + * mod_nss-SNI-callback.patch + +------------------------------------------------------------------- +Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com + +- mod_nss-cipherlist_update_for_tls12-doc.diff, + mod_nss-cipherlist_update_for_tls12.diff, + mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256. + ------------------------------------------------------------------- Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index aaa8246..579bcf9 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -69,9 +69,12 @@ Patch17: mod_nss-overlapping_memcpy.patch Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff Patch19: mod_nss-cipherlist_update_for_tls12.diff Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff -Patch21: mod_nss-SNI-callback.patch -Patch22: mod_nss-SNI-checks.patch Patch23: mod_nss-bnc863518-reopen_dev_tty.diff +# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name +Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch +# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 +Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 @@ -109,9 +112,9 @@ security library. %patch18 -p0 -b .CVE-2013-4566.rpmpatch %patch19 -p0 -b .ciphers.rpmpatch %patch20 -p0 -b .ciphers.doc.rpmpatch -%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch -%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch +%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 diff --git a/mod_nss-SNI-callback.patch b/mod_nss-SNI-callback.patch deleted file mode 100644 index e009906..0000000 --- a/mod_nss-SNI-callback.patch +++ /dev/null @@ -1,241 +0,0 @@ -diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h ---- ../mod_nss-1.0.8-o/mod_nss.h 2014-06-23 12:23:17.000000000 +0200 -+++ ./mod_nss.h 2014-06-25 15:43:14.000000000 +0200 -@@ -459,31 +459,37 @@ - APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); - - /* I/O */ - PRFileDesc * nss_io_new_fd(); - int nss_io_layer_init(); - void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl); - void nss_io_filter_register(apr_pool_t *p); - - /* Utility Functions */ - char *nss_util_vhostid(apr_pool_t *, server_rec *); - apr_file_t *nss_util_ppopen(server_rec *, apr_pool_t *, const char *, - const char * const *); - void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); - char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, - const char * const *); - /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request - * to allow an SSL renegotiation to take place. */ - int nss_io_buffer_fill(request_rec *r); - - int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix); - - /* Pass Phrase Handling */ - SECStatus nss_Init_Tokens(server_rec *s); - - /* Logging */ - void nss_log_nss_error(const char *file, int line, int level, server_rec *s); - void nss_die(void); - - /* NSS callback */ - SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); -+ -+ -+#define SNIMAXNAMELEN 100 -+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *, const SECItem *, PRUint32, void *); -+ -+ - #endif /* __MOD_NSS_H__ */ -diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c ---- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-06-23 12:23:17.000000000 +0200 -+++ ./nss_engine_init.c 2014-06-25 18:33:19.000000000 +0200 -@@ -5,60 +5,62 @@ - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - #include "mod_nss.h" - #include "apr_thread_proc.h" - #include "ap_mpm.h" - #include "secmod.h" - #include "sslerr.h" - #include "pk11func.h" - #include "ocsp.h" - #include "keyhi.h" - #include "cert.h" - - static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); - static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); - static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); - static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); - SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); - - /* - * Global variables defined in this file. - */ -+void * sni_callback_arg; -+ - char* INTERNAL_TOKEN_NAME = "internal "; - - cipher_properties ciphers_def[ciphernum] = - { - /* SSL2 cipher suites */ - {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, - {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, - {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, - {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, - {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, - {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, - /* SSL3/TLS cipher suites */ - {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, - {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, - {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS}, - {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS}, - {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS}, - {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, - {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, - {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, - {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, - {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, - /* TLS 1.0: Exportable 56-bit Cipher Suites. */ - {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, - {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, - /* AES ciphers.*/ - {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, -@@ -850,60 +852,78 @@ - - static void nss_init_ctx_callbacks(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, - modnss_ctx_t *mctx) - { - if (SSL_AuthCertificateHook(mctx->model, nss_AuthCertificate, (void *)CERT_GetDefaultCertDB()) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "SSL_AuthCertificateHook failed."); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); - } - if (SSL_BadCertHook(mctx->model, (SSLBadCertHandler) ownBadCertHandler, NULL) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "SSL_BadCertHook failed"); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); - } - if (SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback) ownHandshakeCallback, NULL) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "SSL_HandshakeCallback failed"); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); - } - if (SSL_GetClientAuthDataHook(mctx->model, NSS_GetClientAuthData, (void *)mctx->nickname) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "SSL_GetClientAuthDataHook failed"); - nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - nss_die(); - } -+ -+ sni_callback_arg = apr_pcalloc(p, SNIMAXNAMELEN + 1); -+ if(sni_callback_arg) { -+ if(SSL_SNISocketConfigHook(mctx->model, mod_nss_SSLSNISocketConfig, -+ sni_callback_arg)) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "SSL_SNISocketConfigHook failed"); -+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); -+ nss_die(); -+ } -+ } else { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "apr_palloc returned NULL for sni_callback_arg"); -+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); -+ nss_die(); -+ } -+ -+ - } - - static void nss_init_ctx_verify(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, - modnss_ctx_t *mctx) - { - if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) { - SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE); - SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS); - } else if (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) { - SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE); - SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); - } else { - SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_FALSE); - SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); - } - } - - static int countciphers(PRBool cipher_state[ciphernum], int version) { - int ciphercount = 0; - int i; - - for (i = 0; i < ciphernum; i++) - { - if ((cipher_state[i] == PR_TRUE) && - (ciphers_def[i].version & version)) { - ciphercount++; - } - } -@@ -1702,30 +1722,54 @@ - return -1; - } - - if ((ciphers = strchr(cipher, ','))) { - *ciphers++ = '\0'; - } - - found = PR_FALSE; - - for (i = 0; i < ciphernum; i++) - { - if (!strcasecmp(cipher, ciphers_def[i].name)) { - cipher_list[i] = active; - found = PR_TRUE; - break; - } - } - - if (found == PR_FALSE) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unknown cipher %s", cipher); - } - - if (ciphers) { - cipher = ciphers; - } - } - - return 0; - } -+ -+ -+ -+ -+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, -+ PRUint32 sniNameArrSize, void *arg) -+{ -+ /* -+ arg is apr pool memory from apr_palloc(), SNIMAXNAMELEN+1 bytes long. -+ initialized zero. -+ */ -+ -+ char * retptr = NULL; -+ const SECItem *mysni = sniNameArr; -+ -+ if(mysni) { -+ retptr = apr_cpystrn(arg, mysni[0].data, -+ ( mysni[0].len + 1 < SNIMAXNAMELEN ) ? mysni[0].len + 1 : SNIMAXNAMELEN ); -+ return 0; -+ } else { -+ /* no SNI provided... Well. */ -+ return SSL_SNI_CURRENT_CONFIG_IS_USED; -+ } -+} diff --git a/mod_nss-SNI-checks.patch b/mod_nss-SNI-checks.patch deleted file mode 100644 index d879292..0000000 --- a/mod_nss-SNI-checks.patch +++ /dev/null @@ -1,155 +0,0 @@ -diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c ---- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2014-06-25 19:13:26.000000000 +0200 -+++ ./nss_engine_kernel.c 2014-06-27 13:57:40.000000000 +0200 -@@ -1,102 +1,151 @@ - /* Copyright 2001-2004 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - #include "mod_nss.h" - #include "secerr.h" - - static void HandshakeDone(PRFileDesc *fd, void *doneflag); - -+extern void * sni_callback_arg; -+ - /* - * Post Read Request Handler - */ - int nss_hook_ReadReq(request_rec *r) - { - SSLConnRec *sslconn = myConnConfig(r->connection); - PRFileDesc *ssl = sslconn ? sslconn->ssl : NULL; - - if (!sslconn) { - return DECLINED; - } - - if (sslconn->non_nss_request) { - const char *errmsg; - char *thisurl; - char *thisport = ""; - int port = ap_get_server_port(r); - - if (!ap_is_default_port(port, r)) { - thisport = apr_psprintf(r->pool, ":%u", port); - } - - thisurl = ap_escape_html(r->pool, - apr_psprintf(r->pool, "https://%s%s/", - ap_get_server_name(r), - thisport)); - - errmsg = apr_psprintf(r->pool, - "Reason: You're speaking plain HTTP " - "to an SSL-enabled server port.
\n" - "Instead use the HTTPS scheme to access " - "this URL, please.
\n" - "
Hint: " - "%s
", - thisurl, thisurl); - - apr_table_setn(r->notes, "error-notes", errmsg); - /* Now that we have caught this error, forget it. we are done - * with using SSL on this request. - */ - sslconn->non_nss_request = 0; - - - return HTTP_BAD_REQUEST; - } - - /* Get the SSL connection structure and perform the - * delayed interlinking from SSL back to request_rec - */ - if (!ssl) { - return DECLINED; - } - -+ -+ /* -+ * SNI. -+ * -+ * global pool-allocated char * sni_callback_arg contains SNI name -+ * coming from mod_nss_SSLSNISocketConfig() callback by nss as soon as -+ * SNI extension information was supplied by the client. -+ * -+ * With the SNI provided servername, this is now widely analogous -+ * to mod_ssl; the same checks apply. -+ * -+ */ -+ -+ -+ -+ char *servername; -+ servername = (char *) sni_callback_arg; -+ -+ if(servername[0] != '\0') { -+ char *host, *scope_id; -+ apr_port_t port; -+ apr_status_t rv; -+ -+ if (!r->hostname) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, -+ "Hostname %s provided via SNI, but no hostname" -+ " provided in HTTP request", servername); -+ return HTTP_BAD_REQUEST; -+ } -+ -+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); -+ if (rv != APR_SUCCESS || scope_id) { -+ return HTTP_BAD_REQUEST; -+ } -+ -+ if (strcasecmp(host, servername)) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, -+ "Hostname %s provided via SNI and hostname %s provided" -+ " via HTTP are different", servername, host); -+ return HTTP_BAD_REQUEST; -+ } -+ -+ -+ } -+ -+ -+ - /* - * Log information about incoming HTTPS requests - */ - if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, - "%s HTTPS request received for child %ld (server %s)", - (r->connection->keepalives <= 0 ? - "Initial (No.1)" : - apr_psprintf(r->pool, "Subsequent (No.%d)", - r->connection->keepalives+1)), - r->connection->id, - nss_util_vhostid(r->pool, r->server)); - } - - if (sslconn->client_cert != NULL) - CERT_DestroyCertificate(sslconn->client_cert); - sslconn->client_cert = SSL_PeerCertificate(ssl); - sslconn->client_dn = NULL; - - return DECLINED; - } - - /* - * Access Handler - */ - int nss_hook_Access(request_rec *r) - { - SSLDirConfigRec *dc = myDirConfig(r); - SSLSrvConfigRec *sc = mySrvConfig(r->server); - SSLConnRec *sslconn = myConnConfig(r->connection); diff --git a/mod_nss-cipherlist_update_for_tls12-doc.diff b/mod_nss-cipherlist_update_for_tls12-doc.diff index eed96d7..0b132b0 100644 --- a/mod_nss-cipherlist_update_for_tls12-doc.diff +++ b/mod_nss-cipherlist_update_for_tls12-doc.diff @@ -1,7 +1,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html --- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100 +++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100 -@@ -632,100 +632,121 @@ +@@ -632,100 +632,135 @@ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 @@ -53,11 +53,18 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 + ++ rsa_aes_128_sha256
++ ++ TLS_RSA_WITH_AES_128_CBC_SHA256
++ ++ TLSv1.2 ++ ++ + rsa_aes_128_gcm_sha
+ + TLS_RSA_WITH_AES_128_GCM_SHA256
+ -+ TLSv1.0/TLSv1.1/TLSv1.2 ++ TLSv1.2 + + + rsa_camellia_128_sha
@@ -72,6 +79,13 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ + TLSv1.0/TLSv1.1/TLSv1.2 ++ ++ ++ rsa_aes_256_sha256
++ ++ TLS_RSA_WITH_AES_256_CBC_SHA256
++ ++ TLSv1.2 + @@ -123,7 +137,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html ecdhe_ecdsa_rc4_128_sha TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLSv1.0/TLSv1.1/TLSv1.2 -@@ -773,100 +794,120 @@ +@@ -773,100 +794,130 @@ echde_rsa_null TLS_ECDHE_RSA_WITH_NULL_SHA @@ -175,6 +189,16 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html TLSv1.0/TLSv1.1/TLSv1.2 + ++ ecdh_ecdsa_aes_128_sha256 ++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ++ TLSv1.2 ++ ++ ++ ecdh_rsa_aes_128_sha256 ++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ++ TLSv1.2 ++ ++ + ecdh_ecdsa_aes_128_gcm_sha + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + TLSv1.0/TLSv1.1/TLSv1.2 diff --git a/mod_nss-cipherlist_update_for_tls12.diff b/mod_nss-cipherlist_update_for_tls12.diff index fb3e1ed..7bee592 100644 --- a/mod_nss-cipherlist_update_for_tls12.diff +++ b/mod_nss-cipherlist_update_for_tls12.diff @@ -53,10 +53,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h /* the table itself is defined in nss_engine_init.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 48 -+#define ciphernum 55 ++#define ciphernum 59 #else -#define ciphernum 23 -+#define ciphernum 26 ++#define ciphernum 28 #endif /* @@ -110,7 +110,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c --- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100 +++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100 -@@ -15,122 +15,130 @@ +@@ -15,122 +15,134 @@ #include "mod_nss.h" #include "apr_thread_proc.h" @@ -161,9 +161,11 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, /* AES ciphers.*/ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, ++ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, + {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, ++ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, + {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + #ifdef NSS_ENABLE_ECC @@ -178,6 +180,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, ++ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS}, @@ -190,6 +193,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, ++ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS}, diff --git a/mod_nss.conf.in b/mod_nss.conf.in index 2a980bf..ad35f30 100644 --- a/mod_nss.conf.in +++ b/mod_nss.conf.in @@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off # * no rc4, no 3des, no des # * ephemeral is what you want (PFS). # * EC has precedence over RSA -NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha +NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+ecdhe_rsa_aes_256_sha256,+rsa_aes_256_sha256,+ecdhe_rsa_aes_256_sha256 # SSL Protocol: # Cryptographic protocols that provide communication security. From ae21fd63feba61d45ed18b07b9871cee157bf6d04e444c3765a5131d62173126 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Thu, 5 Mar 2015 21:47:39 +0000 Subject: [PATCH 5/5] Accepting request 288636 from home:kstreitova:branches:Apache:Modules - add mod_nss-SNI_support.patch that brings Server Name Indication support that allows to have multiple HTTPS websites with multiple certificates on the same IP address and port. [fate#318331], [bnc#897712] OBS-URL: https://build.opensuse.org/request/show/288636 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=4 --- apache2-mod_nss.changes | 8 + apache2-mod_nss.spec | 5 +- mod_nss-SNI_support.patch | 397 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 409 insertions(+), 1 deletion(-) create mode 100644 mod_nss-SNI_support.patch diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index 984edf6..7a8645f 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 3 10:25:27 UTC 2015 - kstreitova@suse.com + +- add mod_nss-SNI_support.patch that brings Server Name Indication + support that allows to have multiple HTTPS websites with multiple + certificates on the same IP address and port. + [fate#318331], [bnc#897712] + ------------------------------------------------------------------- Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index 579bcf9..c37426b 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -74,6 +74,8 @@ Patch23: mod_nss-bnc863518-reopen_dev_tty.diff Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch # PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch +# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support +Patch26: mod_nss-SNI_support.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 @@ -115,6 +117,7 @@ security library. %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch +%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 diff --git a/mod_nss-SNI_support.patch b/mod_nss-SNI_support.patch new file mode 100644 index 0000000..a43c9a4 --- /dev/null +++ b/mod_nss-SNI_support.patch @@ -0,0 +1,397 @@ +From 07405e4dbd1e2df6583bb571a6230da78788c19b Mon Sep 17 00:00:00 2001 +From: standa +Date: Thu, 26 Feb 2015 15:23:50 +0100 +Subject: [PATCH] SNI check with NameVirtualHosts + +--- + docs/mod_nss.html | 10 ++++++ + mod_nss.c | 3 ++ + mod_nss.h | 18 ++++++++++ + nss_engine_config.c | 11 +++++++ + nss_engine_init.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++----- + nss_engine_kernel.c | 51 ++++++++++++++++++++++++++++ + nss_util.c | 19 +++++++++++ + 7 files changed, 199 insertions(+), 8 deletions(-) + +Index: mod_nss-1.0.8/docs/mod_nss.html +=================================================================== +--- mod_nss-1.0.8.orig/docs/mod_nss.html ++++ mod_nss-1.0.8/docs/mod_nss.html +@@ -1079,6 +1079,16 @@ components of the client certificate, th +
+ NSSRequire
+
++NSSSNI
++
++Enables or disables Server Name Identification(SNI) extension check for ++SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header. ++
++
++Example
++
++NSSSNI off
++
+ NSSProxyEngine
+
+ Enables or disables mod_nss HTTPS support for mod_proxy.
+Index: mod_nss-1.0.8/mod_nss.c +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.c ++++ mod_nss-1.0.8/mod_nss.c +@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds + SSL_CMD_SRV(FIPS, FLAG, + "FIPS 140-1 mode " + "(`on', `off')") ++ SSL_CMD_SRV(SNI, FLAG, ++ "SNI" ++ "(`on', `off')") + SSL_CMD_ALL(CipherSuite, TAKE1, + "Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable " + "(`[+-]XXX,...,[+-]XXX' - see manual)") +Index: mod_nss-1.0.8/mod_nss.h +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.h ++++ mod_nss-1.0.8/mod_nss.h +@@ -308,6 +308,7 @@ struct SSLSrvConfigRec { + const char *ocsp_name; + BOOL ocsp; + BOOL enabled; ++ BOOL sni; + BOOL proxy_enabled; + const char *vhost_id; + int vhost_id_len; +@@ -343,6 +344,20 @@ typedef struct + PRInt32 version; /* protocol version valid for this cipher */ + } cipher_properties; + ++typedef struct { ++ const char *vhost_id[70]; ++ const char *nick[30]; ++} vhostNick[500]; ++ ++typedef struct { ++ enum { ++ PW_NONE = 0, ++ PW_FROMFILE = 1, ++ PW_PLAINTEXT = 2, ++ PW_EXTERNAL = 3 ++ } source; ++ char *data; ++} secuPWData; + /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of + * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it + * is the last version without this define. This is used for more than just +@@ -384,6 +399,7 @@ void *nss_config_perdir_merge(apr_pool_t + void *nss_config_server_create(apr_pool_t *p, server_rec *s); + void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv); + const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int); ++const char *nss_cmd_NSSSNI(cmd_parms *, void *, int); + const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); + const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); + const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); +@@ -471,6 +487,8 @@ apr_file_t *nss_util_ppopen(server_rec + void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); + char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, + const char * const *); ++char *getSECItemData(char *data, int len); ++char *getSplitURL(char *url); + /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request + * to allow an SSL renegotiation to take place. */ + int nss_io_buffer_fill(request_rec *r); +Index: mod_nss-1.0.8/nss_engine_config.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_config.c ++++ mod_nss-1.0.8/nss_engine_config.c +@@ -135,6 +135,7 @@ static SSLSrvConfigRec *nss_config_serve + sc->ocsp_name = NULL; + sc->fips = UNSET; + sc->enabled = UNSET; ++ sc->sni = TRUE; + sc->proxy_enabled = UNSET; + sc->vhost_id = NULL; /* set during module init */ + sc->vhost_id_len = 0; /* set during module init */ +@@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t + cfgMerge(ocsp_name, NULL); + cfgMergeBool(fips); + cfgMergeBool(enabled); ++ cfgMergeBool(sni); + cfgMergeBool(proxy_enabled); + cfgMergeBool(proxy_ssl_check_peer_cn); + +@@ -320,6 +322,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c + + return NULL; + } ++ ++const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->sni = flag ? TRUE : FALSE; ++ ++ return NULL; ++} + + const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag) + { +Index: mod_nss-1.0.8/nss_engine_init.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_init.c ++++ mod_nss-1.0.8/nss_engine_init.c +@@ -28,12 +28,17 @@ static SECStatus ownHandshakeCallback(PR + static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); + static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); ++PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, ++ PRUint32 sniNameArrSize, void *arg); + + /* + * Global variables defined in this file. + */ + char* INTERNAL_TOKEN_NAME = "internal "; + ++vhostNick vhostNickSNI; ++int vhostNickSize = 0; ++ + cipher_properties ciphers_def[ciphernum] = + { + /* SSL2 cipher suites */ +@@ -382,6 +387,11 @@ int nss_init_Module(apr_pool_t *p, apr_p + sc->vhost_id = nss_util_vhostid(p, s); + sc->vhost_id_len = strlen(sc->vhost_id); + ++ if (sc->server->nickname != NULL && sc->vhost_id != NULL) { ++ strcpy(vhostNickSNI[vhostNickSize].vhost_id, sc->vhost_id); ++ strcpy(vhostNickSNI[vhostNickSize].nick, sc->server->nickname); ++ vhostNickSize++; ++ } + /* Fix up stuff that may not have been set */ + if (sc->fips == UNSET) { + sc->fips = FALSE; +@@ -534,7 +544,7 @@ int nss_init_Module(apr_pool_t *p, apr_p + ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, + "Init: Initializing (virtual) servers for SSL"); + +- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); + + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); +@@ -547,7 +557,7 @@ int nss_init_Module(apr_pool_t *p, apr_p + /* + * Read the server certificate and key + */ +- nss_init_ConfigureServer(s, p, ptemp, sc, clist); ++ nss_init_ConfigureServer(s, p, ptemp, sc, clist); + } + + if (clist) { +@@ -1233,13 +1243,21 @@ static void nss_init_certificate(server_ + break; + } + +- secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype); ++ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype); + if (secstatus != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "SSL error configuring server: '%s'", nickname); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); +- } ++ } ++ ++ /* SNI */ ++ if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) ownSSLSNISocketConfig, (void*) s) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "SSL_SNISocketConfigHook failed"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } + } + + +@@ -1308,6 +1326,7 @@ static void nss_init_server_certs(server + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } ++ + } + + static void nss_init_proxy_ctx(server_rec *s, +@@ -1374,7 +1393,6 @@ void nss_init_Child(apr_pool_t *p, serve + /* If any servers have SSL, we want sslenabled set so we + * can perform further initialization + */ +- + if (sc->enabled == UNSET) { + sc->enabled = FALSE; + } +@@ -1404,11 +1422,12 @@ void nss_init_Child(apr_pool_t *p, serve + nss_init_SSLLibrary(base_server); + + /* Configure all virtual servers */ +- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); +- if (sc->server->servercert == NULL && NSS_IsInitialized()) +- nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); ++ if (sc->server->servercert == NULL && NSS_IsInitialized()) { ++ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); ++ } + } + if (clist) { + CERT_DestroyCertList(clist); +@@ -1741,3 +1760,63 @@ int nss_parse_ciphers(server_rec *s, cha + + return 0; + } ++ ++PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, ++ PRUint32 sniNameArrSize, void *arg) ++{ ++ server_rec *s = (server_rec *)arg; ++ ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "start function ownSSLSNISocketConfig for SNI"); ++ ++ secuPWData *pwdata; ++ CERTCertificate * cert = NULL; ++ SECKEYPrivateKey * privKey = NULL; ++ char *nickName = NULL; ++ char *vhost = NULL; ++ int i; ++ ++ PORT_Assert(fd && sniNameArr); ++ if (!fd || !sniNameArr) { ++ return SSL_SNI_SEND_ALERT; ++ } ++ vhost = getSECItemData((char *) sniNameArr->data, sniNameArr->len); ++ ++ for(i = 0; isni parameter gets vhost from HTTPS header ++ */ ++ SSLSrvConfigRec *sc = mySrvConfig(r->server); ++ ++ SECItem *hostInfo = NULL; ++ hostInfo = SSL_GetNegotiatedHostInfo(ssl); ++ if (hostInfo != NULL && sc->sni) { ++ if (ap_is_initial_req(r) && (hostInfo->len != 0)) { ++ char *servername = NULL; ++ char *host, *scope_id; ++ apr_port_t port; ++ apr_status_t rv; ++ ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, ++ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d" ++ , hostInfo->data, hostInfo->len); ++ ++ servername = getSECItemData((char *) hostInfo->data, hostInfo->len); ++ ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, ++ "SNI hostInfo servername:%s, lenght:%d" ++ , servername, (unsigned)strlen(servername)); ++ ++ if (!r->hostname) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, ++ "Hostname %s provided via SNI, but no hostname" ++ " provided in HTTP request", servername); ++ return HTTP_BAD_REQUEST; ++ } ++ ++ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); ++ if (rv != APR_SUCCESS || scope_id) { ++ return HTTP_BAD_REQUEST; ++ } ++ ++ if (strcasecmp(host, servername)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, ++ "Hostname %s provided via SNI and hostname %s provided" ++ " via HTTP are different", servername, host); ++ ++ SECITEM_FreeItem(hostInfo, PR_TRUE); ++ servername = NULL; ++ return HTTP_BAD_REQUEST; ++ } else { ++ SECITEM_FreeItem(hostInfo, PR_TRUE); ++ servername = NULL; ++ } ++ } ++ } ++ /* + * Log information about incoming HTTPS requests + */ + if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { +Index: mod_nss-1.0.8/nss_util.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_util.c ++++ mod_nss-1.0.8/nss_util.c +@@ -100,3 +100,22 @@ char *nss_util_readfilter(server_rec *s, + + return buf; + } ++ ++char *getSECItemData(char *data, int len) { ++ ++ data[len]='\0'; ++ ++ return data; ++} ++ ++char *getSplitURL(char *url) { ++ ++ int iter = 0; ++ ++ while(url[iter] != '\0' && url[iter] != ':'){ ++ url[iter++]; ++ } ++ url[iter]='\0'; ++ ++ return url; ++}