forked from pool/apache2-mod_nss
Accepting request 381888 from Apache:Modules
1 OBS-URL: https://build.opensuse.org/request/show/381888 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=19
This commit is contained in:
commit
5b2cc4633c
@ -1,534 +0,0 @@
|
||||
From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001
|
||||
From: standa <standa@papaya.suse.cz>
|
||||
Date: Thu, 25 Jun 2015 17:14:56 +0200
|
||||
Subject: [PATCH] SNI check with NameVirtualHosts
|
||||
|
||||
---
|
||||
docs/mod_nss.html | 14 ++++-
|
||||
mod_nss.c | 3 ++
|
||||
mod_nss.h | 21 ++++++++
|
||||
nss_engine_config.c | 11 ++++
|
||||
nss_engine_init.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++------
|
||||
nss_engine_kernel.c | 51 ++++++++++++++++++
|
||||
nss_util.c | 72 ++++++++++++++++++++++++-
|
||||
7 files changed, 303 insertions(+), 18 deletions(-)
|
||||
|
||||
Index: mod_nss-1.0.8/docs/mod_nss.html
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/docs/mod_nss.html
|
||||
+++ mod_nss-1.0.8/docs/mod_nss.html
|
||||
@@ -195,7 +195,9 @@ following line to httpd.conf (location r
|
||||
</code><br>
|
||||
This has Apache load the mod_nss configuration file, <code>nss.conf</code>.
|
||||
It is here that you will setup your VirtualServer entries to and
|
||||
-configure your SSL servers.<br>
|
||||
+configure your SSL servers. If you have a certificate with the Subject
|
||||
+Alternative Names then you will set up these names like ServerAlias for your virtual host.<br>
|
||||
+
|
||||
<h1><a name="Generation"></a>Certificate Generation</h1>
|
||||
A ksh script, <code>gencert</code>, is included to automatically
|
||||
generate a self-signed CA plus one server certificate. This is fine for
|
||||
@@ -1079,6 +1081,16 @@ components of the client certificate, th
|
||||
<br>
|
||||
<code>NSSRequire<br>
|
||||
</code><br>
|
||||
+<big><big>NSSSNI</big></big><br>
|
||||
+<br>
|
||||
+Enables or disables Server Name Identification(SNI) extension check for
|
||||
+SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header.
|
||||
+<br>
|
||||
+<br>
|
||||
+<span style="font-weight: bold;">Example</span><br>
|
||||
+<br>
|
||||
+<code>NSSSNI off</code><br>
|
||||
+<br>
|
||||
<big><big>NSSProxyEngine</big></big><br>
|
||||
<br>
|
||||
Enables or disables mod_nss HTTPS support for mod_proxy.<br>
|
||||
Index: mod_nss-1.0.8/mod_nss.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.c
|
||||
+++ mod_nss-1.0.8/mod_nss.c
|
||||
@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds
|
||||
SSL_CMD_SRV(FIPS, FLAG,
|
||||
"FIPS 140-1 mode "
|
||||
"(`on', `off')")
|
||||
+ SSL_CMD_SRV(SNI, FLAG,
|
||||
+ "SNI"
|
||||
+ "(`on', `off')")
|
||||
SSL_CMD_ALL(CipherSuite, TAKE1,
|
||||
"Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable "
|
||||
"(`[+-]XXX,...,[+-]XXX' - see manual)")
|
||||
Index: mod_nss-1.0.8/mod_nss.h
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.h
|
||||
+++ mod_nss-1.0.8/mod_nss.h
|
||||
@@ -308,6 +308,7 @@ struct SSLSrvConfigRec {
|
||||
const char *ocsp_name;
|
||||
BOOL ocsp;
|
||||
BOOL enabled;
|
||||
+ BOOL sni;
|
||||
BOOL proxy_enabled;
|
||||
const char *vhost_id;
|
||||
int vhost_id_len;
|
||||
@@ -343,6 +344,20 @@ typedef struct
|
||||
PRInt32 version; /* protocol version valid for this cipher */
|
||||
} cipher_properties;
|
||||
|
||||
+typedef struct {
|
||||
+ enum {
|
||||
+ PW_NONE = 0,
|
||||
+ PW_FROMFILE = 1,
|
||||
+ PW_PLAINTEXT = 2,
|
||||
+ PW_EXTERNAL = 3
|
||||
+ } source;
|
||||
+ char *data;
|
||||
+} secuPWData;
|
||||
+
|
||||
+/* pool and hash which will contain ServerName and NSSNickname */
|
||||
+apr_pool_t *mp;
|
||||
+apr_hash_t *ht;
|
||||
+
|
||||
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
||||
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
||||
* is the last version without this define. This is used for more than just
|
||||
@@ -384,6 +399,7 @@ void *nss_config_perdir_merge(apr_pool_t
|
||||
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
|
||||
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
|
||||
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
|
||||
+const char *nss_cmd_NSSSNI(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
||||
@@ -471,6 +487,9 @@ apr_file_t *nss_util_ppopen(server_rec
|
||||
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
|
||||
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
|
||||
const char * const *);
|
||||
+char *searchHashVhostNick(char *vhost_id);
|
||||
+char *searchHashVhostNick_match(char *vhost_id);
|
||||
+void addHashVhostNick(char *vhost_id, char *nickname);
|
||||
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
|
||||
* to allow an SSL renegotiation to take place. */
|
||||
int nss_io_buffer_fill(request_rec *r);
|
||||
Index: mod_nss-1.0.8/nss_engine_config.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_config.c
|
||||
+++ mod_nss-1.0.8/nss_engine_config.c
|
||||
@@ -135,6 +135,7 @@ static SSLSrvConfigRec *nss_config_serve
|
||||
sc->ocsp_name = NULL;
|
||||
sc->fips = UNSET;
|
||||
sc->enabled = UNSET;
|
||||
+ sc->sni = TRUE;
|
||||
sc->proxy_enabled = UNSET;
|
||||
sc->vhost_id = NULL; /* set during module init */
|
||||
sc->vhost_id_len = 0; /* set during module init */
|
||||
@@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t
|
||||
cfgMerge(ocsp_name, NULL);
|
||||
cfgMergeBool(fips);
|
||||
cfgMergeBool(enabled);
|
||||
+ cfgMergeBool(sni);
|
||||
cfgMergeBool(proxy_enabled);
|
||||
cfgMergeBool(proxy_ssl_check_peer_cn);
|
||||
|
||||
@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag)
|
||||
+{
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
+
|
||||
+ sc->sni = flag ? TRUE : FALSE;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
|
||||
{
|
||||
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||
@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR
|
||||
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
||||
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
|
||||
+ PRUint32 sniNameArrSize, void *arg);
|
||||
|
||||
/*
|
||||
* Global variables defined in this file.
|
||||
@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r
|
||||
NSS_Shutdown();
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
+ "Please check access rights for user:%s!!!", mc->user);
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
|
||||
- if (mc->nInitCount == 1)
|
||||
- nss_die();
|
||||
- else
|
||||
- return;
|
||||
+ nss_die();
|
||||
}
|
||||
|
||||
if (fipsenabled) {
|
||||
@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
int fipsenabled = FALSE;
|
||||
int threaded = 0;
|
||||
struct semid_ds status;
|
||||
+ char *split_vhost_id = NULL;
|
||||
+ char *last1;
|
||||
|
||||
mc->nInitCount++;
|
||||
|
||||
@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
*/
|
||||
sc->vhost_id = nss_util_vhostid(p, s);
|
||||
sc->vhost_id_len = strlen(sc->vhost_id);
|
||||
+
|
||||
+ if (sc->server->nickname != NULL && sc->vhost_id != NULL) {
|
||||
+ split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1);
|
||||
+ ap_str_tolower(split_vhost_id);
|
||||
+ addHashVhostNick(split_vhost_id, (char *)sc->server->nickname);
|
||||
+ }
|
||||
|
||||
/* Fix up stuff that may not have been set */
|
||||
if (sc->fips == UNSET) {
|
||||
@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
||||
"Init: Initializing (virtual) servers for SSL");
|
||||
|
||||
- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
||||
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
|
||||
|
||||
for (s = base_server; s; s = s->next) {
|
||||
sc = mySrvConfig(s);
|
||||
@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
/*
|
||||
* Read the server certificate and key
|
||||
*/
|
||||
- nss_init_ConfigureServer(s, p, ptemp, sc, clist);
|
||||
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
|
||||
}
|
||||
|
||||
if (clist) {
|
||||
@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_
|
||||
SECStatus secstatus;
|
||||
|
||||
PK11SlotInfo* slot = NULL;
|
||||
+ CERTCertNicknames *certNickDNS = NULL;
|
||||
+ char **nnptr = NULL;
|
||||
+ int nn = 0;
|
||||
+ apr_array_header_t *names = NULL;
|
||||
+ apr_array_header_t *wild_names = NULL;
|
||||
+ int i, j;
|
||||
|
||||
if (nickname == NULL) {
|
||||
return;
|
||||
@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_
|
||||
|
||||
*KEAtype = NSS_FindCertKEAType(*servercert);
|
||||
|
||||
+ /* get ServerAlias entries to hash */
|
||||
+ names = s->names;
|
||||
+ if (names) {
|
||||
+ char **name = (char **)names->elts;
|
||||
+ for (i = 0; i < names->nelts; ++i) {
|
||||
+ ap_str_tolower(name[i]);
|
||||
+ addHashVhostNick(name[i], (char *)nickname);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* get ServerAlias entries with wildcards */
|
||||
+ wild_names = s->wild_names;
|
||||
+ if (wild_names) {
|
||||
+ char **wild_name = (char **)wild_names->elts;
|
||||
+ for (j = 0; j < wild_names->nelts; ++j) {
|
||||
+ ap_str_tolower(wild_name[j]);
|
||||
+ addHashVhostNick(wild_name[j], (char *)nickname);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* get valid DNS names from certificate to hash */
|
||||
+ certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert);
|
||||
+
|
||||
+ if (certNickDNS) {
|
||||
+ nnptr = certNickDNS->nicknames;
|
||||
+ nn = certNickDNS->numnicknames;
|
||||
+
|
||||
+ while ( nn > 0 ) {
|
||||
+ ap_str_tolower(*nnptr);
|
||||
+ addHashVhostNick(*nnptr, (char *)nickname);
|
||||
+ nnptr++;
|
||||
+ nn--;
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+
|
||||
/* Subject/hostname check */
|
||||
secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
|
||||
if (secstatus != SECSuccess) {
|
||||
char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "Misconfiguration of certificate's CN and virtual name."
|
||||
- " The certificate CN has %s. We expected %s as virtual"
|
||||
- " name.", cert_dns, s->server_hostname);
|
||||
+ "Misconfiguration of certificate's CN and virtual name."
|
||||
+ " The certificate CN has %s. We expected %s as virtual"
|
||||
+ " name.", cert_dns, s->server_hostname);
|
||||
PORT_Free(cert_dns);
|
||||
}
|
||||
-
|
||||
/*
|
||||
* Check for certs that are expired or not yet valid and WARN about it.
|
||||
* No need to refuse working - the client gets a warning.
|
||||
@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_
|
||||
break;
|
||||
}
|
||||
|
||||
- secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
|
||||
+ secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
|
||||
if (secstatus != SECSuccess) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
"SSL error configuring server: '%s'", nickname);
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
nss_die();
|
||||
- }
|
||||
+ }
|
||||
+
|
||||
+ /* SNI */
|
||||
+ if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) ownSSLSNISocketConfig, (void*) s) != SECSuccess) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "SSL_SNISocketConfigHook failed");
|
||||
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
+ nss_die();
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
nss_die();
|
||||
}
|
||||
+
|
||||
}
|
||||
|
||||
static void nss_init_proxy_ctx(server_rec *s,
|
||||
@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve
|
||||
/* If any servers have SSL, we want sslenabled set so we
|
||||
* can perform further initialization
|
||||
*/
|
||||
-
|
||||
if (sc->enabled == UNSET) {
|
||||
sc->enabled = FALSE;
|
||||
}
|
||||
@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve
|
||||
nss_init_SSLLibrary(base_server);
|
||||
|
||||
/* Configure all virtual servers */
|
||||
- CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
||||
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
|
||||
for (s = base_server; s; s = s->next) {
|
||||
sc = mySrvConfig(s);
|
||||
- if (sc->server->servercert == NULL && NSS_IsInitialized())
|
||||
- nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
|
||||
+ if (sc->server->servercert == NULL && NSS_IsInitialized()) {
|
||||
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
|
||||
+ }
|
||||
}
|
||||
if (clist) {
|
||||
CERT_DestroyCertList(clist);
|
||||
@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
|
||||
+ PRUint32 sniNameArrSize, void *arg)
|
||||
+{
|
||||
+ server_rec *s = (server_rec *)arg;
|
||||
+
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "start function ownSSLSNISocketConfig for SNI");
|
||||
+
|
||||
+ secuPWData *pwdata;
|
||||
+ CERTCertificate * cert = NULL;
|
||||
+ SECKEYPrivateKey * privKey = NULL;
|
||||
+ char *nickName = NULL;
|
||||
+ char *vhost = NULL;
|
||||
+ apr_pool_t *str_p;
|
||||
+
|
||||
+ PORT_Assert(fd && sniNameArr);
|
||||
+ if (!fd || !sniNameArr) {
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ apr_pool_create(&str_p, NULL);
|
||||
+ vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len);
|
||||
+
|
||||
+ /* rfc6125 - Checking of Traditional Domain Names*/
|
||||
+ ap_str_tolower(vhost);
|
||||
+
|
||||
+ nickName = searchHashVhostNick(vhost);
|
||||
+ if (nickName == NULL) {
|
||||
+ /* search wild_names in serverAlises */
|
||||
+ nickName = searchHashVhostNick_match(vhost);
|
||||
+ if (nickName == NULL) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, unrecognized name.", vhost);
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for key:%s", nickName, vhost);
|
||||
+
|
||||
+ pwdata = SSL_RevealPinArg(fd);
|
||||
+
|
||||
+ /* if pwdata is NULL, then we would not get the key and
|
||||
+ * return an error status. */
|
||||
+ cert = PK11_FindCertFromNickname(nickName, &pwdata);
|
||||
+ if (cert == NULL) {
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
|
||||
+ if (privKey == NULL) {
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert);
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "start configure vhost:%s", vhost);
|
||||
+ if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "successfull setting vhost with nick:%s", nickName);
|
||||
+ SECKEY_DestroyPrivateKey(privKey);
|
||||
+ CERT_DestroyCertificate(cert);
|
||||
+ apr_pool_destroy(str_p);
|
||||
+ return 0;
|
||||
+
|
||||
+}
|
||||
Index: mod_nss-1.0.8/nss_engine_kernel.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
|
||||
+++ mod_nss-1.0.8/nss_engine_kernel.c
|
||||
@@ -71,6 +71,59 @@ int nss_hook_ReadReq(request_rec *r)
|
||||
}
|
||||
|
||||
/*
|
||||
+ * SNI check is default on. In same cases you switch of by NSSSNI off
|
||||
+ * sc->sni parameter gets vhost from HTTPS header
|
||||
+ */
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
||||
+
|
||||
+ SECItem *hostInfo = NULL;
|
||||
+ hostInfo = SSL_GetNegotiatedHostInfo(ssl);
|
||||
+ if (hostInfo != NULL && sc->sni) {
|
||||
+ if (ap_is_initial_req(r) && (hostInfo->len != 0)) {
|
||||
+ char *servername = NULL;
|
||||
+ char *host, *scope_id;
|
||||
+ apr_port_t port;
|
||||
+ apr_status_t rv;
|
||||
+ apr_pool_t *s_p;
|
||||
+
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
+ "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d"
|
||||
+ ,(char *) hostInfo->data, hostInfo->len);
|
||||
+
|
||||
+ apr_pool_create(&s_p, NULL);
|
||||
+ servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len);
|
||||
+
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
+ "SNI hostInfo servername:%s, lenght:%d"
|
||||
+ , servername, (unsigned)strlen(servername));
|
||||
+
|
||||
+ if (!r->hostname) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
|
||||
+ "Hostname %s provided via SNI, but no hostname"
|
||||
+ " provided in HTTP request", servername);
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
+ }
|
||||
+
|
||||
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
|
||||
+ if (rv != APR_SUCCESS || scope_id) {
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
+ }
|
||||
+
|
||||
+ if (strcasecmp(host, servername)) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
|
||||
+ "Hostname %s provided via SNI and hostname %s provided"
|
||||
+ " via HTTP are different", servername, host);
|
||||
+
|
||||
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
||||
+ apr_pool_destroy(s_p);
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
+ } else {
|
||||
+ SECITEM_FreeItem(hostInfo, PR_TRUE);
|
||||
+ apr_pool_destroy(s_p);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ /*
|
||||
* Log information about incoming HTTPS requests
|
||||
*/
|
||||
if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
|
||||
Index: mod_nss-1.0.8/nss_util.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_util.c
|
||||
+++ mod_nss-1.0.8/nss_util.c
|
||||
@@ -13,7 +13,6 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
-
|
||||
#include "mod_nss.h"
|
||||
#include "ap_mpm.h"
|
||||
#include "apr_thread_mutex.h"
|
||||
@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s,
|
||||
|
||||
return buf;
|
||||
}
|
||||
+
|
||||
+static void initializeHashVhostNick() {
|
||||
+ apr_pool_create(&mp, NULL);
|
||||
+ ht = apr_hash_make(mp);
|
||||
+}
|
||||
+
|
||||
+char *searchHashVhostNick(char *vhost_id) {
|
||||
+ char *searchVal = NULL;
|
||||
+
|
||||
+ searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING);
|
||||
+
|
||||
+ return searchVal;
|
||||
+}
|
||||
+
|
||||
+char *searchHashVhostNick_match(char *vhost_id)
|
||||
+{
|
||||
+ char *searchValReg = NULL;
|
||||
+ apr_hash_index_t *hi;
|
||||
+ for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) {
|
||||
+ const char *k = NULL;
|
||||
+ const char *v = NULL;
|
||||
+
|
||||
+ apr_hash_this(hi, (const void**)&k, NULL, (void**)&v);
|
||||
+ if (!ap_strcasecmp_match(vhost_id, k)) {
|
||||
+ searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING);
|
||||
+ return searchValReg;
|
||||
+ }
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+void addHashVhostNick(char *vhost_id, char *nickname) {
|
||||
+
|
||||
+ if (ht == NULL) {
|
||||
+ initializeHashVhostNick();
|
||||
+ }
|
||||
+
|
||||
+ if(searchHashVhostNick(vhost_id) == NULL) {
|
||||
+ apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING,
|
||||
+ apr_pstrdup(mp, nickname));
|
||||
+ }
|
||||
+ return;
|
||||
+}
|
||||
+
|
@ -1,3 +1,71 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com
|
||||
|
||||
- use a whitelist approach for keeping directives in the migration
|
||||
script (bsc#961907)
|
||||
* modify mod_nss_migrate.pl
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 16 14:45:24 UTC 2016 - pgajdos@suse.com
|
||||
|
||||
- fix test: add NSSPassPhraseDialog, point it to plain file
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 14 12:27:37 UTC 2016 - vcizek@suse.com
|
||||
|
||||
- update to 1.0.13
|
||||
Update default ciphers to something more modern and secure
|
||||
Check for host and netstat commands in gencert before trying to use them
|
||||
Add server support for DHE ciphers
|
||||
Extract SAN from server/client certificates into env
|
||||
Fix memory leaks and other coding issues caught by clang analyzer
|
||||
Add support for Server Name Indication (SNI) (#1010751)
|
||||
Add support for SNI for reverse proxy connections
|
||||
Add RenegBufferSize? option
|
||||
Add support for TLS Session Tickets (RFC 5077)
|
||||
Fix logical AND support in OpenSSL cipher compatibility
|
||||
Correctly handle disabled ciphers (CVE-2015-5244)
|
||||
Implement a slew more OpenSSL cipher macros
|
||||
Fix a number of illegal memory accesses and memory leaks
|
||||
Support for SHA384 ciphers if they are available in NSS
|
||||
Add compatibility for mod_ssl-style cipher definitions (#862938)
|
||||
Add TLSv1.2-specific ciphers
|
||||
Completely remove support for SSLv2
|
||||
Add support for sqlite NSS databases (#1057650)
|
||||
Compare subject CN and VS hostname during server start up
|
||||
Add support for enabling TLS v1.2
|
||||
Don't enable SSL 3 by default (CVE-2014-3566)
|
||||
Fix CVE-2013-4566
|
||||
Move nss_pcache to /usr/libexec
|
||||
Support httpd 2.4+
|
||||
- drop almost all our patches (upstream)
|
||||
* 0001-SNI-check-with-NameVirtualHosts.patch
|
||||
* mod_nss-CVE-2013-4566-NSSVerifyClient.diff
|
||||
* mod_nss-PK11_ListCerts_2.patch
|
||||
* mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
||||
* mod_nss-array_overrun.patch
|
||||
* mod_nss-cipherlist_update_for_tls12-doc.diff
|
||||
* mod_nss-cipherlist_update_for_tls12.diff
|
||||
* mod_nss-clientauth.patch
|
||||
* mod_nss-compare_subject_CN_and_VS_hostname.patch
|
||||
* mod_nss-gencert.patch
|
||||
* mod_nss-httpd24.patch
|
||||
* mod_nss-lockpcache.patch
|
||||
* mod_nss-negotiate.patch
|
||||
* mod_nss-no_shutdown_if_not_init_2.patch
|
||||
* mod_nss-overlapping_memcpy.patch
|
||||
* mod_nss-pcachesignal.h
|
||||
* mod_nss-proxyvariables.patch
|
||||
* mod_nss-reseterror.patch
|
||||
* mod_nss-reverse_proxy_send_SNI.patch
|
||||
* mod_nss-reverseproxy.patch
|
||||
* mod_nss-sslmultiproxy.patch
|
||||
* mod_nss-tlsv1_1.patch
|
||||
* mod_nss-wouldblock.patch
|
||||
* update-ciphers.patch
|
||||
- add automake and libtool to BuildRequires
|
||||
- temporarily comment out %check
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 12 08:31:19 UTC 2016 - pgajdos@suse.com
|
||||
|
||||
|
@ -20,7 +20,7 @@ Name: apache2-mod_nss
|
||||
Summary: SSL/TLS module for the Apache HTTP server
|
||||
License: Apache-2.0
|
||||
Group: Productivity/Networking/Web/Servers
|
||||
Version: 1.0.8
|
||||
Version: 1.0.13
|
||||
Release: 0.4.8
|
||||
Url: https://fedorahosted.org/mod_nss
|
||||
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
|
||||
@ -38,6 +38,7 @@ Requires: mozilla-nss >= 3.15.1
|
||||
PreReq: mozilla-nss-tools
|
||||
BuildRequires: apache-rpm-macros
|
||||
BuildRequires: apache2-devel >= 2.2.12
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl
|
||||
BuildRequires: findutils
|
||||
@ -45,43 +46,13 @@ BuildRequires: flex
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libapr-util1-devel
|
||||
BuildRequires: libapr1-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: mozilla-nspr-devel >= 4.6.3
|
||||
BuildRequires: mozilla-nss-devel >= 3.15.1
|
||||
BuildRequires: mozilla-nss-tools
|
||||
BuildRequires: pkgconfig
|
||||
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
|
||||
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
|
||||
#Patch1: mod_nss-conf.patch
|
||||
Patch2: mod_nss-gencert.patch
|
||||
Patch3: mod_nss-wouldblock.patch
|
||||
Patch4: mod_nss-negotiate.patch
|
||||
Patch5: mod_nss-reverseproxy.patch
|
||||
Patch6: mod_nss-pcachesignal.h
|
||||
Patch7: mod_nss-reseterror.patch
|
||||
Patch8: mod_nss-lockpcache.patch
|
||||
# Fix build with apache 2.4
|
||||
Patch9: mod_nss-httpd24.patch
|
||||
|
||||
Patch10: mod_nss-proxyvariables.patch
|
||||
Patch11: mod_nss-tlsv1_1.patch
|
||||
Patch12: mod_nss-array_overrun.patch
|
||||
Patch13: mod_nss-clientauth.patch
|
||||
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
|
||||
Patch15: mod_nss-PK11_ListCerts_2.patch
|
||||
Patch16: mod_nss-sslmultiproxy.patch
|
||||
Patch17: mod_nss-overlapping_memcpy.patch
|
||||
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
|
||||
Patch19: mod_nss-cipherlist_update_for_tls12.diff
|
||||
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
|
||||
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
|
||||
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
|
||||
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
|
||||
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
|
||||
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
|
||||
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
|
||||
Patch26: 0001-SNI-check-with-NameVirtualHosts.patch
|
||||
Patch27: update-ciphers.patch
|
||||
Patch28: mod_nss-reverse_proxy_send_SNI.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apxs /usr/sbin/apxs2
|
||||
@ -101,36 +72,7 @@ security library.
|
||||
|
||||
%prep
|
||||
%setup -q -n mod_nss-%{version}
|
||||
##%patch1 -p1 -b .conf.rpmpatch
|
||||
%patch2 -p1 -b .gencert.rpmpatch
|
||||
%patch3 -p1 -b .wouldblock.rpmpatch
|
||||
%patch4 -p1 -b .negotiate.rpmpatch
|
||||
%patch5 -p1 -b .reverseproxy.rpmpatch
|
||||
%patch6 -p1 -b .pcachesignal.h.rpmpatch
|
||||
%patch7 -p1 -b .reseterror.rpmpatch
|
||||
%patch8 -p1 -b .lockpcache.rpmpatch
|
||||
%patch10 -p1 -b .proxyvariables.rpmpatch
|
||||
%patch11 -p1 -b .tlsv1_1.rpmpatch
|
||||
%patch12 -p1 -b .array_overrun.rpmpatch
|
||||
%patch13 -p1 -b .clientauth.rpmpatch
|
||||
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
|
||||
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
|
||||
%patch16 -p1 -b .sslmultiproxy.rpmpatch
|
||||
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
|
||||
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
|
||||
%patch19 -p0 -b .ciphers.rpmpatch
|
||||
%patch20 -p0 -b .ciphers.doc.rpmpatch
|
||||
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
||||
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
|
||||
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
|
||||
%patch26 -p1 -b .SNI_support.rpmpatch
|
||||
%patch27 -p1 -b .update-ciphers.rpmpatch
|
||||
%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
|
||||
|
||||
# keep this last, otherwise we get fuzzyness from above
|
||||
%if %{apache_branch} >= 204
|
||||
%patch9 -p1 -b .http24
|
||||
%endif
|
||||
|
||||
# Touch expression parser sources to prevent regenerating it
|
||||
touch nss_expr_*.[chyl]
|
||||
@ -150,7 +92,7 @@ export C_INCLUDE_PATH
|
||||
cp -a %{SOURCE1} ./nss.conf.in
|
||||
cp -a %{SOURCE4} .
|
||||
chmod 644 ./nss.conf.in
|
||||
#autoreconf -fvi
|
||||
autoreconf -fvi
|
||||
%configure \
|
||||
--with-nss-lib=$NSS_LIB_DIR \
|
||||
--with-nss-inc=$NSS_INCLUDE_DIR \
|
||||
@ -193,11 +135,18 @@ perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
|
||||
%check
|
||||
set +x
|
||||
mkdir -p %{apache_test_module_dir}
|
||||
# create password file including internal token to suppress
|
||||
# apache 'builtin dialog', see NSSPassPhraseDialog below
|
||||
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
|
||||
cat << EOF > %{apache_test_module_dir}/password.conf
|
||||
internal:httptest
|
||||
EOF
|
||||
# create test configuration
|
||||
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
|
||||
NSSEngine on
|
||||
NSSNickname Server-Cert
|
||||
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
|
||||
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
|
||||
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
|
||||
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
|
||||
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
3
mod_nss-1.0.13.tar.gz
Normal file
3
mod_nss-1.0.13.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:244afe11101bf75d85562fadf7b5e4292f8de634446414c268b4b4636cc88817
|
||||
size 177668
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f8477dfc432033738ee1aad5e010e9f0429eb1c1debd273a05fed6316d50a801
|
||||
size 405061
|
@ -1,319 +0,0 @@
|
||||
This is CVE-2013-4566:
|
||||
The flaw is in the NSSVerifyClient (which is equivalent to mod_ssl's
|
||||
SSLVerifyClient) setting enforcement. If 'NSSVerifyClient none' is set
|
||||
in the server / vhost context (i.e. when server is configured to not
|
||||
request or require client certificate authentication on the initial
|
||||
connection), and client certificate authentication is expected to be
|
||||
required for a specific directory via 'NSSVerifyClient require'
|
||||
setting, mod_nss fails to properly require certificate authentication.
|
||||
Remote attacker can use this to access content of the restricted
|
||||
directories.
|
||||
|
||||
Reported by Thomas Hoger <thoger@redhat.com>.
|
||||
|
||||
diff -rNU 150 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c
|
||||
--- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2013-11-29 16:09:37.000000000 +0100
|
||||
+++ ./nss_engine_kernel.c 2013-11-29 16:12:20.000000000 +0100
|
||||
@@ -133,301 +133,301 @@
|
||||
/*
|
||||
* Check to see if SSL protocol is enabled. If it's not then
|
||||
* no further access control checks are relevant. The test for
|
||||
* sc->enabled is probably strictly unnecessary
|
||||
*/
|
||||
if (!((sc->enabled == TRUE) || !ssl)) {
|
||||
return DECLINED;
|
||||
}
|
||||
|
||||
/*
|
||||
* Support for per-directory reconfigured SSL connection parameters.
|
||||
*
|
||||
* This is implemented by forcing an SSL renegotiation with the
|
||||
* reconfigured parameter suite. But Apache's internal API processing
|
||||
* makes our life very hard here, because when internal sub-requests occur
|
||||
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
|
||||
* require extra network I/O and especially time to perform).
|
||||
*
|
||||
* But the optimization for filtering out the unnecessary handshakes isn't
|
||||
* obvious and trivial. Especially because while Apache is in its
|
||||
* sub-request processing the client could force additional handshakes,
|
||||
* too. And these take place perhaps without our notice. So the only
|
||||
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
|
||||
* has to be performed or not. It has to performed when some parameters
|
||||
* which were previously known (by us) are not those we've now
|
||||
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
|
||||
* the reconfigured parameter suite is stronger (more restrictions) than
|
||||
* the currently active one.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Override of NSSCipherSuite
|
||||
*
|
||||
* We provide two options here:
|
||||
*
|
||||
* o The paranoid and default approach where we force a renegotiation when
|
||||
* the cipher suite changed in _any_ way (which is straight-forward but
|
||||
* often forces renegotiations too often and is perhaps not what the
|
||||
* user actually wanted).
|
||||
*
|
||||
* o The optimized and still secure way where we force a renegotiation
|
||||
* only if the currently active cipher is no longer contained in the
|
||||
* reconfigured/new cipher suite. Any other changes are not important
|
||||
* because it's the servers choice to select a cipher from the ones the
|
||||
* client supports. So as long as the current cipher is still in the new
|
||||
* cipher suite we're happy. Because we can assume we would have
|
||||
* selected it again even when other (better) ciphers exists now in the
|
||||
* new cipher suite. This approach is fine because the user explicitly
|
||||
* has to enable this via ``NSSOptions +OptRenegotiate''. So we do no
|
||||
* implicit optimizations.
|
||||
*/
|
||||
if (dc->szCipherSuite) {
|
||||
/* remember old state */
|
||||
for (i=0; i < ciphernum; i++) {
|
||||
SSL_CipherPrefGet(ssl, ciphers_def[i].num, &ciphers_old[i]);
|
||||
}
|
||||
|
||||
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
|
||||
int on, keySize, secretKeySize;
|
||||
char *issuer, *subject;
|
||||
|
||||
SSL_SecurityStatus(ssl, &on, &cipher,
|
||||
&keySize, &secretKeySize, &issuer,
|
||||
&subject);
|
||||
}
|
||||
|
||||
/* configure new state */
|
||||
|
||||
ciphers = strdup(dc->szCipherSuite);
|
||||
if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
|
||||
r->server,
|
||||
"Unable to reconfigure (per-directory) "
|
||||
"permitted SSL ciphers");
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server);
|
||||
free(ciphers);
|
||||
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
free(ciphers);
|
||||
|
||||
/* Actually enable the selected ciphers. Also check to
|
||||
see if the existing cipher is in the new list for
|
||||
a possible optimization later. */
|
||||
|
||||
for (i=0; i<ciphernum;i++) {
|
||||
if (cipher && !strcasecmp(cipher, ciphers_def[i].name)) {
|
||||
if (ciphers_new[i] == PR_TRUE)
|
||||
cipher_in_list = PR_TRUE;
|
||||
}
|
||||
SSL_CipherPrefSet(ssl, ciphers_def[i].num, ciphers_new[i]);
|
||||
}
|
||||
|
||||
/* determine whether a renegotiation has to be forced */
|
||||
|
||||
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
|
||||
if (cipher_in_list != PR_TRUE)
|
||||
renegotiate = TRUE;
|
||||
}
|
||||
else {
|
||||
/* paranoid way */
|
||||
for (i=0; i<ciphernum;i++) {
|
||||
if (ciphers_new[i] != ciphers_old[i]) {
|
||||
renegotiate = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* tracing */
|
||||
if (renegotiate) {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Reconfigured cipher suite will force renegotiation");
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* override of SSLVerifyClient
|
||||
*
|
||||
* We force a renegotiation if the reconfigured/new verify type is
|
||||
* stronger than the currently active verify type.
|
||||
*
|
||||
* The order is: none << optional_no_ca << optional << require
|
||||
*
|
||||
* Additionally the following optimization is possible here: When the
|
||||
* currently active verify type is "none" but a client certificate is
|
||||
* already known/present, it's enough to manually force a client
|
||||
* verification but at least skip the I/O-intensive renegotation
|
||||
* handshake.
|
||||
*/
|
||||
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
|
||||
PRInt32 on;
|
||||
|
||||
/* remember old state */
|
||||
SSL_OptionGet(ssl, SSL_REQUIRE_CERTIFICATE, &on);
|
||||
if (on == PR_TRUE) {
|
||||
verify_old = SSL_CVERIFY_REQUIRE;
|
||||
} else {
|
||||
SSL_OptionGet(ssl, SSL_REQUEST_CERTIFICATE, &on);
|
||||
if (on == PR_TRUE)
|
||||
verify_old = SSL_CVERIFY_OPTIONAL;
|
||||
else
|
||||
verify_old = SSL_CVERIFY_NONE;
|
||||
}
|
||||
|
||||
/* configure new state */
|
||||
verify = dc->nVerifyClient;
|
||||
|
||||
if (verify == SSL_CVERIFY_REQUIRE) {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
|
||||
- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
|
||||
+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
|
||||
} else if (verify == SSL_CVERIFY_OPTIONAL) {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
|
||||
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
|
||||
} else {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE);
|
||||
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
|
||||
}
|
||||
|
||||
/* determine whether we've to force a renegotiation */
|
||||
if (!renegotiate && verify != verify_old) {
|
||||
if (((verify_old == SSL_CVERIFY_NONE) &&
|
||||
(verify != SSL_CVERIFY_NONE)) ||
|
||||
|
||||
(!(verify_old & SSL_CVERIFY_OPTIONAL) &&
|
||||
(verify & SSL_CVERIFY_OPTIONAL)) ||
|
||||
|
||||
(!(verify_old & SSL_CVERIFY_REQUIRE) &&
|
||||
(verify & SSL_CVERIFY_REQUIRE)))
|
||||
{
|
||||
renegotiate = TRUE;
|
||||
/* optimization */
|
||||
|
||||
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
|
||||
(verify_old == SSL_CVERIFY_NONE) &&
|
||||
((peercert = SSL_PeerCertificate(ssl)) != NULL))
|
||||
{
|
||||
renegotiate_quick = TRUE;
|
||||
CERT_DestroyCertificate(peercert);
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
|
||||
r->server,
|
||||
"Changed client verification type will force "
|
||||
"%srenegotiation",
|
||||
renegotiate_quick ? "quick " : "");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* If a renegotiation is now required for this location, and the
|
||||
* request includes a message body (and the client has not
|
||||
* requested a "100 Continue" response), then the client will be
|
||||
* streaming the request body over the wire already. In that
|
||||
* case, it is not possible to stop and perform a new SSL
|
||||
* handshake immediately; once the SSL library moves to the
|
||||
* "accept" state, it will reject the SSL packets which the client
|
||||
* is sending for the request body.
|
||||
*
|
||||
* To allow authentication to complete in this auth hook, the
|
||||
* solution used here is to fill a (bounded) buffer with the
|
||||
* request body, and then to reinject that request body later.
|
||||
*/
|
||||
if (renegotiate && !renegotiate_quick
|
||||
&& (apr_table_get(r->headers_in, "transfer-encoding")
|
||||
|| (apr_table_get(r->headers_in, "content-length")
|
||||
&& strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
|
||||
&& !r->expecting_100) {
|
||||
int rv;
|
||||
|
||||
/* Fill the I/O buffer with the request body if possible. */
|
||||
rv = nss_io_buffer_fill(r);
|
||||
|
||||
if (rv) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||
"could not buffer message body to allow "
|
||||
"SSL renegotiation to proceed");
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* now do the renegotiation if anything was actually reconfigured
|
||||
*/
|
||||
if (renegotiate) {
|
||||
/*
|
||||
* Now we force the SSL renegotation by sending the Hello Request
|
||||
* message to the client. Here we have to do a workaround: Actually
|
||||
* OpenSSL returns immediately after sending the Hello Request (the
|
||||
* intent AFAIK is because the SSL/TLS protocol says it's not a must
|
||||
* that the client replies to a Hello Request). But because we insist
|
||||
* on a reply (anything else is an error for us) we have to go to the
|
||||
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
|
||||
* here because it resets too much of the connection. So we set the
|
||||
* state explicitly and continue the handshake manually.
|
||||
*/
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
|
||||
"Requesting connection re-negotiation");
|
||||
|
||||
if (renegotiate_quick) {
|
||||
SECStatus rv;
|
||||
CERTCertificate *peerCert;
|
||||
void *pinArg;
|
||||
|
||||
/* perform just a manual re-verification of the peer */
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Performing quick renegotiation: "
|
||||
"just re-verifying the peer");
|
||||
|
||||
peerCert = SSL_PeerCertificate(sslconn->ssl);
|
||||
|
||||
pinArg = SSL_RevealPinArg(sslconn->ssl);
|
||||
|
||||
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(),
|
||||
peerCert,
|
||||
PR_TRUE,
|
||||
certUsageSSLClient,
|
||||
pinArg);
|
||||
|
||||
CERT_DestroyCertificate(peerCert);
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
|
||||
"Re-negotiation handshake failed: "
|
||||
"Client verification failed");
|
||||
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
|
||||
/* The cert is ok, fall through to the check SSLRequires */
|
||||
}
|
||||
else {
|
||||
int handshake_done = 0;
|
||||
int result = 0;
|
||||
|
||||
/* do a full renegotiation */
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Performing full renegotiation: "
|
||||
"complete handshake protocol");
|
||||
|
||||
/* Do NOT call SSL_ResetHandshake as this will tear down the
|
||||
* existing connection.
|
||||
*/
|
||||
if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) {
|
||||
int errCode = PR_GetError();
|
||||
if (errCode == SEC_ERROR_INVALID_ARGS) {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Re-negotation request failed: "
|
||||
"trying to do client authentication on a non-SSL3 connection");
|
||||
} else {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Re-negotation request failed: "
|
||||
"returned error %d", errCode);
|
||||
}
|
||||
r->connection->aborted = 1;
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Awaiting re-negotiation handshake");
|
||||
|
@ -1,201 +0,0 @@
|
||||
diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
|
||||
--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800
|
||||
+++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800
|
||||
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
|
||||
/* module initialization */
|
||||
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
|
||||
void nss_init_Child(apr_pool_t *, server_rec *);
|
||||
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
|
||||
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
|
||||
apr_status_t nss_init_ModuleKill(void *data);
|
||||
apr_status_t nss_init_ChildKill(void *data);
|
||||
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
|
||||
diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
|
||||
--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800
|
||||
+++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800
|
||||
@@ -26,7 +26,7 @@
|
||||
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
||||
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
||||
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
||||
-static CERTCertificate* FindServerCertFromNickname(const char* name);
|
||||
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||
|
||||
/*
|
||||
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
||||
"Init: Initializing (virtual) servers for SSL");
|
||||
|
||||
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
||||
+
|
||||
for (s = base_server; s; s = s->next) {
|
||||
sc = mySrvConfig(s);
|
||||
/*
|
||||
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
/*
|
||||
* Read the server certificate and key
|
||||
*/
|
||||
- nss_init_ConfigureServer(s, p, ptemp, sc);
|
||||
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
|
||||
+ }
|
||||
+
|
||||
+ if (clist) {
|
||||
+ CERT_DestroyCertList(clist);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
|
||||
SECKEYPrivateKey **serverkey,
|
||||
SSLKEAType *KEAtype,
|
||||
PRFileDesc *model,
|
||||
- int enforce)
|
||||
+ int enforce,
|
||||
+ const CERTCertList* clist)
|
||||
{
|
||||
SECCertTimeValidity certtimestatus;
|
||||
SECStatus secstatus;
|
||||
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Using nickname %s.", nickname);
|
||||
|
||||
- *servercert = FindServerCertFromNickname(nickname);
|
||||
+ *servercert = FindServerCertFromNickname(nickname, clist);
|
||||
|
||||
/* Verify the certificate chain. */
|
||||
if (*servercert != NULL) {
|
||||
SECCertificateUsage usage = certificateUsageSSLServer;
|
||||
|
||||
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "Certificate not verified: '%s'", nickname);
|
||||
+ if (enforce) {
|
||||
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
- if (enforce) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
|
||||
nss_die();
|
||||
@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
|
||||
static void nss_init_server_certs(server_rec *s,
|
||||
apr_pool_t *p,
|
||||
apr_pool_t *ptemp,
|
||||
- modnss_ctx_t *mctx)
|
||||
+ modnss_ctx_t *mctx,
|
||||
+ const CERTCertList* clist)
|
||||
{
|
||||
SECStatus secstatus;
|
||||
|
||||
@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
|
||||
|
||||
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
|
||||
&mctx->serverkey, &mctx->serverKEAType,
|
||||
- mctx->model, mctx->enforce);
|
||||
+ mctx->model, mctx->enforce, clist);
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
|
||||
&mctx->eccserverkey, &mctx->eccserverKEAType,
|
||||
- mctx->model, mctx->enforce);
|
||||
+ mctx->model, mctx->enforce, clist);
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
|
||||
static void nss_init_proxy_ctx(server_rec *s,
|
||||
apr_pool_t *p,
|
||||
apr_pool_t *ptemp,
|
||||
- SSLSrvConfigRec *sc)
|
||||
+ SSLSrvConfigRec *sc,
|
||||
+ const CERTCertList* clist)
|
||||
{
|
||||
nss_init_ctx(s, p, ptemp, sc->proxy);
|
||||
|
||||
- nss_init_server_certs(s, p, ptemp, sc->proxy);
|
||||
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
|
||||
}
|
||||
|
||||
static void nss_init_server_ctx(server_rec *s,
|
||||
apr_pool_t *p,
|
||||
apr_pool_t *ptemp,
|
||||
- SSLSrvConfigRec *sc)
|
||||
+ SSLSrvConfigRec *sc,
|
||||
+ const CERTCertList* clist)
|
||||
{
|
||||
nss_init_server_check(s, p, ptemp, sc->server);
|
||||
|
||||
nss_init_ctx(s, p, ptemp, sc->server);
|
||||
|
||||
- nss_init_server_certs(s, p, ptemp, sc->server);
|
||||
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
|
||||
void nss_init_ConfigureServer(server_rec *s,
|
||||
apr_pool_t *p,
|
||||
apr_pool_t *ptemp,
|
||||
- SSLSrvConfigRec *sc)
|
||||
+ SSLSrvConfigRec *sc,
|
||||
+ const CERTCertList* clist)
|
||||
{
|
||||
if (sc->enabled == TRUE) {
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Configuring server for SSL protocol");
|
||||
- nss_init_server_ctx(s, p, ptemp, sc);
|
||||
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
|
||||
}
|
||||
|
||||
if (sc->proxy_enabled == TRUE) {
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Enabling proxy.");
|
||||
- nss_init_proxy_ctx(s, p, ptemp, sc);
|
||||
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
|
||||
nss_init_SSLLibrary(base_server);
|
||||
|
||||
/* Configure all virtual servers */
|
||||
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
||||
for (s = base_server; s; s = s->next) {
|
||||
sc = mySrvConfig(s);
|
||||
if (sc->server->servercert == NULL && NSS_IsInitialized())
|
||||
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
|
||||
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
|
||||
+ }
|
||||
+ if (clist) {
|
||||
+ CERT_DestroyCertList(clist);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
|
||||
* newest, valid server certificate.
|
||||
*/
|
||||
static CERTCertificate*
|
||||
-FindServerCertFromNickname(const char* name)
|
||||
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
|
||||
{
|
||||
- CERTCertList* clist;
|
||||
CERTCertificate* bestcert = NULL;
|
||||
|
||||
CERTCertListNode *cln;
|
||||
@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
|
||||
if (name == NULL)
|
||||
return NULL;
|
||||
|
||||
- clist = PK11_ListCerts(PK11CertListUser, NULL);
|
||||
-
|
||||
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
|
||||
cln = CERT_LIST_NEXT(cln)) {
|
||||
CERTCertificate* cert = cln->cert;
|
||||
@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
|
||||
if (bestcert) {
|
||||
bestcert = CERT_DupCertificate(bestcert);
|
||||
}
|
||||
- if (clist) {
|
||||
- CERT_DestroyCertList(clist);
|
||||
- }
|
||||
return bestcert;
|
||||
}
|
||||
|
||||
|
@ -1,61 +0,0 @@
|
||||
From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 16 Oct 2014 14:05:05 -0400
|
||||
Subject: [PATCH] Add support for enabling TLS v1.2
|
||||
|
||||
If support is available in NSS then it is just a matter of including
|
||||
TLS 1.2 in the protocol range.
|
||||
---
|
||||
docs/mod_nss.html | 97 ++++++++++++++++++++++++++++---------------------------
|
||||
mod_nss.c | 4 +--
|
||||
nss.conf.in | 2 +-
|
||||
nss_engine_init.c | 51 +++++++++++++++++------------
|
||||
nss_engine_vars.c | 3 ++
|
||||
5 files changed, 86 insertions(+), 71 deletions(-)
|
||||
|
||||
Index: mod_nss-1.0.8/nss.conf.in
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss.conf.in
|
||||
+++ mod_nss-1.0.8/nss.conf.in
|
||||
@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
|
||||
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
|
||||
-NSSProtocol SSLv3,TLSv1
|
||||
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the RSA server certificate you are going to use.
|
||||
Index: mod_nss-1.0.8/nss_engine_vars.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_vars.c
|
||||
+++ mod_nss-1.0.8/nss_engine_vars.c
|
||||
@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
|
||||
case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||
result = "TLSv1.1";
|
||||
break;
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_2:
|
||||
+ result = "TLSv1.2";
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
}
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||
@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
|
||||
* cannot be excluded from this range. NSS will automatically negotiate
|
||||
* to utilize the strongest acceptable protocol for a connection starting
|
||||
* with the maximum specified protocol and downgrading as necessary to the
|
||||
- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
|
||||
+ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
|
||||
*/
|
||||
if (stat == SECSuccess) {
|
||||
/* Set minimum protocol version (lowest -> highest)
|
||||
*
|
||||
- * SSL 3.0 -> TLS 1.0 -> TLS 1.1
|
||||
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
|
||||
*/
|
||||
if (ssl3 == 1) {
|
||||
enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
|
@ -1,16 +0,0 @@
|
||||
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
|
||||
"child_argv", with 5 elements, at position 5 with index variable "5".
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=714154
|
||||
diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400
|
||||
@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||
|
||||
/* Do we need to fire up our password helper? */
|
||||
if (mc->nInitCount == 1) {
|
||||
- const char * child_argv[5];
|
||||
+ const char * child_argv[6];
|
||||
apr_status_t rv;
|
||||
struct sembuf sb;
|
||||
char sembuf[32];
|
@ -1,54 +1,8 @@
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
|
||||
--- ../mod_nss-1.0.8-o/nss_engine_pphrase.c 2014-07-24 12:23:30.000000000 +0200
|
||||
+++ ./nss_engine_pphrase.c 2014-07-24 13:54:23.000000000 +0200
|
||||
@@ -181,199 +181,218 @@
|
||||
* that may be done.
|
||||
*/
|
||||
static PRBool nss_check_password(unsigned char *cp)
|
||||
{
|
||||
int len;
|
||||
unsigned char *end, ch;
|
||||
|
||||
len = strlen((char *)cp);
|
||||
if (len < 8) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
end = cp + len;
|
||||
while (cp < end) {
|
||||
ch = *cp++;
|
||||
if (!((ch >= 'A') && (ch <= 'Z')) &&
|
||||
!((ch >= 'a') && (ch <= 'z'))) {
|
||||
/* pass phrase has at least one non alphabetic in it */
|
||||
return PR_TRUE;
|
||||
}
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
/*
|
||||
* Password callback so the user is not prompted to enter the password
|
||||
* after the server starts.
|
||||
*/
|
||||
static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Password callback to prompt the user for a password. This requires
|
||||
* twiddling with the tty. Alternatively, if the file password.conf
|
||||
* exists then it may be used to store the token password(s).
|
||||
*/
|
||||
static char *nss_get_password(FILE *input, FILE *output,
|
||||
PK11SlotInfo *slot,
|
||||
PRBool (*ok)(unsigned char *),
|
||||
pphrase_arg_t *parg)
|
||||
{
|
||||
char *pwdstr = NULL;
|
||||
char *token_name = NULL;
|
||||
int tmp;
|
||||
FILE *pwd_fileptr;
|
||||
char *ptr;
|
||||
Index: nss_engine_pphrase.c
|
||||
===================================================================
|
||||
--- nss_engine_pphrase.c.orig 2016-03-14 12:33:49.139529734 +0100
|
||||
+++ nss_engine_pphrase.c 2016-03-14 12:40:42.603094487 +0100
|
||||
@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
|
||||
char line[1024];
|
||||
unsigned char phrase[200];
|
||||
int infd = fileno(input);
|
||||
@ -56,103 +10,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
|
||||
int isTTY = isatty(infd);
|
||||
|
||||
token_name = PK11_GetTokenName(slot);
|
||||
|
||||
if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE ||
|
||||
parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
|
||||
/* Try to get the passwords from the password file if it exists.
|
||||
* THIS IS UNSAFE and is provided for convenience only. Without this
|
||||
* capability the server would have to be started in foreground mode.
|
||||
*/
|
||||
if ((*parg->mc->pphrase_dialog_path != '\0') &&
|
||||
((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != NULL)) {
|
||||
while(fgets(line, 1024, pwd_fileptr)) {
|
||||
if (PL_strstr(line, token_name) == line) {
|
||||
tmp = PL_strlen(line) - 1;
|
||||
while((line[tmp] == ' ') || (line[tmp] == '\n'))
|
||||
tmp--;
|
||||
line[tmp+1] = '\0';
|
||||
ptr = PL_strchr(line, ':');
|
||||
if (ptr == NULL) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Malformed password entry for token %s. Format should be token:password", token_name);
|
||||
continue;
|
||||
}
|
||||
for(tmp=1; ptr[tmp] == ' '; tmp++) {}
|
||||
pwdstr = strdup(&(ptr[tmp]));
|
||||
}
|
||||
}
|
||||
fclose(pwd_fileptr);
|
||||
} else {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to open password file %s", parg->mc->pphrase_dialog_path);
|
||||
nss_die();
|
||||
}
|
||||
}
|
||||
|
||||
/* For SSL_PPTYPE_DEFER we only want to authenticate passwords found
|
||||
* in the password file.
|
||||
*/
|
||||
if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) &&
|
||||
(pwdstr == NULL)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* This purposely comes after the file check because that is more
|
||||
* authoritative.
|
||||
*/
|
||||
if (parg->mc->nInitCount > 1) {
|
||||
char buf[1024];
|
||||
apr_status_t rv;
|
||||
apr_size_t nBytes = 1024;
|
||||
struct sembuf sb;
|
||||
|
||||
/* lock the pipe */
|
||||
sb.sem_num = 0;
|
||||
sb.sem_op = -1;
|
||||
sb.sem_flg = SEM_UNDO;
|
||||
if (semop(parg->mc->semid, &sb, 1) == -1) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to reserve semaphore resource");
|
||||
}
|
||||
|
||||
snprintf(buf, 1024, "RETR\t%s", token_name);
|
||||
rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
|
||||
if (rv != APR_SUCCESS) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
/* The helper just returns a token pw or "", so we don't have much
|
||||
* to check for.
|
||||
*/
|
||||
memset(buf, 0, sizeof(buf));
|
||||
rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
|
||||
sb.sem_op = 1;
|
||||
if (semop(parg->mc->semid, &sb, 1) == -1) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to free semaphore resource");
|
||||
/* perror("semop free resource id"); */
|
||||
}
|
||||
|
||||
if (rv != APR_SUCCESS) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
/* Just return what we got. If we got this far and we don't have a
|
||||
* PIN then I/O is already shut down, so we can't do anything really
|
||||
* clever.
|
||||
*/
|
||||
pwdstr = strdup(buf);
|
||||
}
|
||||
|
||||
/* If we got a password we're done */
|
||||
@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
|
||||
if (pwdstr)
|
||||
return pwdstr;
|
||||
-
|
||||
+
|
||||
|
||||
+ /* It happens that stdin is not opened with O_RDONLY. Better make sure
|
||||
+ * it is and re-open /dev/tty.
|
||||
+ */
|
||||
@ -174,50 +35,3 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
|
||||
for (;;) {
|
||||
/* Prompt for password */
|
||||
if (isTTY) {
|
||||
if (parg->retryCount > 0) {
|
||||
fprintf(output, "Password incorrect. Please try again.\n");
|
||||
}
|
||||
fprintf(output, "%s", prompt);
|
||||
echoOff(infd);
|
||||
}
|
||||
fgets((char*) phrase, sizeof(phrase), input);
|
||||
if (isTTY) {
|
||||
fprintf(output, "\n");
|
||||
echoOn(infd);
|
||||
}
|
||||
/* stomp on newline */
|
||||
phrase[strlen((char*)phrase)-1] = 0;
|
||||
|
||||
/* Validate password */
|
||||
if (!(*ok)(phrase)) {
|
||||
/* Not weird enough */
|
||||
if (!isTTY) return 0;
|
||||
fprintf(output, "Password must be at least 8 characters long with one or more\n");
|
||||
fprintf(output, "non-alphabetic characters\n");
|
||||
continue;
|
||||
}
|
||||
if (PK11_IsFIPS() && strlen(phrase) == 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"The FIPS security policy requires that a password be set.");
|
||||
nss_die();
|
||||
} else
|
||||
return (char*) PORT_Strdup((char*)phrase);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Turn the echoing off on a tty.
|
||||
*/
|
||||
static void echoOff(int fd)
|
||||
{
|
||||
if (isatty(fd)) {
|
||||
struct termios tio;
|
||||
tcgetattr(fd, &tio);
|
||||
tio.c_lflag &= ~ECHO;
|
||||
tcsetattr(fd, TCSAFLUSH, &tio);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Turn the echoing on on a tty.
|
||||
*/
|
||||
|
@ -1,270 +0,0 @@
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
|
||||
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
|
||||
@@ -632,100 +632,135 @@
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fortezza_null<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_3des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_des_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_128_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_256_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_aes_128_sha256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_camellia_256_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_aes_256_sha256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.2</td>
|
||||
+ </tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Additionally there are a number of ECC ciphers:<br>
|
||||
<br>
|
||||
<table style="width: 70%;" border="1" cellpadding="2" cellspacing="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">Cipher Name<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">NSS Cipher
|
||||
Definition<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">Protocol<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_3des_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_256_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
@@ -773,100 +794,130 @@
|
||||
<tr>
|
||||
<td>echde_rsa_null</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_3des_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_256_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_null_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_rc4_128sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_3des_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_128_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_256_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_ecdsa_aes_128_sha256</td>
|
||||
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</td>
|
||||
+ <td>TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_rsa_aes_128_sha256</td>
|
||||
+ <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</td>
|
||||
+ <td>TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdhe_ecdsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_rsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdhe_rsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
<code>NSSCipherSuite
|
||||
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br>
|
||||
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br>
|
||||
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br>
|
||||
<br>
|
||||
<big><big>NSSProtocol<br>
|
||||
</big></big><br>
|
||||
A comma-separated string that lists the basic protocols that the server
|
||||
can use (and clients may connect with). It doesn't enable a cipher
|
||||
specifically but allows ciphers for that protocol to be used at all.<br>
|
||||
<br>
|
||||
Options are:<br>
|
||||
<ul>
|
||||
<li><code>SSLv3</code></li>
|
||||
<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
|
||||
<li><code>TLSv1.0</code></li>
|
||||
<li><code>TLSv1.1</code></li>
|
||||
<li><code>TLSv1.2</code></li>
|
||||
<li><code>All</code></li>
|
||||
</ul>
|
||||
Note that this differs from mod_ssl in that you can't add or subtract
|
||||
protocols.<br>
|
||||
<br>
|
||||
If no NSSProtocol is specified, mod_nss will default to allowing the use of
|
||||
the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
|
||||
minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
|
||||
allowed.
|
||||
<br>
|
||||
If values for NSSProtocol are specified, mod_nss will set both the minimum
|
||||
and the maximum allowed protocols based upon these entries allowing for the
|
||||
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
|
||||
are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
|
||||
protocol ranges to accept all protocols inclusively
|
||||
(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
|
||||
in the middle of a range (e. g. - TLS 1.0).<br>
|
||||
<br>
|
||||
Finally, NSS will always automatically negotiate the use of the strongest
|
||||
possible protocol that has been specified which is acceptable to both sides of
|
||||
a given connection.<br>
|
||||
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
|
||||
<br>
|
@ -1,247 +0,0 @@
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
|
||||
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100
|
||||
@@ -318,103 +318,103 @@
|
||||
|
||||
/*
|
||||
* Define the mod_ssl per-directory configuration structure
|
||||
* (i.e. the local configuration for all <Directory>
|
||||
* and .htaccess contexts)
|
||||
*/
|
||||
typedef struct {
|
||||
BOOL bSSLRequired;
|
||||
apr_array_header_t *aRequirement;
|
||||
int nOptions;
|
||||
int nOptionsAdd;
|
||||
int nOptionsDel;
|
||||
const char *szCipherSuite;
|
||||
nss_verify_t nVerifyClient;
|
||||
const char *szUserName;
|
||||
} SSLDirConfigRec;
|
||||
|
||||
/*
|
||||
* Cipher definitions
|
||||
*/
|
||||
typedef struct
|
||||
{
|
||||
const char *name;
|
||||
int num;
|
||||
int fortezza_only;
|
||||
PRInt32 version; /* protocol version valid for this cipher */
|
||||
} cipher_properties;
|
||||
|
||||
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
||||
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
||||
* is the last version without this define. This is used for more than just
|
||||
* the below defines. It also determines which API is used.
|
||||
*/
|
||||
#ifndef AP_SERVER_MAJORVERSION_NUMBER
|
||||
#define AP_SERVER_MAJORVERSION_NUMBER 2
|
||||
#define AP_SERVER_MINORVERSION_NUMBER 0
|
||||
#define AP_SERVER_PATCHLEVEL_NUMBER 55
|
||||
#endif
|
||||
|
||||
#if AP_SERVER_MINORVERSION_NUMBER < 2
|
||||
typedef struct regex_t ap_regex_t;
|
||||
#define AP_REG_EXTENDED REG_EXTENDED
|
||||
#define AP_REG_NOSUB REG_NOSUB
|
||||
#define AP_REG_ICASE REG_ICASE
|
||||
#endif
|
||||
|
||||
enum sslversion { SSL2=1, SSL3=2, TLS=4};
|
||||
|
||||
/* the table itself is defined in nss_engine_init.c */
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
-#define ciphernum 48
|
||||
+#define ciphernum 59
|
||||
#else
|
||||
-#define ciphernum 23
|
||||
+#define ciphernum 28
|
||||
#endif
|
||||
|
||||
/*
|
||||
* function prototypes
|
||||
*/
|
||||
|
||||
/* API glue structures */
|
||||
extern module AP_MODULE_DECLARE_DATA nss_module;
|
||||
|
||||
/* configuration handling */
|
||||
SSLModConfigRec *nss_config_global_create(server_rec *);
|
||||
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
|
||||
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
|
||||
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
|
||||
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
|
||||
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
|
||||
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
#endif
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
#endif
|
||||
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
|
||||
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
|
||||
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
|
||||
|
||||
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
|
||||
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
|
||||
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
|
||||
@@ -15,122 +15,134 @@
|
||||
|
||||
#include "mod_nss.h"
|
||||
#include "apr_thread_proc.h"
|
||||
#include "ap_mpm.h"
|
||||
#include "secmod.h"
|
||||
#include "sslerr.h"
|
||||
#include "pk11func.h"
|
||||
#include "ocsp.h"
|
||||
#include "keyhi.h"
|
||||
#include "cert.h"
|
||||
|
||||
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
||||
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
||||
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
||||
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||
|
||||
/*
|
||||
* Global variables defined in this file.
|
||||
*/
|
||||
char* INTERNAL_TOKEN_NAME = "internal ";
|
||||
|
||||
cipher_properties ciphers_def[ciphernum] =
|
||||
{
|
||||
/* SSL2 cipher suites */
|
||||
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
|
||||
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
|
||||
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
|
||||
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
|
||||
/* SSL3/TLS cipher suites */
|
||||
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
|
||||
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
|
||||
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
|
||||
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
|
||||
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
|
||||
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
|
||||
/* AES ciphers.*/
|
||||
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
|
||||
+ {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
|
||||
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
|
||||
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
|
||||
+ {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
|
||||
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
|
||||
+
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
/* ECC ciphers.*/
|
||||
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
|
||||
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
|
||||
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
#endif
|
||||
};
|
||||
|
||||
static char *version_components[] = {
|
||||
"SSL_VERSION_PRODUCT",
|
||||
"SSL_VERSION_INTERFACE",
|
||||
"SSL_VERSION_LIBRARY",
|
||||
NULL
|
||||
};
|
||||
|
||||
static char *nss_add_version_component(apr_pool_t *p,
|
||||
server_rec *s,
|
||||
char *name)
|
||||
{
|
||||
char *val = nss_var_lookup(p, s, NULL, NULL, name);
|
||||
|
||||
if (val && *val) {
|
||||
ap_add_version_component(p, val);
|
||||
}
|
||||
|
||||
return val;
|
||||
}
|
||||
|
||||
static void nss_add_version_components(apr_pool_t *p,
|
||||
server_rec *s)
|
||||
{
|
||||
char *vals[sizeof(version_components)/sizeof(char *)];
|
||||
int i;
|
||||
|
||||
for (i=0; version_components[i]; i++) {
|
||||
vals[i] = nss_add_version_component(p, s,
|
||||
version_components[i]);
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Server: %s, Interface: %s, Library: %s",
|
||||
AP_SERVER_BASEVERSION,
|
||||
vals[1], /* SSL_VERSION_INTERFACE */
|
||||
vals[2]); /* SSL_VERSION_LIBRARY */
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize SSL library
|
||||
*
|
@ -1,50 +0,0 @@
|
||||
The first fix is to retrieve the full certificate subject instead of just the
|
||||
CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
|
||||
|
||||
The second always attempts to retrieve the client certificate in
|
||||
nss_hook_ReadReq().
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=702437
|
||||
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
|
||||
+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
|
||||
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
|
||||
|
||||
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
|
||||
|
||||
- if (status == SECSuccess) {
|
||||
- conn_rec *c = filter_ctx->c;
|
||||
- SSLConnRec *sslconn = myConnConfig(c);
|
||||
-
|
||||
- sslconn->client_cert = SSL_PeerCertificate(socket);
|
||||
- sslconn->client_dn = NULL;
|
||||
- }
|
||||
+ /* The certificate is copied to sslconn->client_cert in
|
||||
+ * nss_hook_ReadReq()
|
||||
+ */
|
||||
|
||||
return status;
|
||||
}
|
||||
--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
|
||||
+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
|
||||
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
|
||||
nss_util_vhostid(r->pool, r->server));
|
||||
}
|
||||
|
||||
+ if (sslconn->client_cert != NULL)
|
||||
+ CERT_DestroyCertificate(sslconn->client_cert);
|
||||
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
|
||||
+ sslconn->client_dn = NULL;
|
||||
+
|
||||
return DECLINED;
|
||||
}
|
||||
|
||||
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
|
||||
}
|
||||
|
||||
if (!sslconn->client_dn) {
|
||||
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
|
||||
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
|
||||
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
|
||||
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
|
||||
PORT_Free(cp);
|
||||
}
|
@ -1,42 +0,0 @@
|
||||
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
|
||||
From: standa <stokos@suse.de>
|
||||
Date: Wed, 22 Oct 2014 16:14:29 +0200
|
||||
Subject: [PATCH] Compare subject CN and VS hostname during server start up
|
||||
|
||||
---
|
||||
nss_engine_init.c | 18 +++++++++++++-----
|
||||
1 file changed, 13 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/nss_engine_init.c b/nss_engine_init.c
|
||||
index d74f002..2569c8d 100644
|
||||
--- a/nss_engine_init.c
|
||||
+++ b/nss_engine_init.c
|
||||
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
|
||||
|
||||
*KEAtype = NSS_FindCertKEAType(*servercert);
|
||||
|
||||
+ /* Subject/hostname check */
|
||||
+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
|
||||
+ if (secstatus != SECSuccess) {
|
||||
+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "Misconfiguration of certificate's CN and virtual name."
|
||||
+ " The certificate CN has %s. We expected %s as virtual"
|
||||
+ " name.", cert_dns, s->server_hostname);
|
||||
+ PORT_Free(cert_dns);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
- * Check for certs that are expired or not yet valid and WARN about it
|
||||
- * no need to refuse working - the client gets a warning, but can work
|
||||
- * with the server we could also verify if the certificate is made out
|
||||
- * for the correct hostname but that would require a reverse DNS lookup
|
||||
- * for every virtual server - too expensive?
|
||||
+ * Check for certs that are expired or not yet valid and WARN about it.
|
||||
+ * No need to refuse working - the client gets a warning.
|
||||
*/
|
||||
|
||||
certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
|
||||
--
|
||||
1.9.3
|
||||
|
@ -1,26 +0,0 @@
|
||||
--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
|
||||
+++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
|
||||
@@ -82,12 +82,11 @@
|
||||
|
||||
DEST=$1
|
||||
|
||||
-echo "httptest" > $DEST/pw.txt
|
||||
+echo -e "\n" > $DEST/pw.txt
|
||||
|
||||
echo ""
|
||||
echo "#####################################################################"
|
||||
-echo "Generating new server certificate and key database. The password"
|
||||
-echo "is httptest"
|
||||
+echo "Generating new server certificate and key database."
|
||||
echo "#####################################################################"
|
||||
$CERTUTIL -N -d $DEST -f $DEST/pw.txt
|
||||
|
||||
@@ -183,8 +182,4 @@
|
||||
rm $DEST/pw.txt
|
||||
rm $DEST/noise
|
||||
|
||||
-echo ""
|
||||
-echo "The database password is httptest"
|
||||
-echo ""
|
||||
-
|
||||
exit 0
|
@ -1,142 +0,0 @@
|
||||
Index: mod_nss-1.0.8/mod_nss.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.c
|
||||
+++ mod_nss-1.0.8/mod_nss.c
|
||||
@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
|
||||
"Connection to child %ld established "
|
||||
"(server %s, client %s)", c->id, sc->vhost_id,
|
||||
- c->remote_ip ? c->remote_ip : "unknown");
|
||||
+ c->client_ip ? c->client_ip : "unknown");
|
||||
|
||||
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
|
||||
|
||||
Index: mod_nss-1.0.8/mod_nss.h
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.h
|
||||
+++ mod_nss-1.0.8/mod_nss.h
|
||||
@@ -28,7 +28,6 @@
|
||||
#include "mod_ssl.h"
|
||||
#include "util_script.h"
|
||||
#include "util_filter.h"
|
||||
-#include "mpm.h"
|
||||
#include "apr.h"
|
||||
#include "apr_strings.h"
|
||||
#define APR_WANT_STRFUNC
|
||||
@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo
|
||||
SECStatus nss_Init_Tokens(server_rec *s);
|
||||
|
||||
/* Logging */
|
||||
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
|
||||
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
|
||||
void nss_die(void);
|
||||
|
||||
/* NSS callback */
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||
@@ -15,7 +15,7 @@
|
||||
|
||||
#include "mod_nss.h"
|
||||
#include "apr_thread_proc.h"
|
||||
-#include "ap_mpm.h"
|
||||
+#include "mpm_common.h"
|
||||
#include "secmod.h"
|
||||
#include "sslerr.h"
|
||||
#include "pk11func.h"
|
||||
Index: mod_nss-1.0.8/nss_engine_io.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_io.c
|
||||
+++ mod_nss-1.0.8/nss_engine_io.c
|
||||
@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo
|
||||
PR_Close(ssl);
|
||||
|
||||
/* log the fact that we've closed the connection */
|
||||
- if (c->base_server->loglevel >= APLOG_INFO) {
|
||||
+ if (c->base_server->log.level >= APLOG_INFO) {
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
|
||||
"Connection to child %ld closed "
|
||||
"(server %s, client %s)",
|
||||
c->id,
|
||||
nss_util_vhostid(c->pool, c->base_server),
|
||||
- c->remote_ip ? c->remote_ip : "unknown");
|
||||
+ c->client_ip ? c->client_ip : "unknown");
|
||||
}
|
||||
|
||||
/* deallocate the SSL connection */
|
||||
@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_
|
||||
filter_ctx = (nss_filter_ctx_t *)(fd->secret);
|
||||
c = filter_ctx->c;
|
||||
|
||||
- return PR_StringToNetAddr(c->remote_ip, addr);
|
||||
+ return PR_StringToNetAddr(c->client_ip, addr);
|
||||
}
|
||||
|
||||
/*
|
||||
Index: mod_nss-1.0.8/nss_engine_kernel.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
|
||||
+++ mod_nss-1.0.8/nss_engine_kernel.c
|
||||
@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r)
|
||||
/*
|
||||
* Log information about incoming HTTPS requests
|
||||
*/
|
||||
- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
|
||||
+ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) {
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
|
||||
"%s HTTPS request received for child %ld (server %s)",
|
||||
(r->connection->keepalives <= 0 ?
|
||||
@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r)
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
|
||||
"Access to %s denied for %s "
|
||||
"(requirement expression not fulfilled)",
|
||||
- r->filename, r->connection->remote_ip);
|
||||
+ r->filename, r->connection->client_ip);
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
|
||||
"Failed expression: %s", req->cpExpr);
|
||||
Index: mod_nss-1.0.8/nss_engine_log.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_log.c
|
||||
+++ mod_nss-1.0.8/nss_engine_log.c
|
||||
@@ -321,7 +321,7 @@ void nss_die(void)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
-void nss_log_nss_error(const char *file, int line, int level, server_rec *s)
|
||||
+void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s)
|
||||
{
|
||||
const char *err;
|
||||
PRInt32 error;
|
||||
@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file,
|
||||
err = "Unknown";
|
||||
}
|
||||
|
||||
- ap_log_error(file, line, level, 0, s,
|
||||
+ ap_log_error(file, line, module_index, level, 0, s,
|
||||
"SSL Library Error: %d %s",
|
||||
error, err);
|
||||
}
|
||||
Index: mod_nss-1.0.8/nss_engine_vars.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_vars.c
|
||||
+++ mod_nss-1.0.8/nss_engine_vars.c
|
||||
@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
|
||||
&& sslconn && sslconn->ssl)
|
||||
result = nss_var_lookup_ssl(p, c, var+4);
|
||||
else if (strcEQ(var, "REMOTE_ADDR"))
|
||||
- result = c->remote_ip;
|
||||
+ result = c->client_ip;
|
||||
else if (strcEQ(var, "HTTPS")) {
|
||||
if (sslconn && sslconn->ssl)
|
||||
result = "on";
|
||||
@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
|
||||
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
|
||||
result = nss_var_lookup_nss_version(p, var+12);
|
||||
else if (strcEQ(var, "SERVER_SOFTWARE"))
|
||||
- result = (char *)ap_get_server_version();
|
||||
+ result = (char *)ap_get_server_banner();
|
||||
else if (strcEQ(var, "API_VERSION")) {
|
||||
result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
|
||||
resdup = FALSE;
|
@ -1,240 +0,0 @@
|
||||
diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
|
||||
--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500
|
||||
+++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500
|
||||
@@ -152,6 +152,8 @@
|
||||
AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
|
||||
"SSLLogLevel directive is no longer supported - use LogLevel."),
|
||||
#endif
|
||||
+ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
|
||||
+ "Apache user. Comes from httpd.conf."),
|
||||
|
||||
AP_END_CMD
|
||||
};
|
||||
diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
|
||||
--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500
|
||||
+++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500
|
||||
@@ -41,6 +41,9 @@
|
||||
#include "apr_shm.h"
|
||||
#include "apr_global_mutex.h"
|
||||
#include "apr_optional.h"
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/ipc.h>
|
||||
+#include <sys/sem.h>
|
||||
|
||||
#define MOD_NSS_VERSION AP_SERVER_BASEREVISION
|
||||
|
||||
@@ -244,6 +247,9 @@
|
||||
struct {
|
||||
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
|
||||
} rCtx;
|
||||
+
|
||||
+ int semid;
|
||||
+ const char *user;
|
||||
} SSLModConfigRec;
|
||||
|
||||
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
|
||||
@@ -412,6 +418,7 @@
|
||||
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
|
||||
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
|
||||
|
||||
/* module initialization */
|
||||
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
|
||||
diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c
|
||||
--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500
|
||||
+++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500
|
||||
@@ -830,3 +830,12 @@
|
||||
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
|
||||
+{
|
||||
+ SSLModConfigRec *mc = myModConfig(cmd->server);
|
||||
+
|
||||
+ mc->user = arg;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c
|
||||
--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500
|
||||
+++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500
|
||||
@@ -312,6 +312,7 @@
|
||||
int sslenabled = FALSE;
|
||||
int fipsenabled = FALSE;
|
||||
int threaded = 0;
|
||||
+ struct semid_ds status;
|
||||
|
||||
mc->nInitCount++;
|
||||
|
||||
@@ -412,10 +413,26 @@
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i");
|
||||
|
||||
+ /* The first pass through this function will create the semaphore that
|
||||
+ * will be used to lock the pipe. The user is still root at that point
|
||||
+ * so for any later calls the semaphore ops will fail with permission
|
||||
+ * errors. So switch the user to the Apache user.
|
||||
+ */
|
||||
+ if (mc->semid) {
|
||||
+ uid_t user_id;
|
||||
+
|
||||
+ user_id = ap_uname2id(mc->user);
|
||||
+ semctl(mc->semid, 0, IPC_STAT, &status);
|
||||
+ status.sem_perm.uid = user_id;
|
||||
+ semctl(mc->semid,0,IPC_SET,&status);
|
||||
+ }
|
||||
+
|
||||
/* Do we need to fire up our password helper? */
|
||||
if (mc->nInitCount == 1) {
|
||||
const char * child_argv[5];
|
||||
apr_status_t rv;
|
||||
+ struct sembuf sb;
|
||||
+ char sembuf[32];
|
||||
|
||||
if (mc->pphrase_dialog_helper == NULL) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
@@ -423,11 +440,31 @@
|
||||
nss_die();
|
||||
}
|
||||
|
||||
+ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
|
||||
+ if (mc->semid == -1) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "Unable to obtain semaphore.");
|
||||
+ nss_die();
|
||||
+ }
|
||||
+
|
||||
+ /* Initialize the semaphore */
|
||||
+ sb.sem_num = 0;
|
||||
+ sb.sem_op = 1;
|
||||
+ sb.sem_flg = 0;
|
||||
+ if ((semop(mc->semid, &sb, 1)) == -1) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "Unable to initialize semaphore.");
|
||||
+ nss_die();
|
||||
+ }
|
||||
+
|
||||
+ PR_snprintf(sembuf, 32, "%d", mc->semid);
|
||||
+
|
||||
child_argv[0] = mc->pphrase_dialog_helper;
|
||||
- child_argv[1] = fipsenabled ? "on" : "off";
|
||||
- child_argv[2] = mc->pCertificateDatabase;
|
||||
- child_argv[3] = mc->pDBPrefix;
|
||||
- child_argv[4] = NULL;
|
||||
+ child_argv[1] = sembuf;
|
||||
+ child_argv[2] = fipsenabled ? "on" : "off";
|
||||
+ child_argv[3] = mc->pCertificateDatabase;
|
||||
+ child_argv[4] = mc->pDBPrefix;
|
||||
+ child_argv[5] = NULL;
|
||||
|
||||
rv = apr_procattr_create(&mc->procattr, mc->pPool);
|
||||
|
||||
diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c
|
||||
--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400
|
||||
+++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500
|
||||
@@ -279,6 +279,16 @@
|
||||
char buf[1024];
|
||||
apr_status_t rv;
|
||||
apr_size_t nBytes = 1024;
|
||||
+ struct sembuf sb;
|
||||
+
|
||||
+ /* lock the pipe */
|
||||
+ sb.sem_num = 0;
|
||||
+ sb.sem_op = -1;
|
||||
+ sb.sem_flg = SEM_UNDO;
|
||||
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
+ "Unable to reserve semaphore resource");
|
||||
+ }
|
||||
|
||||
snprintf(buf, 1024, "RETR\t%s", token_name);
|
||||
rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
|
||||
@@ -293,6 +303,13 @@
|
||||
*/
|
||||
memset(buf, 0, sizeof(buf));
|
||||
rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
|
||||
+ sb.sem_op = 1;
|
||||
+ if (semop(parg->mc->semid, &sb, 1) == -1) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
+ "Unable to free semaphore resource");
|
||||
+ /* perror("semop free resource id"); */
|
||||
+ }
|
||||
+
|
||||
if (rv != APR_SUCCESS) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
"Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
|
||||
diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
|
||||
--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500
|
||||
+++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500
|
||||
@@ -21,6 +21,9 @@
|
||||
#include <pk11func.h>
|
||||
#include <secmod.h>
|
||||
#include <signal.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/ipc.h>
|
||||
+#include <sys/sem.h>
|
||||
#include "nss_pcache.h"
|
||||
|
||||
static char * getstr(const char * cmd, int el);
|
||||
@@ -70,6 +73,13 @@
|
||||
unsigned char *crypt;
|
||||
};
|
||||
|
||||
+union semun {
|
||||
+ int val;
|
||||
+ struct semid_ds *buf;
|
||||
+ unsigned short *array;
|
||||
+ struct seminfo *__buf;
|
||||
+};
|
||||
+
|
||||
/*
|
||||
* Node - for maintaining link list of tokens with cached PINs
|
||||
*/
|
||||
@@ -304,15 +314,19 @@
|
||||
char * tokenName;
|
||||
char * tokenpw;
|
||||
int fipsmode = 0;
|
||||
+ int semid = 0;
|
||||
+ union semun semarg;
|
||||
|
||||
- if (argc < 3 || argc > 4) {
|
||||
- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n");
|
||||
+ if (argc < 4 || argc > 5) {
|
||||
+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
signal(SIGHUP, SIG_IGN);
|
||||
|
||||
- if (!strcasecmp(argv[1], "on"))
|
||||
+ semid = strtol(argv[1], NULL, 10);
|
||||
+
|
||||
+ if (!strcasecmp(argv[2], "on"))
|
||||
fipsmode = 1;
|
||||
|
||||
/* Initialize NSPR */
|
||||
@@ -322,7 +336,7 @@
|
||||
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
|
||||
|
||||
/* Initialize NSS and open the certificate database read-only. */
|
||||
- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
|
||||
+ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
|
||||
@@ -437,6 +451,11 @@
|
||||
}
|
||||
freeList(pinList);
|
||||
PR_Close(in);
|
||||
+ /* Remove the semaphore used for locking here. This is because this
|
||||
+ * program only goes away when Apache shuts down so we don't have to
|
||||
+ * worry about reloads.
|
||||
+ */
|
||||
+ semctl(semid, 0, IPC_RMID, semarg);
|
||||
return 0;
|
||||
}
|
||||
|
||||
Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
|
||||
Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej
|
@ -1,159 +0,0 @@
|
||||
|
||||
diff -up ./mod_nss.c.norego ./mod_nss.c
|
||||
--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
|
||||
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
|
||||
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
|
||||
SSL_CMD_SRV(Nickname, TAKE1,
|
||||
"SSL RSA Server Certificate nickname "
|
||||
"(`Server-Cert'")
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+ SSL_CMD_SRV(Renegotiation, FLAG,
|
||||
+ "Enable SSL Renegotiation (default off) "
|
||||
+ "(`on', `off')")
|
||||
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
|
||||
+ "If Rengotiation is allowed, require safe negotiation (default off) "
|
||||
+ "(`on', `off')")
|
||||
+#endif
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
SSL_CMD_SRV(ECCNickname, TAKE1,
|
||||
"SSL ECC Server Certificate nickname "
|
||||
diff -up ./mod_nss.h.norego ./mod_nss.h
|
||||
--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
|
||||
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
|
||||
@@ -269,6 +269,10 @@ typedef struct {
|
||||
int tls;
|
||||
int tlsrollback;
|
||||
int enforce;
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+ int enablerenegotiation;
|
||||
+ int requiresafenegotiation;
|
||||
+#endif
|
||||
const char *nickname;
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
const char *eccnickname;
|
||||
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
|
||||
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
+#endif
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
#endif
|
||||
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
|
||||
--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
|
||||
+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
|
||||
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
|
||||
mctx->tls = PR_FALSE;
|
||||
mctx->tlsrollback = PR_FALSE;
|
||||
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+ mctx->enablerenegotiation = PR_FALSE;
|
||||
+ mctx->requiresafenegotiation = PR_FALSE;
|
||||
+#endif
|
||||
mctx->enforce = PR_TRUE;
|
||||
mctx->nickname = NULL;
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
|
||||
cfgMerge(eccnickname, NULL);
|
||||
#endif
|
||||
cfgMerge(enforce, PR_TRUE);
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+ cfgMerge(enablerenegotiation, PR_FALSE);
|
||||
+ cfgMerge(requiresafenegotiation, PR_FALSE);
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
|
||||
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
|
||||
+{
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
+
|
||||
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
|
||||
+{
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
+
|
||||
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
|
||||
void *dcfg,
|
||||
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
|
||||
--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
|
||||
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
|
||||
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
|
||||
nss_die();
|
||||
}
|
||||
}
|
||||
+#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
|
||||
+ mctx->enablerenegotiation ?
|
||||
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
|
||||
+ ) != SECSuccess) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "Unable to set SSL renegotiation");
|
||||
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
|
||||
+ mctx->requiresafenegotiation) != SECSuccess) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "Unable to set SSL safe negotiation");
|
||||
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
+ nss_die();
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void nss_init_ctx_protocol(server_rec *s,
|
||||
|
||||
|
||||
diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
|
||||
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
|
||||
+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
|
||||
@@ -27,7 +27,7 @@
|
||||
#define LIBSEC_ERROR_BASE (-8192)
|
||||
#define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
|
||||
#define LIBSSL_ERROR_BASE (-12288)
|
||||
-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
|
||||
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
|
||||
|
||||
typedef struct l_error_t {
|
||||
int errorNumber;
|
||||
@@ -296,7 +296,19 @@
|
||||
{ 99, "Server requires ciphers more secure than those supported by client" },
|
||||
{ 100, "Peer reports it experienced an internal error" },
|
||||
{ 101, "Peer user canceled handshake" },
|
||||
- { 102, "Peer does not permit renegotiation of SSL security parameters" }
|
||||
+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
|
||||
+ { 103, "Server cache not configured" },
|
||||
+ { 104, "Unsupported extension" },
|
||||
+ { 105, "Certificate unobtainable" },
|
||||
+ { 106, "Unrecognized name" },
|
||||
+ { 107, "Bad certificate status" },
|
||||
+ { 108, "Bad certificate hash value" },
|
||||
+ { 109, "Unexpected new session ticket" },
|
||||
+ { 110, "Malformed new session ticket" },
|
||||
+ { 111, "Decompression failure" },
|
||||
+ { 112, "Renegotiation not allowed" },
|
||||
+ { 113, "Safe negotiation required but not provided by client" },
|
||||
+ { 114, "Unexpected uncompressed record" },
|
||||
};
|
||||
|
||||
void nss_die(void)
|
@ -1,23 +0,0 @@
|
||||
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
|
||||
@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
|
||||
server_rec *s;
|
||||
int shutdown = 0;
|
||||
|
||||
- /* Clear any client-side session cache data */
|
||||
- SSL_ClearSessionCache();
|
||||
-
|
||||
/*
|
||||
* Free the non-pool allocated structures
|
||||
* in the per-server configurations
|
||||
@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
|
||||
}
|
||||
|
||||
if (shutdown) {
|
||||
+ /* Clear any client-side session cache data */
|
||||
+ SSL_ClearSessionCache();
|
||||
+
|
||||
if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
|
||||
!= SECSuccess) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
@ -1,24 +0,0 @@
|
||||
Bug 669118
|
||||
|
||||
memcpy of overlapping memory is no longer allowed by glibc.
|
||||
|
||||
This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
|
||||
|
||||
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
|
||||
+++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
|
||||
@@ -123,13 +123,13 @@
|
||||
|
||||
if (buffer->length > inl) {
|
||||
/* we have have enough to fill the caller's buffer */
|
||||
- memcpy(in, buffer->value, inl);
|
||||
+ memmove(in, buffer->value, inl);
|
||||
buffer->value += inl;
|
||||
buffer->length -= inl;
|
||||
}
|
||||
else {
|
||||
/* swallow remainder of the buffer */
|
||||
- memcpy(in, buffer->value, buffer->length);
|
||||
+ memmove(in, buffer->value, buffer->length);
|
||||
inl = buffer->length;
|
||||
buffer->value = NULL;
|
||||
buffer->length = 0;
|
@ -1,21 +0,0 @@
|
||||
diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
|
||||
--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
|
||||
+++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <seccomon.h>
|
||||
#include <pk11func.h>
|
||||
#include <secmod.h>
|
||||
+#include <signal.h>
|
||||
#include "nss_pcache.h"
|
||||
|
||||
static char * getstr(const char * cmd, int el);
|
||||
@@ -309,6 +310,8 @@
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ signal(SIGHUP, SIG_IGN);
|
||||
+
|
||||
if (!strcasecmp(argv[1], "on"))
|
||||
fipsmode = 1;
|
||||
|
||||
Only in mod_nss-1.0.8: nss_pcache.c.rej
|
@ -1,83 +0,0 @@
|
||||
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
|
||||
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
|
||||
tls = 1;
|
||||
} else {
|
||||
if (mctx->auth.protocols == NULL) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
- "NSSProtocols not set; using: SSLv3 and TLSv1");
|
||||
+ /*
|
||||
+ * Since this routine will be invoked individually for every
|
||||
+ * thread associated with each 'server' object as well as for
|
||||
+ * every thread associated with each 'proxy' object, issue a
|
||||
+ * single per-thread 'warning' message for either a 'server'
|
||||
+ * or a 'proxy' based upon the thread's object type.
|
||||
+ */
|
||||
+ if (mctx == mctx->sc->server) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
+ "NSSProtocol value not set; using: SSLv3 and TLSv1");
|
||||
+ } else if (mctx == mctx->sc->proxy) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
+ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
|
||||
+ }
|
||||
+
|
||||
ssl3 = tls = 1;
|
||||
} else {
|
||||
lprotocols = strdup(mctx->auth.protocols);
|
||||
@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
|
||||
* Configure SSL Cipher Suite
|
||||
*/
|
||||
if (!suite) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "Required value NSSCipherSuite not set.");
|
||||
+ /*
|
||||
+ * Since this is a 'fatal' error, regardless of whether this
|
||||
+ * particular invocation is from a 'server' object or a 'proxy'
|
||||
+ * object, issue all error message(s) as appropriate.
|
||||
+ */
|
||||
+ if ((mctx->sc->enabled == TRUE) &&
|
||||
+ (mctx->sc->server) &&
|
||||
+ (!mctx->sc->server->auth.cipher_suite)) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "NSSEngine on; required value NSSCipherSuite not set.");
|
||||
+ }
|
||||
+
|
||||
+ if ((mctx->sc->proxy_enabled == TRUE) &&
|
||||
+ (mctx->sc->proxy) &&
|
||||
+ (!mctx->sc->proxy->auth.cipher_suite)) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
|
||||
+ }
|
||||
+
|
||||
nss_die();
|
||||
}
|
||||
ciphers = strdup(suite);
|
||||
@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
|
||||
if (mctx->nickname == NULL)
|
||||
#endif
|
||||
{
|
||||
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "No certificate nickname provided.");
|
||||
+ /*
|
||||
+ * Since this is a 'fatal' error, regardless of whether this
|
||||
+ * particular invocation is from a 'server' object or a 'proxy'
|
||||
+ * object, issue all error message(s) as appropriate.
|
||||
+ */
|
||||
+ if ((mctx->sc->enabled == TRUE) &&
|
||||
+ (mctx->sc->server) &&
|
||||
+ (mctx->sc->server->nickname == NULL)) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "NSSEngine on; no certificate nickname provided by NSSNickname.");
|
||||
+ }
|
||||
+
|
||||
+ if ((mctx->sc->proxy_enabled == TRUE) &&
|
||||
+ (mctx->sc->proxy) &&
|
||||
+ (mctx->sc->proxy->nickname == NULL)) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
+ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
|
||||
+ }
|
||||
+
|
||||
nss_die();
|
||||
}
|
||||
|
@ -1,10 +0,0 @@
|
||||
--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
|
||||
+++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
|
||||
@@ -348,6 +348,7 @@
|
||||
break;
|
||||
}
|
||||
|
||||
+ PR_SetError(0, 0);
|
||||
rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
|
||||
|
||||
if (rc > 0) {
|
@ -1,64 +0,0 @@
|
||||
Index: mod_nss-1.0.8/nss_engine_io.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200
|
||||
+++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200
|
||||
@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
|
||||
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
|
||||
+{
|
||||
+ conn_rec *c = f->c;
|
||||
+ SSLConnRec *sslconn = myConnConfig(c);
|
||||
+
|
||||
+ /*
|
||||
+ * Enable SNI for backend requests. Make sure we don't do it for
|
||||
+ * pure SSLv3 connections
|
||||
+ */
|
||||
+ if (sslconn->is_proxy) {
|
||||
+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
|
||||
+ if (hostname_note) {
|
||||
+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
|
||||
+ "Error setting SNI extension for SSL Proxy request: %d",
|
||||
+ PR_GetError());
|
||||
+ } else {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
|
||||
+ "SNI extension for SSL Proxy request set to '%s'",
|
||||
+ hostname_note);
|
||||
+ }
|
||||
+ }
|
||||
+ else {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
|
||||
+ "Can't set SNI extension: no hostname available");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return APR_SUCCESS;
|
||||
+}
|
||||
+
|
||||
static apr_status_t nss_io_filter_input(ap_filter_t *f,
|
||||
apr_bucket_brigade *bb,
|
||||
ap_input_mode_t mode,
|
||||
@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
|
||||
inctx->mode = mode;
|
||||
inctx->block = block;
|
||||
|
||||
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
|
||||
+ return nss_io_filter_error(f, bb, status);
|
||||
+ }
|
||||
+
|
||||
if (is_init) {
|
||||
/* protocol module needs to handshake before sending
|
||||
* data to client (e.g. NNTP or FTP)
|
||||
@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
|
||||
inctx->mode = AP_MODE_READBYTES;
|
||||
inctx->block = APR_BLOCK_READ;
|
||||
|
||||
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
|
||||
+ return nss_io_filter_error(f, bb, status);
|
||||
+ }
|
||||
+
|
||||
while (!APR_BRIGADE_EMPTY(bb)) {
|
||||
apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
|
||||
|
@ -1,182 +0,0 @@
|
||||
mod_proxy now sets the requested remote host name. Use this to compare
|
||||
to the CN value of the peer certificate and reject the request if they
|
||||
do not match (and we are have NSSProxyCheckPeerCN set to on).
|
||||
|
||||
diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
|
||||
--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
|
||||
+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
|
||||
@@ -1028,7 +1028,21 @@
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
-<code>NSSProxyNickname beta</code><br>
|
||||
+<code>NSSProxyNickname beta<br>
|
||||
+<br>
|
||||
+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
|
||||
+<br>
|
||||
+Compare the CN value of the peer certificate with the hostname being
|
||||
+requested. If this is set to on, the default, then the request will
|
||||
+fail if they do not match. If this is set to off then this comparison
|
||||
+is not done. Note that this test is your only protection against a
|
||||
+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
|
||||
+<br>
|
||||
+<span style="font-weight: bold;">Example</span><br>
|
||||
+<br>
|
||||
+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
|
||||
+on<br>
|
||||
+</code><br>
|
||||
<h1><a name="Environment"></a>Environment Variables</h1>
|
||||
Quite a few environment variables (for CGI and SSI) may be set
|
||||
depending on the NSSOptions configuration. It can be expensive to set
|
||||
@@ -1435,42 +1449,9 @@
|
||||
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
|
||||
Q. Does mod_nss support mod_proxy?<br>
|
||||
<br>
|
||||
-A. In order to use the mod_nss proxy support you will need to build
|
||||
-your own mod_proxy by applying a patch found in bug <a
|
||||
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
|
||||
-The patch is needed so we can compare the hostname contained in the
|
||||
-remote certificate with the hostname you meant to visit. This prevents
|
||||
-man-in-the-middle attacks.<br>
|
||||
-<br>
|
||||
-You also have to change the SSL functions that mod_proxy looks to use.
|
||||
-You'll need to apply this patch:<br>
|
||||
-<br>
|
||||
-<code>1038,1039c1038,1039<br>
|
||||
-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
|
||||
-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
|
||||
----<br>
|
||||
-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
|
||||
-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
|
||||
-1041,1042c1041,1042<br>
|
||||
-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
|
||||
-NULL;<br>
|
||||
-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
|
||||
-= NULL;<br>
|
||||
----<br>
|
||||
-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
|
||||
-NULL;<br>
|
||||
-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
|
||||
-= NULL;<br>
|
||||
-1069,1070c1069,1070<br>
|
||||
-< proxy_ssl_enable =
|
||||
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
|
||||
-< proxy_ssl_disable =
|
||||
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
|
||||
----<br>
|
||||
-> proxy_ssl_enable =
|
||||
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
|
||||
-> proxy_ssl_disable =
|
||||
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
|
||||
-</code><br>
|
||||
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
|
||||
+provides a single interface for SSL providers and mod_nss defers to
|
||||
+mod_ssl
|
||||
+if it is loaded.
|
||||
</body>
|
||||
</html>
|
||||
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
|
||||
--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
|
||||
+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
|
||||
@@ -142,6 +142,8 @@
|
||||
SSL_CMD_SRV(ProxyNickname, TAKE1,
|
||||
"SSL Proxy: client certificate Nickname to be for proxy connections "
|
||||
"(`nickname')")
|
||||
+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
|
||||
+ "SSL Proxy: check the peers certificate CN")
|
||||
|
||||
#ifdef IGNORE
|
||||
/* Deprecated directives. */
|
||||
@@ -238,23 +240,30 @@
|
||||
SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
|
||||
{
|
||||
conn_rec *c = (conn_rec *)arg;
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
|
||||
PRErrorCode err = PR_GetError();
|
||||
SECStatus rv = SECFailure;
|
||||
CERTCertificate *peerCert = SSL_PeerCertificate(socket);
|
||||
+ const char *hostname_note;
|
||||
|
||||
switch (err) {
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
- if (c->remote_host != NULL) {
|
||||
- rv = CERT_VerifyCertName(peerCert, c->remote_host);
|
||||
- if (rv != SECSuccess) {
|
||||
- char *remote = CERT_GetCommonName(&peerCert->subject);
|
||||
+ if (sc->proxy_ssl_check_peer_cn == TRUE) {
|
||||
+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
|
||||
+ apr_table_unset(c->notes, "proxy-request-hostname");
|
||||
+ rv = CERT_VerifyCertName(peerCert, hostname_note);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ char *remote = CERT_GetCommonName(&peerCert->subject);
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
|
||||
+ PORT_Free(remote);
|
||||
+ }
|
||||
+ } else {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
|
||||
- PORT_Free(remote);
|
||||
+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
|
||||
}
|
||||
} else {
|
||||
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
||||
- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
|
||||
+ rv = SECSuccess;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
|
||||
--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
|
||||
+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
|
||||
@@ -306,6 +306,7 @@
|
||||
int vhost_id_len;
|
||||
modnss_ctx_t *server;
|
||||
modnss_ctx_t *proxy;
|
||||
+ BOOL proxy_ssl_check_peer_cn;
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -410,6 +411,7 @@
|
||||
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
|
||||
|
||||
/* module initialization */
|
||||
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
|
||||
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
|
||||
--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
|
||||
+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
|
||||
@@ -140,6 +140,7 @@
|
||||
sc->vhost_id_len = 0; /* set during module init */
|
||||
sc->proxy = NULL;
|
||||
sc->server = NULL;
|
||||
+ sc->proxy_ssl_check_peer_cn = TRUE;
|
||||
|
||||
modnss_ctx_init_proxy(sc, p);
|
||||
|
||||
@@ -214,6 +215,7 @@
|
||||
cfgMergeBool(fips);
|
||||
cfgMergeBool(enabled);
|
||||
cfgMergeBool(proxy_enabled);
|
||||
+ cfgMergeBool(proxy_ssl_check_peer_cn);
|
||||
|
||||
modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
|
||||
|
||||
@@ -544,6 +546,15 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
|
||||
+{
|
||||
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
+
|
||||
+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
|
||||
void *dcfg,
|
||||
int flag)
|
@ -1,214 +0,0 @@
|
||||
Index: mod_nss-1.0.8/mod_nss.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.c
|
||||
+++ mod_nss-1.0.8/mod_nss.c
|
||||
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
|
||||
return sslconn;
|
||||
}
|
||||
|
||||
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
|
||||
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
|
||||
+
|
||||
int nss_proxy_enable(conn_rec *c)
|
||||
{
|
||||
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
|
||||
@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
|
||||
SSLConnRec *sslconn = nss_init_connection_ctx(c);
|
||||
|
||||
if (!sc->proxy_enabled) {
|
||||
+ if (othermod_proxy_enable) {
|
||||
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
|
||||
+ "mod_nss proxy not configured, passing through to mod_ssl module");
|
||||
+ return othermod_proxy_enable(c);
|
||||
+ }
|
||||
+
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
|
||||
"SSL Proxy requested for %s but not enabled "
|
||||
"[Hint: NSSProxyEngine]", sc->vhost_id);
|
||||
@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
|
||||
return 1;
|
||||
}
|
||||
|
||||
-int ssl_proxy_enable(conn_rec *c) {
|
||||
+static int ssl_proxy_enable(conn_rec *c) {
|
||||
return nss_proxy_enable(c);
|
||||
}
|
||||
|
||||
@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
|
||||
|
||||
SSLConnRec *sslconn;
|
||||
|
||||
+ if (othermod_engine_disable) {
|
||||
+ othermod_engine_disable(c);
|
||||
+ }
|
||||
+
|
||||
if (sc->enabled == FALSE) {
|
||||
return 0;
|
||||
}
|
||||
@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
|
||||
return 1;
|
||||
}
|
||||
|
||||
-int ssl_engine_disable(conn_rec *c) {
|
||||
+static int ssl_engine_disable(conn_rec *c) {
|
||||
return nss_engine_disable(c);
|
||||
}
|
||||
|
||||
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
|
||||
|
||||
nss_var_register();
|
||||
|
||||
+ /* Always register these mod_nss optional functions */
|
||||
APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
|
||||
APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
|
||||
|
||||
- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
|
||||
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
|
||||
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
|
||||
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
|
||||
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
|
||||
+ /* Save the state of any previously registered mod_ssl functions */
|
||||
+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
|
||||
+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
|
||||
+
|
||||
+ /* Always register these local mod_ssl optional functions */
|
||||
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
|
||||
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
|
||||
}
|
||||
|
||||
module AP_MODULE_DECLARE_DATA nss_module = {
|
||||
Index: mod_nss-1.0.8/mod_nss.h
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.h
|
||||
+++ mod_nss-1.0.8/mod_nss.h
|
||||
@@ -13,8 +13,8 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
-#ifndef __MOD_SSL_H__
|
||||
-#define __MOD_SSL_H__
|
||||
+#ifndef __MOD_NSS_H__
|
||||
+#define __MOD_NSS_H__
|
||||
|
||||
/* Apache headers */
|
||||
#include "httpd.h"
|
||||
@@ -25,6 +25,7 @@
|
||||
#include "http_connection.h"
|
||||
#include "http_request.h"
|
||||
#include "http_protocol.h"
|
||||
+#include "mod_ssl.h"
|
||||
#include "util_script.h"
|
||||
#include "util_filter.h"
|
||||
#include "mpm.h"
|
||||
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
|
||||
/* Variables */
|
||||
void nss_var_register(void);
|
||||
char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
|
||||
-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
|
||||
void nss_var_log_config_register(apr_pool_t *p);
|
||||
|
||||
APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
|
||||
(apr_pool_t *, server_rec *,
|
||||
conn_rec *, request_rec *,
|
||||
char *));
|
||||
-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
|
||||
- (apr_pool_t *, server_rec *,
|
||||
- conn_rec *, request_rec *,
|
||||
- char *));
|
||||
|
||||
/* An optional function which returns non-zero if the given connection
|
||||
* is using SSL/TLS. */
|
||||
APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
|
||||
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
|
||||
|
||||
/* Proxy Support */
|
||||
int nss_proxy_enable(conn_rec *c);
|
||||
int nss_engine_disable(conn_rec *c);
|
||||
-int ssl_proxy_enable(conn_rec *c);
|
||||
-int ssl_engine_disable(conn_rec *c);
|
||||
|
||||
APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
|
||||
-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
|
||||
|
||||
APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
|
||||
-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
|
||||
|
||||
/* I/O */
|
||||
PRFileDesc * nss_io_new_fd();
|
||||
@@ -495,4 +486,4 @@ void nss_die(void);
|
||||
|
||||
/* NSS callback */
|
||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||
-#endif /* __MOD_SSL_H__ */
|
||||
+#endif /* __MOD_NSS_H__ */
|
||||
Index: mod_nss-1.0.8/nss_engine_vars.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_vars.c
|
||||
+++ mod_nss-1.0.8/nss_engine_vars.c
|
||||
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
|
||||
static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
|
||||
static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
|
||||
static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
|
||||
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
|
||||
+
|
||||
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
|
||||
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
|
||||
|
||||
static int nss_is_https(conn_rec *c)
|
||||
{
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
- return sslconn && sslconn->ssl;
|
||||
+
|
||||
+ return (sslconn && sslconn->ssl)
|
||||
+ || (othermod_is_https && othermod_is_https(c));
|
||||
}
|
||||
|
||||
static int ssl_is_https(conn_rec *c) {
|
||||
@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
|
||||
|
||||
void nss_var_register(void)
|
||||
{
|
||||
+ /* Always register these mod_nss optional functions */
|
||||
APR_REGISTER_OPTIONAL_FN(nss_is_https);
|
||||
APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
|
||||
|
||||
- /* These can only be registered if mod_ssl is not loaded */
|
||||
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
|
||||
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
|
||||
- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
|
||||
- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
|
||||
+ /* Save the state of any previously registered mod_ssl functions */
|
||||
+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
|
||||
+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
|
||||
+
|
||||
+ /* Always register these local mod_ssl optional functions */
|
||||
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
|
||||
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
|
||||
*/
|
||||
if (result == NULL && c != NULL) {
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
+
|
||||
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
|
||||
+ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
|
||||
+ /* If mod_ssl is registered for this connection,
|
||||
+ * pass any SSL_* variable through to the mod_ssl module
|
||||
+ */
|
||||
+ return othermod_var_lookup(p, s, c, r, var);
|
||||
+ }
|
||||
+
|
||||
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
|
||||
&& sslconn && sslconn->ssl)
|
||||
result = nss_var_lookup_ssl(p, c, var+4);
|
||||
@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
|
||||
return result;
|
||||
}
|
||||
|
||||
-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
|
||||
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
|
||||
return nss_var_lookup(p, s, c, r, var);
|
||||
}
|
||||
|
@ -1,745 +0,0 @@
|
||||
Index: mod_nss-1.0.8/docs/mod_nss.html
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/docs/mod_nss.html
|
||||
+++ mod_nss-1.0.8/docs/mod_nss.html
|
||||
@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
|
||||
<br>
|
||||
Enables or disables FIPS 140 mode. This replaces the standard
|
||||
internal PKCS#11 module with a FIPS-enabled one. It also forces the
|
||||
-enabled protocols to TLSv1 and disables all ciphers but the
|
||||
+enabled protocols to TLSv1.2 - TLS v1.0 and disables all ciphers but the
|
||||
FIPS ones. You may still select which ciphers you would like
|
||||
limited to those that are FIPS-certified. Any non-FIPS that are
|
||||
included in the NSSCipherSuite entry are automatically disabled.
|
||||
@@ -570,7 +570,7 @@ definition<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1<br>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@@ -578,106 +578,106 @@ definition<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_null_md5<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_null_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc2_40_md5</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_128_md5</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_128_sha</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_40_md5</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fortezza<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fortezza_rc4_128_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fortezza_null<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_3des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_des_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSL3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_128_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_256_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
|
||||
</td>
|
||||
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@@ -698,127 +698,127 @@ Definition<br>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_3des_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_256_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_3des_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_aes_128_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_aes_256_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_rsa_null_sha</td>
|
||||
<td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_rsa_128_sha</td>
|
||||
<td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_rsa_3des_sha</td>
|
||||
<td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_rsa_aes_128_sha</td>
|
||||
<td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_rsa_aes_256_sha</td>
|
||||
<td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>echde_rsa_null</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_3des_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_256_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_null_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_rc4_128sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_3des_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_128_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_256_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
|
||||
- <td>TLSv1</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@@ -839,16 +839,36 @@ specifically but allows ciphers for that
|
||||
Options are:<br>
|
||||
<ul>
|
||||
<li><code>SSLv3</code></li>
|
||||
- <li><code>TLSv1</code></li>
|
||||
+ <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
|
||||
+ <li><code>TLSv1.0</code></li>
|
||||
+ <li><code>TLSv1.1</code></li>
|
||||
+ <li><code>TLSv1.2</code></li>
|
||||
<li><code>All</code></li>
|
||||
</ul>
|
||||
Note that this differs from mod_ssl in that you can't add or subtract
|
||||
protocols.<br>
|
||||
+<br>
|
||||
+If no NSSProtocol is specified, mod_nss will default to allowing the use of
|
||||
+the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
|
||||
+minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
|
||||
+allowed.
|
||||
+<br>
|
||||
+If values for NSSProtocol are specified, mod_nss will set both the minimum
|
||||
+and the maximum allowed protocols based upon these entries allowing for the
|
||||
+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
|
||||
+are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
|
||||
+protocol ranges to accept all protocols inclusively
|
||||
+(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
|
||||
+in the middle of a range (e. g. - TLS 1.0).<br>
|
||||
+<br>
|
||||
+Finally, NSS will always automatically negotiate the use of the strongest
|
||||
+possible protocol that has been specified which is acceptable to both sides of
|
||||
+a given connection.<br>
|
||||
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
-<code>NSSProtocol SSLv3,TLSv1</code><br>
|
||||
+<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
|
||||
<br>
|
||||
<big><big>NSSNickname<br>
|
||||
</big></big><br>
|
||||
@@ -1101,7 +1121,7 @@ was compiled against.<br>
|
||||
<tr>
|
||||
<td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
|
||||
</code></td>
|
||||
- <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
|
||||
+ <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@@ -1443,7 +1463,7 @@ Opera, and
|
||||
Safari) support SSL 3 and TLS so there is no need for a web server to
|
||||
support
|
||||
SSL 2. There are some known attacks against SSL 2 that are handled by
|
||||
-SSL 3/TLS. SSL2 also doesn't support useful features like client
|
||||
+SSL 3/TLS. SSLv2 also doesn't support useful features like client
|
||||
authentication.
|
||||
<br>
|
||||
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
|
||||
Index: mod_nss-1.0.8/mod_nss.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.c
|
||||
+++ mod_nss-1.0.8/mod_nss.c
|
||||
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
|
||||
"(`[+-]XXX,...,[+-]XXX' - see manual)")
|
||||
SSL_CMD_SRV(Protocol, RAW_ARGS,
|
||||
"Enable the various SSL protocols"
|
||||
- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
|
||||
+ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
|
||||
SSL_CMD_ALL(VerifyClient, TAKE1,
|
||||
"SSL Client Authentication "
|
||||
"(`none', `optional', `require'")
|
||||
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
|
||||
"(`on', `off')")
|
||||
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
|
||||
"SSL Proxy: enable or disable SSL protocol flavors "
|
||||
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
|
||||
+ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
|
||||
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
|
||||
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
|
||||
"(`XXX:...:XXX' - see manual)")
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||
@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
|
||||
apr_pool_t *ptemp,
|
||||
modnss_ctx_t *mctx)
|
||||
{
|
||||
- int ssl2, ssl3, tls;
|
||||
+ int ssl2, ssl3, tls, tls1_1, tls1_2;
|
||||
+ char *protocol_marker = NULL;
|
||||
char *lprotocols = NULL;
|
||||
SECStatus stat;
|
||||
+ SSLVersionRange enabledVersions;
|
||||
|
||||
- ssl2 = ssl3 = tls = 0;
|
||||
+ ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
|
||||
+
|
||||
+ /*
|
||||
+ * Since this routine will be invoked individually for every thread
|
||||
+ * associated with each 'server' object as well as for every thread
|
||||
+ * associated with each 'proxy' object, identify the protocol marker
|
||||
+ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
|
||||
+ * via each thread's object type and apply this useful information to
|
||||
+ * all log messages.
|
||||
+ */
|
||||
+ if (mctx == mctx->sc->server) {
|
||||
+ protocol_marker = "NSSProtocol";
|
||||
+ } else if (mctx == mctx->sc->proxy) {
|
||||
+ protocol_marker = "NSSProxyProtocol";
|
||||
+ }
|
||||
|
||||
if (mctx->sc->fips) {
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
- "In FIPS mode, enabling TLSv1");
|
||||
- tls = 1;
|
||||
+ "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
|
||||
+ protocol_marker);
|
||||
+ tls = tls1_1 = tls1_2 = 1;
|
||||
} else {
|
||||
if (mctx->auth.protocols == NULL) {
|
||||
- /*
|
||||
- * Since this routine will be invoked individually for every
|
||||
- * thread associated with each 'server' object as well as for
|
||||
- * every thread associated with each 'proxy' object, issue a
|
||||
- * single per-thread 'warning' message for either a 'server'
|
||||
- * or a 'proxy' based upon the thread's object type.
|
||||
- */
|
||||
- if (mctx == mctx->sc->server) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
- "NSSProtocol value not set; using: SSLv3 and TLSv1");
|
||||
- } else if (mctx == mctx->sc->proxy) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
|
||||
- }
|
||||
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
+ "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
|
||||
+ protocol_marker);
|
||||
|
||||
- ssl3 = tls = 1;
|
||||
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
|
||||
} else {
|
||||
lprotocols = strdup(mctx->auth.protocols);
|
||||
ap_str_tolower(lprotocols);
|
||||
|
||||
if (strstr(lprotocols, "all") != NULL) {
|
||||
#ifdef WANT_SSL2
|
||||
- ssl2 = ssl3 = tls = 1;
|
||||
+ ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
|
||||
#else
|
||||
- ssl3 = tls = 1;
|
||||
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
|
||||
#endif
|
||||
} else {
|
||||
- if (strstr(lprotocols, "sslv2") != NULL) {
|
||||
+ char *protocol_list = NULL;
|
||||
+ char *saveptr = NULL;
|
||||
+ char *token = NULL;
|
||||
+
|
||||
+ for (protocol_list = lprotocols; ; protocol_list = NULL) {
|
||||
+ token = strtok_r(protocol_list, ",", &saveptr);
|
||||
+ if (token == NULL) {
|
||||
+ break;
|
||||
+ } else if (strcmp(token, "sslv2") == 0) {
|
||||
#ifdef WANT_SSL2
|
||||
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
|
||||
- ssl2 = 1;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling SSL2",
|
||||
+ protocol_marker);
|
||||
+ ssl2 = 1;
|
||||
#else
|
||||
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
|
||||
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
+ "%s: SSL2 is not supported",
|
||||
+ protocol_marker);
|
||||
#endif
|
||||
- }
|
||||
-
|
||||
- if (strstr(lprotocols, "sslv3") != NULL) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
|
||||
- ssl3 = 1;
|
||||
- }
|
||||
-
|
||||
- if (strstr(lprotocols, "tlsv1") != NULL) {
|
||||
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
|
||||
- tls = 1;
|
||||
+ } else if (strcmp(token, "sslv3") == 0) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling SSL3",
|
||||
+ protocol_marker);
|
||||
+ ssl3 = 1;
|
||||
+ } else if (strcmp(token, "tlsv1") == 0) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling TLSv1.0 via TLSv1",
|
||||
+ protocol_marker);
|
||||
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
+ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
|
||||
+ protocol_marker);
|
||||
+ tls = 1;
|
||||
+ } else if (strcmp(token, "tlsv1.0") == 0) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling TLSv1.0",
|
||||
+ protocol_marker);
|
||||
+ tls = 1;
|
||||
+ } else if (strcmp(token, "tlsv1.1") == 0) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling TLSv1.1",
|
||||
+ protocol_marker);
|
||||
+ tls1_1 = 1;
|
||||
+ } else if (strcmp(token, "tlsv1.2") == 0) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: Enabling TLSv1.2",
|
||||
+ protocol_marker);
|
||||
+ tls1_2 = 1;
|
||||
+ } else {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
+ "%s: Unknown protocol '%s' not supported",
|
||||
+ protocol_marker, token);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
free(lprotocols);
|
||||
@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
|
||||
stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
|
||||
}
|
||||
|
||||
+ /* Set protocol version ranges:
|
||||
+ *
|
||||
+ * (1) Set the minimum protocol accepted
|
||||
+ * (2) Set the maximum protocol accepted
|
||||
+ * (3) Protocol ranges extend from maximum down to minimum protocol
|
||||
+ * (4) All protocol ranges are completely inclusive;
|
||||
+ * no protocol in the middle of a range may be excluded
|
||||
+ * (5) NSS automatically negotiates the use of the strongest protocol
|
||||
+ * for a connection starting with the maximum specified protocol
|
||||
+ * and downgrading as necessary to the minimum specified protocol
|
||||
+ *
|
||||
+ * For example, if SSL 3.0 is chosen as the minimum protocol, and
|
||||
+ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
|
||||
+ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
|
||||
+ * cannot be excluded from this range. NSS will automatically negotiate
|
||||
+ * to utilize the strongest acceptable protocol for a connection starting
|
||||
+ * with the maximum specified protocol and downgrading as necessary to the
|
||||
+ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
|
||||
+ */
|
||||
if (stat == SECSuccess) {
|
||||
+ /* Set minimum protocol version (lowest -> highest)
|
||||
+ *
|
||||
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
|
||||
+ */
|
||||
if (ssl3 == 1) {
|
||||
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
|
||||
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [SSL 3.0] (minimum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (tls == 1) {
|
||||
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.0] (minimum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (tls1_1 == 1) {
|
||||
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.1] (minimum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (tls1_2 == 1) {
|
||||
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.2] (minimum)",
|
||||
+ protocol_marker);
|
||||
} else {
|
||||
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
|
||||
+ /* Set default minimum protocol version to SSL 3.0 */
|
||||
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [SSL 3.0] (default minimum)",
|
||||
+ protocol_marker);
|
||||
}
|
||||
- }
|
||||
- if (stat == SECSuccess) {
|
||||
- if (tls == 1) {
|
||||
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
|
||||
+
|
||||
+ /* Set maximum protocol version (highest -> lowest)
|
||||
+ *
|
||||
+ * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
|
||||
+ */
|
||||
+ if (tls1_2 == 1) {
|
||||
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.2] (maximum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (tls1_1 == 1) {
|
||||
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.1] (maximum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (tls == 1) {
|
||||
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.0] (maximum)",
|
||||
+ protocol_marker);
|
||||
+ } else if (ssl3 == 1) {
|
||||
+ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [SSL 3.0] (maximum)",
|
||||
+ protocol_marker);
|
||||
} else {
|
||||
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
|
||||
+ /* Set default maximum protocol version to TLS 1.2 */
|
||||
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
+ "%s: [TLS 1.2] (default maximum)",
|
||||
+ protocol_marker);
|
||||
}
|
||||
+
|
||||
+ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
|
||||
}
|
||||
|
||||
if (stat != SECSuccess) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "SSL protocol initialization failed.");
|
||||
+ "%s: SSL/TLS protocol initialization failed.",
|
||||
+ protocol_marker);
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
mctx->ssl2 = ssl2;
|
||||
mctx->ssl3 = ssl3;
|
||||
- mctx->tls = tls;
|
||||
+ if (tls1_2 == 1) {
|
||||
+ mctx->tls = tls1_2;
|
||||
+ } else if (tls1_1 == 1) {
|
||||
+ mctx->tls = tls1_1;
|
||||
+ } else {
|
||||
+ mctx->tls = tls;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void nss_init_ctx_session_cache(server_rec *s,
|
||||
@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
|
||||
PRBool cipher_state[ciphernum];
|
||||
PRBool fips_state[ciphernum];
|
||||
const char *suite = mctx->auth.cipher_suite;
|
||||
+ char * object_type = NULL;
|
||||
+ char * cipher_suite_marker = NULL;
|
||||
char * ciphers;
|
||||
char * fipsciphers = NULL;
|
||||
int i;
|
||||
@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se
|
||||
|
||||
nss_die();
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Since this routine will be invoked individually for every thread
|
||||
+ * associated with each 'server' object as well as for every thread
|
||||
+ * associated with each 'proxy' object, identify the cipher suite markers
|
||||
+ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
|
||||
+ * via each thread's object type and apply this useful information to
|
||||
+ * all log messages.
|
||||
+ */
|
||||
+ if (mctx == mctx->sc->server) {
|
||||
+ object_type = "server";
|
||||
+ cipher_suite_marker = "NSSCipherSuite";
|
||||
+ } else if (mctx == mctx->sc->proxy) {
|
||||
+ object_type = "proxy";
|
||||
+ cipher_suite_marker = "NSSProxyCipherSuite";
|
||||
+ }
|
||||
+
|
||||
ciphers = strdup(suite);
|
||||
|
||||
#define CIPHERSIZE 2048
|
||||
@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
- "FIPS mode enabled, permitted SSL ciphers are: [%s]",
|
||||
- fipsciphers);
|
||||
+ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
|
||||
+ object_type, fipsciphers);
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||
- "Configuring permitted SSL ciphers [%s]",
|
||||
- suite);
|
||||
+ "%s: Configuring permitted SSL ciphers [%s]",
|
||||
+ cipher_suite_marker, suite);
|
||||
|
||||
/* Disable all NSS supported cipher suites. This is to prevent any new
|
||||
* NSS cipher suites from getting automatically and unintentionally
|
||||
@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se
|
||||
for (i=0; i<ciphernum; i++) {
|
||||
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
|
||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
- "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
|
||||
+ "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
|
||||
cipher_state[i] = PR_FALSE;
|
||||
}
|
||||
}
|
||||
@@ -902,19 +1041,22 @@ static void nss_init_ctx_cipher_suite(se
|
||||
/* See if any ciphers have been enabled for a given protocol */
|
||||
if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "SSL2 is enabled but no SSL2 ciphers are enabled.");
|
||||
+ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
|
||||
+ cipher_suite_marker);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "SSL3 is enabled but no SSL3 ciphers are enabled.");
|
||||
+ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.",
|
||||
+ cipher_suite_marker);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||
- "TLS is enabled but no TLS ciphers are enabled.");
|
||||
+ "%s: TLS is enabled but no TLS ciphers are enabled.",
|
||||
+ cipher_suite_marker);
|
||||
nss_die();
|
||||
}
|
||||
|
||||
Index: mod_nss-1.0.8/nss_engine_vars.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_vars.c
|
||||
+++ mod_nss-1.0.8/nss_engine_vars.c
|
||||
@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
|
||||
case SSL_LIBRARY_VERSION_3_0:
|
||||
result = "SSLv3";
|
||||
break;
|
||||
- case SSL_LIBRARY_VERSION_3_1_TLS:
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_0:
|
||||
+ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
|
||||
result = "TLSv1";
|
||||
break;
|
||||
+ case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||
+ result = "TLSv1.1";
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
}
|
@ -1,12 +0,0 @@
|
||||
--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
|
||||
+++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
|
||||
@@ -259,7 +259,8 @@
|
||||
*/
|
||||
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|
||||
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
|
||||
- return 0;
|
||||
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
if (inctx->rc != APR_SUCCESS) {
|
@ -6,7 +6,7 @@ use Cwd;
|
||||
use Getopt::Std;
|
||||
|
||||
BEGIN {
|
||||
# $NSSDir = cwd();
|
||||
#$NSSDir = cwd();
|
||||
$NSSDir = "/etc/apache2/mod_nss.d";
|
||||
|
||||
$SSLCACertificatePath = "";
|
||||
@ -18,21 +18,34 @@ BEGIN {
|
||||
$passphrase = 0;
|
||||
}
|
||||
|
||||
%skip = ( "SSLRandomSeed" => "",
|
||||
"SSLSessionCache" => "",
|
||||
"SSLMutex" => "",
|
||||
"SSLCertificateChainFile" => "",
|
||||
"SSLVerifyDepth" => "" ,
|
||||
"SSLCryptoDevice" => "" ,
|
||||
"LoadModule" => "" ,
|
||||
);
|
||||
# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
|
||||
%keep = ( "SSLCipherSuite" => "",
|
||||
"SSLEngine" => "",
|
||||
"SSLFIPS" => "",
|
||||
"SSLOptions" => "",
|
||||
"SSLPassPhraseDialog" => "",
|
||||
"SSLProtocol" => "",
|
||||
"SSLProxyCipherSuite" => "",
|
||||
"SSLProxyEngine" => "",
|
||||
"SSLProxyCheckPeerCN" => "",
|
||||
"SSLProxyProtocol" => "",
|
||||
"SSLRandomSeed" => "",
|
||||
"SSLRenegBufferSize" => "",
|
||||
"SSLRequire" => "",
|
||||
"SSLRequireSSL" => "",
|
||||
"SSLSessionCacheTimeout" => "",
|
||||
"SSLSessionTickets" => "",
|
||||
"SSLStrictSNIVHostCheck" => "",
|
||||
"SSLUserName" => "",
|
||||
"SSLVerifyClient" => "",
|
||||
);
|
||||
|
||||
%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
|
||||
%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
|
||||
|
||||
getopts('chr:w:' , \%opt );
|
||||
|
||||
sub usage() {
|
||||
print STDERR "Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
|
||||
print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
|
||||
print STDERR "\t-c converts the certificates\n";
|
||||
print STDERR "This conversion script is not aware of apache's configuration blocks\n";
|
||||
print STDERR "and nestable conditional directives. Please check the output of the\n";
|
||||
@ -40,27 +53,22 @@ sub usage() {
|
||||
exit();
|
||||
}
|
||||
|
||||
usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ;
|
||||
|
||||
|
||||
usage() if ($opt{h} || !$opt{r} || !$opt{w});
|
||||
|
||||
print STDERR "input: $opt{r} output: $opt{w}\n";
|
||||
|
||||
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
|
||||
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
|
||||
|
||||
|
||||
print NSS "## This is a conversion of mod_ssl specific options by /usr/sbin/mod_nss_migrate.pl\n";
|
||||
print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n";
|
||||
print NSS "## Most of the comments in the original .conf file have been omitted here, as\n";
|
||||
print NSS "## the comments may not be valid for mod_nss, too.\n";
|
||||
print NSS "## \n";
|
||||
print NSS "## Please read through this configuration and verify the individual options!\n\n";
|
||||
|
||||
|
||||
while (<SSL>) {
|
||||
my $comment = 0;
|
||||
|
||||
|
||||
# write through even if in comment before comments are stripped below.
|
||||
if(/(ServerName|ServerAlias)/) {
|
||||
print NSS $_;
|
||||
@ -68,9 +76,8 @@ while (<SSL>) {
|
||||
}
|
||||
|
||||
# skip blank lines and comments
|
||||
if (/^#/ || /^\s*#/ || /^\s*$/) {
|
||||
# do not copy them; they may not be useful anyway.
|
||||
# print NSS $_;
|
||||
if (/^\s*#/ || /^\s*$/) {
|
||||
print NSS $_;
|
||||
next;
|
||||
}
|
||||
|
||||
@ -93,19 +100,15 @@ while (<SSL>) {
|
||||
next;
|
||||
}
|
||||
|
||||
if ($stmt eq "SSLCipherSuite") {
|
||||
print NSS "## original SSLCipherSuite config line: $_";
|
||||
print NSS "NSSCipherSuite ", get_ciphers($val), "\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLEngine" ) {
|
||||
print NSS "##$_";
|
||||
print NSS "NSSEngine $value\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLProtocol" ) {
|
||||
# we support OpenSSL cipher strings now, keeping the string as is
|
||||
#if ($stmt eq "SSLCipherSuite") {
|
||||
#print NSS "NSSCipherSuite ", get_ciphers($val), "\n";
|
||||
#print NSS "NSSProtocol SSLv3,TLSv1\n";
|
||||
#$comment = 1;
|
||||
if ($stmt eq "SSLProtocol" ) {
|
||||
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
|
||||
print NSS "##$_";
|
||||
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
|
||||
print NSS "## You may also specify SSLv3 at the beginning of the range. Not done here:\n";
|
||||
print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLCACertificatePath") {
|
||||
@ -129,25 +132,27 @@ while (<SSL>) {
|
||||
$SSLCARevocationFile = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLPassPhraseDialog") {
|
||||
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
|
||||
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
|
||||
$passphrase = 1;
|
||||
$comment = 1;
|
||||
}
|
||||
|
||||
if (exists($skip{$stmt})) {
|
||||
print NSS "# Skipping, not applicable in mod_nss\n";
|
||||
print NSS "##$_";
|
||||
|
||||
if (exists($insert{$stmt})) {
|
||||
#print NSS "$_";
|
||||
print NSS $insert{$stmt};
|
||||
next;
|
||||
}
|
||||
|
||||
# Fix up any remaining directive names
|
||||
s/SSL/NSS/;
|
||||
|
||||
|
||||
if (exists($insert{$stmt})) {
|
||||
print NSS "$_";
|
||||
print NSS $insert{$stmt};
|
||||
next;
|
||||
if (m/^\s*SSL/) {
|
||||
if (!exists($keep{$stmt})) {
|
||||
print NSS "# Skipping, not applicable in mod_nss\n";
|
||||
print NSS "##$_";
|
||||
next;
|
||||
} else {
|
||||
# Fix up any remaining directive names
|
||||
s/^(\s*)SSL/\1NSS/;
|
||||
}
|
||||
}
|
||||
|
||||
# Fall-through to print whatever is left
|
||||
@ -157,11 +162,11 @@ while (<SSL>) {
|
||||
} else {
|
||||
print NSS $_;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if ($passphrase == 0) {
|
||||
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
|
||||
# NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'.
|
||||
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
|
||||
}
|
||||
|
||||
close(NSS);
|
||||
@ -179,15 +184,15 @@ if ($opt{c}) {
|
||||
if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
|
||||
my $subject = get_cert_subject($SSLCertificateFile);
|
||||
print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
|
||||
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo ");
|
||||
run_command("pk12util -i server.p12 -d $NSSDir -W foo ");
|
||||
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo");
|
||||
run_command("pk12util -i server.p12 -d $NSSDir -W foo");
|
||||
}
|
||||
|
||||
if ($SSLCACertificateFile ne "") {
|
||||
my $subject = get_cert_subject($SSLCACertificateFile);
|
||||
if ($subject ne "") {
|
||||
print STDERR "Importing CA certificate $subject\n";
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile ");
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile");
|
||||
}
|
||||
}
|
||||
|
||||
@ -202,7 +207,7 @@ if ($opt{c}) {
|
||||
my $subject = get_cert_subject("$SSLCACertificatePath/$file");
|
||||
if ($subject ne "") {
|
||||
print STDERR "Importing CA certificate $subject\n";
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file ");
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file");
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -258,7 +263,7 @@ sub get_ciphers {
|
||||
my $str = shift;
|
||||
|
||||
%cipher_list = (
|
||||
"rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
|
||||
"rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
|
||||
"rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:",
|
||||
"rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:",
|
||||
"rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:",
|
||||
@ -281,21 +286,21 @@ sub get_ciphers {
|
||||
for ($i = 0; $i < $NUM_CIPHERS; $i++) {
|
||||
$selected[$i] = 0;
|
||||
}
|
||||
|
||||
|
||||
# Don't need to worry about the ordering properties of "+" because
|
||||
# NSS always chooses the "best" cipher anyway. You can't specify
|
||||
# preferred order.
|
||||
|
||||
|
||||
# -1: this cipher is completely out
|
||||
# 0: this cipher is currently unselected, but maybe added later
|
||||
# 1: this cipher is selected
|
||||
|
||||
|
||||
@s = split(/:/, $str);
|
||||
|
||||
|
||||
for ($i = 0; $i <= $#s; $i++) {
|
||||
$j = 0;
|
||||
$val = 1;
|
||||
|
||||
|
||||
# ! means this cipher is disabled forever
|
||||
if ($s[$i] =~ /^!/) {
|
||||
$val = -1;
|
||||
@ -306,10 +311,10 @@ sub get_ciphers {
|
||||
} elsif ($s[$i] =~ /^+/) {
|
||||
($s[$i] =~ s/^+//);
|
||||
}
|
||||
|
||||
|
||||
for $cipher (sort keys %cipher_list) {
|
||||
$match = 0;
|
||||
|
||||
|
||||
# For embedded + we do an AND for all options
|
||||
if ($s[$i] =~ m/(\w+\+)+/) {
|
||||
@sub = split(/^\+/, $s[$i]);
|
||||
@ -324,22 +329,22 @@ sub get_ciphers {
|
||||
$match = 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ($match && $selected[$j] != -1) {
|
||||
$selected[$j] = $val;
|
||||
}
|
||||
$j++;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# NSS doesn't honor the order of a cipher list, it uses the "strongest"
|
||||
# cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and
|
||||
# the NSS ciphers not available in OpenSSL.
|
||||
$str = "SSLv2:SSLv3";
|
||||
@s = split(/:/, $str);
|
||||
|
||||
|
||||
$ciphersuite = "";
|
||||
|
||||
|
||||
for ($i = 0; $i <= $#s; $i++) {
|
||||
$j = 0;
|
||||
for $cipher (sort keys %cipher_list) {
|
||||
@ -354,9 +359,9 @@ sub get_ciphers {
|
||||
$j++;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha";
|
||||
|
||||
|
||||
return $ciphersuite;
|
||||
}
|
||||
|
||||
@ -385,7 +390,7 @@ sub get_cert_subject {
|
||||
sub run_command {
|
||||
my @args = shift;
|
||||
my $status = 0;
|
||||
|
||||
|
||||
$status = 0xffff & system(@args);
|
||||
|
||||
return if ($status == 0);
|
||||
|
@ -1,69 +0,0 @@
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c 2015-09-07 09:56:54.148244174 +0200
|
||||
+++ mod_nss-1.0.8/nss_engine_init.c 2015-09-07 09:58:19.368215557 +0200
|
||||
@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc
|
||||
*/
|
||||
char* INTERNAL_TOKEN_NAME = "internal ";
|
||||
|
||||
+/* When adding or removing ciphers from this table,
|
||||
+ remember to adjust the ciphernum constant in mod_nss.h
|
||||
+*/
|
||||
cipher_properties ciphers_def[ciphernum] =
|
||||
{
|
||||
- /* SSL2 cipher suites */
|
||||
- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
|
||||
- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
|
||||
- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
|
||||
- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
|
||||
/* SSL3/TLS cipher suites */
|
||||
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
|
||||
@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum]
|
||||
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
|
||||
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
|
||||
- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
|
||||
- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
|
||||
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
|
||||
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
|
||||
Index: mod_nss-1.0.8/mod_nss.h
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/mod_nss.h 2015-09-07 09:56:54.148244174 +0200
|
||||
+++ mod_nss-1.0.8/mod_nss.h 2015-09-07 09:56:56.396269772 +0200
|
||||
@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4}
|
||||
|
||||
/* the table itself is defined in nss_engine_init.c */
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
-#define ciphernum 59
|
||||
+#define ciphernum 50
|
||||
#else
|
||||
-#define ciphernum 28
|
||||
+#define ciphernum 19
|
||||
#endif
|
||||
|
||||
/*
|
||||
Index: mod_nss-1.0.8/nss.conf.in
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss.conf.in 2015-09-07 09:56:54.139244072 +0200
|
||||
+++ mod_nss-1.0.8/nss.conf.in 2015-09-07 09:56:54.156244265 +0200
|
||||
@@ -90,13 +90,13 @@ NSSEngine on
|
||||
# See the mod_nss documentation for a complete list.
|
||||
|
||||
# SSL 3 ciphers. SSL 2 is disabled by default.
|
||||
-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
|
||||
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
|
||||
|
||||
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
|
||||
#
|
||||
# Comment out the NSSCipherSuite line above and use the one below if you have
|
||||
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||
-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
|
||||
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
Loading…
Reference in New Issue
Block a user