diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index 36b3f4e..4fa0c5f 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com
+
+- Add support for TLS v1.1 and TLS v1.2
+ (TLS v1.2 requires mozilla nss 3.15.1 or newer.)
+ - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
+ from redhat to allow tls v1.1 too.
+ - ported the tls v1.1 patch to be tls v1.2 aware
+ - added mod_nss-proxyvariables.patch (from RHEL6 package)
+ - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
+- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
+
-------------------------------------------------------------------
Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de
diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec
index fa435f5..c22a7f3 100644
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@@ -1,7 +1,7 @@
#
# spec file for package apache2-mod_nss
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,39 +16,44 @@
#
-Name: apache2-mod_nss
-Summary: SSL/TLS module for the Apache HTTP server
-Version: 1.0.8
-Release: 3
-Group: Productivity/Networking/Web/Servers
-License: Apache-2.0
-Url: http://directory.fedoraproject.org/wiki/Mod_nss
-Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
-Provides: mod_nss
-Requires: apache2 >= 2.0.52
-Requires: findutils
+Name: apache2-mod_nss
+Summary: SSL/TLS module for the Apache HTTP server
+License: Apache-2.0
+Group: Productivity/Networking/Web/Servers
+Version: 1.0.8
+Release: 0
+Url: http://directory.fedoraproject.org/wiki/Mod_nss
+Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
+Provides: mod_nss
+Requires: apache2 >= 2.0.52
+Requires: findutils
Requires(post): mozilla-nss-tools
-BuildRequires: bison
-BuildRequires: findutils
-BuildRequires: gcc-c++
-BuildRequires: libapr1-devel
-BuildRequires: libapr-util1-devel
-BuildRequires: mozilla-nspr-devel >= 4.6.3
-BuildRequires: mozilla-nss-devel >= 3.12.6
-BuildRequires: apache2-devel >= 2.0.52
-BuildRequires: pkgconfig
+BuildRequires: apache2-devel >= 2.0.52
+BuildRequires: bison
+BuildRequires: findutils
+BuildRequires: flex
+BuildRequires: gcc-c++
+BuildRequires: libapr-util1-devel
+BuildRequires: libapr1-devel
+BuildRequires: mozilla-nspr-devel >= 4.6.3
+BuildRequires: mozilla-nss-devel >= 3.12.6
+BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
-Patch1: mod_nss-conf.patch
-Patch2: mod_nss-gencert.patch
-Patch3: mod_nss-wouldblock.patch
-Patch4: mod_nss-negotiate.patch
-Patch5: mod_nss-reverseproxy.patch
-Patch6: mod_nss-pcachesignal.h
-Patch7: mod_nss-reseterror.patch
-Patch8: mod_nss-lockpcache.patch
+Patch1: mod_nss-conf.patch
+Patch2: mod_nss-gencert.patch
+Patch3: mod_nss-wouldblock.patch
+Patch4: mod_nss-negotiate.patch
+Patch5: mod_nss-reverseproxy.patch
+Patch6: mod_nss-pcachesignal.h
+Patch7: mod_nss-reseterror.patch
+Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
-Patch9: mod_nss-httpd24.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+Patch9: mod_nss-httpd24.patch
+
+Patch10: mod_nss-proxyvariables.patch
+Patch11: mod_nss-tlsv1_1.patch
+Patch12: mod_nss-array_overrun.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
@@ -76,6 +81,9 @@ security library.
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif
+%patch10 -p1 -b .proxyvariables
+%patch11 -p1 -b .tlsv1_1
+%patch12 -p1 -b .array_overrun
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
diff --git a/mod_nss-array_overrun.patch b/mod_nss-array_overrun.patch
new file mode 100644
index 0000000..10b84f8
--- /dev/null
+++ b/mod_nss-array_overrun.patch
@@ -0,0 +1,16 @@
+mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
+"child_argv", with 5 elements, at position 5 with index variable "5".
+
+https://bugzilla.redhat.com/show_bug.cgi?id=714154
+diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400
+@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
+
+ /* Do we need to fire up our password helper? */
+ if (mc->nInitCount == 1) {
+- const char * child_argv[5];
++ const char * child_argv[6];
+ apr_status_t rv;
+ struct sembuf sb;
+ char sembuf[32];
diff --git a/mod_nss-proxyvariables.patch b/mod_nss-proxyvariables.patch
new file mode 100644
index 0000000..17090db
--- /dev/null
+++ b/mod_nss-proxyvariables.patch
@@ -0,0 +1,83 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
++++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
+@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
+ tls = 1;
+ } else {
+ if (mctx->auth.protocols == NULL) {
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+- "NSSProtocols not set; using: SSLv3 and TLSv1");
++ /*
++ * Since this routine will be invoked individually for every
++ * thread associated with each 'server' object as well as for
++ * every thread associated with each 'proxy' object, issue a
++ * single per-thread 'warning' message for either a 'server'
++ * or a 'proxy' based upon the thread's object type.
++ */
++ if (mctx == mctx->sc->server) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++ "NSSProtocol value not set; using: SSLv3 and TLSv1");
++ } else if (mctx == mctx->sc->proxy) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
++ }
++
+ ssl3 = tls = 1;
+ } else {
+ lprotocols = strdup(mctx->auth.protocols);
+@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
+ * Configure SSL Cipher Suite
+ */
+ if (!suite) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "Required value NSSCipherSuite not set.");
++ /*
++ * Since this is a 'fatal' error, regardless of whether this
++ * particular invocation is from a 'server' object or a 'proxy'
++ * object, issue all error message(s) as appropriate.
++ */
++ if ((mctx->sc->enabled == TRUE) &&
++ (mctx->sc->server) &&
++ (!mctx->sc->server->auth.cipher_suite)) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "NSSEngine on; required value NSSCipherSuite not set.");
++ }
++
++ if ((mctx->sc->proxy_enabled == TRUE) &&
++ (mctx->sc->proxy) &&
++ (!mctx->sc->proxy->auth.cipher_suite)) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
++ }
++
+ nss_die();
+ }
+ ciphers = strdup(suite);
+@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
+ if (mctx->nickname == NULL)
+ #endif
+ {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "No certificate nickname provided.");
++ /*
++ * Since this is a 'fatal' error, regardless of whether this
++ * particular invocation is from a 'server' object or a 'proxy'
++ * object, issue all error message(s) as appropriate.
++ */
++ if ((mctx->sc->enabled == TRUE) &&
++ (mctx->sc->server) &&
++ (mctx->sc->server->nickname == NULL)) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "NSSEngine on; no certificate nickname provided by NSSNickname.");
++ }
++
++ if ((mctx->sc->proxy_enabled == TRUE) &&
++ (mctx->sc->proxy) &&
++ (mctx->sc->proxy->nickname == NULL)) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
++ }
++
+ nss_die();
+ }
+
diff --git a/mod_nss-tlsv1_1.patch b/mod_nss-tlsv1_1.patch
new file mode 100644
index 0000000..3ddfc97
--- /dev/null
+++ b/mod_nss-tlsv1_1.patch
@@ -0,0 +1,767 @@
+Index: mod_nss-1.0.8/docs/mod_nss.html
+===================================================================
+--- mod_nss-1.0.8.orig/docs/mod_nss.html
++++ mod_nss-1.0.8/docs/mod_nss.html
+@@ -466,7 +466,7 @@ Example
SSL_RSA_WITH_3DES_EDE_CBC_SHA
+
+- SSLv3/TLSv1
++ | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2
+ |
+
+
+@@ -578,106 +578,106 @@ definition
+
+ SSL_RSA_WITH_DES_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ rsa_null_md5
+ |
+ SSL_RSA_WITH_NULL_MD5
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ rsa_null_sha
+ |
+ SSL_RSA_WITH_NULL_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_rc2_40_md5 |
+ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_rc4_128_md5 |
+ SSL_RSA_WITH_RC4_128_MD5
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_rc4_128_sha |
+ SSL_RSA_WITH_RC4_128_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_rc4_40_md5 |
+ SSL_RSA_EXPORT_WITH_RC4_40_MD5
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ fortezza
+ |
+ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ fortezza_rc4_128_sha
+ |
+ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ fortezza_null
+ |
+ SSL_FORTEZZA_DMS_WITH_NULL_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ fips_des_sha
+ |
+ SSL_RSA_FIPS_WITH_DES_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ fips_3des_sha
+ |
+ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_des_56_sha |
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
+ |
+- SSL3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | rsa_rc4_56_sha |
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ rsa_aes_128_sha
+ |
+ TLS_RSA_WITH_AES_128_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ rsa_aes_256_sha
+ |
+ TLS_RSA_WITH_AES_256_CBC_SHA
+ |
+- SSLv3/TLSv1 |
++ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+
+@@ -698,127 +698,127 @@ Definition
+
+ | ecdh_ecdsa_null_sha |
+ TLS_ECDH_ECDSA_WITH_NULL_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_ecdsa_rc4_128_sha |
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_ecdsa_3des_sha |
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_ecdsa_aes_128_sha |
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_ecdsa_aes_256_sha |
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_ecdsa_null_sha |
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_ecdsa_rc4_128_sha |
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_ecdsa_3des_sha |
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_ecdsa_aes_128_sha |
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_ecdsa_aes_256_sha |
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_rsa_null_sha |
+ TLS_ECDH_RSA_WITH_NULL_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_rsa_128_sha |
+ TLS_ECDH_RSA_WITH_RC4_128_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_rsa_3des_sha |
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_rsa_aes_128_sha |
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_rsa_aes_256_sha |
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | echde_rsa_null |
+ TLS_ECDHE_RSA_WITH_NULL_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_rsa_rc4_128_sha |
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_rsa_3des_sha |
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_rsa_aes_128_sha |
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdhe_rsa_aes_256_sha |
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_anon_null_sha |
+ TLS_ECDH_anon_WITH_NULL_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_anon_rc4_128sha |
+ TLS_ECDH_anon_WITH_RC4_128_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_anon_3des_sha |
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_anon_aes_128_sha |
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+ | ecdh_anon_aes_256_sha |
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA |
+- TLSv1 |
++ TLSv1.0/TLSv1.1/TLSv1.2 |
+
+
+
+@@ -839,16 +839,36 @@ specifically but allows ciphers for that
+ Options are:
+
+ SSLv3TLSv1TLSv1 (legacy only; replaced by TLSv1.0)TLSv1.0TLSv1.1TLSv1.2All
+ Note that this differs from mod_ssl in that you can't add or subtract
+ protocols.
++
++If no NSSProtocol is specified, mod_nss will default to allowing the use of
++the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
++minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
++allowed.
++
++If values for NSSProtocol are specified, mod_nss will set both the minimum
++and the maximum allowed protocols based upon these entries allowing for the
++inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
++are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
++protocol ranges to accept all protocols inclusively
++(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
++in the middle of a range (e. g. - TLS 1.0).
++
++Finally, NSS will always automatically negotiate the use of the strongest
++possible protocol that has been specified which is acceptable to both sides of
++a given connection.
+ SSLv2 is not supported by default at this time.
+
+ Example
+
+-NSSProtocol SSLv3,TLSv1
++NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
+
+ NSSNickname
+
+@@ -1101,7 +1121,7 @@ was compiled against.
+
+ SSL_PROTOCOL
+ |
+- SSLv2, SSLv3 or TLSv1
++ | SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2
+ |
+
+
+@@ -1443,7 +1463,7 @@ Opera, and
+ Safari) support SSL 3 and TLS so there is no need for a web server to
+ support
+ SSL 2. There are some known attacks against SSL 2 that are handled by
+-SSL 3/TLS. SSL2 also doesn't support useful features like client
++SSL 3/TLS. SSLv2 also doesn't support useful features like client
+ authentication.
+
+ Frequently Asked Questions
+Index: mod_nss-1.0.8/mod_nss.c
+===================================================================
+--- mod_nss-1.0.8.orig/mod_nss.c
++++ mod_nss-1.0.8/mod_nss.c
+@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
+ "(`[+-]XXX,...,[+-]XXX' - see manual)")
+ SSL_CMD_SRV(Protocol, RAW_ARGS,
+ "Enable the various SSL protocols"
+- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
++ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
+ SSL_CMD_ALL(VerifyClient, TAKE1,
+ "SSL Client Authentication "
+ "(`none', `optional', `require'")
+@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
+ "(`on', `off')")
+ SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+ "SSL Proxy: enable or disable SSL protocol flavors "
+- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
+ SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+ "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+ "(`XXX:...:XXX' - see manual)")
+Index: mod_nss-1.0.8/nss.conf.in
+===================================================================
+--- mod_nss-1.0.8.orig/nss.conf.in
++++ mod_nss-1.0.8/nss.conf.in
+@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+ # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+ #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+
+-NSSProtocol SSLv3,TLSv1
++# SSL Protocol:
++# Cryptographic protocols that provide communication security.
++# NSS handles the specified protocols as "ranges", and automatically
++# negotiates the use of the strongest protocol for a connection starting
++# with the maximum specified protocol and downgrading as necessary to the
++# minimum specified protocol that can be used between two processes.
++# Since all protocol ranges are completely inclusive, and no protocol in the
++# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
++# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
++NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+
+ # SSL Certificate Nickname:
+ # The nickname of the RSA server certificate you are going to use.
+Index: mod_nss-1.0.8/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_init.c
++++ mod_nss-1.0.8/nss_engine_init.c
+@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
+ apr_pool_t *ptemp,
+ modnss_ctx_t *mctx)
+ {
+- int ssl2, ssl3, tls;
++ int ssl2, ssl3, tls, tls1_1, tls1_2;
++ char *protocol_marker = NULL;
+ char *lprotocols = NULL;
+ SECStatus stat;
++ SSLVersionRange enabledVersions;
+
+- ssl2 = ssl3 = tls = 0;
++ ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
++
++ /*
++ * Since this routine will be invoked individually for every thread
++ * associated with each 'server' object as well as for every thread
++ * associated with each 'proxy' object, identify the protocol marker
++ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
++ * via each thread's object type and apply this useful information to
++ * all log messages.
++ */
++ if (mctx == mctx->sc->server) {
++ protocol_marker = "NSSProtocol";
++ } else if (mctx == mctx->sc->proxy) {
++ protocol_marker = "NSSProxyProtocol";
++ }
+
+ if (mctx->sc->fips) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+- "In FIPS mode, enabling TLSv1");
+- tls = 1;
++ "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
++ protocol_marker);
++ tls = tls1_1 = tls1_2 = 1;
+ } else {
+ if (mctx->auth.protocols == NULL) {
+- /*
+- * Since this routine will be invoked individually for every
+- * thread associated with each 'server' object as well as for
+- * every thread associated with each 'proxy' object, issue a
+- * single per-thread 'warning' message for either a 'server'
+- * or a 'proxy' based upon the thread's object type.
+- */
+- if (mctx == mctx->sc->server) {
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+- "NSSProtocol value not set; using: SSLv3 and TLSv1");
+- } else if (mctx == mctx->sc->proxy) {
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+- }
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++ "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
++ protocol_marker);
+
+- ssl3 = tls = 1;
++ ssl3 = tls = tls1_1 = tls1_2 = 1;
+ } else {
+ lprotocols = strdup(mctx->auth.protocols);
+ ap_str_tolower(lprotocols);
+
+ if (strstr(lprotocols, "all") != NULL) {
+ #ifdef WANT_SSL2
+- ssl2 = ssl3 = tls = 1;
++ ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
+ #else
+- ssl3 = tls = 1;
++ ssl3 = tls = tls1_1 = tls1_2 = 1;
+ #endif
+ } else {
+- if (strstr(lprotocols, "sslv2") != NULL) {
++ char *protocol_list = NULL;
++ char *saveptr = NULL;
++ char *token = NULL;
++
++ for (protocol_list = lprotocols; ; protocol_list = NULL) {
++ token = strtok_r(protocol_list, ",", &saveptr);
++ if (token == NULL) {
++ break;
++ } else if (strcmp(token, "sslv2") == 0) {
+ #ifdef WANT_SSL2
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
+- ssl2 = 1;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling SSL2",
++ protocol_marker);
++ ssl2 = 1;
+ #else
+- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++ "%s: SSL2 is not supported",
++ protocol_marker);
+ #endif
+- }
+-
+- if (strstr(lprotocols, "sslv3") != NULL) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
+- ssl3 = 1;
+- }
+-
+- if (strstr(lprotocols, "tlsv1") != NULL) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
+- tls = 1;
++ } else if (strcmp(token, "sslv3") == 0) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling SSL3",
++ protocol_marker);
++ ssl3 = 1;
++ } else if (strcmp(token, "tlsv1") == 0) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling TLSv1.0 via TLSv1",
++ protocol_marker);
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
++ protocol_marker);
++ tls = 1;
++ } else if (strcmp(token, "tlsv1.0") == 0) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling TLSv1.0",
++ protocol_marker);
++ tls = 1;
++ } else if (strcmp(token, "tlsv1.1") == 0) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling TLSv1.1",
++ protocol_marker);
++ tls1_1 = 1;
++ } else if (strcmp(token, "tlsv1.2") == 0) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Enabling TLSv1.2",
++ protocol_marker);
++ tls1_2 = 1;
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++ "%s: Unknown protocol '%s' not supported",
++ protocol_marker, token);
++ }
+ }
+ }
+ free(lprotocols);
+@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
+ stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
+ }
+
++ /* Set protocol version ranges:
++ *
++ * (1) Set the minimum protocol accepted
++ * (2) Set the maximum protocol accepted
++ * (3) Protocol ranges extend from maximum down to minimum protocol
++ * (4) All protocol ranges are completely inclusive;
++ * no protocol in the middle of a range may be excluded
++ * (5) NSS automatically negotiates the use of the strongest protocol
++ * for a connection starting with the maximum specified protocol
++ * and downgrading as necessary to the minimum specified protocol
++ *
++ * For example, if SSL 3.0 is chosen as the minimum protocol, and
++ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
++ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
++ * cannot be excluded from this range. NSS will automatically negotiate
++ * to utilize the strongest acceptable protocol for a connection starting
++ * with the maximum specified protocol and downgrading as necessary to the
++ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
++ */
+ if (stat == SECSuccess) {
++ /* Set minimum protocol version (lowest -> highest)
++ *
++ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
++ */
+ if (ssl3 == 1) {
+- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
++ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [SSL 3.0] (minimum)",
++ protocol_marker);
++ } else if (tls == 1) {
++ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.0] (minimum)",
++ protocol_marker);
++ } else if (tls1_1 == 1) {
++ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.1] (minimum)",
++ protocol_marker);
++ } else if (tls1_2 == 1) {
++ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.2] (minimum)",
++ protocol_marker);
+ } else {
+- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
++ /* Set default minimum protocol version to SSL 3.0 */
++ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [SSL 3.0] (default minimum)",
++ protocol_marker);
+ }
+- }
+- if (stat == SECSuccess) {
+- if (tls == 1) {
+- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
++
++ /* Set maximum protocol version (highest -> lowest)
++ *
++ * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
++ */
++ if (tls1_2 == 1) {
++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.2] (maximum)",
++ protocol_marker);
++ } else if (tls1_1 == 1) {
++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.1] (maximum)",
++ protocol_marker);
++ } else if (tls == 1) {
++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.0] (maximum)",
++ protocol_marker);
++ } else if (ssl3 == 1) {
++ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [SSL 3.0] (maximum)",
++ protocol_marker);
+ } else {
+- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
++ /* Set default maximum protocol version to TLS 1.2 */
++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: [TLS 1.2] (default maximum)",
++ protocol_marker);
+ }
++
++ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
+ }
+
+ if (stat != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "SSL protocol initialization failed.");
++ "%s: SSL/TLS protocol initialization failed.",
++ protocol_marker);
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+
+ mctx->ssl2 = ssl2;
+ mctx->ssl3 = ssl3;
+- mctx->tls = tls;
++ if (tls1_2 == 1) {
++ mctx->tls = tls1_2;
++ } else if (tls1_1 == 1) {
++ mctx->tls = tls1_1;
++ } else {
++ mctx->tls = tls;
++ }
+ }
+
+ static void nss_init_ctx_session_cache(server_rec *s,
+@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
+ PRBool cipher_state[ciphernum];
+ PRBool fips_state[ciphernum];
+ const char *suite = mctx->auth.cipher_suite;
++ char * object_type = NULL;
++ char * cipher_suite_marker = NULL;
+ char * ciphers;
+ char * fipsciphers = NULL;
+ int i;
+@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se
+
+ nss_die();
+ }
++
++ /*
++ * Since this routine will be invoked individually for every thread
++ * associated with each 'server' object as well as for every thread
++ * associated with each 'proxy' object, identify the cipher suite markers
++ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
++ * via each thread's object type and apply this useful information to
++ * all log messages.
++ */
++ if (mctx == mctx->sc->server) {
++ object_type = "server";
++ cipher_suite_marker = "NSSCipherSuite";
++ } else if (mctx == mctx->sc->proxy) {
++ object_type = "proxy";
++ cipher_suite_marker = "NSSProxyCipherSuite";
++ }
++
+ ciphers = strdup(suite);
+
+ #define CIPHERSIZE 2048
+@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "FIPS mode enabled, permitted SSL ciphers are: [%s]",
+- fipsciphers);
++ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
++ object_type, fipsciphers);
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "Configuring permitted SSL ciphers [%s]",
+- suite);
++ "%s: Configuring permitted SSL ciphers [%s]",
++ cipher_suite_marker, suite);
+
+ /* Disable all NSS supported cipher suites. This is to prevent any new
+ * NSS cipher suites from getting automatically and unintentionally
+@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se
+ for (i=0; issl2 && countciphers(cipher_state, SSL2) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "SSL2 is enabled but no SSL2 ciphers are enabled.");
++ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
++ cipher_suite_marker);
+ nss_die();
+ }
+
+ if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "SSL3 is enabled but no SSL3 ciphers are enabled.");
++ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.",
++ cipher_suite_marker);
+ nss_die();
+ }
+
+ if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+- "TLS is enabled but no TLS ciphers are enabled.");
++ "%s: TLS is enabled but no TLS ciphers are enabled.",
++ cipher_suite_marker);
+ nss_die();
+ }
+
+Index: mod_nss-1.0.8/nss_engine_vars.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_vars.c
++++ mod_nss-1.0.8/nss_engine_vars.c
+@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
+ case SSL_LIBRARY_VERSION_3_0:
+ result = "SSLv3";
+ break;
+- case SSL_LIBRARY_VERSION_3_1_TLS:
++ case SSL_LIBRARY_VERSION_TLS_1_0:
++ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
+ result = "TLSv1";
+ break;
++ case SSL_LIBRARY_VERSION_TLS_1_1:
++ result = "TLSv1.1";
++ break;
+ }
+ }
+ }