forked from pool/apache2-mod_nss
Accepting request 185517 from mozilla:Factory
- Add support for TLS v1.1 and TLS v1.2 (TLS v1.2 requires mozilla nss 3.15.1 or newer.) - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch from redhat to allow tls v1.1 too. - ported the tls v1.1 patch to be tls v1.2 aware - added mod_nss-proxyvariables.patch (from RHEL6 package) - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2) - mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun (forwarded request 185495 from msmeissn) OBS-URL: https://build.opensuse.org/request/show/185517 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=2
This commit is contained in:
commit
60dfc6de6c
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com
|
||||||
|
|
||||||
|
- Add support for TLS v1.1 and TLS v1.2
|
||||||
|
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
|
||||||
|
- merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
|
||||||
|
from redhat to allow tls v1.1 too.
|
||||||
|
- ported the tls v1.1 patch to be tls v1.2 aware
|
||||||
|
- added mod_nss-proxyvariables.patch (from RHEL6 package)
|
||||||
|
- added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
|
||||||
|
- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de
|
Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package apache2-mod_nss
|
# spec file for package apache2-mod_nss
|
||||||
#
|
#
|
||||||
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -16,39 +16,44 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
Name: apache2-mod_nss
|
Name: apache2-mod_nss
|
||||||
Summary: SSL/TLS module for the Apache HTTP server
|
Summary: SSL/TLS module for the Apache HTTP server
|
||||||
Version: 1.0.8
|
License: Apache-2.0
|
||||||
Release: 3
|
Group: Productivity/Networking/Web/Servers
|
||||||
Group: Productivity/Networking/Web/Servers
|
Version: 1.0.8
|
||||||
License: Apache-2.0
|
Release: 0
|
||||||
Url: http://directory.fedoraproject.org/wiki/Mod_nss
|
Url: http://directory.fedoraproject.org/wiki/Mod_nss
|
||||||
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
|
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
|
||||||
Provides: mod_nss
|
Provides: mod_nss
|
||||||
Requires: apache2 >= 2.0.52
|
Requires: apache2 >= 2.0.52
|
||||||
Requires: findutils
|
Requires: findutils
|
||||||
Requires(post): mozilla-nss-tools
|
Requires(post): mozilla-nss-tools
|
||||||
BuildRequires: bison
|
BuildRequires: apache2-devel >= 2.0.52
|
||||||
BuildRequires: findutils
|
BuildRequires: bison
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: findutils
|
||||||
BuildRequires: libapr1-devel
|
BuildRequires: flex
|
||||||
BuildRequires: libapr-util1-devel
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: mozilla-nspr-devel >= 4.6.3
|
BuildRequires: libapr-util1-devel
|
||||||
BuildRequires: mozilla-nss-devel >= 3.12.6
|
BuildRequires: libapr1-devel
|
||||||
BuildRequires: apache2-devel >= 2.0.52
|
BuildRequires: mozilla-nspr-devel >= 4.6.3
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: mozilla-nss-devel >= 3.12.6
|
||||||
|
BuildRequires: pkgconfig
|
||||||
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
|
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
|
||||||
Patch1: mod_nss-conf.patch
|
Patch1: mod_nss-conf.patch
|
||||||
Patch2: mod_nss-gencert.patch
|
Patch2: mod_nss-gencert.patch
|
||||||
Patch3: mod_nss-wouldblock.patch
|
Patch3: mod_nss-wouldblock.patch
|
||||||
Patch4: mod_nss-negotiate.patch
|
Patch4: mod_nss-negotiate.patch
|
||||||
Patch5: mod_nss-reverseproxy.patch
|
Patch5: mod_nss-reverseproxy.patch
|
||||||
Patch6: mod_nss-pcachesignal.h
|
Patch6: mod_nss-pcachesignal.h
|
||||||
Patch7: mod_nss-reseterror.patch
|
Patch7: mod_nss-reseterror.patch
|
||||||
Patch8: mod_nss-lockpcache.patch
|
Patch8: mod_nss-lockpcache.patch
|
||||||
# Fix build with apache 2.4
|
# Fix build with apache 2.4
|
||||||
Patch9: mod_nss-httpd24.patch
|
Patch9: mod_nss-httpd24.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
|
||||||
|
Patch10: mod_nss-proxyvariables.patch
|
||||||
|
Patch11: mod_nss-tlsv1_1.patch
|
||||||
|
Patch12: mod_nss-array_overrun.patch
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%define apxs /usr/sbin/apxs2
|
%define apxs /usr/sbin/apxs2
|
||||||
%define apache apache2
|
%define apache apache2
|
||||||
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
|
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
|
||||||
@ -76,6 +81,9 @@ security library.
|
|||||||
%if 0%{?suse_version} >= 1300
|
%if 0%{?suse_version} >= 1300
|
||||||
%patch9 -p1 -b .http24
|
%patch9 -p1 -b .http24
|
||||||
%endif
|
%endif
|
||||||
|
%patch10 -p1 -b .proxyvariables
|
||||||
|
%patch11 -p1 -b .tlsv1_1
|
||||||
|
%patch12 -p1 -b .array_overrun
|
||||||
|
|
||||||
# Touch expression parser sources to prevent regenerating it
|
# Touch expression parser sources to prevent regenerating it
|
||||||
touch nss_expr_*.[chyl]
|
touch nss_expr_*.[chyl]
|
||||||
|
16
mod_nss-array_overrun.patch
Normal file
16
mod_nss-array_overrun.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
|
||||||
|
"child_argv", with 5 elements, at position 5 with index variable "5".
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=714154
|
||||||
|
diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
|
||||||
|
--- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400
|
||||||
|
+++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400
|
||||||
|
@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
||||||
|
|
||||||
|
/* Do we need to fire up our password helper? */
|
||||||
|
if (mc->nInitCount == 1) {
|
||||||
|
- const char * child_argv[5];
|
||||||
|
+ const char * child_argv[6];
|
||||||
|
apr_status_t rv;
|
||||||
|
struct sembuf sb;
|
||||||
|
char sembuf[32];
|
83
mod_nss-proxyvariables.patch
Normal file
83
mod_nss-proxyvariables.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
|
||||||
|
--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
|
||||||
|
+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
|
||||||
|
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
|
||||||
|
tls = 1;
|
||||||
|
} else {
|
||||||
|
if (mctx->auth.protocols == NULL) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
- "NSSProtocols not set; using: SSLv3 and TLSv1");
|
||||||
|
+ /*
|
||||||
|
+ * Since this routine will be invoked individually for every
|
||||||
|
+ * thread associated with each 'server' object as well as for
|
||||||
|
+ * every thread associated with each 'proxy' object, issue a
|
||||||
|
+ * single per-thread 'warning' message for either a 'server'
|
||||||
|
+ * or a 'proxy' based upon the thread's object type.
|
||||||
|
+ */
|
||||||
|
+ if (mctx == mctx->sc->server) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
+ "NSSProtocol value not set; using: SSLv3 and TLSv1");
|
||||||
|
+ } else if (mctx == mctx->sc->proxy) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
+ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ssl3 = tls = 1;
|
||||||
|
} else {
|
||||||
|
lprotocols = strdup(mctx->auth.protocols);
|
||||||
|
@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
* Configure SSL Cipher Suite
|
||||||
|
*/
|
||||||
|
if (!suite) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "Required value NSSCipherSuite not set.");
|
||||||
|
+ /*
|
||||||
|
+ * Since this is a 'fatal' error, regardless of whether this
|
||||||
|
+ * particular invocation is from a 'server' object or a 'proxy'
|
||||||
|
+ * object, issue all error message(s) as appropriate.
|
||||||
|
+ */
|
||||||
|
+ if ((mctx->sc->enabled == TRUE) &&
|
||||||
|
+ (mctx->sc->server) &&
|
||||||
|
+ (!mctx->sc->server->auth.cipher_suite)) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
+ "NSSEngine on; required value NSSCipherSuite not set.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((mctx->sc->proxy_enabled == TRUE) &&
|
||||||
|
+ (mctx->sc->proxy) &&
|
||||||
|
+ (!mctx->sc->proxy->auth.cipher_suite)) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
+ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
ciphers = strdup(suite);
|
||||||
|
@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
|
||||||
|
if (mctx->nickname == NULL)
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "No certificate nickname provided.");
|
||||||
|
+ /*
|
||||||
|
+ * Since this is a 'fatal' error, regardless of whether this
|
||||||
|
+ * particular invocation is from a 'server' object or a 'proxy'
|
||||||
|
+ * object, issue all error message(s) as appropriate.
|
||||||
|
+ */
|
||||||
|
+ if ((mctx->sc->enabled == TRUE) &&
|
||||||
|
+ (mctx->sc->server) &&
|
||||||
|
+ (mctx->sc->server->nickname == NULL)) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
+ "NSSEngine on; no certificate nickname provided by NSSNickname.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((mctx->sc->proxy_enabled == TRUE) &&
|
||||||
|
+ (mctx->sc->proxy) &&
|
||||||
|
+ (mctx->sc->proxy->nickname == NULL)) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
+ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
|
767
mod_nss-tlsv1_1.patch
Normal file
767
mod_nss-tlsv1_1.patch
Normal file
@ -0,0 +1,767 @@
|
|||||||
|
Index: mod_nss-1.0.8/docs/mod_nss.html
|
||||||
|
===================================================================
|
||||||
|
--- mod_nss-1.0.8.orig/docs/mod_nss.html
|
||||||
|
+++ mod_nss-1.0.8/docs/mod_nss.html
|
||||||
|
@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
|
||||||
|
<br>
|
||||||
|
Enables or disables FIPS 140 mode. This replaces the standard
|
||||||
|
internal PKCS#11 module with a FIPS-enabled one. It also forces the
|
||||||
|
-enabled protocols to TLSv1 and disables all ciphers but the
|
||||||
|
+enabled protocols to TLSv1.2 - TLS v1.0 and disables all ciphers but the
|
||||||
|
FIPS ones. You may still select which ciphers you would like
|
||||||
|
limited to those that are FIPS-certified. Any non-FIPS that are
|
||||||
|
included in the NSSCipherSuite entry are automatically disabled.
|
||||||
|
@@ -570,7 +570,7 @@ definition<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1<br>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
@@ -578,106 +578,106 @@ definition<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_null_md5<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_null_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_rc2_40_md5</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_rc4_128_md5</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_rc4_128_sha</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_rc4_40_md5</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">fortezza<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">fortezza_rc4_128_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">fortezza_null<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">fips_des_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">fips_3des_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_des_56_sha</td>
|
||||||
|
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSL3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
|
||||||
|
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_aes_128_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">rsa_aes_256_sha<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
|
||||||
|
</td>
|
||||||
|
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
|
||||||
|
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
@@ -698,127 +698,127 @@ Definition<br>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_ecdsa_null_sha</td>
|
||||||
|
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_ecdsa_rc4_128_sha</td>
|
||||||
|
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_ecdsa_3des_sha</td>
|
||||||
|
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_ecdsa_aes_128_sha</td>
|
||||||
|
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_ecdsa_aes_256_sha</td>
|
||||||
|
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_ecdsa_null_sha</td>
|
||||||
|
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_ecdsa_rc4_128_sha</td>
|
||||||
|
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_ecdsa_3des_sha</td>
|
||||||
|
<td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_ecdsa_aes_128_sha</td>
|
||||||
|
<td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_ecdsa_aes_256_sha</td>
|
||||||
|
<td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_rsa_null_sha</td>
|
||||||
|
<td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_rsa_128_sha</td>
|
||||||
|
<td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_rsa_3des_sha</td>
|
||||||
|
<td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_rsa_aes_128_sha</td>
|
||||||
|
<td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_rsa_aes_256_sha</td>
|
||||||
|
<td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>echde_rsa_null</td>
|
||||||
|
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_rsa_rc4_128_sha</td>
|
||||||
|
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_rsa_3des_sha</td>
|
||||||
|
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_rsa_aes_128_sha</td>
|
||||||
|
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdhe_rsa_aes_256_sha</td>
|
||||||
|
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_anon_null_sha</td>
|
||||||
|
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_anon_rc4_128sha</td>
|
||||||
|
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_anon_3des_sha</td>
|
||||||
|
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_anon_aes_128_sha</td>
|
||||||
|
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>ecdh_anon_aes_256_sha</td>
|
||||||
|
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
|
||||||
|
- <td>TLSv1</td>
|
||||||
|
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
@@ -839,16 +839,36 @@ specifically but allows ciphers for that
|
||||||
|
Options are:<br>
|
||||||
|
<ul>
|
||||||
|
<li><code>SSLv3</code></li>
|
||||||
|
- <li><code>TLSv1</code></li>
|
||||||
|
+ <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
|
||||||
|
+ <li><code>TLSv1.0</code></li>
|
||||||
|
+ <li><code>TLSv1.1</code></li>
|
||||||
|
+ <li><code>TLSv1.2</code></li>
|
||||||
|
<li><code>All</code></li>
|
||||||
|
</ul>
|
||||||
|
Note that this differs from mod_ssl in that you can't add or subtract
|
||||||
|
protocols.<br>
|
||||||
|
+<br>
|
||||||
|
+If no NSSProtocol is specified, mod_nss will default to allowing the use of
|
||||||
|
+the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
|
||||||
|
+minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
|
||||||
|
+allowed.
|
||||||
|
+<br>
|
||||||
|
+If values for NSSProtocol are specified, mod_nss will set both the minimum
|
||||||
|
+and the maximum allowed protocols based upon these entries allowing for the
|
||||||
|
+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
|
||||||
|
+are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
|
||||||
|
+protocol ranges to accept all protocols inclusively
|
||||||
|
+(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
|
||||||
|
+in the middle of a range (e. g. - TLS 1.0).<br>
|
||||||
|
+<br>
|
||||||
|
+Finally, NSS will always automatically negotiate the use of the strongest
|
||||||
|
+possible protocol that has been specified which is acceptable to both sides of
|
||||||
|
+a given connection.<br>
|
||||||
|
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-weight: bold;">Example</span><br>
|
||||||
|
<br>
|
||||||
|
-<code>NSSProtocol SSLv3,TLSv1</code><br>
|
||||||
|
+<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
|
||||||
|
<br>
|
||||||
|
<big><big>NSSNickname<br>
|
||||||
|
</big></big><br>
|
||||||
|
@@ -1101,7 +1121,7 @@ was compiled against.<br>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
|
||||||
|
</code></td>
|
||||||
|
- <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
|
||||||
|
+ <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
@@ -1443,7 +1463,7 @@ Opera, and
|
||||||
|
Safari) support SSL 3 and TLS so there is no need for a web server to
|
||||||
|
support
|
||||||
|
SSL 2. There are some known attacks against SSL 2 that are handled by
|
||||||
|
-SSL 3/TLS. SSL2 also doesn't support useful features like client
|
||||||
|
+SSL 3/TLS. SSLv2 also doesn't support useful features like client
|
||||||
|
authentication.
|
||||||
|
<br>
|
||||||
|
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
|
||||||
|
Index: mod_nss-1.0.8/mod_nss.c
|
||||||
|
===================================================================
|
||||||
|
--- mod_nss-1.0.8.orig/mod_nss.c
|
||||||
|
+++ mod_nss-1.0.8/mod_nss.c
|
||||||
|
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
|
||||||
|
"(`[+-]XXX,...,[+-]XXX' - see manual)")
|
||||||
|
SSL_CMD_SRV(Protocol, RAW_ARGS,
|
||||||
|
"Enable the various SSL protocols"
|
||||||
|
- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
|
||||||
|
+ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
|
||||||
|
SSL_CMD_ALL(VerifyClient, TAKE1,
|
||||||
|
"SSL Client Authentication "
|
||||||
|
"(`none', `optional', `require'")
|
||||||
|
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
|
||||||
|
"(`on', `off')")
|
||||||
|
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
|
||||||
|
"SSL Proxy: enable or disable SSL protocol flavors "
|
||||||
|
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
|
||||||
|
+ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
|
||||||
|
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
|
||||||
|
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
|
||||||
|
"(`XXX:...:XXX' - see manual)")
|
||||||
|
Index: mod_nss-1.0.8/nss.conf.in
|
||||||
|
===================================================================
|
||||||
|
--- mod_nss-1.0.8.orig/nss.conf.in
|
||||||
|
+++ mod_nss-1.0.8/nss.conf.in
|
||||||
|
@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
|
||||||
|
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||||
|
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||||
|
|
||||||
|
-NSSProtocol SSLv3,TLSv1
|
||||||
|
+# SSL Protocol:
|
||||||
|
+# Cryptographic protocols that provide communication security.
|
||||||
|
+# NSS handles the specified protocols as "ranges", and automatically
|
||||||
|
+# negotiates the use of the strongest protocol for a connection starting
|
||||||
|
+# with the maximum specified protocol and downgrading as necessary to the
|
||||||
|
+# minimum specified protocol that can be used between two processes.
|
||||||
|
+# Since all protocol ranges are completely inclusive, and no protocol in the
|
||||||
|
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
|
||||||
|
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
|
||||||
|
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
|
||||||
|
|
||||||
|
# SSL Certificate Nickname:
|
||||||
|
# The nickname of the RSA server certificate you are going to use.
|
||||||
|
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||||
|
===================================================================
|
||||||
|
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||||
|
+++ mod_nss-1.0.8/nss_engine_init.c
|
||||||
|
@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
|
||||||
|
apr_pool_t *ptemp,
|
||||||
|
modnss_ctx_t *mctx)
|
||||||
|
{
|
||||||
|
- int ssl2, ssl3, tls;
|
||||||
|
+ int ssl2, ssl3, tls, tls1_1, tls1_2;
|
||||||
|
+ char *protocol_marker = NULL;
|
||||||
|
char *lprotocols = NULL;
|
||||||
|
SECStatus stat;
|
||||||
|
+ SSLVersionRange enabledVersions;
|
||||||
|
|
||||||
|
- ssl2 = ssl3 = tls = 0;
|
||||||
|
+ ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Since this routine will be invoked individually for every thread
|
||||||
|
+ * associated with each 'server' object as well as for every thread
|
||||||
|
+ * associated with each 'proxy' object, identify the protocol marker
|
||||||
|
+ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
|
||||||
|
+ * via each thread's object type and apply this useful information to
|
||||||
|
+ * all log messages.
|
||||||
|
+ */
|
||||||
|
+ if (mctx == mctx->sc->server) {
|
||||||
|
+ protocol_marker = "NSSProtocol";
|
||||||
|
+ } else if (mctx == mctx->sc->proxy) {
|
||||||
|
+ protocol_marker = "NSSProxyProtocol";
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (mctx->sc->fips) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||||
|
- "In FIPS mode, enabling TLSv1");
|
||||||
|
- tls = 1;
|
||||||
|
+ "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ tls = tls1_1 = tls1_2 = 1;
|
||||||
|
} else {
|
||||||
|
if (mctx->auth.protocols == NULL) {
|
||||||
|
- /*
|
||||||
|
- * Since this routine will be invoked individually for every
|
||||||
|
- * thread associated with each 'server' object as well as for
|
||||||
|
- * every thread associated with each 'proxy' object, issue a
|
||||||
|
- * single per-thread 'warning' message for either a 'server'
|
||||||
|
- * or a 'proxy' based upon the thread's object type.
|
||||||
|
- */
|
||||||
|
- if (mctx == mctx->sc->server) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
- "NSSProtocol value not set; using: SSLv3 and TLSv1");
|
||||||
|
- } else if (mctx == mctx->sc->proxy) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
|
||||||
|
- }
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
+ "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
|
||||||
|
+ protocol_marker);
|
||||||
|
|
||||||
|
- ssl3 = tls = 1;
|
||||||
|
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
|
||||||
|
} else {
|
||||||
|
lprotocols = strdup(mctx->auth.protocols);
|
||||||
|
ap_str_tolower(lprotocols);
|
||||||
|
|
||||||
|
if (strstr(lprotocols, "all") != NULL) {
|
||||||
|
#ifdef WANT_SSL2
|
||||||
|
- ssl2 = ssl3 = tls = 1;
|
||||||
|
+ ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
|
||||||
|
#else
|
||||||
|
- ssl3 = tls = 1;
|
||||||
|
+ ssl3 = tls = tls1_1 = tls1_2 = 1;
|
||||||
|
#endif
|
||||||
|
} else {
|
||||||
|
- if (strstr(lprotocols, "sslv2") != NULL) {
|
||||||
|
+ char *protocol_list = NULL;
|
||||||
|
+ char *saveptr = NULL;
|
||||||
|
+ char *token = NULL;
|
||||||
|
+
|
||||||
|
+ for (protocol_list = lprotocols; ; protocol_list = NULL) {
|
||||||
|
+ token = strtok_r(protocol_list, ",", &saveptr);
|
||||||
|
+ if (token == NULL) {
|
||||||
|
+ break;
|
||||||
|
+ } else if (strcmp(token, "sslv2") == 0) {
|
||||||
|
#ifdef WANT_SSL2
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
|
||||||
|
- ssl2 = 1;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling SSL2",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ ssl2 = 1;
|
||||||
|
#else
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||||
|
+ "%s: SSL2 is not supported",
|
||||||
|
+ protocol_marker);
|
||||||
|
#endif
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (strstr(lprotocols, "sslv3") != NULL) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
|
||||||
|
- ssl3 = 1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (strstr(lprotocols, "tlsv1") != NULL) {
|
||||||
|
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
|
||||||
|
- tls = 1;
|
||||||
|
+ } else if (strcmp(token, "sslv3") == 0) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling SSL3",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ ssl3 = 1;
|
||||||
|
+ } else if (strcmp(token, "tlsv1") == 0) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling TLSv1.0 via TLSv1",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||||
|
+ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ tls = 1;
|
||||||
|
+ } else if (strcmp(token, "tlsv1.0") == 0) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling TLSv1.0",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ tls = 1;
|
||||||
|
+ } else if (strcmp(token, "tlsv1.1") == 0) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling TLSv1.1",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ tls1_1 = 1;
|
||||||
|
+ } else if (strcmp(token, "tlsv1.2") == 0) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: Enabling TLSv1.2",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ tls1_2 = 1;
|
||||||
|
+ } else {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
+ "%s: Unknown protocol '%s' not supported",
|
||||||
|
+ protocol_marker, token);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
free(lprotocols);
|
||||||
|
@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
|
||||||
|
stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Set protocol version ranges:
|
||||||
|
+ *
|
||||||
|
+ * (1) Set the minimum protocol accepted
|
||||||
|
+ * (2) Set the maximum protocol accepted
|
||||||
|
+ * (3) Protocol ranges extend from maximum down to minimum protocol
|
||||||
|
+ * (4) All protocol ranges are completely inclusive;
|
||||||
|
+ * no protocol in the middle of a range may be excluded
|
||||||
|
+ * (5) NSS automatically negotiates the use of the strongest protocol
|
||||||
|
+ * for a connection starting with the maximum specified protocol
|
||||||
|
+ * and downgrading as necessary to the minimum specified protocol
|
||||||
|
+ *
|
||||||
|
+ * For example, if SSL 3.0 is chosen as the minimum protocol, and
|
||||||
|
+ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
|
||||||
|
+ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
|
||||||
|
+ * cannot be excluded from this range. NSS will automatically negotiate
|
||||||
|
+ * to utilize the strongest acceptable protocol for a connection starting
|
||||||
|
+ * with the maximum specified protocol and downgrading as necessary to the
|
||||||
|
+ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
|
||||||
|
+ */
|
||||||
|
if (stat == SECSuccess) {
|
||||||
|
+ /* Set minimum protocol version (lowest -> highest)
|
||||||
|
+ *
|
||||||
|
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
|
||||||
|
+ */
|
||||||
|
if (ssl3 == 1) {
|
||||||
|
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
|
||||||
|
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [SSL 3.0] (minimum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (tls == 1) {
|
||||||
|
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.0] (minimum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (tls1_1 == 1) {
|
||||||
|
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.1] (minimum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (tls1_2 == 1) {
|
||||||
|
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.2] (minimum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
} else {
|
||||||
|
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
|
||||||
|
+ /* Set default minimum protocol version to SSL 3.0 */
|
||||||
|
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [SSL 3.0] (default minimum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
- if (stat == SECSuccess) {
|
||||||
|
- if (tls == 1) {
|
||||||
|
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
|
||||||
|
+
|
||||||
|
+ /* Set maximum protocol version (highest -> lowest)
|
||||||
|
+ *
|
||||||
|
+ * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
|
||||||
|
+ */
|
||||||
|
+ if (tls1_2 == 1) {
|
||||||
|
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.2] (maximum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (tls1_1 == 1) {
|
||||||
|
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.1] (maximum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (tls == 1) {
|
||||||
|
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.0] (maximum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
+ } else if (ssl3 == 1) {
|
||||||
|
+ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [SSL 3.0] (maximum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
} else {
|
||||||
|
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
|
||||||
|
+ /* Set default maximum protocol version to TLS 1.2 */
|
||||||
|
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
+ "%s: [TLS 1.2] (default maximum)",
|
||||||
|
+ protocol_marker);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (stat != SECSuccess) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "SSL protocol initialization failed.");
|
||||||
|
+ "%s: SSL/TLS protocol initialization failed.",
|
||||||
|
+ protocol_marker);
|
||||||
|
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
mctx->ssl2 = ssl2;
|
||||||
|
mctx->ssl3 = ssl3;
|
||||||
|
- mctx->tls = tls;
|
||||||
|
+ if (tls1_2 == 1) {
|
||||||
|
+ mctx->tls = tls1_2;
|
||||||
|
+ } else if (tls1_1 == 1) {
|
||||||
|
+ mctx->tls = tls1_1;
|
||||||
|
+ } else {
|
||||||
|
+ mctx->tls = tls;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static void nss_init_ctx_session_cache(server_rec *s,
|
||||||
|
@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
PRBool cipher_state[ciphernum];
|
||||||
|
PRBool fips_state[ciphernum];
|
||||||
|
const char *suite = mctx->auth.cipher_suite;
|
||||||
|
+ char * object_type = NULL;
|
||||||
|
+ char * cipher_suite_marker = NULL;
|
||||||
|
char * ciphers;
|
||||||
|
char * fipsciphers = NULL;
|
||||||
|
int i;
|
||||||
|
@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Since this routine will be invoked individually for every thread
|
||||||
|
+ * associated with each 'server' object as well as for every thread
|
||||||
|
+ * associated with each 'proxy' object, identify the cipher suite markers
|
||||||
|
+ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
|
||||||
|
+ * via each thread's object type and apply this useful information to
|
||||||
|
+ * all log messages.
|
||||||
|
+ */
|
||||||
|
+ if (mctx == mctx->sc->server) {
|
||||||
|
+ object_type = "server";
|
||||||
|
+ cipher_suite_marker = "NSSCipherSuite";
|
||||||
|
+ } else if (mctx == mctx->sc->proxy) {
|
||||||
|
+ object_type = "proxy";
|
||||||
|
+ cipher_suite_marker = "NSSProxyCipherSuite";
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ciphers = strdup(suite);
|
||||||
|
|
||||||
|
#define CIPHERSIZE 2048
|
||||||
|
@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
}
|
||||||
|
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
- "FIPS mode enabled, permitted SSL ciphers are: [%s]",
|
||||||
|
- fipsciphers);
|
||||||
|
+ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
|
||||||
|
+ object_type, fipsciphers);
|
||||||
|
}
|
||||||
|
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
||||||
|
- "Configuring permitted SSL ciphers [%s]",
|
||||||
|
- suite);
|
||||||
|
+ "%s: Configuring permitted SSL ciphers [%s]",
|
||||||
|
+ cipher_suite_marker, suite);
|
||||||
|
|
||||||
|
/* Disable all NSS supported cipher suites. This is to prevent any new
|
||||||
|
* NSS cipher suites from getting automatically and unintentionally
|
||||||
|
@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
for (i=0; i<ciphernum; i++) {
|
||||||
|
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||||
|
- "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
|
||||||
|
+ "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
|
||||||
|
cipher_state[i] = PR_FALSE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -902,19 +1041,22 @@ static void nss_init_ctx_cipher_suite(se
|
||||||
|
/* See if any ciphers have been enabled for a given protocol */
|
||||||
|
if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "SSL2 is enabled but no SSL2 ciphers are enabled.");
|
||||||
|
+ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
|
||||||
|
+ cipher_suite_marker);
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "SSL3 is enabled but no SSL3 ciphers are enabled.");
|
||||||
|
+ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.",
|
||||||
|
+ cipher_suite_marker);
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
||||||
|
- "TLS is enabled but no TLS ciphers are enabled.");
|
||||||
|
+ "%s: TLS is enabled but no TLS ciphers are enabled.",
|
||||||
|
+ cipher_suite_marker);
|
||||||
|
nss_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
Index: mod_nss-1.0.8/nss_engine_vars.c
|
||||||
|
===================================================================
|
||||||
|
--- mod_nss-1.0.8.orig/nss_engine_vars.c
|
||||||
|
+++ mod_nss-1.0.8/nss_engine_vars.c
|
||||||
|
@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
|
||||||
|
case SSL_LIBRARY_VERSION_3_0:
|
||||||
|
result = "SSLv3";
|
||||||
|
break;
|
||||||
|
- case SSL_LIBRARY_VERSION_3_1_TLS:
|
||||||
|
+ case SSL_LIBRARY_VERSION_TLS_1_0:
|
||||||
|
+ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
|
||||||
|
result = "TLSv1";
|
||||||
|
break;
|
||||||
|
+ case SSL_LIBRARY_VERSION_TLS_1_1:
|
||||||
|
+ result = "TLSv1.1";
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user