forked from pool/apache2-mod_nss
Accepting request 223307 from mozilla:Factory
- mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039] - glue documentation added to /etc/apache2/conf.d/mod_nss.conf: * simultaneaous usage of mod_ssl and mod_nss * SNI concurrency * SUSE framework for apache configuration, Listen directive * module initialization - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of (forwarded request 222758 from wrosenauer) OBS-URL: https://build.opensuse.org/request/show/223307 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=5
This commit is contained in:
commit
b2f5ed253d
85
README-SUSE.txt
Normal file
85
README-SUSE.txt
Normal file
@ -0,0 +1,85 @@
|
||||
Fri Nov 8 00:00:00 CET 2013 - draht
|
||||
|
||||
README-SUSE.txt for apache2-mod_nss
|
||||
==============================================================================
|
||||
Rationale:
|
||||
|
||||
The apache2-mod_nss package was added to the SLES11 codebase to satisfy the
|
||||
increased demand for a TLSv1.2 capable crypto solution for the apache
|
||||
webserver, as an enhancement in parallel to the mod_ssl package that comes
|
||||
with the apache2 package set.
|
||||
|
||||
SSL/TLS support in the apache2 package is normally provided by mod_ssl, the
|
||||
apache module that provides SSL/TLS using the openssl crypto suite. The
|
||||
specific version in SLES11-SP2 and newer is "0.9.8j", which support TLS of
|
||||
version 1.0 only. TLSv1.2 can only be provided by versions that are not
|
||||
compatible with the large variety of packages contained in SLES. The
|
||||
alternative is to make use of the crypto routines provided by mozilla-nss.
|
||||
|
||||
The configuration of mod_nss is similar to that of mod_ssl, but some the
|
||||
individual options expect different values; as a consequence, a simple
|
||||
conversion of option names does not work as desired.
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
Converting SSL/TLS certificates:
|
||||
|
||||
Because mod_nss uses a database format for the server and CA certificates
|
||||
and the private key, existing mod_ssl-based certificates need to be converted
|
||||
to be used by mod_nss.
|
||||
The SUSE package apache2-mod_nss contains the perl script
|
||||
/usr/sbin/mod_nss_migrate.pl
|
||||
that can do that work for you. It may lead to satisfactory results, but in
|
||||
case it doesn't, here is what it does when it converts mod_ssl to mod_nss
|
||||
key/certificate storage:
|
||||
|
||||
# we make a backup. Good practice...
|
||||
old /etc/apache2/mod_nss.d
|
||||
# initialize the database; this creates a NEW database!
|
||||
certutil -N -d /etc/apache2/mod_nss.d
|
||||
# convert the existing openssl key and the certificate to pkcs#12 format, uses temporary password "foo":
|
||||
openssl pkcs12 -export -in your_certificate_file.crt -inkey your_keyfile.key -out server.p12 -name \"Server-Cert\" -passout pass:foo
|
||||
# import the pkcs#12 file into the freshly created NSS database, again temporary password "foo":
|
||||
pk12util -i server.p12 -d /etc/apache2/mod_nss.d -W foo
|
||||
# the last step: -n specifies a name that the certificate can be referred to
|
||||
# in an easy way from within apache config files; you may use a name of your
|
||||
# choice, provided you use the same string to reference it in mod_nss.
|
||||
# Often, the subject of a certificate is used for this.
|
||||
# set SUBJECT=your_subject from the output of "openssl x509 -subject -in your_certificate_file.crt"
|
||||
# certutil -A -n $SUBJECT -t \"CT,,\" -d /etc/apache2/mod_nss.d -i your_ca_certificate.pem
|
||||
|
||||
You are basically done now.
|
||||
Use the command
|
||||
|
||||
certutil -d /etc/apache2/mod_nss.d -L
|
||||
|
||||
to list the certificates contained in the NSS database.
|
||||
More options of the certutil utility are shown with
|
||||
|
||||
certutil -h # short help
|
||||
certutil --help # longer help
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
TLS versions:
|
||||
|
||||
This package has a direct dependency on mozilla-nss of version 3.15.1 or
|
||||
higher, as TLSv1.2 support first came with this version. The specification of
|
||||
TLS versions is done with the NSSProtocol directive in apache. Contrary to
|
||||
the SSLProtocol option from mod_ssl, the NSSProtocol directive specifies a
|
||||
range of versions, not a list.
|
||||
The default configuration file that comes with the apache2-mod_nss package
|
||||
is /etc/apache2/conf.d/mod_nss.conf and reads as follows:
|
||||
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
||||
Please note that SSLv2 support is not provided by mod_nss. If you require
|
||||
the deprecated SSLv2 protocol, you may need to revert to mod_ssl.
|
||||
|
||||
|
||||
|
||||
Please read through the comments on top of the file
|
||||
/etc/apache2/conf.d/mod_nss.conf for more information about usage and
|
||||
configuration of mod_nss.
|
||||
|
||||
|
||||
Thank you,
|
||||
Roman Drahtmueller <draht@suse.com>
|
||||
|
@ -1,3 +1,65 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 18 16:31:45 CET 2014 - draht@suse.de
|
||||
|
||||
- mod_nss-cipherlist_update_for_tls12-doc.diff
|
||||
mod_nss-cipherlist_update_for_tls12.diff
|
||||
GCM mode and Camellia ciphers added to the supported ciphers list.
|
||||
The additional ciphers are:
|
||||
rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
|
||||
ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
[bnc#863035]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 29 16:30:07 CET 2013 - draht@suse.de
|
||||
|
||||
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
|
||||
If 'NSSVerifyClient none' is set in the server / vhost context
|
||||
(i.e. when server is configured to not request or require client
|
||||
certificate authentication on the initial connection), and client
|
||||
certificate authentication is expected to be required for a
|
||||
specific directory via 'NSSVerifyClient require' setting,
|
||||
mod_nss fails to properly require certificate authentication.
|
||||
Remote attacker can use this to access content of the restricted
|
||||
directories. [bnc#853039]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 8 20:46:07 CET 2013 - draht@suse.de
|
||||
|
||||
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
|
||||
* simultaneaous usage of mod_ssl and mod_nss
|
||||
* SNI concurrency
|
||||
* SUSE framework for apache configuration, Listen directive
|
||||
* module initialization
|
||||
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
|
||||
or mod_nss.conf, respectively. This also leads to the removal of
|
||||
nss.conf.in specific chunks in mod_nss-negotiate.patch and
|
||||
mod_nss-tlsv1_1.patch .
|
||||
- mod_nss_migrate.pl conversion script added; not patched from
|
||||
source, but partially rewritten.
|
||||
- README-SUSE.txt added with step-by-step instructions on how to
|
||||
convert and manage certificates and keys, as well as a rationale
|
||||
about why mod_nss was included in SLES.
|
||||
- package ready for submission [bnc#847216]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 5 15:45:08 CET 2013 - draht@suse.de
|
||||
|
||||
- generic cleanup of the package:
|
||||
- explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support
|
||||
came with this version - this is the objective behind this
|
||||
version update of apache2-mod_nss. Tracker bug [bnc#847216]
|
||||
- change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid
|
||||
ambiguously interpreted name of directory.
|
||||
- merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if
|
||||
/etc/apache2/alias exists.
|
||||
- set explicit filemodes 640 for %post generated *.db files in
|
||||
/etc/apache2/mod_nss.d
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package apache2-mod_nss
|
||||
#
|
||||
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -21,14 +21,19 @@ Summary: SSL/TLS module for the Apache HTTP server
|
||||
License: Apache-2.0
|
||||
Group: Productivity/Networking/Web/Servers
|
||||
Version: 1.0.8
|
||||
Release: 0
|
||||
Release: 0.4.<RELEASE7>
|
||||
Url: http://directory.fedoraproject.org/wiki/Mod_nss
|
||||
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
|
||||
Source1: mod_nss.conf.in
|
||||
Source2: listen_nss.conf
|
||||
Source3: mod_nss_migrate.pl
|
||||
Source4: README-SUSE.txt
|
||||
Provides: mod_nss
|
||||
Requires: apache2 >= 2.0.52
|
||||
Requires: apache2 >= 2.2.12
|
||||
Requires: findutils
|
||||
Requires(post): mozilla-nss-tools
|
||||
BuildRequires: apache2-devel >= 2.0.52
|
||||
Requires: mozilla-nss >= 3.15.1
|
||||
PreReq: mozilla-nss-tools
|
||||
BuildRequires: apache2-devel >= 2.2.12
|
||||
BuildRequires: bison
|
||||
BuildRequires: findutils
|
||||
BuildRequires: flex
|
||||
@ -36,10 +41,12 @@ BuildRequires: gcc-c++
|
||||
BuildRequires: libapr-util1-devel
|
||||
BuildRequires: libapr1-devel
|
||||
BuildRequires: mozilla-nspr-devel >= 4.6.3
|
||||
BuildRequires: mozilla-nss-devel >= 3.12.6
|
||||
BuildRequires: mozilla-nss-devel >= 3.15.1
|
||||
BuildRequires: mozilla-nss-tools
|
||||
BuildRequires: pkgconfig
|
||||
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
|
||||
Patch1: mod_nss-conf.patch
|
||||
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
|
||||
#Patch1: mod_nss-conf.patch
|
||||
Patch2: mod_nss-gencert.patch
|
||||
Patch3: mod_nss-wouldblock.patch
|
||||
Patch4: mod_nss-negotiate.patch
|
||||
@ -58,6 +65,9 @@ Patch14: mod_nss-no_shutdown_if_not_init_2.patch
|
||||
Patch15: mod_nss-PK11_ListCerts_2.patch
|
||||
Patch16: mod_nss-sslmultiproxy.patch
|
||||
Patch17: mod_nss-overlapping_memcpy.patch
|
||||
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
|
||||
Patch19: mod_nss-cipherlist_update_for_tls12.diff
|
||||
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apxs /usr/sbin/apxs2
|
||||
%define apache apache2
|
||||
@ -66,6 +76,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
|
||||
%define apache_serverroot %(%{apxs} -q PREFIX)
|
||||
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
|
||||
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
|
||||
|
||||
%description
|
||||
The mod_nss module provides strong cryptography for the Apache Web
|
||||
@ -75,22 +86,25 @@ security library.
|
||||
|
||||
%prep
|
||||
%setup -q -n mod_nss-%{version}
|
||||
%patch1 -p1 -b .conf
|
||||
%patch2 -p1 -b .gencert
|
||||
%patch3 -p1 -b .wouldblock
|
||||
%patch4 -p1 -b .negotiate
|
||||
%patch5 -p1 -b .reverseproxy
|
||||
%patch6 -p1 -b .pcachesignal.h
|
||||
%patch7 -p1 -b .reseterror
|
||||
%patch8 -p1 -b .lockpcache
|
||||
%patch10 -p1 -b .proxyvariables
|
||||
%patch11 -p1 -b .tlsv1_1
|
||||
%patch12 -p1 -b .array_overrun
|
||||
%patch13 -p1 -b .clientauth.patch
|
||||
%patch14 -p1 -b .no_shutdown_if_not_init_2
|
||||
%patch15 -p1 -b .PK11_ListCerts_2
|
||||
%patch16 -p1 -b .sslmultiproxy
|
||||
%patch17 -p1 -b .overlapping_memcpy
|
||||
#%patch1 -p1 -b .conf.rpmpatch
|
||||
%patch2 -p1 -b .gencert.rpmpatch
|
||||
%patch3 -p1 -b .wouldblock.rpmpatch
|
||||
%patch4 -p1 -b .negotiate.rpmpatch
|
||||
%patch5 -p1 -b .reverseproxy.rpmpatch
|
||||
%patch6 -p1 -b .pcachesignal.h.rpmpatch
|
||||
%patch7 -p1 -b .reseterror.rpmpatch
|
||||
%patch8 -p1 -b .lockpcache.rpmpatch
|
||||
%patch10 -p1 -b .proxyvariables.rpmpatch
|
||||
%patch11 -p1 -b .tlsv1_1.rpmpatch
|
||||
%patch12 -p1 -b .array_overrun.rpmpatch
|
||||
%patch13 -p1 -b .clientauth.rpmpatch
|
||||
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
|
||||
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
|
||||
%patch16 -p1 -b .sslmultiproxy.rpmpatch
|
||||
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
|
||||
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
|
||||
%patch19 -p0 -b .ciphers.rpmpatch
|
||||
%patch20 -p0 -b .ciphers.doc.rpmpatch
|
||||
|
||||
# keep this last, otherwise we get fuzzyness from above
|
||||
%if 0%{?suse_version} >= 1300
|
||||
@ -111,6 +125,10 @@ NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
|
||||
# For some reason mod_nss can't find nss on SUSE unless we do the following
|
||||
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
|
||||
export C_INCLUDE_PATH
|
||||
# no more patching a config file...
|
||||
cp -a %{SOURCE1} ./nss.conf.in
|
||||
cp -a %{SOURCE4} .
|
||||
chmod 644 ./nss.conf.in
|
||||
#autoreconf -fvi
|
||||
%configure \
|
||||
--with-nss-lib=$NSS_LIB_DIR \
|
||||
@ -118,6 +136,7 @@ export C_INCLUDE_PATH
|
||||
--with-nspr-lib=$NSPR_LIB_DIR \
|
||||
--with-nspr-inc=$NSPR_INCLUDE_DIR \
|
||||
--with-apxs=%{apxs} \
|
||||
--enable-ecc \
|
||||
--with-apr-config
|
||||
make %{?_smp_mflags} all
|
||||
|
||||
@ -128,22 +147,24 @@ make %{?_smp_mflags} all
|
||||
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
|
||||
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
|
||||
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/alias
|
||||
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
|
||||
|
||||
%if 0%{?suse_version}
|
||||
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
|
||||
%endif
|
||||
|
||||
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/
|
||||
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}
|
||||
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
|
||||
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
|
||||
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
|
||||
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
|
||||
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
|
||||
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
|
||||
|
||||
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconfdir}/alias/
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/secmod.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/cert8.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/key3.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconfdir}/alias/install.log
|
||||
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
|
||||
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
|
||||
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
|
||||
|
||||
%clean
|
||||
@ -152,30 +173,63 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%post
|
||||
umask 077
|
||||
if [ "$1" -eq 1 ] ; then
|
||||
if [ ! -e %{apache_sysconfdir}/alias/key3.db ]; then
|
||||
%{_sbindir}/gencert %{apache_sysconfdir}/alias > %{apache_sysconfdir}/alias/install.log 2>&1
|
||||
# this is first time installation.
|
||||
if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
|
||||
%{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
|
||||
echo ""
|
||||
echo "%{name} certificate database generated."
|
||||
echo ""
|
||||
fi
|
||||
# Make sure that the database ownership is setup properly.
|
||||
find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chgrp www {} \;
|
||||
find %{apache_sysconfdir}/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
|
||||
find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
|
||||
find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
|
||||
fi
|
||||
if [ "$1" -eq 2 ]; then
|
||||
# this is the upgrade case for this %post:
|
||||
if [ -d %{apache_sysconfdir}/alias ]; then
|
||||
copied_files=""
|
||||
for dbfile in *.db; do
|
||||
if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
|
||||
cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
|
||||
copied_files="$copied_files $dbfile"
|
||||
fi
|
||||
done
|
||||
if [ "$copied_files" != "" ]; then
|
||||
{
|
||||
echo "This notice was written by the post-install script of the package"
|
||||
echo "%{name}."
|
||||
echo ""
|
||||
echo "The files $copied_files"
|
||||
echo "have been copied to the directory %{apache_sysconf_nssdir},"
|
||||
echo "as this directory is not referenced by the default configuration any longer,"
|
||||
echo "and because these files did not exist in %{apache_sysconf_nssdir}."
|
||||
echo "Existing files have not been modified."
|
||||
echo ""
|
||||
echo "Please check your configuration and remove or move your certificate and"
|
||||
echo "key storage to your desired place, and adjust your module configuration"
|
||||
echo "accordingly."
|
||||
echo ""
|
||||
echo "Thank you."
|
||||
} > %{apache_sysconfdir}/alias/README-dbfiles.txt
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%doc README LICENSE docs/mod_nss.html
|
||||
%config(noreplace) %{apache_sysconfdir}/conf.d/nss.conf
|
||||
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
|
||||
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
|
||||
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
|
||||
%dir %{apache_libexecdir}
|
||||
%{apache_libexecdir}/libmodnss.so
|
||||
%dir %{apache_sysconfdir}/alias/
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/secmod.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/cert8.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconfdir}/alias/key3.db
|
||||
%ghost %config(noreplace) %{apache_sysconfdir}/alias/install.log
|
||||
#%%{apache_sysconfdir}/alias/libnssckbi.so
|
||||
%{apache_libexecdir}/mod_nss.so
|
||||
%dir %{apache_sysconf_nssdir}/
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
|
||||
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
|
||||
#%%{apache_sysconf_nssdir}/libnssckbi.so
|
||||
%{_sbindir}/nss_pcache
|
||||
%{_sbindir}/gencert
|
||||
%{_sbindir}/mod_nss_migrate.pl
|
||||
|
||||
%changelog
|
||||
|
43
listen_nss.conf
Normal file
43
listen_nss.conf
Normal file
@ -0,0 +1,43 @@
|
||||
# This is /etc/apache2/listen-nss.conf
|
||||
#
|
||||
# This file is read from /etc/apache2/conf.d/mod_nss.conf ,
|
||||
# the starting point for all configuration of mod_nss.
|
||||
#
|
||||
# Please have a look at the top section of the file
|
||||
# /etc/apache2/conf.d/mod_nss.conf for information and
|
||||
# instructions about how to enable mod_nss.
|
||||
#
|
||||
#
|
||||
# There are two conditions that have to be met for the Listen directive
|
||||
# below to become active:
|
||||
# a) The server define "SSL" is present; this means that the apache process
|
||||
# is launched with the commandline arguments "-D SSL".
|
||||
# b) The nss apache module is loaded, which happens automatically if you add
|
||||
# the name of the module ("nss") to the variable APACHE_MODULES in
|
||||
# /etc/sysconfig/apache2
|
||||
#
|
||||
# An equivalent section for mod_ssl (openssl based support for SSL/TLS)
|
||||
# is contained in the file /etc/apache2/listen.conf, with the dependency to
|
||||
# the module "ssl" loaded ("<IfModule mod_ssl.c>").
|
||||
#
|
||||
# The difference between this file and listen.conf is that listen.conf is
|
||||
# read (included) from apache's main configuration file /etc/apache2/httpd.conf,
|
||||
# while _this_ file is included from /etc/apache2/conf.d/mod_nss.conf .
|
||||
|
||||
<IfDefine SSL>
|
||||
<IfDefine !NOSSL>
|
||||
# mod_ssl may be active and has triggered the Listen directive for 443.
|
||||
# In this case we refrain from doing a second Listen, as the
|
||||
# correspondance between the bound port and the VirtualHost does
|
||||
# not happen here anyway.
|
||||
<IfModule !mod_ssl.c>
|
||||
<IfModule mod_nss.c>
|
||||
|
||||
Listen 443
|
||||
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
|
||||
|
319
mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Normal file
319
mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Normal file
@ -0,0 +1,319 @@
|
||||
This is CVE-2013-4566:
|
||||
The flaw is in the NSSVerifyClient (which is equivalent to mod_ssl's
|
||||
SSLVerifyClient) setting enforcement. If 'NSSVerifyClient none' is set
|
||||
in the server / vhost context (i.e. when server is configured to not
|
||||
request or require client certificate authentication on the initial
|
||||
connection), and client certificate authentication is expected to be
|
||||
required for a specific directory via 'NSSVerifyClient require'
|
||||
setting, mod_nss fails to properly require certificate authentication.
|
||||
Remote attacker can use this to access content of the restricted
|
||||
directories.
|
||||
|
||||
Reported by Thomas Hoger <thoger@redhat.com>.
|
||||
|
||||
diff -rNU 150 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c
|
||||
--- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2013-11-29 16:09:37.000000000 +0100
|
||||
+++ ./nss_engine_kernel.c 2013-11-29 16:12:20.000000000 +0100
|
||||
@@ -133,301 +133,301 @@
|
||||
/*
|
||||
* Check to see if SSL protocol is enabled. If it's not then
|
||||
* no further access control checks are relevant. The test for
|
||||
* sc->enabled is probably strictly unnecessary
|
||||
*/
|
||||
if (!((sc->enabled == TRUE) || !ssl)) {
|
||||
return DECLINED;
|
||||
}
|
||||
|
||||
/*
|
||||
* Support for per-directory reconfigured SSL connection parameters.
|
||||
*
|
||||
* This is implemented by forcing an SSL renegotiation with the
|
||||
* reconfigured parameter suite. But Apache's internal API processing
|
||||
* makes our life very hard here, because when internal sub-requests occur
|
||||
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
|
||||
* require extra network I/O and especially time to perform).
|
||||
*
|
||||
* But the optimization for filtering out the unnecessary handshakes isn't
|
||||
* obvious and trivial. Especially because while Apache is in its
|
||||
* sub-request processing the client could force additional handshakes,
|
||||
* too. And these take place perhaps without our notice. So the only
|
||||
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
|
||||
* has to be performed or not. It has to performed when some parameters
|
||||
* which were previously known (by us) are not those we've now
|
||||
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
|
||||
* the reconfigured parameter suite is stronger (more restrictions) than
|
||||
* the currently active one.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Override of NSSCipherSuite
|
||||
*
|
||||
* We provide two options here:
|
||||
*
|
||||
* o The paranoid and default approach where we force a renegotiation when
|
||||
* the cipher suite changed in _any_ way (which is straight-forward but
|
||||
* often forces renegotiations too often and is perhaps not what the
|
||||
* user actually wanted).
|
||||
*
|
||||
* o The optimized and still secure way where we force a renegotiation
|
||||
* only if the currently active cipher is no longer contained in the
|
||||
* reconfigured/new cipher suite. Any other changes are not important
|
||||
* because it's the servers choice to select a cipher from the ones the
|
||||
* client supports. So as long as the current cipher is still in the new
|
||||
* cipher suite we're happy. Because we can assume we would have
|
||||
* selected it again even when other (better) ciphers exists now in the
|
||||
* new cipher suite. This approach is fine because the user explicitly
|
||||
* has to enable this via ``NSSOptions +OptRenegotiate''. So we do no
|
||||
* implicit optimizations.
|
||||
*/
|
||||
if (dc->szCipherSuite) {
|
||||
/* remember old state */
|
||||
for (i=0; i < ciphernum; i++) {
|
||||
SSL_CipherPrefGet(ssl, ciphers_def[i].num, &ciphers_old[i]);
|
||||
}
|
||||
|
||||
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
|
||||
int on, keySize, secretKeySize;
|
||||
char *issuer, *subject;
|
||||
|
||||
SSL_SecurityStatus(ssl, &on, &cipher,
|
||||
&keySize, &secretKeySize, &issuer,
|
||||
&subject);
|
||||
}
|
||||
|
||||
/* configure new state */
|
||||
|
||||
ciphers = strdup(dc->szCipherSuite);
|
||||
if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
|
||||
r->server,
|
||||
"Unable to reconfigure (per-directory) "
|
||||
"permitted SSL ciphers");
|
||||
nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server);
|
||||
free(ciphers);
|
||||
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
free(ciphers);
|
||||
|
||||
/* Actually enable the selected ciphers. Also check to
|
||||
see if the existing cipher is in the new list for
|
||||
a possible optimization later. */
|
||||
|
||||
for (i=0; i<ciphernum;i++) {
|
||||
if (cipher && !strcasecmp(cipher, ciphers_def[i].name)) {
|
||||
if (ciphers_new[i] == PR_TRUE)
|
||||
cipher_in_list = PR_TRUE;
|
||||
}
|
||||
SSL_CipherPrefSet(ssl, ciphers_def[i].num, ciphers_new[i]);
|
||||
}
|
||||
|
||||
/* determine whether a renegotiation has to be forced */
|
||||
|
||||
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
|
||||
if (cipher_in_list != PR_TRUE)
|
||||
renegotiate = TRUE;
|
||||
}
|
||||
else {
|
||||
/* paranoid way */
|
||||
for (i=0; i<ciphernum;i++) {
|
||||
if (ciphers_new[i] != ciphers_old[i]) {
|
||||
renegotiate = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* tracing */
|
||||
if (renegotiate) {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Reconfigured cipher suite will force renegotiation");
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* override of SSLVerifyClient
|
||||
*
|
||||
* We force a renegotiation if the reconfigured/new verify type is
|
||||
* stronger than the currently active verify type.
|
||||
*
|
||||
* The order is: none << optional_no_ca << optional << require
|
||||
*
|
||||
* Additionally the following optimization is possible here: When the
|
||||
* currently active verify type is "none" but a client certificate is
|
||||
* already known/present, it's enough to manually force a client
|
||||
* verification but at least skip the I/O-intensive renegotation
|
||||
* handshake.
|
||||
*/
|
||||
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
|
||||
PRInt32 on;
|
||||
|
||||
/* remember old state */
|
||||
SSL_OptionGet(ssl, SSL_REQUIRE_CERTIFICATE, &on);
|
||||
if (on == PR_TRUE) {
|
||||
verify_old = SSL_CVERIFY_REQUIRE;
|
||||
} else {
|
||||
SSL_OptionGet(ssl, SSL_REQUEST_CERTIFICATE, &on);
|
||||
if (on == PR_TRUE)
|
||||
verify_old = SSL_CVERIFY_OPTIONAL;
|
||||
else
|
||||
verify_old = SSL_CVERIFY_NONE;
|
||||
}
|
||||
|
||||
/* configure new state */
|
||||
verify = dc->nVerifyClient;
|
||||
|
||||
if (verify == SSL_CVERIFY_REQUIRE) {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
|
||||
- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
|
||||
+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
|
||||
} else if (verify == SSL_CVERIFY_OPTIONAL) {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
|
||||
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
|
||||
} else {
|
||||
SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE);
|
||||
SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
|
||||
}
|
||||
|
||||
/* determine whether we've to force a renegotiation */
|
||||
if (!renegotiate && verify != verify_old) {
|
||||
if (((verify_old == SSL_CVERIFY_NONE) &&
|
||||
(verify != SSL_CVERIFY_NONE)) ||
|
||||
|
||||
(!(verify_old & SSL_CVERIFY_OPTIONAL) &&
|
||||
(verify & SSL_CVERIFY_OPTIONAL)) ||
|
||||
|
||||
(!(verify_old & SSL_CVERIFY_REQUIRE) &&
|
||||
(verify & SSL_CVERIFY_REQUIRE)))
|
||||
{
|
||||
renegotiate = TRUE;
|
||||
/* optimization */
|
||||
|
||||
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
|
||||
(verify_old == SSL_CVERIFY_NONE) &&
|
||||
((peercert = SSL_PeerCertificate(ssl)) != NULL))
|
||||
{
|
||||
renegotiate_quick = TRUE;
|
||||
CERT_DestroyCertificate(peercert);
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
|
||||
r->server,
|
||||
"Changed client verification type will force "
|
||||
"%srenegotiation",
|
||||
renegotiate_quick ? "quick " : "");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* If a renegotiation is now required for this location, and the
|
||||
* request includes a message body (and the client has not
|
||||
* requested a "100 Continue" response), then the client will be
|
||||
* streaming the request body over the wire already. In that
|
||||
* case, it is not possible to stop and perform a new SSL
|
||||
* handshake immediately; once the SSL library moves to the
|
||||
* "accept" state, it will reject the SSL packets which the client
|
||||
* is sending for the request body.
|
||||
*
|
||||
* To allow authentication to complete in this auth hook, the
|
||||
* solution used here is to fill a (bounded) buffer with the
|
||||
* request body, and then to reinject that request body later.
|
||||
*/
|
||||
if (renegotiate && !renegotiate_quick
|
||||
&& (apr_table_get(r->headers_in, "transfer-encoding")
|
||||
|| (apr_table_get(r->headers_in, "content-length")
|
||||
&& strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
|
||||
&& !r->expecting_100) {
|
||||
int rv;
|
||||
|
||||
/* Fill the I/O buffer with the request body if possible. */
|
||||
rv = nss_io_buffer_fill(r);
|
||||
|
||||
if (rv) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||
"could not buffer message body to allow "
|
||||
"SSL renegotiation to proceed");
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* now do the renegotiation if anything was actually reconfigured
|
||||
*/
|
||||
if (renegotiate) {
|
||||
/*
|
||||
* Now we force the SSL renegotation by sending the Hello Request
|
||||
* message to the client. Here we have to do a workaround: Actually
|
||||
* OpenSSL returns immediately after sending the Hello Request (the
|
||||
* intent AFAIK is because the SSL/TLS protocol says it's not a must
|
||||
* that the client replies to a Hello Request). But because we insist
|
||||
* on a reply (anything else is an error for us) we have to go to the
|
||||
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
|
||||
* here because it resets too much of the connection. So we set the
|
||||
* state explicitly and continue the handshake manually.
|
||||
*/
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
|
||||
"Requesting connection re-negotiation");
|
||||
|
||||
if (renegotiate_quick) {
|
||||
SECStatus rv;
|
||||
CERTCertificate *peerCert;
|
||||
void *pinArg;
|
||||
|
||||
/* perform just a manual re-verification of the peer */
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Performing quick renegotiation: "
|
||||
"just re-verifying the peer");
|
||||
|
||||
peerCert = SSL_PeerCertificate(sslconn->ssl);
|
||||
|
||||
pinArg = SSL_RevealPinArg(sslconn->ssl);
|
||||
|
||||
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(),
|
||||
peerCert,
|
||||
PR_TRUE,
|
||||
certUsageSSLClient,
|
||||
pinArg);
|
||||
|
||||
CERT_DestroyCertificate(peerCert);
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
|
||||
"Re-negotiation handshake failed: "
|
||||
"Client verification failed");
|
||||
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
|
||||
/* The cert is ok, fall through to the check SSLRequires */
|
||||
}
|
||||
else {
|
||||
int handshake_done = 0;
|
||||
int result = 0;
|
||||
|
||||
/* do a full renegotiation */
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Performing full renegotiation: "
|
||||
"complete handshake protocol");
|
||||
|
||||
/* Do NOT call SSL_ResetHandshake as this will tear down the
|
||||
* existing connection.
|
||||
*/
|
||||
if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) {
|
||||
int errCode = PR_GetError();
|
||||
if (errCode == SEC_ERROR_INVALID_ARGS) {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Re-negotation request failed: "
|
||||
"trying to do client authentication on a non-SSL3 connection");
|
||||
} else {
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Re-negotation request failed: "
|
||||
"returned error %d", errCode);
|
||||
}
|
||||
r->connection->aborted = 1;
|
||||
return HTTP_FORBIDDEN;
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||
"Awaiting re-negotiation handshake");
|
||||
|
246
mod_nss-cipherlist_update_for_tls12-doc.diff
Normal file
246
mod_nss-cipherlist_update_for_tls12-doc.diff
Normal file
@ -0,0 +1,246 @@
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
|
||||
--- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100
|
||||
@@ -632,100 +632,121 @@
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fortezza_null<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">fips_3des_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_des_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_128_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">rsa_aes_256_sha<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_camellia_128_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td style="vertical-align: top;">rsa_camellia_256_sha<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
|
||||
+ </td>
|
||||
+ <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Additionally there are a number of ECC ciphers:<br>
|
||||
<br>
|
||||
<table style="width: 70%;" border="1" cellpadding="2" cellspacing="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">Cipher Name<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">NSS Cipher
|
||||
Definition<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">Protocol<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_3des_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_128_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_ecdsa_aes_256_sha</td>
|
||||
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_null_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_ecdsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
@@ -773,100 +794,120 @@
|
||||
<tr>
|
||||
<td>echde_rsa_null</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_rc4_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_3des_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_128_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdhe_rsa_aes_256_sha</td>
|
||||
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_null_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_rc4_128sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_3des_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_128_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ecdh_anon_aes_256_sha</td>
|
||||
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
|
||||
<td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
</tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_ecdsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdhe_ecdsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdh_rsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>ecdhe_rsa_aes_128_gcm_sha</td>
|
||||
+ <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
|
||||
+ <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
|
||||
+ </tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
<code>NSSCipherSuite
|
||||
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br>
|
||||
-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br>
|
||||
+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br>
|
||||
<br>
|
||||
<big><big>NSSProtocol<br>
|
||||
</big></big><br>
|
||||
A comma-separated string that lists the basic protocols that the server
|
||||
can use (and clients may connect with). It doesn't enable a cipher
|
||||
specifically but allows ciphers for that protocol to be used at all.<br>
|
||||
<br>
|
||||
Options are:<br>
|
||||
<ul>
|
||||
<li><code>SSLv3</code></li>
|
||||
<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
|
||||
<li><code>TLSv1.0</code></li>
|
||||
<li><code>TLSv1.1</code></li>
|
||||
<li><code>TLSv1.2</code></li>
|
||||
<li><code>All</code></li>
|
||||
</ul>
|
||||
Note that this differs from mod_ssl in that you can't add or subtract
|
||||
protocols.<br>
|
||||
<br>
|
||||
If no NSSProtocol is specified, mod_nss will default to allowing the use of
|
||||
the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
|
||||
minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
|
||||
allowed.
|
||||
<br>
|
||||
If values for NSSProtocol are specified, mod_nss will set both the minimum
|
||||
and the maximum allowed protocols based upon these entries allowing for the
|
||||
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
|
||||
are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
|
||||
protocol ranges to accept all protocols inclusively
|
||||
(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
|
||||
in the middle of a range (e. g. - TLS 1.0).<br>
|
||||
<br>
|
||||
Finally, NSS will always automatically negotiate the use of the strongest
|
||||
possible protocol that has been specified which is acceptable to both sides of
|
||||
a given connection.<br>
|
||||
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Example</span><br>
|
||||
<br>
|
||||
<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
|
||||
<br>
|
243
mod_nss-cipherlist_update_for_tls12.diff
Normal file
243
mod_nss-cipherlist_update_for_tls12.diff
Normal file
@ -0,0 +1,243 @@
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
|
||||
--- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100
|
||||
@@ -318,103 +318,103 @@
|
||||
|
||||
/*
|
||||
* Define the mod_ssl per-directory configuration structure
|
||||
* (i.e. the local configuration for all <Directory>
|
||||
* and .htaccess contexts)
|
||||
*/
|
||||
typedef struct {
|
||||
BOOL bSSLRequired;
|
||||
apr_array_header_t *aRequirement;
|
||||
int nOptions;
|
||||
int nOptionsAdd;
|
||||
int nOptionsDel;
|
||||
const char *szCipherSuite;
|
||||
nss_verify_t nVerifyClient;
|
||||
const char *szUserName;
|
||||
} SSLDirConfigRec;
|
||||
|
||||
/*
|
||||
* Cipher definitions
|
||||
*/
|
||||
typedef struct
|
||||
{
|
||||
const char *name;
|
||||
int num;
|
||||
int fortezza_only;
|
||||
PRInt32 version; /* protocol version valid for this cipher */
|
||||
} cipher_properties;
|
||||
|
||||
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
|
||||
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
|
||||
* is the last version without this define. This is used for more than just
|
||||
* the below defines. It also determines which API is used.
|
||||
*/
|
||||
#ifndef AP_SERVER_MAJORVERSION_NUMBER
|
||||
#define AP_SERVER_MAJORVERSION_NUMBER 2
|
||||
#define AP_SERVER_MINORVERSION_NUMBER 0
|
||||
#define AP_SERVER_PATCHLEVEL_NUMBER 55
|
||||
#endif
|
||||
|
||||
#if AP_SERVER_MINORVERSION_NUMBER < 2
|
||||
typedef struct regex_t ap_regex_t;
|
||||
#define AP_REG_EXTENDED REG_EXTENDED
|
||||
#define AP_REG_NOSUB REG_NOSUB
|
||||
#define AP_REG_ICASE REG_ICASE
|
||||
#endif
|
||||
|
||||
enum sslversion { SSL2=1, SSL3=2, TLS=4};
|
||||
|
||||
/* the table itself is defined in nss_engine_init.c */
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
-#define ciphernum 48
|
||||
+#define ciphernum 55
|
||||
#else
|
||||
-#define ciphernum 23
|
||||
+#define ciphernum 26
|
||||
#endif
|
||||
|
||||
/*
|
||||
* function prototypes
|
||||
*/
|
||||
|
||||
/* API glue structures */
|
||||
extern module AP_MODULE_DECLARE_DATA nss_module;
|
||||
|
||||
/* configuration handling */
|
||||
SSLModConfigRec *nss_config_global_create(server_rec *);
|
||||
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
|
||||
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
|
||||
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
|
||||
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
|
||||
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
|
||||
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
#ifdef SSL_ENABLE_RENEGOTIATION
|
||||
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
|
||||
#endif
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
#endif
|
||||
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
|
||||
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
|
||||
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
|
||||
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
|
||||
|
||||
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
|
||||
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
|
||||
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
|
||||
diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
|
||||
--- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100
|
||||
+++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100
|
||||
@@ -15,122 +15,130 @@
|
||||
|
||||
#include "mod_nss.h"
|
||||
#include "apr_thread_proc.h"
|
||||
#include "ap_mpm.h"
|
||||
#include "secmod.h"
|
||||
#include "sslerr.h"
|
||||
#include "pk11func.h"
|
||||
#include "ocsp.h"
|
||||
#include "keyhi.h"
|
||||
#include "cert.h"
|
||||
|
||||
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
||||
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
||||
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
||||
static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
||||
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
||||
|
||||
/*
|
||||
* Global variables defined in this file.
|
||||
*/
|
||||
char* INTERNAL_TOKEN_NAME = "internal ";
|
||||
|
||||
cipher_properties ciphers_def[ciphernum] =
|
||||
{
|
||||
/* SSL2 cipher suites */
|
||||
{"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
|
||||
{"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
{"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
|
||||
{"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
|
||||
{"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
|
||||
{"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
|
||||
/* SSL3/TLS cipher suites */
|
||||
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
|
||||
{"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
|
||||
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
|
||||
{"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
|
||||
{"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
|
||||
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
|
||||
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
|
||||
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
|
||||
/* AES ciphers.*/
|
||||
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
|
||||
+ {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
+ {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
|
||||
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
|
||||
+ {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
|
||||
+
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
/* ECC ciphers.*/
|
||||
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
+ {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
|
||||
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
|
||||
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS},
|
||||
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS},
|
||||
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS},
|
||||
#endif
|
||||
};
|
||||
|
||||
static char *version_components[] = {
|
||||
"SSL_VERSION_PRODUCT",
|
||||
"SSL_VERSION_INTERFACE",
|
||||
"SSL_VERSION_LIBRARY",
|
||||
NULL
|
||||
};
|
||||
|
||||
static char *nss_add_version_component(apr_pool_t *p,
|
||||
server_rec *s,
|
||||
char *name)
|
||||
{
|
||||
char *val = nss_var_lookup(p, s, NULL, NULL, name);
|
||||
|
||||
if (val && *val) {
|
||||
ap_add_version_component(p, val);
|
||||
}
|
||||
|
||||
return val;
|
||||
}
|
||||
|
||||
static void nss_add_version_components(apr_pool_t *p,
|
||||
server_rec *s)
|
||||
{
|
||||
char *vals[sizeof(version_components)/sizeof(char *)];
|
||||
int i;
|
||||
|
||||
for (i=0; version_components[i]; i++) {
|
||||
vals[i] = nss_add_version_component(p, s,
|
||||
version_components[i]);
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
||||
"Server: %s, Interface: %s, Library: %s",
|
||||
AP_SERVER_BASEVERSION,
|
||||
vals[1], /* SSL_VERSION_INTERFACE */
|
||||
vals[2]); /* SSL_VERSION_LIBRARY */
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize SSL library
|
||||
*
|
@ -1,70 +0,0 @@
|
||||
--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400
|
||||
+++ mod_nss-1.0.6/nss.conf.in 2013-01-22 10:33:25.000000000 +0100
|
||||
@@ -8,14 +8,16 @@
|
||||
# consult the online docs. You have been warned.
|
||||
#
|
||||
|
||||
+LoadModule nss_module @apache_lib@/libmodnss.so
|
||||
+
|
||||
#
|
||||
# When we also provide SSL we have to listen to the
|
||||
# standard HTTP port (see above) and to the HTTPS port
|
||||
#
|
||||
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
|
||||
-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
|
||||
+# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
|
||||
#
|
||||
-Listen 443
|
||||
+Listen 8443
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
@@ -40,7 +42,7 @@
|
||||
# Pass Phrase Helper:
|
||||
# This helper program stores the token password pins between
|
||||
# restarts of Apache.
|
||||
-NSSPassPhraseHelper @apache_bin@/nss_pcache
|
||||
+NSSPassPhraseHelper /usr/sbin/nss_pcache
|
||||
|
||||
# Configure the SSL Session Cache.
|
||||
# NSSSessionCacheSize is the number of entries in the cache.
|
||||
@@ -68,17 +70,17 @@
|
||||
## SSL Virtual Host Context
|
||||
##
|
||||
|
||||
-<VirtualHost _default_:443>
|
||||
+<VirtualHost _default_:8443>
|
||||
|
||||
# General setup for the virtual host
|
||||
#DocumentRoot "@apache_prefix@/htdocs"
|
||||
-#ServerName www.example.com:443
|
||||
+#ServerName www.example.com:8443
|
||||
#ServerAdmin you@example.com
|
||||
|
||||
# mod_nss can log to separate log files, you can choose to do that if you'd like
|
||||
# LogLevel is not inherited from httpd.conf.
|
||||
-#ErrorLog @apache_prefix@/logs/error_log
|
||||
-#TransferLog @apache_prefix@/logs/access_log
|
||||
+ErrorLog /var/log/apache2/error_log
|
||||
+TransferLog /var/log/apache2/access_log
|
||||
LogLevel warn
|
||||
|
||||
# SSL Engine Switch:
|
||||
@@ -113,7 +115,7 @@
|
||||
# The NSS security database directory that holds the certificates and
|
||||
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
|
||||
# Provide the directory that these files exist.
|
||||
-NSSCertificateDatabase @apache_conf@
|
||||
+NSSCertificateDatabase @apache_conf@/alias
|
||||
|
||||
# Database Prefix:
|
||||
# In order to be able to store multiple NSS databases in one directory
|
||||
@@ -189,7 +191,7 @@
|
||||
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
|
||||
NSSOptions +StdEnvVars
|
||||
</Files>
|
||||
-<Directory "@apache_prefix@/cgi-bin">
|
||||
+<Directory "@apache_prefix@/cgi-bin">
|
||||
NSSOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
@ -123,27 +123,6 @@ diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
|
||||
|
||||
static void nss_init_ctx_protocol(server_rec *s,
|
||||
|
||||
diff -up ./nss.conf.in.norego ./nss.conf.in
|
||||
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
|
||||
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
|
||||
@@ -64,6 +64,17 @@
|
||||
#NSSRandomSeed startup file:/dev/random 512
|
||||
#NSSRandomSeed startup file:/dev/urandom 512
|
||||
|
||||
+#
|
||||
+# TLS Negotiation configuration under RFC 5746
|
||||
+#
|
||||
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
|
||||
+# extension. Default off.
|
||||
+NSSRenegotiation off
|
||||
+
|
||||
+# Peer must send Signaling Cipher Suite Value (SCSV) or
|
||||
+# Renegotiation Info (RI) extension in ALL handshakes. Default: off
|
||||
+NSSRequireSafeNegotiation off
|
||||
+
|
||||
##
|
||||
## SSL Virtual Host Context
|
||||
##
|
||||
|
||||
diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
|
||||
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
|
||||
|
@ -375,28 +375,6 @@ Index: mod_nss-1.0.8/mod_nss.c
|
||||
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
|
||||
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
|
||||
"(`XXX:...:XXX' - see manual)")
|
||||
Index: mod_nss-1.0.8/nss.conf.in
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss.conf.in
|
||||
+++ mod_nss-1.0.8/nss.conf.in
|
||||
@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
|
||||
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
|
||||
-NSSProtocol SSLv3,TLSv1
|
||||
+# SSL Protocol:
|
||||
+# Cryptographic protocols that provide communication security.
|
||||
+# NSS handles the specified protocols as "ranges", and automatically
|
||||
+# negotiates the use of the strongest protocol for a connection starting
|
||||
+# with the maximum specified protocol and downgrading as necessary to the
|
||||
+# minimum specified protocol that can be used between two processes.
|
||||
+# Since all protocol ranges are completely inclusive, and no protocol in the
|
||||
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
|
||||
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
|
||||
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the RSA server certificate you are going to use.
|
||||
Index: mod_nss-1.0.8/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.8.orig/nss_engine_init.c
|
||||
|
330
mod_nss.conf.in
Normal file
330
mod_nss.conf.in
Normal file
@ -0,0 +1,330 @@
|
||||
# This is /etc/apache2/conf.d/mod_nss.conf
|
||||
#
|
||||
# Configuration for mod_nss starts in this file.
|
||||
#
|
||||
# Contents:
|
||||
# 1) generic information about mod_nss and its relation to mod_ssl
|
||||
# 2) initialization and loading of the apache module in the SUSE framework
|
||||
# 3) hints on specifics for the configuration.
|
||||
#..............................................................................
|
||||
#
|
||||
# 1) generic information about mod_nss and its relation to mod_ssl
|
||||
#
|
||||
# Concurrency of apache crypto modules:
|
||||
#
|
||||
# mod_nss implements SSL/TLS protocol support for the apache webserver and
|
||||
# is an alternative to mod_ssl. Both modules can be initialized at the same
|
||||
# time, but, obviously, the protocol handlers ("SSLEngine on" for mod_ssl
|
||||
# and "NSSEngine on" for mod_nss) cannot be active simultaneously, at a
|
||||
# global scope, or in the context of a VirtualHost configuration directive
|
||||
# block.
|
||||
#
|
||||
# If for a port that apache listens on, only one VirtualHost section
|
||||
# has the directive "NSSEngine" set to "on", it will have precedence over
|
||||
# all other VirtualHost declarations (that may have SSLEngine set to on
|
||||
# in their context). A simultaneaous operation of both modules for different
|
||||
# VirtualHosts on the same IP Address and port is not possible.
|
||||
#
|
||||
# Reason:
|
||||
# The brwoser/client connects to the web server's port 443 and initializes
|
||||
# an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the
|
||||
# client to specify the host that it wants to connect to, unless the crypto
|
||||
# has been fully initialized already. Similarly, the server cannot present
|
||||
# the correct certificate to the browser that matches the requested hostname.
|
||||
# As a consequence, if endpoints are limited to SSLv3, only one web server and
|
||||
# no virtual servers can be bound to one address. Each additional web server
|
||||
# would need a new IP address.
|
||||
# Starting with TLSv1.0, the protocol comes with the Server Name Indication
|
||||
# (SNI) extension that allows the client to specify the requested hostname
|
||||
# before the cryptographical part of the protocol is initialized. However,
|
||||
# this type of hostname distinction is handled by the crypto library in
|
||||
# combination with mod_ssl or mod_nss, not by apache's core.
|
||||
# This means that in a dual mod_ssl and mod_nss configuration that is not
|
||||
# selective on IP addresses, and even if you use TLSv1.0 and newer only,
|
||||
# only one out of mod_ssl or mod_nss will be active.
|
||||
# Consequences:
|
||||
# a) If you need support for encrypted connections using _both_ mod_nss and
|
||||
# mod_ssl, you should consider using more than one IP addresses, and
|
||||
# configure the server's crypto engine/module bound to the IP address.
|
||||
# b) If you do NOT need both mod_nss and mod_ssl simultaneaously in apache,
|
||||
# it is recommended to decide for one and deactivate the other.
|
||||
#
|
||||
# Certificates:
|
||||
# The directory /etc/apache/mod_nss.d contains everything that mod_nss
|
||||
# needs: keys, certificates. The default configuration has reference
|
||||
# to .db files in /etc/apache/mod_nss.d that shall illustrate how the
|
||||
# configuration should/could look like.
|
||||
#
|
||||
# In addition to providing a central location to store keys and certificates,
|
||||
# /etc/apache/mod_nss.d may also contain configuration files that are
|
||||
# included directly after this documentation text. Note that only files
|
||||
# named *.conf are included!
|
||||
#
|
||||
#
|
||||
#..............................................................................
|
||||
# 2) initialization and loading of the apache module in the SUSE framework
|
||||
#
|
||||
# To get SSL/TLS support activated in apache, two things have to be done:
|
||||
# a) configure and initialize the crypto module that provides the SSL/TLS
|
||||
# protocol support in apache
|
||||
# b) tell apache to listen on the port where browsers typically connect to
|
||||
# if they want to talk SSL/TLS. Normally TCP port 443.
|
||||
#
|
||||
# about a):
|
||||
# The apache module (a shared object file) is loaded by the framework if
|
||||
# the config variable APACHE_MODULES set in /etc/sysconfig/apache2
|
||||
# contains the module name ("nss", without the preceding "mod_").
|
||||
# Either you edit /etc/sysconfig/apache2 manually and add the module name
|
||||
# nss to the other modules in APACHE_MODULES, or you let the command
|
||||
#
|
||||
# a2enmod nss
|
||||
#
|
||||
# do this for you. "a2enmod -d nss" reverses that change and disables mod_nss
|
||||
# again.
|
||||
# All of the configuration directives set in the default config files are
|
||||
# conditional for the loading of the module, which is evident when looking at
|
||||
# the "<IfModule mod_ssl.c>" that shows up further below.
|
||||
#
|
||||
# about b)
|
||||
# The Listen directive in /etc/apache2/listen_nss.conf is conditional on
|
||||
# the server-define "SSL". Add the word SSL to the variable
|
||||
# APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2 .
|
||||
#
|
||||
# Please note that /etc/apache2/listen.conf is read/included from the apache
|
||||
# main configuration file /etc/apache2/httpd.conf;
|
||||
# /etc/apache2/listen_nss.conf is read from this file, just below.
|
||||
#
|
||||
# Additional information can also be found in
|
||||
# /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt
|
||||
#
|
||||
# Roman Drahtmueller <draht@suse.com>
|
||||
#
|
||||
|
||||
|
||||
<IfDefine SSL>
|
||||
<IfDefine !NOSSL>
|
||||
<IfModule mod_nss.c>
|
||||
|
||||
Include /etc/apache2/listen_nss.conf
|
||||
Include /etc/apache2/mod_nss.d/*.conf
|
||||
|
||||
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
##
|
||||
## All SSL configuration in this context applies both to
|
||||
## the main server and all SSL-enabled virtual hosts.
|
||||
##
|
||||
|
||||
#
|
||||
# Some MIME-types for downloading Certificates and CRLs
|
||||
#
|
||||
AddType application/x-x509-ca-cert .crt
|
||||
AddType application/x-pkcs7-crl .crl
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
NSSPassPhraseDialog builtin
|
||||
|
||||
|
||||
# Pass Phrase Helper:
|
||||
# This helper program stores the token password pins between
|
||||
# restarts of Apache.
|
||||
NSSPassPhraseHelper @apache_bin@/nss_pcache
|
||||
|
||||
# Configure the SSL Session Cache.
|
||||
# NSSSessionCacheSize is the number of entries in the cache.
|
||||
# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
|
||||
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
|
||||
NSSSessionCacheSize 10000
|
||||
NSSSessionCacheTimeout 100
|
||||
NSSSession3CacheTimeout 86400
|
||||
|
||||
#
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the SSL library.
|
||||
# The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. Those platforms usually also provide a non-blocking
|
||||
# device, /dev/urandom, which may be used instead.
|
||||
# As a rule of thumb, /dev/urandom should only be used for short-term
|
||||
# secrets (eg. keys, session keys, credentials), while longer-living
|
||||
# secrets such as key pair for a certificate should receive its
|
||||
# randomness from /dev/random .
|
||||
#
|
||||
# This does not support seeding the RNG with each connection.
|
||||
|
||||
NSSRandomSeed startup builtin
|
||||
#NSSRandomSeed startup file:/dev/random 512
|
||||
#NSSRandomSeed startup file:/dev/urandom 512
|
||||
|
||||
|
||||
#
|
||||
# TLS Negotiation configuration under RFC 5746
|
||||
#
|
||||
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
|
||||
# extension. Default off.
|
||||
NSSRenegotiation off
|
||||
|
||||
# Peer must send Signaling Cipher Suite Value (SCSV) or
|
||||
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
|
||||
NSSRequireSafeNegotiation off
|
||||
|
||||
|
||||
|
||||
##
|
||||
## SSL Virtual Host Context
|
||||
##
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
|
||||
# General setup for the virtual host
|
||||
#DocumentRoot "@apache_prefix@/htdocs"
|
||||
#ServerName www.example.com:443
|
||||
#ServerAdmin you@example.com
|
||||
|
||||
# mod_nss can log to separate log files, you can choose to do that if you'd like
|
||||
# LogLevel is not inherited from httpd.conf.
|
||||
#ErrorLog /var/log/apache2/error_log
|
||||
#TransferLog /var/log/apache2/access_log
|
||||
LogLevel warn
|
||||
|
||||
# SSL Engine Switch:
|
||||
# Enable/Disable SSL for this virtual host.
|
||||
NSSEngine on
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_nss documentation for a complete list.
|
||||
|
||||
# SSL 3 ciphers. SSL 2 is disabled by default.
|
||||
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
|
||||
|
||||
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
|
||||
#
|
||||
# Comment out the NSSCipherSuite line above and use the one below if you have
|
||||
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
|
||||
|
||||
# SSL Protocol:
|
||||
# Cryptographic protocols that provide communication security.
|
||||
# NSS handles the specified protocols as "ranges", and automatically
|
||||
# negotiates the use of the strongest protocol for a connection starting
|
||||
# with the maximum specified protocol and downgrading as necessary to the
|
||||
# minimum specified protocol that can be used between two processes.
|
||||
# Since all protocol ranges are completely inclusive, and no protocol in the
|
||||
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
|
||||
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
|
||||
# Here, we disable SSLv3, but allow TLSv1.0 through TLSv1.2 :
|
||||
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the RSA server certificate you are going to use.
|
||||
NSSNickname Server-Cert
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the ECC server certificate you are going to use, if you
|
||||
# have an ECC-enabled version of NSS and mod_nss
|
||||
#NSSECCNickname Server-Cert-ecc
|
||||
|
||||
# Server Certificate Database:
|
||||
# The NSS security database directory that holds the certificates and
|
||||
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
|
||||
# Provide the directory that these files exist.
|
||||
NSSCertificateDatabase @apache_conf@/mod_nss.d
|
||||
|
||||
# Database Prefix:
|
||||
# In order to be able to store multiple NSS databases in one directory
|
||||
# they need unique names. This option sets the database prefix used for
|
||||
# cert8.db and key3.db.
|
||||
#NSSDBPrefix my-prefix-
|
||||
|
||||
# Client Authentication (Type):
|
||||
# Client certificate verification type. Types are none, optional and
|
||||
# require.
|
||||
#NSSVerifyClient none
|
||||
|
||||
#
|
||||
# Online Certificate Status Protocol (OCSP).
|
||||
# Verify that certificates have not been revoked before accepting them.
|
||||
#NSSOCSP off
|
||||
|
||||
#
|
||||
# Use a default OCSP responder. If enabled this will be used regardless
|
||||
# of whether one is included in a client certificate. Note that the
|
||||
# server certificate is verified during startup.
|
||||
#
|
||||
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
|
||||
# NSSOCSPDefaultName is the nickname of the certificate to trust to
|
||||
# sign the OCSP responses.
|
||||
#NSSOCSPDefaultResponder on
|
||||
#NSSOCSPDefaultURL http://example.com/ocsp/status
|
||||
#NSSOCSPDefaultName ocsp-nickname
|
||||
|
||||
# Access Control:
|
||||
# With SSLRequire you can do per-directory access control based
|
||||
# on arbitrary complex boolean expressions containing server
|
||||
# variable checks and other lookup directives. The syntax is a
|
||||
# mixture between C and Perl. See the mod_nss documentation
|
||||
# for more details.
|
||||
#<Location />
|
||||
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||
#</Location>
|
||||
|
||||
# SSL Engine Options:
|
||||
# Set various options for the SSL engine.
|
||||
# o FakeBasicAuth:
|
||||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||
# user name is the `one line' version of the client's X.509 certificate.
|
||||
# Note that no password is obtained from the user. Every entry in the user
|
||||
# file needs this password: `xxj31ZMTZzkVA'.
|
||||
# o ExportCertData:
|
||||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||
# server (always existing) and the client (only existing when client
|
||||
# authentication is used). This can be used to import the certificates
|
||||
# into CGI scripts.
|
||||
# o StdEnvVars:
|
||||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||
# Per default this exportation is switched off for performance reasons,
|
||||
# because the extraction step is an expensive operation and is usually
|
||||
# useless for serving static content. So one usually enables the
|
||||
# exportation for CGI and SSI requests only.
|
||||
# o StrictRequire:
|
||||
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
|
||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||
# and no other module can change it.
|
||||
# o OptRenegotiate:
|
||||
# This enables optimized SSL connection renegotiation handling when SSL
|
||||
# directives are used in per-directory context.
|
||||
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
|
||||
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
|
||||
NSSOptions +StdEnvVars
|
||||
</Files>
|
||||
<Directory "@apache_prefix@/cgi-bin">
|
||||
NSSOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
# Per-Server Logging:
|
||||
# The home of a custom SSL log file. Use this when you want a
|
||||
# compact non-error SSL logfile on a virtual host basis.
|
||||
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
|
||||
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
|
||||
</IfModule>
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
|
396
mod_nss_migrate.pl
Normal file
396
mod_nss_migrate.pl
Normal file
@ -0,0 +1,396 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Migrate configuration from OpenSSL to NSS
|
||||
|
||||
use Cwd;
|
||||
use Getopt::Std;
|
||||
|
||||
BEGIN {
|
||||
# $NSSDir = cwd();
|
||||
$NSSDir = "/etc/apache2/mod_nss.d";
|
||||
|
||||
$SSLCACertificatePath = "";
|
||||
$SSLCACertificateFile = "";
|
||||
$SSLCertificateFile = "";
|
||||
$SSLCARevocationPath = "";
|
||||
$SSLCARevocationFile = "";
|
||||
$SSLCertificateKeyFile = "";
|
||||
$passphrase = 0;
|
||||
}
|
||||
|
||||
%skip = ( "SSLRandomSeed" => "",
|
||||
"SSLSessionCache" => "",
|
||||
"SSLMutex" => "",
|
||||
"SSLCertificateChainFile" => "",
|
||||
"SSLVerifyDepth" => "" ,
|
||||
"SSLCryptoDevice" => "" ,
|
||||
"LoadModule" => "" ,
|
||||
);
|
||||
|
||||
%insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
|
||||
|
||||
getopts('chr:w:' , \%opt );
|
||||
|
||||
sub usage() {
|
||||
print STDERR "Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
|
||||
print STDERR "\t-c converts the certificates\n";
|
||||
print STDERR "This conversion script is not aware of apache's configuration blocks\n";
|
||||
print STDERR "and nestable conditional directives. Please check the output of the\n";
|
||||
print STDERR "conversion and adjust manually if necessary!\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ;
|
||||
|
||||
|
||||
|
||||
print STDERR "input: $opt{r} output: $opt{w}\n";
|
||||
|
||||
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
|
||||
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
|
||||
|
||||
|
||||
print NSS "## This is a conversion of mod_ssl specific options by /usr/sbin/mod_nss_migrate.pl\n";
|
||||
print NSS "## Most of the comments in the original .conf file have been omitted here, as\n";
|
||||
print NSS "## the comments may not be valid for mod_nss, too.\n";
|
||||
print NSS "## \n";
|
||||
print NSS "## Please read through this configuration and verify the individual options!\n\n";
|
||||
|
||||
|
||||
while (<SSL>) {
|
||||
my $comment = 0;
|
||||
|
||||
|
||||
# write through even if in comment before comments are stripped below.
|
||||
if(/(ServerName|ServerAlias)/) {
|
||||
print NSS $_;
|
||||
next;
|
||||
}
|
||||
|
||||
# skip blank lines and comments
|
||||
if (/^#/ || /^\s*#/ || /^\s*$/) {
|
||||
# do not copy them; they may not be useful anyway.
|
||||
# print NSS $_;
|
||||
next;
|
||||
}
|
||||
|
||||
s/mod_ssl\.c/mod_nss.c/;
|
||||
|
||||
# write through nestable apache configuration block directives:
|
||||
if (/^</ || /^\s</) {
|
||||
print NSS $_;
|
||||
next;
|
||||
}
|
||||
|
||||
m/(\w+)\s+(.+)/;
|
||||
$stmt = $1;
|
||||
$value = $2;
|
||||
|
||||
# Handle the special cases
|
||||
if ($stmt eq "SSLVerifyClient" && $value eq "optional_no_ca") {
|
||||
print NSS "# Replaced optional_no_ca with optional\n";
|
||||
print NSS "SSLVerifyClient optional\n";
|
||||
next;
|
||||
}
|
||||
|
||||
if ($stmt eq "SSLCipherSuite") {
|
||||
print NSS "## original SSLCipherSuite config line: $_";
|
||||
print NSS "NSSCipherSuite ", get_ciphers($val), "\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLEngine" ) {
|
||||
print NSS "##$_";
|
||||
print NSS "NSSEngine $value\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLProtocol" ) {
|
||||
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
|
||||
print NSS "##$_";
|
||||
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
|
||||
print NSS "## You may also specify SSLv3 at the beginning of the range. Not done here:\n";
|
||||
print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
|
||||
next;
|
||||
} elsif ($stmt eq "SSLCACertificatePath") {
|
||||
$SSLCACertificatePath = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLCACertificateFile") {
|
||||
$SSLCACertificateFile = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLCertificateFile") {
|
||||
print NSS "NSSCertificateDatabase $NSSDir\n";
|
||||
print NSS "NSSNickName Server-Cert\n";
|
||||
$SSLCertificateFile = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLCertificateKeyFile") {
|
||||
$SSLCertificateKeyFile = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLCARevocationPath") {
|
||||
$SSLCARevocationPath = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLCARevocationFile") {
|
||||
$SSLCARevocationFile = $value;
|
||||
$comment = 1;
|
||||
} elsif ($stmt eq "SSLPassPhraseDialog") {
|
||||
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
|
||||
$passphrase = 1;
|
||||
$comment = 1;
|
||||
}
|
||||
|
||||
if (exists($skip{$stmt})) {
|
||||
print NSS "# Skipping, not applicable in mod_nss\n";
|
||||
print NSS "##$_";
|
||||
next;
|
||||
}
|
||||
|
||||
# Fix up any remaining directive names
|
||||
s/SSL/NSS/;
|
||||
|
||||
|
||||
if (exists($insert{$stmt})) {
|
||||
print NSS "$_";
|
||||
print NSS $insert{$stmt};
|
||||
next;
|
||||
}
|
||||
|
||||
# Fall-through to print whatever is left
|
||||
if ($comment) {
|
||||
print NSS "##$_";
|
||||
$comment = 0;
|
||||
} else {
|
||||
print NSS $_;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if ($passphrase == 0) {
|
||||
print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
|
||||
}
|
||||
|
||||
close(NSS);
|
||||
close(SSL);
|
||||
|
||||
#
|
||||
# Create NSS certificate database and import any existing certificates
|
||||
#
|
||||
|
||||
if ($opt{c}) {
|
||||
print STDERR "Creating NSS certificate database.\n";
|
||||
run_command("certutil -N -d $NSSDir");
|
||||
|
||||
# Convert the certificate into pkcs12 format
|
||||
if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
|
||||
my $subject = get_cert_subject($SSLCertificateFile);
|
||||
print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
|
||||
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo ");
|
||||
run_command("pk12util -i server.p12 -d $NSSDir -W foo ");
|
||||
}
|
||||
|
||||
if ($SSLCACertificateFile ne "") {
|
||||
my $subject = get_cert_subject($SSLCACertificateFile);
|
||||
if ($subject ne "") {
|
||||
print STDERR "Importing CA certificate $subject\n";
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile ");
|
||||
}
|
||||
}
|
||||
|
||||
if ($SSLCACertificatePath ne "") {
|
||||
opendir(DIR, $SSLCACertificatePath) or die "can't opendir $SSLCACertificatePath: $!";
|
||||
while (defined($file = readdir(DIR))) {
|
||||
next if -d $file;
|
||||
|
||||
# we can operate directly on the hash files so don't have to worry
|
||||
# about any SKIPME's.
|
||||
if ($file =~ /hash.*/) {
|
||||
my $subject = get_cert_subject("$SSLCACertificatePath/$file");
|
||||
if ($subject ne "") {
|
||||
print STDERR "Importing CA certificate $subject\n";
|
||||
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file ");
|
||||
}
|
||||
}
|
||||
}
|
||||
closedir(DIR);
|
||||
}
|
||||
|
||||
if ($SSLCARevocationFile ne "") {
|
||||
print STDERR "Importing CRL file $CARevocationFile\n";
|
||||
# Convert to DER format
|
||||
run_command("openssl crl -in $SSLCARevocationFile -out /root/crl.tmp -inform PEM -outform DER");
|
||||
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
|
||||
unlink("/root/crl.tmp");
|
||||
}
|
||||
|
||||
if ($SSLCARevocationPath ne "") {
|
||||
opendir(DIR, $SSLCARevocationPath) or die "can't opendir $SSLCARevocationPath: $!";
|
||||
while (defined($file = readdir(DIR))) {
|
||||
next if -d $file;
|
||||
|
||||
# we can operate directly on the hash files so don't have to worry
|
||||
# about any SKIPME's.
|
||||
if ($file =~ /hash.*/) {
|
||||
my $subject = get_cert_subject("$SSLCARevocationPath/$file");
|
||||
if ($subject ne "") {
|
||||
print STDERR "Importing CRL file $file\n";
|
||||
# Convert to DER format
|
||||
run_command("openssl crl -in $SSLCARevocationPath/$file -out /root/crl.tmp -inform PEM -outform DER");
|
||||
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
|
||||
unlink("/root/crl.tmp");
|
||||
}
|
||||
}
|
||||
}
|
||||
closedir(DIR);
|
||||
}
|
||||
}
|
||||
|
||||
print STDERR "\n\nConversion complete.\n";
|
||||
print STDERR "The output file should contain a valid mod_nss configuration based on\n";
|
||||
print STDERR "the mod_ssl directives from the input file.\n";
|
||||
print STDERR "Recommended directory: /etc/apache2/mod_nss.d , suffix .conf!\n";
|
||||
print STDERR "Also make sure to edit /etc/apache2/conf.d/mod_nss.conf and to remove the\n";
|
||||
print STDERR "<VirtualHost> section if you do not need it.\n\n";
|
||||
print STDERR "Also, do not forget to rename the ssl based apache config file";
|
||||
print STDERR "(our example: myhost-ssl.conf) to a file that does not end in .conf\n";
|
||||
print STDERR "(our example: myhost-ssl.conf-disabled-for-nss)\n\n";
|
||||
print STDERR "Then, restart apache (rcapache2 restart) and have a look into the error logs.\n";
|
||||
|
||||
exit(0);
|
||||
|
||||
|
||||
# Migrate configuration from OpenSSL to NSS
|
||||
sub get_ciphers {
|
||||
my $str = shift;
|
||||
|
||||
%cipher_list = (
|
||||
"rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
|
||||
"rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:",
|
||||
"rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:",
|
||||
"rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:",
|
||||
"des" => ":ALL:SSLv2:RSA:EXP:EXPORT56:MD5:DES:LOW:",
|
||||
"desede3" => ":ALL:SSLv2:RSA:MD5:3DES:HIGH:",
|
||||
"rsa_rc4_128_md5" => ":ALL:SSLv3:TLSv1:RSA:MD5:RC4:MEDIUM:",
|
||||
"rsa_rc4_128_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:RC4:MEDIUM:",
|
||||
"rsa_3des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:3DES:HIGH:",
|
||||
"rsa_des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:DES:LOW:",
|
||||
"rsa_rc4_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC4:",
|
||||
"rsa_rc2_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC2:",
|
||||
"rsa_null_md5" => ":SSLv3:TLSv1:RSA:MD5:NULL:",
|
||||
"rsa_null_sha" => ":SSLv3:TLSv1:RSA:SHA:NULL:",
|
||||
"rsa_des_56_sha" => ":ALL:SSLv3:TLSv1:RSA:DES:SHA:EXP:EXPORT56:",
|
||||
"rsa_rc4_56_sha" => ":ALL:SSLv3:TLSv1:RSA:RC4:SHA:EXP:EXPORT56:",
|
||||
);
|
||||
|
||||
$NUM_CIPHERS = 16;
|
||||
|
||||
for ($i = 0; $i < $NUM_CIPHERS; $i++) {
|
||||
$selected[$i] = 0;
|
||||
}
|
||||
|
||||
# Don't need to worry about the ordering properties of "+" because
|
||||
# NSS always chooses the "best" cipher anyway. You can't specify
|
||||
# preferred order.
|
||||
|
||||
# -1: this cipher is completely out
|
||||
# 0: this cipher is currently unselected, but maybe added later
|
||||
# 1: this cipher is selected
|
||||
|
||||
@s = split(/:/, $str);
|
||||
|
||||
for ($i = 0; $i <= $#s; $i++) {
|
||||
$j = 0;
|
||||
$val = 1;
|
||||
|
||||
# ! means this cipher is disabled forever
|
||||
if ($s[$i] =~ /^!/) {
|
||||
$val = -1;
|
||||
($s[$i] =~ s/^!//);
|
||||
} elsif ($s[$i] =~ /^-/) {
|
||||
$val = 0;
|
||||
($s[$i] =~ s/^-//);
|
||||
} elsif ($s[$i] =~ /^+/) {
|
||||
($s[$i] =~ s/^+//);
|
||||
}
|
||||
|
||||
for $cipher (sort keys %cipher_list) {
|
||||
$match = 0;
|
||||
|
||||
# For embedded + we do an AND for all options
|
||||
if ($s[$i] =~ m/(\w+\+)+/) {
|
||||
@sub = split(/^\+/, $s[$i]);
|
||||
$match = 1;
|
||||
for ($k = 0; $k <=$#sub; $k++) {
|
||||
if ($cipher_list{$cipher} !=~ m/:$sub[$k]:/) {
|
||||
$match = 0;
|
||||
}
|
||||
}
|
||||
} else { # straightforward match
|
||||
if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
|
||||
$match = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if ($match && $selected[$j] != -1) {
|
||||
$selected[$j] = $val;
|
||||
}
|
||||
$j++;
|
||||
}
|
||||
}
|
||||
|
||||
# NSS doesn't honor the order of a cipher list, it uses the "strongest"
|
||||
# cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and
|
||||
# the NSS ciphers not available in OpenSSL.
|
||||
$str = "SSLv2:SSLv3";
|
||||
@s = split(/:/, $str);
|
||||
|
||||
$ciphersuite = "";
|
||||
|
||||
for ($i = 0; $i <= $#s; $i++) {
|
||||
$j = 0;
|
||||
for $cipher (sort keys %cipher_list) {
|
||||
if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
|
||||
if ($selected[$j]) {
|
||||
$ciphersuite .= "+";
|
||||
} else {
|
||||
$ciphersuite .= "-";
|
||||
}
|
||||
$ciphersuite .= $cipher . ",";
|
||||
}
|
||||
$j++;
|
||||
}
|
||||
}
|
||||
|
||||
$ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha";
|
||||
|
||||
return $ciphersuite;
|
||||
}
|
||||
|
||||
# Given the filename of a PEM file, use openssl to fetch the certificate
|
||||
# subject
|
||||
sub get_cert_subject {
|
||||
my $file = shift;
|
||||
my $subject = "";
|
||||
|
||||
return "" if ! -T $file;
|
||||
|
||||
$subject = `openssl x509 -subject < $file | head -1`;
|
||||
$subject =~ s/subject= \///; # Remove leading subject= \
|
||||
$subject =~ s/\//,/g; # Replace / with , as separator
|
||||
$subject =~ s/Email=.*(,){0,1}//; # Remove Email attribute
|
||||
$subject =~ s/,$//; # Remove any trailing commas
|
||||
|
||||
chomp($subject);
|
||||
|
||||
return $subject;
|
||||
}
|
||||
|
||||
#
|
||||
# Wrapper around the system() command
|
||||
|
||||
sub run_command {
|
||||
my @args = shift;
|
||||
my $status = 0;
|
||||
|
||||
$status = 0xffff & system(@args);
|
||||
|
||||
return if ($status == 0);
|
||||
|
||||
print STDERR "Command '@args' failed: $!\n";
|
||||
|
||||
exit;
|
||||
}
|
Loading…
Reference in New Issue
Block a user