forked from pool/apache2-mod_nss
Accepting request 242385 from home:draht:branches:mozilla:Factory
- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and
open("/dev/tty", ...) to make sure that stdin can be read from.
startproc may inherit wrongly opened file descriptors to httpd.
(Note: An analogous fix exists in startproc(8), too.)
[bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
externalized to /etc/apache2/conf.d/vhost-nss.template and not
activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
change. [bnc#878681]
- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
server side SNI was not implemented when mod_nss was made;
patches implement SNI with checks if SNI provided hostname
equals Host: field in http request header.
OBS-URL: https://build.opensuse.org/request/show/242385
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=10
This commit is contained in:
Wolfgang Rosenauer
committed by
Git OBS Bridge
Git OBS Bridge
parent
1d3e419a19
commit
ce9f02cd08
141
vhost-nss.template
Normal file
141
vhost-nss.template
Normal file
@@ -0,0 +1,141 @@
|
||||
|
||||
##
|
||||
## SSL Virtual Host Context
|
||||
##
|
||||
|
||||
|
||||
## The idea is that certificate specific options belong to a VirtualHost
|
||||
## directive block, while the cipher and protocol configuration is a global
|
||||
## setting that comes from /etc/apache2/conf.d/mod_nss.conf .
|
||||
## The system-wide mod_nss.conf does not have any certificate-specific
|
||||
## options set, so you would need to set them in your own config.
|
||||
##
|
||||
## Please place this file into /etc/apache2/vhosts.d with a name that ends
|
||||
## in .conf . Files not named *.conf are ignored by the configuration
|
||||
## framework.
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
|
||||
# General setup for the virtual host
|
||||
#DocumentRoot "@apache_prefix@/htdocs"
|
||||
#ServerName www.example.com:443
|
||||
#ServerAdmin you@example.com
|
||||
|
||||
# mod_nss can log to separate log files, you can choose to do that if you'd like
|
||||
# LogLevel is not inherited from httpd.conf.
|
||||
#ErrorLog /var/log/apache2/error_log
|
||||
#TransferLog /var/log/apache2/access_log
|
||||
LogLevel warn
|
||||
|
||||
# SSL Engine Switch:
|
||||
# Enable/Disable SSL for this virtual host.
|
||||
NSSEngine on
|
||||
|
||||
# SSL Cipher Suite:
|
||||
#
|
||||
# The NSSCipherSuite directive is present in the NSS-specific system-wide
|
||||
# configuration file /etc/apache2/conf.d/mod_nss.conf .
|
||||
# You may set the cipher suite on a virtual host basis here, too.
|
||||
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the RSA server certificate you are going to use.
|
||||
NSSNickname Server-Cert
|
||||
|
||||
# SSL Certificate Nickname:
|
||||
# The nickname of the ECC server certificate you are going to use, if you
|
||||
# have an ECC-enabled version of NSS and mod_nss
|
||||
#NSSECCNickname Server-Cert-ecc
|
||||
|
||||
# Server Certificate Database:
|
||||
# The NSS security database directory that holds the certificates and
|
||||
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
|
||||
# Provide the directory that these files exist.
|
||||
NSSCertificateDatabase /etc/apache2/mod_nss.d
|
||||
|
||||
# Database Prefix:
|
||||
# In order to be able to store multiple NSS databases in one directory
|
||||
# they need unique names. This option sets the database prefix used for
|
||||
# cert8.db and key3.db.
|
||||
#NSSDBPrefix my-prefix-
|
||||
|
||||
# Client Authentication (Type):
|
||||
# Client certificate verification type. Types are none, optional and
|
||||
# require.
|
||||
#NSSVerifyClient none
|
||||
|
||||
#
|
||||
# Online Certificate Status Protocol (OCSP).
|
||||
# Verify that certificates have not been revoked before accepting them.
|
||||
#NSSOCSP off
|
||||
|
||||
#
|
||||
# Use a default OCSP responder. If enabled this will be used regardless
|
||||
# of whether one is included in a client certificate. Note that the
|
||||
# server certificate is verified during startup.
|
||||
#
|
||||
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
|
||||
# NSSOCSPDefaultName is the nickname of the certificate to trust to
|
||||
# sign the OCSP responses.
|
||||
#NSSOCSPDefaultResponder on
|
||||
#NSSOCSPDefaultURL http://example.com/ocsp/status
|
||||
#NSSOCSPDefaultName ocsp-nickname
|
||||
|
||||
# Access Control:
|
||||
# With SSLRequire you can do per-directory access control based
|
||||
# on arbitrary complex boolean expressions containing server
|
||||
# variable checks and other lookup directives. The syntax is a
|
||||
# mixture between C and Perl. See the mod_nss documentation
|
||||
# for more details.
|
||||
#<Location />
|
||||
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||
#</Location>
|
||||
|
||||
# SSL Engine Options:
|
||||
# Set various options for the SSL engine.
|
||||
# o FakeBasicAuth:
|
||||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||
# user name is the `one line' version of the client's X.509 certificate.
|
||||
# Note that no password is obtained from the user. Every entry in the user
|
||||
# file needs this password: `xxj31ZMTZzkVA'.
|
||||
# o ExportCertData:
|
||||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||
# server (always existing) and the client (only existing when client
|
||||
# authentication is used). This can be used to import the certificates
|
||||
# into CGI scripts.
|
||||
# o StdEnvVars:
|
||||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||
# Per default this exportation is switched off for performance reasons,
|
||||
# because the extraction step is an expensive operation and is usually
|
||||
# useless for serving static content. So one usually enables the
|
||||
# exportation for CGI and SSI requests only.
|
||||
# o StrictRequire:
|
||||
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
|
||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||
# and no other module can change it.
|
||||
# o OptRenegotiate:
|
||||
# This enables optimized SSL connection renegotiation handling when SSL
|
||||
# directives are used in per-directory context.
|
||||
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
|
||||
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
|
||||
NSSOptions +StdEnvVars
|
||||
</Files>
|
||||
<Directory "@apache_prefix@/cgi-bin">
|
||||
NSSOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
# Per-Server Logging:
|
||||
# The home of a custom SSL log file. Use this when you want a
|
||||
# compact non-error SSL logfile on a virtual host basis.
|
||||
#CustomLog /var/log/apache2/ssl_request_log \
|
||||
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
Reference in New Issue
Block a user