From 4b69663a7b3e07fe5e8a20eddb52070f041b2fa1f5a52bb3a713964880678133 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Tue, 6 Aug 2013 09:34:39 +0000
Subject: [PATCH] Accepting request 186032 from home:msmeissn:branches:mozilla:Factory
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems
OBS-URL: https://build.opensuse.org/request/show/186032
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=6
---
 apache2-mod_nss.changes | 10 ++
 apache2-mod_nss.spec | 18 +-
 mod_nss-PK11_ListCerts_2.patch | 201 ++++++++++++++++++++++
 mod_nss-clientauth.patch | 50 ++++++
 mod_nss-httpd24.patch | 73 ++++----
 mod_nss-no_shutdown_if_not_init_2.patch | 23 +++
 mod_nss-sslmultiproxy.patch | 214 ++++++++++++++++++++++++
 mod_nss-tlsv1_1.patch | 6 +-
 8 files changed, 556 insertions(+), 39 deletions(-)
 create mode 100644 mod_nss-PK11_ListCerts_2.patch
 create mode 100644 mod_nss-clientauth.patch
 create mode 100644 mod_nss-no_shutdown_if_not_init_2.patch
 create mode 100644 mod_nss-sslmultiproxy.patch
diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index 4fa0c5f..2d8e8d4 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com + +- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. +- mod_nss-clientauth.patch: merged from RHEL6 pkg +- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg +- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg +- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg +- make it build on both Apache2 2.4 and 2.2 systems + ------------------------------------------------------------------- Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index c22a7f3..f20fd6a 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -53,6 +53,11 @@ Patch9: mod_nss-httpd24.patch Patch10: mod_nss-proxyvariables.patch Patch11: mod_nss-tlsv1_1.patch Patch12: mod_nss-array_overrun.patch +Patch13: mod_nss-clientauth.patch +Patch14: mod_nss-no_shutdown_if_not_init_2.patch +Patch15: mod_nss-PK11_ListCerts_2.patch +Patch16: mod_nss-sslmultiproxy.patch +Patch17: mod_nss-overlapping_memcpy.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 @@ -78,12 +83,19 @@ security library. %patch6 -p1 -b .pcachesignal.h %patch7 -p1 -b .reseterror %patch8 -p1 -b .lockpcache -%if 0%{?suse_version} >= 1300 -%patch9 -p1 -b .http24 -%endif %patch10 -p1 -b .proxyvariables %patch11 -p1 -b .tlsv1_1 %patch12 -p1 -b .array_overrun +%patch13 -p1 -b .clientauth.patch +%patch14 -p1 -b .no_shutdown_if_not_init_2 +%patch15 -p1 -b .PK11_ListCerts_2 +%patch16 -p1 -b .sslmultiproxy +%patch17 -p1 -b .overlapping_memcpy + +# keep this last, otherwise we get fuzzyness from above +%if 0%{?suse_version} >= 1300 +%patch9 -p1 -b .http24 +%endif # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] diff --git a/mod_nss-PK11_ListCerts_2.patch b/mod_nss-PK11_ListCerts_2.patch new file mode 100644 index 0000000..800f0b3 
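Review bot: `Patch17: mod_nss-overlapping_memcpy.patch` is declared and applied by these two spec hunks but is not among the four files this commit creates and is mentioned neither in the changelog entry nor in the commit message, so %prep fails unless that file is already sitting in the package directory; either add it to this request or drop the two Patch17 lines. The backup suffix in `%patch13 -p1 -b .clientauth.patch` ends in `.patch`, unlike every other `-b` argument here; `%patch13 -p1 -b .clientauth` keeps the backup copy from matching any `*.patch` glob a later source check might use. The comment `# keep this last, otherwise we get fuzzyness from above` would be more useful if it named the dependency: the refreshed mod_nss-httpd24.patch now expects the `#include "mod_ssl.h"` line that mod_nss-sslmultiproxy.patch adds to mod_nss.h, so Patch9 applies without fuzz only after Patch16.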
--- /dev/null
+++ b/mod_nss-PK11_ListCerts_2.patch
@@ -0,0 +1,201 @@ +diff -pu mod_nss.h mod_nss.h.PK11_ListCerts +--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800 ++++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800 +@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); + void nss_init_Child(apr_pool_t *, server_rec *); +-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); ++void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); + apr_status_t nss_init_ModuleKill(void *data); + apr_status_t nss_init_ChildKill(void *data); + int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); +diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts +--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800 ++++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800 +@@ -26,7 +26,7 @@ + static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); + static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); + static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); +-static CERTCertificate* FindServerCertFromNickname(const char* name); ++static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); + + /* +@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p + ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, + "Init: Initializing (virtual) servers for SSL"); + ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); ++ + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); + /* +@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p + /* + * Read the server certificate and key + */ +- nss_init_ConfigureServer(s, p, ptemp, sc); ++ 
nss_init_ConfigureServer(s, p, ptemp, sc, clist); ++ } ++ ++ if (clist) { ++ CERT_DestroyCertList(clist); + } + } + +@@ -880,7 +886,8 @@ static void nss_init_certificate(server_ + SECKEYPrivateKey **serverkey, + SSLKEAType *KEAtype, + PRFileDesc *model, +- int enforce) ++ int enforce, ++ const CERTCertList* clist) + { + SECCertTimeValidity certtimestatus; + SECStatus secstatus; +@@ -894,17 +901,15 @@ static void nss_init_certificate(server_ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Using nickname %s.", nickname); + +- *servercert = FindServerCertFromNickname(nickname); ++ *servercert = FindServerCertFromNickname(nickname, clist); + + /* Verify the certificate chain. */ + if (*servercert != NULL) { + SECCertificateUsage usage = certificateUsageSSLServer; + +- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Certificate not verified: '%s'", nickname); ++ if (enforce) { ++ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); +- if (enforce) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to verify certificate '%s'. 
Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); + nss_die(); +@@ -994,7 +999,8 @@ static void nss_init_certificate(server_ + static void nss_init_server_certs(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- modnss_ctx_t *mctx) ++ modnss_ctx_t *mctx, ++ const CERTCertList* clist) + { + SECStatus secstatus; + +@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server + + nss_init_certificate(s, mctx->nickname, &mctx->servercert, + &mctx->serverkey, &mctx->serverKEAType, +- mctx->model, mctx->enforce); ++ mctx->model, mctx->enforce, clist); + #ifdef NSS_ENABLE_ECC + nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, + &mctx->eccserverkey, &mctx->eccserverKEAType, +- mctx->model, mctx->enforce); ++ mctx->model, mctx->enforce, clist); + #endif + } + +@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server + static void nss_init_proxy_ctx(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + nss_init_ctx(s, p, ptemp, sc->proxy); + +- nss_init_server_certs(s, p, ptemp, sc->proxy); ++ nss_init_server_certs(s, p, ptemp, sc->proxy, clist); + } + + static void nss_init_server_ctx(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + nss_init_server_check(s, p, ptemp, sc->server); + + nss_init_ctx(s, p, ptemp, sc->server); + +- nss_init_server_certs(s, p, ptemp, sc->server); ++ nss_init_server_certs(s, p, ptemp, sc->server, clist); + } + + /* +@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r + void nss_init_ConfigureServer(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + if (sc->enabled == TRUE) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Configuring server for SSL protocol"); +- 
nss_init_server_ctx(s, p, ptemp, sc); ++ nss_init_server_ctx(s, p, ptemp, sc, clist); + } + + if (sc->proxy_enabled == TRUE) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Enabling proxy."); +- nss_init_proxy_ctx(s, p, ptemp, sc); ++ nss_init_proxy_ctx(s, p, ptemp, sc, clist); + } + } + +@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve + nss_init_SSLLibrary(base_server); + + /* Configure all virtual servers */ ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); + if (sc->server->servercert == NULL && NSS_IsInitialized()) +- nss_init_ConfigureServer(s, p, mc->ptemp, sc); ++ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); ++ } ++ if (clist) { ++ CERT_DestroyCertList(clist); + } + + /* +@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER + * newest, valid server certificate. + */ + static CERTCertificate* +-FindServerCertFromNickname(const char* name) ++FindServerCertFromNickname(const char* name, const CERTCertList* clist) + { +- CERTCertList* clist; + CERTCertificate* bestcert = NULL; + + CERTCertListNode *cln; +@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n + if (name == NULL) + return NULL; + +- clist = PK11_ListCerts(PK11CertListUser, NULL); +- + for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist); + cln = CERT_LIST_NEXT(cln)) { + CERTCertificate* cert = cln->cert; +@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n + if (bestcert) { + bestcert = CERT_DupCertificate(bestcert); + } +- if (clist) { +- CERT_DestroyCertList(clist); +- } + return bestcert; + } + + diff --git a/mod_nss-clientauth.patch b/mod_nss-clientauth.patch new file mode 100644 index 0000000..7a4c075 --- /dev/null +++ b/mod_nss-clientauth.patch 
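Review bot: In the `@@ -894,17 +901,15 @@` hunk of nss_engine_init.c, `CERT_VerifyCertificateNow` now runs only when `enforce` is set, so with `NSSEnforceValidCerts off` a server starts on an expired or untrusted chain without the `Certificate not verified: '%s'` APLOG_ERR line the old code logged on every failure; keep the verification and the error log unconditional and make only the `nss_die()` call depend on `enforce`, so turning enforcement off loses the hard stop but not the evidence. Separately, `FindServerCertFromNickname` now takes `clist` from its caller and walks `CERT_LIST_HEAD(clist)` with no NULL check, while both callers guard `if (clist) CERT_DestroyCertList(clist)` — a NULL return from `PK11_ListCerts` (no user certs in the database, token failed to open) would be dereferenced here, so change the early exit to `if (name == NULL || clist == NULL) return NULL;`. The bodies of nss_init_certificate and FindServerCertFromNickname extend outside the hunk.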
@@ -0,0 +1,50 @@ +The first fix is to retrieve the full certificate subject instead of just the +CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL. + +The second always attempts to retrieve the client certificate in +nss_hook_ReadReq(). + +https://bugzilla.redhat.com/show_bug.cgi?id=702437 +--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400 ++++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400 +@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes + + status = SSL_AuthCertificate(arg, socket, checksig, isServer); + +- if (status == SECSuccess) { +- conn_rec *c = filter_ctx->c; +- SSLConnRec *sslconn = myConnConfig(c); +- +- sslconn->client_cert = SSL_PeerCertificate(socket); +- sslconn->client_dn = NULL; +- } ++ /* The certificate is copied to sslconn->client_cert in ++ * nss_hook_ReadReq() ++ */ + + return status; + } +--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400 ++++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400 +@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r) + nss_util_vhostid(r->pool, r->server)); + } + ++ if (sslconn->client_cert != NULL) ++ CERT_DestroyCertificate(sslconn->client_cert); ++ sslconn->client_cert = SSL_PeerCertificate(ssl); ++ sslconn->client_dn = NULL; ++ + return DECLINED; + } + +@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r) + } + + if (!sslconn->client_dn) { +- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject); +- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); ++ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject); ++ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL); + PORT_Free(cp); + } diff --git a/mod_nss-httpd24.patch b/mod_nss-httpd24.patch index e047653..18abbcb 100644 --- a/mod_nss-httpd24.patch +++ b/mod_nss-httpd24.patch 
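Review bot: The new lines in `nss_hook_ReadReq` store `SSL_PeerCertificate(ssl)` on every request regardless of what `nss_AuthCertificate` returned, and the removed `status == SECSuccess` test was the only thing tying `sslconn->client_cert` to a successful verification; if the bad-cert hook (`ownBadCertHandler` is declared in nss_engine_init.c) can let a handshake continue after a failed client-certificate check, FakeBasicAuth and the SSL_CLIENT_* variables now see an unverified certificate. Confirm that the handshake cannot complete once SSL_AuthCertificate fails, or record success in a per-connection flag from nss_AuthCertificate and only copy the certificate in ReadReq when that flag is set. In `nss_hook_UserCheck`, `CERT_NameToAscii` can return NULL, in which case `apr_pstrcat` yields the user name `/`; test `cp` before building `client_dn` and refuse the request rather than continuing with a bogus name. The description's claim of OpenSSL compatibility should be hedged: as far as I know `CERT_NameToAscii` prints comma-separated RDNs (`CN=...,O=...`), not mod_ssl's `/C=../O=../CN=..` one-line DN, so htpasswd entries written for mod_ssl will not match even with the leading slash. Both hook functions start outside the hunks.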
@@ -1,7 +1,8 @@ -diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c ---- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700 -+++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700 -@@ -349,7 +349,7 @@ +Index: mod_nss-1.0.8/mod_nss.c +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.c ++++ mod_nss-1.0.8/mod_nss.c +@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld established " "(server %s, client %s)", c->id, sc->vhost_id, @@ -10,18 +11,19 @@ diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c mctx = sslconn->is_proxy ? sc->proxy : sc->server; -diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h ---- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700 -+++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700 -@@ -27,7 +27,6 @@ - #include "http_protocol.h" +Index: mod_nss-1.0.8/mod_nss.h +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.h ++++ mod_nss-1.0.8/mod_nss.h +@@ -28,7 +28,6 @@ + #include "mod_ssl.h" #include "util_script.h" #include "util_filter.h" -#include "mpm.h" #include "apr.h" #include "apr_strings.h" #define APR_WANT_STRFUNC -@@ -490,7 +489,7 @@ +@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo SECStatus nss_Init_Tokens(server_rec *s); /* Logging */ @@ -30,9 +32,10 @@ diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h void nss_die(void); /* NSS callback */ -diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c ---- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700 -+++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700 +Index: mod_nss-1.0.8/nss_engine_init.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_init.c ++++ mod_nss-1.0.8/nss_engine_init.c @@ -15,7 +15,7 @@ #include "mod_nss.h" 
@@ -42,10 +45,11 @@ diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c #include "secmod.h" #include "sslerr.h" #include "pk11func.h" -diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c ---- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700 -+++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700 -@@ -621,13 +621,13 @@ +Index: mod_nss-1.0.8/nss_engine_io.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_io.c ++++ mod_nss-1.0.8/nss_engine_io.c +@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo PR_Close(ssl); /* log the fact that we've closed the connection */ @@ -61,7 +65,7 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c } /* deallocate the SSL connection */ -@@ -1165,7 +1165,7 @@ +@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_ filter_ctx = (nss_filter_ctx_t *)(fd->secret); c = filter_ctx->c; @@ -70,10 +74,11 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c } /* -diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c ---- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700 -+++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700 -@@ -73,7 +73,7 @@ +Index: mod_nss-1.0.8/nss_engine_kernel.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_kernel.c ++++ mod_nss-1.0.8/nss_engine_kernel.c +@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r) /* * Log information about incoming HTTPS requests */ 
@@ -82,7 +87,7 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "%s HTTPS request received for child %ld (server %s)", (r->connection->keepalives <= 0 ? -@@ -530,7 +530,7 @@ +@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r) ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Access to %s denied for %s " "(requirement expression not fulfilled)", @@ -91,10 +96,11 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Failed expression: %s", req->cpExpr); -diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c ---- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700 -+++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700 -@@ -321,7 +321,7 @@ +Index: mod_nss-1.0.8/nss_engine_log.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_log.c ++++ mod_nss-1.0.8/nss_engine_log.c +@@ -321,7 +321,7 @@ void nss_die(void) exit(1); } @@ -103,7 +109,7 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c { const char *err; PRInt32 error; -@@ -340,7 +340,7 @@ +@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file, err = "Unknown"; } 
@@ -112,10 +118,11 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c "SSL Library Error: %d %s", error, err); } -diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c ---- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700 -+++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700 -@@ -178,7 +178,7 @@ +Index: mod_nss-1.0.8/nss_engine_vars.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_vars.c ++++ mod_nss-1.0.8/nss_engine_vars.c +@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv && sslconn && sslconn->ssl) result = nss_var_lookup_ssl(p, c, var+4); else if (strcEQ(var, "REMOTE_ADDR")) @@ -124,7 +131,7 @@ diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c else if (strcEQ(var, "HTTPS")) { if (sslconn && sslconn->ssl) result = "on"; -@@ -194,7 +194,7 @@ +@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) result = nss_var_lookup_nss_version(p, var+12); else if (strcEQ(var, "SERVER_SOFTWARE")) diff --git a/mod_nss-no_shutdown_if_not_init_2.patch b/mod_nss-no_shutdown_if_not_init_2.patch new file mode 100644 index 0000000..2374820 --- /dev/null +++ b/mod_nss-no_shutdown_if_not_init_2.patch 
@@ -0,0 +1,23 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
++++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
+@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
+ server_rec *s;
+ int shutdown = 0;
+
+- /* Clear any client-side session cache data */
+- SSL_ClearSessionCache();
+-
+ /*
+ * Free the non-pool allocated structures
+ * in the per-server configurations
+@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
+ }
+
+ if (shutdown) {
++ /* Clear any client-side session cache data */
++ SSL_ClearSessionCache();
++
+ if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+ != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
diff --git a/mod_nss-sslmultiproxy.patch b/mod_nss-sslmultiproxy.patch
new file mode 100644
index 0000000..5bde820
--- /dev/null
+++ b/mod_nss-sslmultiproxy.patch
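Review bot: Moving `SSL_ClearSessionCache()` under `if (shutdown)` ties the cache clear to a flag computed in the loop outside this hunk, so the reason for the guard is only visible from the patch's file name; if the intent is to avoid calling into NSS in a child where it was never initialised, `if (NSS_IsInitialized()) { SSL_ClearSessionCache(); }` at the original position states that directly and matches the `NSS_IsInitialized()` check nss_init_Child already makes elsewhere in this commit. At minimum extend the moved comment so the next reader does not move it back: `/* Clear any client-side session cache data; only safe once NSS was initialised in this child */`. nss_init_ChildKill's body continues outside both hunks.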
@@ -0,0 +1,214 @@ +Index: mod_nss-1.0.8/mod_nss.c +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.c ++++ mod_nss-1.0.8/mod_nss.c +@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c + return sslconn; + } + ++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; ++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; ++ + int nss_proxy_enable(conn_rec *c) + { + SSLSrvConfigRec *sc = mySrvConfig(c->base_server); +@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c) + SSLConnRec *sslconn = nss_init_connection_ctx(c); + + if (!sc->proxy_enabled) { ++ if (othermod_proxy_enable) { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "mod_nss proxy not configured, passing through to mod_ssl module"); ++ return othermod_proxy_enable(c); ++ } ++ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, + "SSL Proxy requested for %s but not enabled " + "[Hint: NSSProxyEngine]", sc->vhost_id); +@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c) + return 1; + } + +-int ssl_proxy_enable(conn_rec *c) { ++static int ssl_proxy_enable(conn_rec *c) { + return nss_proxy_enable(c); + } + +@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c) + + SSLConnRec *sslconn; + ++ if (othermod_engine_disable) { ++ othermod_engine_disable(c); ++ } ++ + if (sc->enabled == FALSE) { + return 0; + } +@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c) + return 1; + } + +-int ssl_engine_disable(conn_rec *c) { ++static int ssl_engine_disable(conn_rec *c) { + return nss_engine_disable(c); + } + +@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_ + + nss_var_register(); + ++ /* Always register these mod_nss optional functions */ + APR_REGISTER_OPTIONAL_FN(nss_proxy_enable); + APR_REGISTER_OPTIONAL_FN(nss_engine_disable); + +- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL) +- 
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); ++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); ++ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + } + + module AP_MODULE_DECLARE_DATA nss_module = { +Index: mod_nss-1.0.8/mod_nss.h +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.h ++++ mod_nss-1.0.8/mod_nss.h +@@ -13,8 +13,8 @@ + * limitations under the License. + */ + +-#ifndef __MOD_SSL_H__ +-#define __MOD_SSL_H__ ++#ifndef __MOD_NSS_H__ ++#define __MOD_NSS_H__ + + /* Apache headers */ + #include "httpd.h" +@@ -25,6 +25,7 @@ + #include "http_connection.h" + #include "http_request.h" + #include "http_protocol.h" ++#include "mod_ssl.h" + #include "util_script.h" + #include "util_filter.h" + #include "mpm.h" +@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r); + /* Variables */ + void nss_var_register(void); + char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); +-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); + void nss_var_log_config_register(apr_pool_t *p); + + APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup, + (apr_pool_t *, server_rec *, + conn_rec *, request_rec *, + char *)); +-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, +- (apr_pool_t *, server_rec *, +- conn_rec *, request_rec *, +- char *)); + + /* An optional function which returns non-zero if the given connection + * is using SSL/TLS. 
*/ + APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); + + /* Proxy Support */ + int nss_proxy_enable(conn_rec *c); + int nss_engine_disable(conn_rec *c); +-int ssl_proxy_enable(conn_rec *c); +-int ssl_engine_disable(conn_rec *c); + + APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); + + APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + + /* I/O */ + PRFileDesc * nss_io_new_fd(); +@@ -495,4 +486,4 @@ void nss_die(void); + + /* NSS callback */ + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); +-#endif /* __MOD_SSL_H__ */ ++#endif /* __MOD_NSS_H__ */ +Index: mod_nss-1.0.8/nss_engine_vars.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_vars.c ++++ mod_nss-1.0.8/nss_engine_vars.c +@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver + static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var); + static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var); + static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c); ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); ++ ++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; ++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; + + static int nss_is_https(conn_rec *c) + { + SSLConnRec *sslconn = myConnConfig(c); +- return sslconn && sslconn->ssl; ++ ++ return (sslconn && sslconn->ssl) ++ || (othermod_is_https && othermod_is_https(c)); + } + + static int ssl_is_https(conn_rec *c) { +@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) { + + void nss_var_register(void) + { ++ /* Always register these mod_nss optional functions */ + APR_REGISTER_OPTIONAL_FN(nss_is_https); + 
APR_REGISTER_OPTIONAL_FN(nss_var_lookup); + +- /* These can only be registered if mod_ssl is not loaded */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_is_https); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); ++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_is_https); ++ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + + return; + } +@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) ++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { ++ /* If mod_ssl is registered for this connection, ++ * pass any SSL_* variable through to the mod_ssl module ++ */ ++ return othermod_var_lookup(p, s, c, r, var); ++ } ++ + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = nss_var_lookup_ssl(p, c, var+4); +@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv + return result; + } + +-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { + return nss_var_lookup(p, s, c, r, var); + } + diff --git a/mod_nss-tlsv1_1.patch b/mod_nss-tlsv1_1.patch index 3ddfc97..4dee39b 100644 --- a/mod_nss-tlsv1_1.patch +++ b/mod_nss-tlsv1_1.patch 
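Review bot: The `othermod_*` capture in `nss_register_hooks` and `nss_var_register` only works when mod_ssl is loaded before mod_nss: `APR_RETRIEVE_OPTIONAL_FN` runs at hook-registration time, and if mod_ssl registers its own `ssl_proxy_enable`/`ssl_is_https`/`ssl_var_lookup` afterwards (upstream mod_ssl registers them unconditionally, as far as I know) it overwrites mod_nss's registrations while mod_nss's saved pointers stay NULL, so the pass-through silently never happens. Document that in a comment at the registration, e.g. `/* mod_ssl must be loaded before mod_nss for pass-through to work: the last registration of the ssl_* names wins */`, and ideally log at startup which module ended up owning the ssl_* names so an operator can tell. In `nss_proxy_enable`, `nss_init_connection_ctx(c)` has already attached a mod_nss SSLConnRec to the connection before the new pass-through to `othermod_proxy_enable`; `nss_is_https` copes because `sslconn->ssl` stays NULL, but testing `!sc->proxy_enabled && othermod_proxy_enable` before creating the context avoids leaving mod_nss state on a connection mod_ssl is driving. Every function touched here extends outside the hunk.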
@@ -391,9 +391,9 @@ Index: mod_nss-1.0.8/nss.conf.in +# with the maximum specified protocol and downgrading as necessary to the +# minimum specified protocol that can be used between two processes. +# Since all protocol ranges are completely inclusive, and no protocol in the -+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" -+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -+NSSProtocol SSLv3,TLSv1.0,TLSv1.1 ++# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2" ++# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2". ++NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use.
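Review bot: The shipped default `NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2` still enables SSLv3 on every fresh install, and because the comment above it says a range cannot exclude a protocol in the middle, the only way for an operator to drop SSLv3 while keeping TLS 1.0 is to start the range at TLSv1.0; suggest `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2` as the packaged default, with SSLv3 mentioned in the comment as an explicit opt-in for legacy clients. If the NSS the package builds against predates TLS 1.2 support, a default that names TLSv1.2 may refuse to start depending on how the directive parser (changed elsewhere in this patch, not in this hunk) treats an unsupported maximum, so a sentence in the comment on the minimum NSS version would help either way.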