Accepting request 186068 from mozilla:Factory

- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. - mod_nss-clientauth.patch: merged from RHEL6 pkg - mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg - mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg - mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg - make it build on both Apache2 2.4 and 2.2 systems (forwarded request 186032 from msmeissn) OBS-URL: https://build.opensuse.org/request/show/186068 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=3
2013-08-07 18:43:06 +00:00 · 2013-08-07 18:43:06 +00:00 · d291160bc1
commit d291160bc1
parent 60dfc6de6c 4b69663a7b
8 changed files with 556 additions and 39 deletions
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Fri Aug  2 08:29:35 UTC 2013 - meissner@suse.com
 - mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
 - mod_nss-clientauth.patch: merged from RHEL6 pkg
 - mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
 - mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
 - mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
 - make it build on both Apache2 2.4 and 2.2 systems
 -------------------------------------------------------------------
 Thu Aug  1 15:06:55 UTC 2013 - meissner@suse.com
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@ -53,6 +53,11 @@ Patch9:         mod_nss-httpd24.patch
 Patch10:        mod_nss-proxyvariables.patch
 Patch11:        mod_nss-tlsv1_1.patch
 Patch12:        mod_nss-array_overrun.patch
 Patch13:        mod_nss-clientauth.patch
 Patch14:        mod_nss-no_shutdown_if_not_init_2.patch
 Patch15:        mod_nss-PK11_ListCerts_2.patch
 Patch16:        mod_nss-sslmultiproxy.patch
 Patch17:        mod_nss-overlapping_memcpy.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
 %define    apache apache2
@ -78,12 +83,19 @@ security library.
 %patch6 -p1 -b .pcachesignal.h
 %patch7 -p1 -b .reseterror
 %patch8 -p1 -b .lockpcache
 %if 0%{?suse_version} >= 1300
 %patch9 -p1 -b .http24
 %endif
 %patch10 -p1 -b .proxyvariables
 %patch11 -p1 -b .tlsv1_1
 %patch12 -p1 -b .array_overrun
 %patch13 -p1 -b .clientauth.patch
 %patch14 -p1 -b .no_shutdown_if_not_init_2
 %patch15 -p1 -b .PK11_ListCerts_2
 %patch16 -p1 -b .sslmultiproxy
 %patch17 -p1 -b .overlapping_memcpy
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} >= 1300
 %patch9 -p1 -b .http24
 %endif
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
--- a/mod_nss-PK11_ListCerts_2.patch
+++ b/mod_nss-PK11_ListCerts_2.patch
@ -0,0 +1,201 @@
 diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
 --- ./mod_nss.h   2010-09-08 21:06:49.000000000 +0800
 +++ ./mod_nss.h.PK11_ListCerts    2010-09-08 21:06:22.000000000 +0800
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
 /*  module initialization  */
 int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
 void nss_init_Child(apr_pool_t *, server_rec *);
 -void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
 +void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
 apr_status_t nss_init_ModuleKill(void *data);
 apr_status_t nss_init_ChildKill(void *data);
 int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
 diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
 --- ./nss_engine_init.c   2010-09-08 21:07:13.000000000 +0800
 +++ ./nss_engine_init.c.PK11_ListCerts    2010-09-09 00:21:59.000000000 +0800
@@ -26,7 +26,7 @@
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
 static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
 -static CERTCertificate* FindServerCertFromNickname(const char* name);
 +static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
 /*
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
                      "Init: Initializing (virtual) servers for SSL");
 +        CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
 +
         for (s = base_server; s; s = s->next) {
             sc = mySrvConfig(s);
             /*
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
             /*
              * Read the server certificate and key
              */
 -            nss_init_ConfigureServer(s, p, ptemp, sc);
 +            nss_init_ConfigureServer(s, p, ptemp, sc, clist);
 +        }
 +
 +        if (clist) {
 +            CERT_DestroyCertList(clist);
         }
     }
@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
                                  SECKEYPrivateKey **serverkey,
                                  SSLKEAType *KEAtype,
                                  PRFileDesc *model,
 -                                 int enforce)
 +                                 int enforce,
 +                                 const CERTCertList* clist)
 {
     SECCertTimeValidity certtimestatus;
     SECStatus secstatus;
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
          "Using nickname %s.", nickname);
 -    *servercert = FindServerCertFromNickname(nickname);
 +    *servercert = FindServerCertFromNickname(nickname, clist);
     /* Verify the certificate chain. */
     if (*servercert != NULL) {
         SECCertificateUsage usage = certificateUsageSSLServer;
 -        if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
 -            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
 -                "Certificate not verified: '%s'", nickname);
 +        if (enforce) {
 +            if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
             nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
 -            if (enforce) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
                 nss_die();
@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
 static void nss_init_server_certs(server_rec *s,
                                   apr_pool_t *p,
                                   apr_pool_t *ptemp,
 -                                  modnss_ctx_t *mctx)
 +                                  modnss_ctx_t *mctx,
 +                                  const CERTCertList* clist)
 {
     SECStatus secstatus;
@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
         nss_init_certificate(s, mctx->nickname, &mctx->servercert,
                              &mctx->serverkey, &mctx->serverKEAType,
 -                             mctx->model, mctx->enforce);
 +                             mctx->model, mctx->enforce, clist);
 #ifdef NSS_ENABLE_ECC
         nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
                              &mctx->eccserverkey, &mctx->eccserverKEAType,
 -                             mctx->model, mctx->enforce);
 +                             mctx->model, mctx->enforce, clist);
 #endif
     }
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
 static void nss_init_proxy_ctx(server_rec *s,
                                 apr_pool_t *p,
                                 apr_pool_t *ptemp,
 -                                SSLSrvConfigRec *sc)
 +                                SSLSrvConfigRec *sc,
 +                                const CERTCertList* clist)
 {
     nss_init_ctx(s, p, ptemp, sc->proxy);
 -    nss_init_server_certs(s, p, ptemp, sc->proxy);
 +    nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
 }
 static void nss_init_server_ctx(server_rec *s,
                                 apr_pool_t *p,
                                 apr_pool_t *ptemp,
 -                                SSLSrvConfigRec *sc)
 +                                SSLSrvConfigRec *sc,
 +                                const CERTCertList* clist)
 {
     nss_init_server_check(s, p, ptemp, sc->server);
     nss_init_ctx(s, p, ptemp, sc->server);
 -    nss_init_server_certs(s, p, ptemp, sc->server);
 +    nss_init_server_certs(s, p, ptemp, sc->server, clist);
 }
 /*
@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
 void nss_init_ConfigureServer(server_rec *s,
                               apr_pool_t *p,
                               apr_pool_t *ptemp,
 -                              SSLSrvConfigRec *sc)
 +                              SSLSrvConfigRec *sc,
 +                              const CERTCertList* clist)
 {
     if (sc->enabled == TRUE) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                      "Configuring server for SSL protocol");
 -        nss_init_server_ctx(s, p, ptemp, sc);
 +        nss_init_server_ctx(s, p, ptemp, sc, clist);
     }
     if (sc->proxy_enabled == TRUE) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                      "Enabling proxy.");
 -        nss_init_proxy_ctx(s, p, ptemp, sc);
 +        nss_init_proxy_ctx(s, p, ptemp, sc, clist);
     }
 }
@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
     nss_init_SSLLibrary(base_server);
     /* Configure all virtual servers */
 +    CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
     for (s = base_server; s; s = s->next) {
         sc = mySrvConfig(s);
         if (sc->server->servercert == NULL && NSS_IsInitialized())
 -            nss_init_ConfigureServer(s, p, mc->ptemp, sc);
 +            nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
 +    }
 +    if (clist) {
 +        CERT_DestroyCertList(clist);
     }
     /* 
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
  * newest, valid server certificate.
  */
 static CERTCertificate*
 -FindServerCertFromNickname(const char* name)
 +FindServerCertFromNickname(const char* name, const CERTCertList* clist)
 {
 -    CERTCertList* clist;
     CERTCertificate* bestcert = NULL;
     CERTCertListNode *cln;
@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
     if (name == NULL)
         return NULL;
 -    clist = PK11_ListCerts(PK11CertListUser, NULL);
 -
     for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
         cln = CERT_LIST_NEXT(cln)) {
         CERTCertificate* cert = cln->cert;
@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
     if (bestcert) {
         bestcert = CERT_DupCertificate(bestcert);
     }
 -    if (clist) {
 -        CERT_DestroyCertList(clist);
 -    }
     return bestcert;
 }
--- a/mod_nss-clientauth.patch
+++ b/mod_nss-clientauth.patch
@ -0,0 +1,50 @@
 The first fix is to retrieve the full certificate subject instead of just the
 CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
 The second always attempts to retrieve the client certificate in
 nss_hook_ReadReq().
 https://bugzilla.redhat.com/show_bug.cgi?id=702437
 --- mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-10 15:45:49.000000000 -0400
 +++ mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-11 15:21:30.000000000 -0400
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
     status = SSL_AuthCertificate(arg, socket, checksig, isServer);
 -    if (status == SECSuccess) {
 -        conn_rec *c = filter_ctx->c;
 -        SSLConnRec *sslconn = myConnConfig(c);
 -
 -        sslconn->client_cert = SSL_PeerCertificate(socket);
 -        sslconn->client_dn = NULL;
 -    }
 +    /* The certificate is copied to sslconn->client_cert in
 +     * nss_hook_ReadReq()
 +     */
     return status;
 }
 --- mod_nss-1.0.8.orig/nss_engine_kernel.c	2007-05-31 17:36:03.000000000 -0400
 +++ mod_nss-1.0.8.orig/nss_engine_kernel.c	2011-05-11 15:30:38.000000000 -0400
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
                      nss_util_vhostid(r->pool, r->server));
     }
 +    if (sslconn->client_cert != NULL)
 +        CERT_DestroyCertificate(sslconn->client_cert);
 +    sslconn->client_cert = SSL_PeerCertificate(ssl);
 +    sslconn->client_dn = NULL;
 +
     return DECLINED;
 }
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
     }
     if (!sslconn->client_dn) {
 -        char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
 -        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
 +        char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
 +        sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
         PORT_Free(cp);
     }
--- a/mod_nss-httpd24.patch
+++ b/mod_nss-httpd24.patch
@ -1,7 +1,8 @@
-diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
+Index: mod_nss-1.0.8/mod_nss.c
--- mod_nss/mod_nss.c	2012-06-12 12:23:29.961000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/mod_nss.c	2012-06-12 12:00:35.957002099 -0700
+--- mod_nss-1.0.8.orig/mod_nss.c
-@@ -349,7 +349,7 @@
+++ mod_nss-1.0.8/mod_nss.c
@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                  "Connection to child %ld established "
                  "(server %s, client %s)", c->id, sc->vhost_id, 
@ -10,18 +11,19 @@ diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c
     mctx = sslconn->is_proxy ? sc->proxy : sc->server;
-diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
+Index: mod_nss-1.0.8/mod_nss.h
--- mod_nss/mod_nss.h	2012-06-12 12:23:29.962000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/mod_nss.h	2012-06-12 12:00:35.955002240 -0700
+--- mod_nss-1.0.8.orig/mod_nss.h
-@@ -27,7 +27,6 @@
+++ mod_nss-1.0.8/mod_nss.h
- #include "http_protocol.h"
+@@ -28,7 +28,6 @@
 #include "mod_ssl.h"
 #include "util_script.h"
 #include "util_filter.h"
 -#include "mpm.h"
 #include "apr.h"
 #include "apr_strings.h"
 #define APR_WANT_STRFUNC
-@@ -490,7 +489,7 @@
+@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo
 SECStatus nss_Init_Tokens(server_rec *s);
 /* Logging */
@ -30,9 +32,10 @@ diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h
 void nss_die(void);
 /* NSS callback */
-diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+Index: mod_nss-1.0.8/nss_engine_init.c
--- mod_nss/nss_engine_init.c	2012-06-12 12:23:29.962000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/nss_engine_init.c	2012-06-12 12:00:35.955002240 -0700
+--- mod_nss-1.0.8.orig/nss_engine_init.c
 +++ mod_nss-1.0.8/nss_engine_init.c
@@ -15,7 +15,7 @@
 #include "mod_nss.h"
@ -42,10 +45,11 @@ diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
 #include "secmod.h"
 #include "sslerr.h"
 #include "pk11func.h"
-diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
+Index: mod_nss-1.0.8/nss_engine_io.c
--- mod_nss/nss_engine_io.c	2012-06-12 12:23:29.963000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/nss_engine_io.c	2012-06-12 12:00:35.956002167 -0700
+--- mod_nss-1.0.8.orig/nss_engine_io.c
-@@ -621,13 +621,13 @@
+++ mod_nss-1.0.8/nss_engine_io.c
@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo
     PR_Close(ssl);
     /* log the fact that we've closed the connection */
@ -61,7 +65,7 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
     }
     /* deallocate the SSL connection */
-@@ -1165,7 +1165,7 @@
+@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_
     filter_ctx = (nss_filter_ctx_t *)(fd->secret);
     c = filter_ctx->c;
@ -70,10 +74,11 @@ diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c
 }
 /* 
-diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
+Index: mod_nss-1.0.8/nss_engine_kernel.c
--- mod_nss/nss_engine_kernel.c	2012-06-12 12:23:29.963000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/nss_engine_kernel.c	2012-06-12 12:00:35.954002314 -0700
+--- mod_nss-1.0.8.orig/nss_engine_kernel.c
-@@ -73,7 +73,7 @@
+++ mod_nss-1.0.8/nss_engine_kernel.c
@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r)
     /*
      * Log information about incoming HTTPS requests
      */
@ -82,7 +87,7 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                      "%s HTTPS request received for child %ld (server %s)",
                      (r->connection->keepalives <= 0 ?
-@@ -530,7 +530,7 @@
+@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r)
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                          "Access to %s denied for %s "
                          "(requirement expression not fulfilled)",
@ -91,10 +96,11 @@ diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                          "Failed expression: %s", req->cpExpr);
-diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
+Index: mod_nss-1.0.8/nss_engine_log.c
--- mod_nss/nss_engine_log.c	2012-06-12 12:23:29.964000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/nss_engine_log.c	2012-06-12 12:00:35.955002240 -0700
+--- mod_nss-1.0.8.orig/nss_engine_log.c
-@@ -321,7 +321,7 @@
+++ mod_nss-1.0.8/nss_engine_log.c
@@ -321,7 +321,7 @@ void nss_die(void)
     exit(1); 
 }
@ -103,7 +109,7 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
 {
     const char *err;
     PRInt32 error;
-@@ -340,7 +340,7 @@
+@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file,
          err = "Unknown";
     }
@ -112,10 +118,11 @@ diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c
                  "SSL Library Error: %d %s",
                  error, err);
 }
-diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+Index: mod_nss-1.0.8/nss_engine_vars.c
--- mod_nss/nss_engine_vars.c	2012-06-12 12:23:29.965000000 -0700
+===================================================================
-+++ mod_nss-1.0.8/nss_engine_vars.c	2012-06-12 12:00:35.948002812 -0700
+--- mod_nss-1.0.8.orig/nss_engine_vars.c
-@@ -178,7 +178,7 @@
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
                  && sslconn && sslconn->ssl)
             result = nss_var_lookup_ssl(p, c, var+4);
         else if (strcEQ(var, "REMOTE_ADDR"))
@ -124,7 +131,7 @@ diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
         else if (strcEQ(var, "HTTPS")) {
             if (sslconn && sslconn->ssl)
                 result = "on";
-@@ -194,7 +194,7 @@
+@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
         if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
             result = nss_var_lookup_nss_version(p, var+12);
         else if (strcEQ(var, "SERVER_SOFTWARE"))
--- a/mod_nss-no_shutdown_if_not_init_2.patch
+++ b/mod_nss-no_shutdown_if_not_init_2.patch
@ -0,0 +1,23 @@
 diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
 --- mod_nss-1.0.8.orig/nss_engine_init.c	2012-01-27 17:18:41.001015000 -0800
 +++ mod_nss-1.0.8/nss_engine_init.c	2012-01-27 17:20:14.093830000 -0800
@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
     server_rec *s;
     int shutdown = 0;
 -    /* Clear any client-side session cache data */
 -    SSL_ClearSessionCache();
 -
     /*
      * Free the non-pool allocated structures
      * in the per-server configurations
@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
     }
     if (shutdown) {
 +        /* Clear any client-side session cache data */
 +        SSL_ClearSessionCache();
 +
         if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
             != SECSuccess) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
--- a/mod_nss-sslmultiproxy.patch
+++ b/mod_nss-sslmultiproxy.patch
@ -0,0 +1,214 @@
 Index: mod_nss-1.0.8/mod_nss.c
 ===================================================================
 --- mod_nss-1.0.8.orig/mod_nss.c
 +++ mod_nss-1.0.8/mod_nss.c
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
     return sslconn;
 }
 +static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
 +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
 +
 int nss_proxy_enable(conn_rec *c)
 {
     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
     SSLConnRec *sslconn = nss_init_connection_ctx(c);
     if (!sc->proxy_enabled) {
 +        if (othermod_proxy_enable) {
 +            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
 +                          "mod_nss proxy not configured, passing through to mod_ssl module");
 +            return othermod_proxy_enable(c);
 +        }
 +
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                      "SSL Proxy requested for %s but not enabled "
                      "[Hint: NSSProxyEngine]", sc->vhost_id);
@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
     return 1;
 }
 -int ssl_proxy_enable(conn_rec *c) {
 +static int ssl_proxy_enable(conn_rec *c) {
     return nss_proxy_enable(c);
 }
@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
     SSLConnRec *sslconn;
 +    if (othermod_engine_disable) {
 +        othermod_engine_disable(c);
 +    }
 +
     if (sc->enabled == FALSE) {
         return 0;
     }
@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
     return 1;
 }
 -int ssl_engine_disable(conn_rec *c) {
 +static int ssl_engine_disable(conn_rec *c) {
     return nss_engine_disable(c);
 }
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
     nss_var_register();
 +    /* Always register these mod_nss optional functions */
     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
 -    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
 -    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
 -        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
 -    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
 -        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 +    /* Save the state of any previously registered mod_ssl functions */
 +    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
 +    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
 +
 +    /* Always register these local mod_ssl optional functions */
 +    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
 +    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 }
 module AP_MODULE_DECLARE_DATA nss_module = {
 Index: mod_nss-1.0.8/mod_nss.h
 ===================================================================
 --- mod_nss-1.0.8.orig/mod_nss.h
 +++ mod_nss-1.0.8/mod_nss.h
@@ -13,8 +13,8 @@
  * limitations under the License.
  */
 -#ifndef __MOD_SSL_H__
 -#define __MOD_SSL_H__
 +#ifndef __MOD_NSS_H__
 +#define __MOD_NSS_H__
 /* Apache headers */
 #include "httpd.h"
@@ -25,6 +25,7 @@
 #include "http_connection.h"
 #include "http_request.h"
 #include "http_protocol.h"
 +#include "mod_ssl.h"
 #include "util_script.h"
 #include "util_filter.h"
 #include "mpm.h"
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
 /*  Variables  */
 void         nss_var_register(void);
 char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
 -char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
 void         nss_var_log_config_register(apr_pool_t *p);
 APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
                         (apr_pool_t *, server_rec *,
                          conn_rec *, request_rec *, 
                          char *));
 -APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
 -                        (apr_pool_t *, server_rec *,
 -                         conn_rec *, request_rec *, 
 -                         char *));
 /* An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
 -APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
 /* Proxy Support */
 int nss_proxy_enable(conn_rec *c);
 int nss_engine_disable(conn_rec *c);
 -int ssl_proxy_enable(conn_rec *c);
 -int ssl_engine_disable(conn_rec *c);
 APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
 -APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
 -APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 /* I/O */
 PRFileDesc * nss_io_new_fd();
@@ -495,4 +486,4 @@ void nss_die(void);
 /* NSS callback */
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
 -#endif /* __MOD_SSL_H__ */
 +#endif /* __MOD_NSS_H__ */
 Index: mod_nss-1.0.8/nss_engine_vars.c
 ===================================================================
 --- mod_nss-1.0.8.orig/nss_engine_vars.c
 +++ mod_nss-1.0.8/nss_engine_vars.c
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
 static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
 static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
 static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
 +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
 +
 +static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
 +static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
 static int nss_is_https(conn_rec *c)
 {
     SSLConnRec *sslconn = myConnConfig(c);
 -    return sslconn && sslconn->ssl;
 +
 +    return (sslconn && sslconn->ssl)
 +        || (othermod_is_https && othermod_is_https(c));
 }
 static int ssl_is_https(conn_rec *c) {
@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
 void nss_var_register(void)
 {
 +    /* Always register these mod_nss optional functions */
     APR_REGISTER_OPTIONAL_FN(nss_is_https);
     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
 -    /* These can only be registered if mod_ssl is not loaded */
 -    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
 -        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
 -    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
 -        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
 +    /* Save the state of any previously registered mod_ssl functions */
 +    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
 +    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
 +
 +    /* Always register these local mod_ssl optional functions */
 +    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
 +    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
     return;
 }
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
      */
     if (result == NULL && c != NULL) {
         SSLConnRec *sslconn = myConnConfig(c);
 +
 +        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
 +            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
 +            /* If mod_ssl is registered for this connection,
 +             * pass any SSL_* variable through to the mod_ssl module
 +             */
 +            return othermod_var_lookup(p, s, c, r, var);
 +        }
 +
         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
                  && sslconn && sslconn->ssl)
             result = nss_var_lookup_ssl(p, c, var+4);
@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
     return result;
 }
 -char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
 +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
     return nss_var_lookup(p, s, c, r, var);
 }
--- a/mod_nss-tlsv1_1.patch
+++ b/mod_nss-tlsv1_1.patch
@ -391,9 +391,9 @@ Index: mod_nss-1.0.8/nss.conf.in
 +#   with the maximum specified protocol and downgrading as necessary to the
 +#   minimum specified protocol that can be used between two processes.
 +#   Since all protocol ranges are completely inclusive, and no protocol in the
-+#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
-+#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
-+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
 #   SSL Certificate Nickname:
 #   The nickname of the RSA server certificate you are going to use.