From 22be7caef1990e6f527ddf1e944d094d5f78b9dd9e105edb9ed352ac650c4c48 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 5 Nov 2014 05:44:27 +0000 Subject: [PATCH] Accepting request 259693 from home:kstreitova:branches:mozilla:Factory - bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch that adding small fixes for support of TLS v1.2 OBS-URL: https://build.opensuse.org/request/show/259693 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=16 --- apache2-mod_nss.changes | 6 ++ apache2-mod_nss.spec | 3 + ...ss-add_support_for_enabling_TLS_v1.2.patch | 61 +++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 mod_nss-add_support_for_enabling_TLS_v1.2.patch diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index 18ea48e..984edf6 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 4 14:13:46 UTC 2014 - kstreitova@suse.com + +- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch + that adding small fixes for support of TLS v1.2 + ------------------------------------------------------------------- Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index 4a69190..579bcf9 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -72,6 +72,8 @@ Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff Patch23: mod_nss-bnc863518-reopen_dev_tty.diff # PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch +# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2 +Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 
@@ -112,6 +114,7 @@ security library. %patch20 -p0 -b .ciphers.doc.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch +%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 diff --git a/mod_nss-add_support_for_enabling_TLS_v1.2.patch b/mod_nss-add_support_for_enabling_TLS_v1.2.patch new file mode 100644 index 0000000..8393563 --- /dev/null +++ b/mod_nss-add_support_for_enabling_TLS_v1.2.patch 
@@ -0,0 +1,61 @@
+From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 16 Oct 2014 14:05:05 -0400
+Subject: [PATCH] Add support for enabling TLS v1.2
+
+If support is available in NSS then it is just a matter of including
+TLS 1.2 in the protocol range.
+---
+ docs/mod_nss.html | 97 ++++++++++++++++++++++++++++---------------------------
+ mod_nss.c | 4 +--
+ nss.conf.in | 2 +-
+ nss_engine_init.c | 51 +++++++++++++++++------------
+ nss_engine_vars.c | 3 ++
+ 5 files changed, 86 insertions(+), 71 deletions(-)
+
+Index: mod_nss-1.0.8/nss.conf.in
+===================================================================
+--- mod_nss-1.0.8.orig/nss.conf.in
++++ mod_nss-1.0.8/nss.conf.in
+@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+ # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+ #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+
+-NSSProtocol SSLv3,TLSv1
++NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
+
+ # SSL Certificate Nickname:
+ # The nickname of the RSA server certificate you are going to use.
+Index: mod_nss-1.0.8/nss_engine_vars.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_vars.c
++++ mod_nss-1.0.8/nss_engine_vars.c
+@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ result = "TLSv1.1";
+ break;
++ case SSL_LIBRARY_VERSION_TLS_1_2:
++ result = "TLSv1.2";
++ break;
+ }
+ }
+ }
+Index: mod_nss-1.0.8/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.8.orig/nss_engine_init.c
++++ mod_nss-1.0.8/nss_engine_init.c
+@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
+ * cannot be excluded from this range. NSS will automatically negotiate
+ * to utilize the strongest acceptable protocol for a connection starting
+ * with the maximum specified protocol and downgrading as necessary to the
+- * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
++ * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+ */
+ if (stat == SECSuccess) {
+ /* Set minimum protocol version (lowest -> highest)
+ *
+- * SSL 3.0 -> TLS 1.0 -> TLS 1.1
++ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
+ */
+ if (ssl3 == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
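Review bot: The embedded patch's header lists five files (docs/mod_nss.html, mod_nss.c, nss.conf.in, nss_engine_init.c, nss_engine_vars.c; 86 insertions, 71 deletions), but its body carries only three sections. The nss_engine_init.c section changes nothing except two comment lines in nss_init_ctx_protocol, whose body starts and ends outside the hunk. The sample configuration now defaults to `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2`, so the `TLSv1.2` token must be accepted by protocol-parsing code that this patch does not show. Presumably an earlier patch in the spec already supplies that handling, but it should be confirmed before shipping this default, since an unrecognised token could leave the server on a different protocol range than the administrator expects. I would record the trimming in the patch header, for example `Trimmed for packaging: docs/mod_nss.html and mod_nss.c sections dropped, nss_engine_init.c reduced to comment updates; TLS 1.2 range handling is provided by <EARLIER_PATCH_NAME>.`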