Index: mod_nss-1.0.8/docs/mod_nss.html =================================================================== --- mod_nss-1.0.8.orig/docs/mod_nss.html +++ mod_nss-1.0.8/docs/mod_nss.html @@ -466,7 +466,7 @@ Example
SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSLv3/TLSv1
+ SSLv3/TLSv1.0/TLSv1.1/TLSv1.2
@@ -578,106 +578,106 @@ definition
SSL_RSA_WITH_DES_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_null_md5
SSL_RSA_WITH_NULL_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_null_sha
SSL_RSA_WITH_NULL_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc2_40_md5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc4_128_md5 SSL_RSA_WITH_RC4_128_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc4_128_sha SSL_RSA_WITH_RC4_128_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc4_40_md5 SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fortezza
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fortezza_rc4_128_sha
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fortezza_null
SSL_FORTEZZA_DMS_WITH_NULL_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fips_des_sha
SSL_RSA_FIPS_WITH_DES_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 fips_3des_sha
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_des_56_sha TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- SSL3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_rc4_56_sha TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_aes_128_sha
TLS_RSA_WITH_AES_128_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 rsa_aes_256_sha
TLS_RSA_WITH_AES_256_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 @@ -698,127 +698,127 @@ Definition
ecdh_ecdsa_null_sha TLS_ECDH_ECDSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_ecdsa_rc4_128_sha TLS_ECDH_ECDSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_ecdsa_3des_sha TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_ecdsa_aes_128_sha TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_ecdsa_aes_256_sha TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_ecdsa_null_sha TLS_ECDHE_ECDSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_ecdsa_rc4_128_sha TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_ecdsa_3des_sha TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_ecdsa_aes_128_sha TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_ecdsa_aes_256_sha TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_rsa_null_sha TLS_ECDH_RSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_rsa_128_sha TLS_ECDH_RSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_rsa_3des_sha TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_rsa_aes_128_sha TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_rsa_aes_256_sha TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 echde_rsa_null TLS_ECDHE_RSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_rsa_rc4_128_sha TLS_ECDHE_RSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_rsa_3des_sha TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_rsa_aes_128_sha TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdhe_rsa_aes_256_sha TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_anon_null_sha TLS_ECDH_anon_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_anon_rc4_128sha TLS_ECDH_anon_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_anon_3des_sha TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_anon_aes_128_sha TLS_ECDH_anon_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 ecdh_anon_aes_256_sha TLS_ECDH_anon_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1/TLSv1.2 @@ -839,16 +839,36 @@ specifically but allows ciphers for that Options are:
Note that this differs from mod_ssl in that you can't add or subtract protocols.
+
+If no NSSProtocol is specified, mod_nss will default to allowing the use of +the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the +minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol +allowed. +
+If values for NSSProtocol are specified, mod_nss will set both the minimum +and the maximum allowed protocols based upon these entries allowing for the +inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2 +are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes +protocol ranges to accept all protocols inclusively +(TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols +in the middle of a range (e. g. - TLS 1.0).
+
+Finally, NSS will always automatically negotiate the use of the strongest +possible protocol that has been specified which is acceptable to both sides of +a given connection.
SSLv2 is not supported by default at this time.

Example

-NSSProtocol SSLv3,TLSv1
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2

NSSNickname

@@ -1101,7 +1121,7 @@ was compiled against.
SSL_PROTOCOL
- SSLv2, SSLv3 or TLSv1
+ SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2
@@ -1443,7 +1463,7 @@ Opera, and Safari) support SSL 3 and TLS so there is no need for a web server to support SSL 2. There are some known attacks against SSL 2 that are handled by -SSL 3/TLS. SSL2 also doesn't support useful features like client +SSL 3/TLS. SSLv2 also doesn't support useful features like client authentication.

Frequently Asked Questions

Index: mod_nss-1.0.8/mod_nss.c =================================================================== --- mod_nss-1.0.8.orig/mod_nss.c +++ mod_nss-1.0.8/mod_nss.c @@ -90,7 +90,7 @@ static const command_rec nss_config_cmds "(`[+-]XXX,...,[+-]XXX' - see manual)") SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable the various SSL protocols" - "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)") + "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)") SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client Authentication " "(`none', `optional', `require'") @@ -135,7 +135,7 @@ static const command_rec nss_config_cmds "(`on', `off')") SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " - "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") + "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)") SSL_CMD_SRV(ProxyCipherSuite, TAKE1, "SSL Proxy: colon-delimited list of permitted SSL ciphers " "(`XXX:...:XXX' - see manual)") Index: mod_nss-1.0.8/nss.conf.in =================================================================== --- mod_nss-1.0.8.orig/nss.conf.in +++ mod_nss-1.0.8/nss.conf.in @@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha -NSSProtocol SSLv3,TLSv1 +# SSL Protocol: +# Cryptographic protocols that provide communication security. +# NSS handles the specified protocols as "ranges", and automatically +# negotiates the use of the strongest protocol for a connection starting +# with the maximum specified protocol and downgrading as necessary to the +# minimum specified protocol that can be used between two processes. +# Since all protocol ranges are completely inclusive, and no protocol in the +# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2" +# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2". +NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. Index: mod_nss-1.0.8/nss_engine_init.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_init.c +++ mod_nss-1.0.8/nss_engine_init.c @@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server apr_pool_t *ptemp, modnss_ctx_t *mctx) { - int ssl2, ssl3, tls; + int ssl2, ssl3, tls, tls1_1, tls1_2; + char *protocol_marker = NULL; char *lprotocols = NULL; SECStatus stat; + SSLVersionRange enabledVersions; - ssl2 = ssl3 = tls = 0; + ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0; + + /* + * Since this routine will be invoked individually for every thread + * associated with each 'server' object as well as for every thread + * associated with each 'proxy' object, identify the protocol marker + * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy') + * via each thread's object type and apply this useful information to + * all log messages. + */ + if (mctx == mctx->sc->server) { + protocol_marker = "NSSProtocol"; + } else if (mctx == mctx->sc->proxy) { + protocol_marker = "NSSProxyProtocol"; + } if (mctx->sc->fips) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "In FIPS mode, enabling TLSv1"); - tls = 1; + "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2", + protocol_marker); + tls = tls1_1 = tls1_2 = 1; } else { if (mctx->auth.protocols == NULL) { - /* - * Since this routine will be invoked individually for every - * thread associated with each 'server' object as well as for - * every thread associated with each 'proxy' object, issue a - * single per-thread 'warning' message for either a 'server' - * or a 'proxy' based upon the thread's object type. - */ - if (mctx == mctx->sc->server) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "NSSProtocol value not set; using: SSLv3 and TLSv1"); - } else if (mctx == mctx->sc->proxy) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "NSSProxyProtocol value not set; using: SSLv3 and TLSv1"); - } + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2", + protocol_marker); - ssl3 = tls = 1; + ssl3 = tls = tls1_1 = tls1_2 = 1; } else { lprotocols = strdup(mctx->auth.protocols); ap_str_tolower(lprotocols); if (strstr(lprotocols, "all") != NULL) { #ifdef WANT_SSL2 - ssl2 = ssl3 = tls = 1; + ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1; #else - ssl3 = tls = 1; + ssl3 = tls = tls1_1 = tls1_2 = 1; #endif } else { - if (strstr(lprotocols, "sslv2") != NULL) { + char *protocol_list = NULL; + char *saveptr = NULL; + char *token = NULL; + + for (protocol_list = lprotocols; ; protocol_list = NULL) { + token = strtok_r(protocol_list, ",", &saveptr); + if (token == NULL) { + break; + } else if (strcmp(token, "sslv2") == 0) { #ifdef WANT_SSL2 - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2"); - ssl2 = 1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling SSL2", + protocol_marker); + ssl2 = 1; #else - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported"); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "%s: SSL2 is not supported", + protocol_marker); #endif - } - - if (strstr(lprotocols, "sslv3") != NULL) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3"); - ssl3 = 1; - } - - if (strstr(lprotocols, "tlsv1") != NULL) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS"); - tls = 1; + } else if (strcmp(token, "sslv3") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling SSL3", + protocol_marker); + ssl3 = 1; + } else if (strcmp(token, "tlsv1") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.0 via TLSv1", + protocol_marker); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.", + protocol_marker); + tls = 1; + } else if (strcmp(token, "tlsv1.0") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.0", + protocol_marker); + tls = 1; + } else if (strcmp(token, "tlsv1.1") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.1", + protocol_marker); + tls1_1 = 1; + } else if (strcmp(token, "tlsv1.2") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.2", + protocol_marker); + tls1_2 = 1; + } else { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%s: Unknown protocol '%s' not supported", + protocol_marker, token); + } } } free(lprotocols); @@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE); } + /* Set protocol version ranges: + * + * (1) Set the minimum protocol accepted + * (2) Set the maximum protocol accepted + * (3) Protocol ranges extend from maximum down to minimum protocol + * (4) All protocol ranges are completely inclusive; + * no protocol in the middle of a range may be excluded + * (5) NSS automatically negotiates the use of the strongest protocol + * for a connection starting with the maximum specified protocol + * and downgrading as necessary to the minimum specified protocol + * + * For example, if SSL 3.0 is chosen as the minimum protocol, and + * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and + * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and + * cannot be excluded from this range. NSS will automatically negotiate + * to utilize the strongest acceptable protocol for a connection starting + * with the maximum specified protocol and downgrading as necessary to the + * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). + */ if (stat == SECSuccess) { + /* Set minimum protocol version (lowest -> highest) + * + * SSL 3.0 -> TLS 1.0 -> TLS 1.1 + */ if (ssl3 == 1) { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE); + enabledVersions.min = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (minimum)", + protocol_marker); + } else if (tls == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.0] (minimum)", + protocol_marker); + } else if (tls1_1 == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.1] (minimum)", + protocol_marker); + } else if (tls1_2 == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.2] (minimum)", + protocol_marker); } else { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE); + /* Set default minimum protocol version to SSL 3.0 */ + enabledVersions.min = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (default minimum)", + protocol_marker); } - } - if (stat == SECSuccess) { - if (tls == 1) { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE); + + /* Set maximum protocol version (highest -> lowest) + * + * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0 + */ + if (tls1_2 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.2] (maximum)", + protocol_marker); + } else if (tls1_1 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.1] (maximum)", + protocol_marker); + } else if (tls == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.0] (maximum)", + protocol_marker); + } else if (ssl3 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (maximum)", + protocol_marker); } else { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE); + /* Set default maximum protocol version to TLS 1.2 */ + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.2] (default maximum)", + protocol_marker); } + + stat = SSL_VersionRangeSet(mctx->model, &enabledVersions); } if (stat != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL protocol initialization failed."); + "%s: SSL/TLS protocol initialization failed.", + protocol_marker); nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } mctx->ssl2 = ssl2; mctx->ssl3 = ssl3; - mctx->tls = tls; + if (tls1_2 == 1) { + mctx->tls = tls1_2; + } else if (tls1_1 == 1) { + mctx->tls = tls1_1; + } else { + mctx->tls = tls; + } } static void nss_init_ctx_session_cache(server_rec *s, @@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se PRBool cipher_state[ciphernum]; PRBool fips_state[ciphernum]; const char *suite = mctx->auth.cipher_suite; + char * object_type = NULL; + char * cipher_suite_marker = NULL; char * ciphers; char * fipsciphers = NULL; int i; @@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se nss_die(); } + + /* + * Since this routine will be invoked individually for every thread + * associated with each 'server' object as well as for every thread + * associated with each 'proxy' object, identify the cipher suite markers + * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy') + * via each thread's object type and apply this useful information to + * all log messages. + */ + if (mctx == mctx->sc->server) { + object_type = "server"; + cipher_suite_marker = "NSSCipherSuite"; + } else if (mctx == mctx->sc->proxy) { + object_type = "proxy"; + cipher_suite_marker = "NSSProxyCipherSuite"; + } + ciphers = strdup(suite); #define CIPHERSIZE 2048 @@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "FIPS mode enabled, permitted SSL ciphers are: [%s]", - fipsciphers); + "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]", + object_type, fipsciphers); } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "Configuring permitted SSL ciphers [%s]", - suite); + "%s: Configuring permitted SSL ciphers [%s]", + cipher_suite_marker, suite); /* Disable all NSS supported cipher suites. This is to prevent any new * NSS cipher suites from getting automatically and unintentionally @@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se for (i=0; issl2 && countciphers(cipher_state, SSL2) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL2 is enabled but no SSL2 ciphers are enabled."); + "%s: SSL2 is enabled but no SSL2 ciphers are enabled.", + cipher_suite_marker); nss_die(); } if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL3 is enabled but no SSL3 ciphers are enabled."); + "%s: SSL3 is enabled but no SSL3 ciphers are enabled.", + cipher_suite_marker); nss_die(); } if (mctx->tls && countciphers(cipher_state, TLS) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "TLS is enabled but no TLS ciphers are enabled."); + "%s: TLS is enabled but no TLS ciphers are enabled.", + cipher_suite_marker); nss_die(); } Index: mod_nss-1.0.8/nss_engine_vars.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c @@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver case SSL_LIBRARY_VERSION_3_0: result = "SSLv3"; break; - case SSL_LIBRARY_VERSION_3_1_TLS: + case SSL_LIBRARY_VERSION_TLS_1_0: + /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */ result = "TLSv1"; break; + case SSL_LIBRARY_VERSION_TLS_1_1: + result = "TLSv1.1"; + break; } } }