forked from pool/apache2-mod_nss
347dafaa45
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=1
181 lines
6.5 KiB
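diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
 SSL_CMD_SRV(Nickname, TAKE1,
 "SSL RSA Server Certificate nickname "
 "(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
 #ifdef NSS_ENABLE_ECC
 SSL_CMD_SRV(ECCNickname, TAKE1,
 "SSL ECC Server Certificate nickname "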
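Review bot: The help string for RequireSafeNegotiation has a typo (`Rengotiation`) and also mis-states the directive's scope: it reads as if the option only matters when renegotiation is allowed, but the nss_engine_init.c hunk sets SSL_REQUIRE_SAFE_NEGOTIATION independently of enablerenegotiation, and the nss.conf.in comment says the peer must signal RI or SCSV in all handshakes. Suggest `"Require the RFC 5746 renegotiation_info extension or SCSV in every handshake (default off) "` so the directive help and the shipped config agree. The command table this hunk extends starts before the hunk.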
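diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
 int tls;
 int tlsrollback;
 int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
 const char *nickname;
 #ifdef NSS_ENABLE_ECC
 const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
 const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
 #endif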
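diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
 mctx->tls = PR_FALSE;
 mctx->tlsrollback = PR_FALSE;
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
 mctx->enforce = PR_TRUE;
 mctx->nickname = NULL;
 #ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
 cfgMerge(eccnickname, NULL);
 #endif
 cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
 }
 
 static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
 return NULL;
 }
 
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
 #ifdef NSS_ENABLE_ECC
 const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
 void *dcfg,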
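Review bot: The two new directive handlers in the third hunk carry no comment saying what the flags control, and the `flag ? PR_TRUE : PR_FALSE` normalisation is there because the fields are initialised with PR_FALSE and handed straight to SSL_OptionSet in nss_engine_init.c, which is worth stating so a later edit does not drop it. Suggest `/* NSSRenegotiation on|off: permit renegotiation, but only with the RFC 5746 renegotiation_info extension; see nss_init_ctx_socket */` above nss_cmd_NSSRenegotiation and `/* NSSRequireSafeNegotiation on|off: require RI or SCSV from the peer in every handshake, not only on renegotiation */` above nss_cmd_NSSRequireSafeNegotiation. The first two hunks only add default-off initialisation and merge entries, consistent with the surrounding fields.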
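diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
 nss_die();
 }
 }
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
 }
 
 static void nss_init_ctx_protocol(server_rec *s,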
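Review bot: The option mapping is the security-relevant core of the patch but has no comment: with NSSRenegotiation on, the model socket gets SSL_RENEGOTIATE_REQUIRES_XTN, so renegotiation is only ever accepted from peers that carry the RFC 5746 renegotiation_info extension, and with it off SSL_RENEGOTIATE_NEVER; legacy renegotiation is never enabled in either case. Suggest stating that above the first SSL_OptionSet call, e.g. `/* Never allow pre-RFC 5746 renegotiation: "on" means extension-bearing peers only */`, so a later edit does not relax it to a less restrictive mode. SSL_REQUIRE_SAFE_NEGOTIATION is applied regardless of enablerenegotiation, which is intended because it governs initial handshakes too, and deserves a one-line comment of its own. The descriptive failure message is logged at APLOG_DEBUG while the call then aborts via nss_die(), so a normal error log shows only the NSS error from nss_log_nss_error; if the preceding SSL_OptionSet calls do the same this is consistent, otherwise APLOG_ERR would be clearer. nss_init_ctx_socket starts before this hunk.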
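diff -up ./nss.conf.in.norego ./nss.conf.in
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
@@ -64,6 +64,17 @@
 #NSSRandomSeed startup file:/dev/random 512
 #NSSRandomSeed startup file:/dev/urandom 512
 
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes. Default: off
+NSSRequireSafeNegotiation off
+
 ##
 ## SSL Virtual Host Context
 ##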
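diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
 #define LIBSEC_ERROR_BASE (-8192)
 #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
 #define LIBSSL_ERROR_BASE (-12288)
-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
 
 typedef struct l_error_t {
 int errorNumber;
@@ -296,7 +296,19 @@
 { 99, "Server requires ciphers more secure than those supported by client" },
 { 100, "Peer reports it experienced an internal error" },
 { 101, "Peer user canceled handshake" },
- { 102, "Peer does not permit renegotiation of SSL security parameters" }
+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
+ { 103, "Server cache not configured" },
+ { 104, "Unsupported extension" },
+ { 105, "Certificate unobtainable" },
+ { 106, "Unrecognized name" },
+ { 107, "Bad certificate status" },
+ { 108, "Bad certificate hash value" },
+ { 109, "Unexpected new session ticket" },
+ { 110, "Malformed new session ticket" },
+ { 111, "Decompression failure" },
+ { 112, "Renegotiation not allowed" },
+ { 113, "Safe negotiation required but not provided by client" },
+ { 114, "Unexpected uncompressed record" },
 };
 
 void nss_die(void)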
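Review bot: LIBSSL_MAX_ERROR and the last row of the libssl error table are bumped in lockstep by hand, and nothing in either hunk ties them together, so a later NSS update that adds rows without touching the define (or the reverse) would leave new errors unmapped or, depending on how the lookup outside this hunk uses the bound, read past the table. Suggest a comment on the define, `/* must equal the highest libssl entry in the error table below (currently 114) */`, and, if the table is a plain array, a sizeof-based check in the lookup rather than trusting the define. The table's opening and the lookup that consumes it are outside the hunk.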