commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-10-31 18:27:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_nss" Changes: --------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-08-25 11:05:02.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-10-31 19:57:44.000000000 +0100
@@ -1,0 +2,9 @@
+Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com
+
+- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
+ that compare CN and VS hostname (use NSS library). Removed
+ following patches:
+ * mod_nss-SNI-checks.patch
+ * mod_nss-SNI-callback.patch
+
+-------------------------------------------------------------------
Old: ---- mod_nss-SNI-callback.patch mod_nss-SNI-checks.patch New: ---- mod_nss-compare_subject_CN_and_VS_hostname.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.kxhGZ0/_old 2014-10-31 19:57:46.000000000 +0100
+++ /var/tmp/diff_new_pack.kxhGZ0/_new 2014-10-31 19:57:46.000000000 +0100
@@ -69,9 +69,10 @@
 Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
 Patch19: mod_nss-cipherlist_update_for_tls12.diff
 Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
-Patch21: mod_nss-SNI-callback.patch
-Patch22: mod_nss-SNI-checks.patch
 Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
+# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
+Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apxs /usr/sbin/apxs2
 %define apache apache2
@@ -109,9 +110,8 @@
 %patch18 -p0 -b .CVE-2013-4566.rpmpatch
 %patch19 -p0 -b .ciphers.rpmpatch
 %patch20 -p0 -b .ciphers.doc.rpmpatch
-%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
-%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
+%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} >= 1300
++++++ mod_nss-compare_subject_CN_and_VS_hostname.patch ++++++
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001 From: standa <stokos@suse.de> Date: Wed, 22 Oct 2014 16:14:29 +0200 Subject: [PATCH] Compare subject CN and VS hostname during server start up
--- nss_engine_init.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/nss_engine_init.c b/nss_engine_init.c index d74f002..2569c8d 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname, *KEAtype = NSS_FindCertKEAType(*servercert); + /* Subject/hostname check */ + secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); + if (secstatus != SECSuccess) { + char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Misconfiguration of certificate's CN and virtual name." + " The certificate CN has %s. We expected %s as virtual" + " name.", cert_dns, s->server_hostname); + PORT_Free(cert_dns); + } + /* - * Check for certs that are expired or not yet valid and WARN about it - * no need to refuse working - the client gets a warning, but can work - * with the server we could also verify if the certificate is made out - * for the correct hostname but that would require a reverse DNS lookup - * for every virtual server - too expensive? + * Check for certs that are expired or not yet valid and WARN about it. + * No need to refuse working - the client gets a warning. */ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); -- 1.9.3 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
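Review bot: In the added `if (secstatus != SECSuccess)` branch, `CERT_GetCommonName()` returns NULL when the subject has no CN (a certificate that identifies the host only through subjectAltName, which is common), and that pointer goes straight into the `%s` of `ap_log_error`; APR's formatter renders a NULL string as `(null)` rather than crashing, but the resulting line then tells the administrator the CN "has (null)". As far as I recall, NSS's `CERT_VerifyCertName()` matches the hostname against subjectAltName dNSName entries whenever that extension is present and consults the CN only as a fallback, so the mismatch can be reported against a CN that does equal `s->server_hostname`; the message should not blame the CN alone. I would pass `cert_dns ? cert_dns : "(no CN)"` as the first `%s` argument and reword the text to something like `"Certificate subject does not match ServerName %s (subject CN: %s); clients will see a hostname mismatch."` with the arguments swapped accordingly. Logging at APLOG_ERR and continuing is consistent with the retained "no need to refuse working" comment, so the control flow itself looks intended. `nss_init_certificate` starts and ends outside this hunk, and `secstatus` is presumably declared in the part not shown.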