commit apache2-mod_nss.3121 for openSUSE:13.1:Update

Hello community, here is the log from the commit of package apache2-mod_nss.3121 for openSUSE:13.1:Update checked in at 2014-11-07 09:16:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/apache2-mod_nss.3121 (Old) and /work/SRC/openSUSE:13.1:Update/.apache2-mod_nss.3121.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_nss.3121" Changes: -------- New Changes file: --- /dev/null 2014-10-24 22:03:51.036034256 +0200 +++ /work/SRC/openSUSE:13.1:Update/.apache2-mod_nss.3121.new/apache2-mod_nss.changes 2014-11-07 09:16:35.000000000 +0100 @@ -0,0 +1,143 @@ +------------------------------------------------------------------- +Wed Oct 29 14:32:03 UTC 2014 - kstreitova@suse.com + +- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch + that compare CN and VS hostname (use NSS library). Removed + following patches: + * mod_nss-SNI-checks.patch + * mod_nss-SNI-callback.patch + +------------------------------------------------------------------- +Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de + +- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and + open("/dev/tty", ...) to make sure that stdin can be read from. + startproc may inherit wrongly opened file descriptors to httpd. + (Note: An analogous fix exists in startproc(8), too.) + [bnc#863518] +- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now + externalized to /etc/apache2/conf.d/vhost-nss.template and not + activated/read by default. [bnc#878681] +- NSSCipherSuite update following additional ciphers of Feb 18 + change. [bnc#878681] + +------------------------------------------------------------------- +Fri Jun 27 16:13:01 CEST 2014 - draht@suse.de + +- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: + server side SNI was not implemented when mod_nss was made; + patches implement SNI with checks if SNI provided hostname + equals Host: field in http request header. + +------------------------------------------------------------------- +Tue Feb 18 16:31:45 CET 2014 - draht@suse.de + +- mod_nss-cipherlist_update_for_tls12-doc.diff + mod_nss-cipherlist_update_for_tls12.diff + GCM mode and Camellia ciphers added to the supported ciphers list. + The additional ciphers are: + rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 + rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + [bnc#863035] + +------------------------------------------------------------------- +Fri Nov 29 16:30:07 CET 2013 - draht@suse.de + +- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: + If 'NSSVerifyClient none' is set in the server / vhost context + (i.e. when server is configured to not request or require client + certificate authentication on the initial connection), and client + certificate authentication is expected to be required for a + specific directory via 'NSSVerifyClient require' setting, + mod_nss fails to properly require certificate authentication. + Remote attacker can use this to access content of the restricted + directories. [bnc#853039] + +------------------------------------------------------------------- +Fri Nov 8 20:46:07 CET 2013 - draht@suse.de + +- glue documentation added to /etc/apache2/conf.d/mod_nss.conf: + * simultaneaous usage of mod_ssl and mod_nss + * SNI concurrency + * SUSE framework for apache configuration, Listen directive + * module initialization +- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in + or mod_nss.conf, respectively. This also leads to the removal of + nss.conf.in specific chunks in mod_nss-negotiate.patch and + mod_nss-tlsv1_1.patch . +- mod_nss_migrate.pl conversion script added; not patched from + source, but partially rewritten. +- README-SUSE.txt added with step-by-step instructions on how to + convert and manage certificates and keys, as well as a rationale + about why mod_nss was included in SLES. +- package ready for submission [bnc#847216] + +------------------------------------------------------------------- +Tue Nov 5 15:45:08 CET 2013 - draht@suse.de + +- generic cleanup of the package: +- explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support + came with this version - this is the objective behind this + version update of apache2-mod_nss. Tracker bug [bnc#847216] +- change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid + ambiguously interpreted name of directory. +- merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if + /etc/apache2/alias exists. +- set explicit filemodes 640 for %post generated *.db files in + /etc/apache2/mod_nss.d + +------------------------------------------------------------------- +Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com + +- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. +- mod_nss-clientauth.patch: merged from RHEL6 pkg +- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg +- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg +- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg +- make it build on both Apache2 2.4 and 2.2 systems + +------------------------------------------------------------------- +Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com + +- Add support for TLS v1.1 and TLS v1.2 + (TLS v1.2 requires mozilla nss 3.15.1 or newer.) + - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch + from redhat to allow tls v1.1 too. + - ported the tls v1.1 patch to be tls v1.2 aware + - added mod_nss-proxyvariables.patch (from RHEL6 package) + - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2) +- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun + +------------------------------------------------------------------- +Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de + +- Changed source to original tar.gz + +------------------------------------------------------------------- +Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de + +- Added mod_nns-httpd24.patch to support build with apache 2.4 + +------------------------------------------------------------------- +Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de + +- Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE + dir layout [bnc#799483] +- Cleaned up license tag + +------------------------------------------------------------------- +Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org + +- import some patches from Fedora +- removed autoreconf call + +------------------------------------------------------------------- +Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org + +- Fix mod_nss-conf.patch to work on SUSE +- Rename package from mod_nss to apache2-mod_nss New: ---- README-SUSE.txt apache2-mod_nss.changes apache2-mod_nss.spec listen_nss.conf mod_nss-1.0.8.tar.gz mod_nss-CVE-2013-4566-NSSVerifyClient.diff mod_nss-PK11_ListCerts_2.patch mod_nss-array_overrun.patch mod_nss-bnc863518-reopen_dev_tty.diff mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff mod_nss-clientauth.patch mod_nss-compare_subject_CN_and_VS_hostname.patch mod_nss-gencert.patch mod_nss-httpd24.patch mod_nss-lockpcache.patch mod_nss-negotiate.patch mod_nss-no_shutdown_if_not_init_2.patch mod_nss-overlapping_memcpy.patch mod_nss-pcachesignal.h mod_nss-proxyvariables.patch mod_nss-reseterror.patch mod_nss-reverseproxy.patch mod_nss-sslmultiproxy.patch mod_nss-tlsv1_1.patch mod_nss-wouldblock.patch mod_nss.conf.in mod_nss_migrate.pl vhost-nss.template ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++ # # spec file for package apache2-mod_nss # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: apache2-mod_nss Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers Version: 1.0.8 Release: 0.4.8 Url: http://directory.fedoraproject.org/wiki/Mod_nss Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz Source1: mod_nss.conf.in Source2: listen_nss.conf Source3: mod_nss_migrate.pl Source4: README-SUSE.txt Source5: vhost-nss.template Provides: mod_nss Requires: apache2 >= 2.2.12 Requires: findutils Requires: mozilla-nss >= 3.15.1 PreReq: mozilla-nss-tools BuildRequires: apache2-devel >= 2.2.12 BuildRequires: bison BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig # [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout # Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch. #Patch1: mod_nss-conf.patch Patch2: mod_nss-gencert.patch Patch3: mod_nss-wouldblock.patch Patch4: mod_nss-negotiate.patch Patch5: mod_nss-reverseproxy.patch Patch6: mod_nss-pcachesignal.h Patch7: mod_nss-reseterror.patch Patch8: mod_nss-lockpcache.patch # Fix build with apache 2.4 Patch9: mod_nss-httpd24.patch Patch10: mod_nss-proxyvariables.patch Patch11: mod_nss-tlsv1_1.patch Patch12: mod_nss-array_overrun.patch Patch13: mod_nss-clientauth.patch Patch14: mod_nss-no_shutdown_if_not_init_2.patch Patch15: mod_nss-PK11_ListCerts_2.patch Patch16: mod_nss-sslmultiproxy.patch Patch17: mod_nss-overlapping_memcpy.patch Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff Patch19: mod_nss-cipherlist_update_for_tls12.diff Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff Patch23: mod_nss-bnc863518-reopen_dev_tty.diff # PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) %define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_includedir %(%{apxs} -q INCLUDEDIR) %define apache_serverroot %(%{apxs} -q PREFIX) %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d %description The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. %prep %setup -q -n mod_nss-%{version} ##%patch1 -p1 -b .conf.rpmpatch %patch2 -p1 -b .gencert.rpmpatch %patch3 -p1 -b .wouldblock.rpmpatch %patch4 -p1 -b .negotiate.rpmpatch %patch5 -p1 -b .reverseproxy.rpmpatch %patch6 -p1 -b .pcachesignal.h.rpmpatch %patch7 -p1 -b .reseterror.rpmpatch %patch8 -p1 -b .lockpcache.rpmpatch %patch10 -p1 -b .proxyvariables.rpmpatch %patch11 -p1 -b .tlsv1_1.rpmpatch %patch12 -p1 -b .array_overrun.rpmpatch %patch13 -p1 -b .clientauth.rpmpatch %patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch %patch15 -p1 -b .PK11_ListCerts_2.rpmpatch %patch16 -p1 -b .sslmultiproxy.rpmpatch %patch17 -p1 -b .overlapping_memcpy.rpmpatch %patch18 -p0 -b .CVE-2013-4566.rpmpatch %patch19 -p0 -b .ciphers.rpmpatch %patch20 -p0 -b .ciphers.doc.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 %patch9 -p1 -b .http24 %endif # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build CFLAGS="$RPM_OPT_FLAGS" export CFLAGS NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` # For some reason mod_nss can't find nss on SUSE unless we do the following C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/" export C_INCLUDE_PATH # no more patching a config file... cp -a %{SOURCE1} ./nss.conf.in cp -a %{SOURCE4} . chmod 644 ./nss.conf.in #autoreconf -fvi %configure \ --with-nss-lib=$NSS_LIB_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \ --with-nspr-lib=$NSPR_LIB_DIR \ --with-nspr-inc=$NSPR_INCLUDE_DIR \ --with-apxs=%{apxs} \ --enable-ecc \ --with-apr-config make %{?_smp_mflags} all %install # The install target of the Makefile isn't used because that uses apxs # which tries to enable the module in the build host httpd instead of in # the build root. mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir} %if 0%{?suse_version} perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf %endif install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/ #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert %clean rm -rf $RPM_BUILD_ROOT %post umask 077 if [ "$1" -eq 1 ] ; then # this is first time installation. if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1 echo "" echo "%{name} certificate database generated." echo "" fi # Make sure that the database ownership is setup properly. find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \; find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \; fi if [ "$1" -eq 2 ]; then # this is the upgrade case for this %post: if [ -d %{apache_sysconfdir}/alias ]; then copied_files="" for dbfile in *.db; do if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile" copied_files="$copied_files $dbfile" fi done if [ "$copied_files" != "" ]; then { echo "This notice was written by the post-install script of the package" echo "%{name}." echo "" echo "The files $copied_files" echo "have been copied to the directory %{apache_sysconf_nssdir}," echo "as this directory is not referenced by the default configuration any longer," echo "and because these files did not exist in %{apache_sysconf_nssdir}." echo "Existing files have not been modified." echo "" echo "Please check your configuration and remove or move your certificate and" echo "key storage to your desired place, and adjust your module configuration" echo "accordingly." echo "" echo "Thank you." } > %{apache_sysconfdir}/alias/README-dbfiles.txt fi fi fi %files %defattr(-,root,root,-) %doc README LICENSE docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template %config(noreplace) %{apache_sysconfdir}/listen_nss.conf %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so %dir %{apache_sysconf_nssdir}/ %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log #%%{apache_sysconf_nssdir}/libnssckbi.so %{_sbindir}/nss_pcache %{_sbindir}/gencert %{_sbindir}/mod_nss_migrate.pl %changelog ++++++ README-SUSE.txt ++++++ Fri Nov 8 00:00:00 CET 2013 - draht README-SUSE.txt for apache2-mod_nss ============================================================================== Rationale: The apache2-mod_nss package was added to the SLES11 codebase to satisfy the increased demand for a TLSv1.2 capable crypto solution for the apache webserver, as an enhancement in parallel to the mod_ssl package that comes with the apache2 package set. SSL/TLS support in the apache2 package is normally provided by mod_ssl, the apache module that provides SSL/TLS using the openssl crypto suite. The specific version in SLES11-SP2 and newer is "0.9.8j", which support TLS of version 1.0 only. TLSv1.2 can only be provided by versions that are not compatible with the large variety of packages contained in SLES. The alternative is to make use of the crypto routines provided by mozilla-nss. The configuration of mod_nss is similar to that of mod_ssl, but some the individual options expect different values; as a consequence, a simple conversion of option names does not work as desired. ------------------------------------------------------------------------------ Converting SSL/TLS certificates: Because mod_nss uses a database format for the server and CA certificates and the private key, existing mod_ssl-based certificates need to be converted to be used by mod_nss. The SUSE package apache2-mod_nss contains the perl script /usr/sbin/mod_nss_migrate.pl that can do that work for you. It may lead to satisfactory results, but in case it doesn't, here is what it does when it converts mod_ssl to mod_nss key/certificate storage: # we make a backup. Good practice... old /etc/apache2/mod_nss.d # initialize the database; this creates a NEW database! certutil -N -d /etc/apache2/mod_nss.d # convert the existing openssl key and the certificate to pkcs#12 format, uses temporary password "foo": openssl pkcs12 -export -in your_certificate_file.crt -inkey your_keyfile.key -out server.p12 -name \"Server-Cert\" -passout pass:foo # import the pkcs#12 file into the freshly created NSS database, again temporary password "foo": pk12util -i server.p12 -d /etc/apache2/mod_nss.d -W foo # the last step: -n specifies a name that the certificate can be referred to # in an easy way from within apache config files; you may use a name of your # choice, provided you use the same string to reference it in mod_nss. # Often, the subject of a certificate is used for this. # set SUBJECT=your_subject from the output of "openssl x509 -subject -in your_certificate_file.crt" # certutil -A -n $SUBJECT -t \"CT,,\" -d /etc/apache2/mod_nss.d -i your_ca_certificate.pem You are basically done now. Use the command certutil -d /etc/apache2/mod_nss.d -L to list the certificates contained in the NSS database. More options of the certutil utility are shown with certutil -h # short help certutil --help # longer help ------------------------------------------------------------------------------ TLS versions: This package has a direct dependency on mozilla-nss of version 3.15.1 or higher, as TLSv1.2 support first came with this version. The specification of TLS versions is done with the NSSProtocol directive in apache. Contrary to the SSLProtocol option from mod_ssl, the NSSProtocol directive specifies a range of versions, not a list. The default configuration file that comes with the apache2-mod_nss package is /etc/apache2/conf.d/mod_nss.conf and reads as follows: NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 Please note that SSLv2 support is not provided by mod_nss. If you require the deprecated SSLv2 protocol, you may need to revert to mod_ssl. Please read through the comments on top of the file /etc/apache2/conf.d/mod_nss.conf for more information about usage and configuration of mod_nss. Thank you, Roman Drahtmueller ++++++ listen_nss.conf ++++++ # This is /etc/apache2/listen-nss.conf # # This file is read from /etc/apache2/conf.d/mod_nss.conf , # the starting point for all configuration of mod_nss. # # Please have a look at the top section of the file # /etc/apache2/conf.d/mod_nss.conf for information and # instructions about how to enable mod_nss. # # # There are two conditions that have to be met for the Listen directive # below to become active: # a) The server define "SSL" is present; this means that the apache process # is launched with the commandline arguments "-D SSL". # b) The nss apache module is loaded, which happens automatically if you add # the name of the module ("nss") to the variable APACHE_MODULES in # /etc/sysconfig/apache2 # # An equivalent section for mod_ssl (openssl based support for SSL/TLS) # is contained in the file /etc/apache2/listen.conf, with the dependency to # the module "ssl" loaded ("<IfModule mod_ssl.c>"). # # The difference between this file and listen.conf is that listen.conf is # read (included) from apache's main configuration file /etc/apache2/httpd.conf, # while _this_ file is included from /etc/apache2/conf.d/mod_nss.conf . <IfDefine SSL> # mod_ssl may be active and has triggered the Listen directive for 443. # In this case we refrain from doing a second Listen, as the # correspondance between the bound port and the VirtualHost does # not happen here anyway. <IfModule mod_nss.c> Listen 443 </IfModule> </IfModule> </IfDefine> </IfDefine> ++++++ mod_nss-CVE-2013-4566-NSSVerifyClient.diff ++++++ This is CVE-2013-4566: The flaw is in the NSSVerifyClient (which is equivalent to mod_ssl's SSLVerifyClient) setting enforcement. If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. Reported by Thomas Hoger . diff -rNU 150 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c --- ../mod_nss-1.0.8-o/nss_engine_kernel.c 2013-11-29 16:09:37.000000000 +0100 +++ ./nss_engine_kernel.c 2013-11-29 16:12:20.000000000 +0100 @@ -133,301 +133,301 @@ /* * Check to see if SSL protocol is enabled. If it's not then * no further access control checks are relevant. The test for * sc->enabled is probably strictly unnecessary */ if (!((sc->enabled == TRUE) || !ssl)) { return DECLINED; } /* * Support for per-directory reconfigured SSL connection parameters. * * This is implemented by forcing an SSL renegotiation with the * reconfigured parameter suite. But Apache's internal API processing * makes our life very hard here, because when internal sub-requests occur * we nevertheless should avoid multiple unnecessary SSL handshakes (they * require extra network I/O and especially time to perform). * * But the optimization for filtering out the unnecessary handshakes isn't * obvious and trivial. Especially because while Apache is in its * sub-request processing the client could force additional handshakes, * too. And these take place perhaps without our notice. So the only * possibility is to explicitly _ask_ OpenSSL whether the renegotiation * has to be performed or not. It has to performed when some parameters * which were previously known (by us) are not those we've now * reconfigured (as known by OpenSSL) or (in optimized way) at least when * the reconfigured parameter suite is stronger (more restrictions) than * the currently active one. */ /* * Override of NSSCipherSuite * * We provide two options here: * * o The paranoid and default approach where we force a renegotiation when * the cipher suite changed in _any_ way (which is straight-forward but * often forces renegotiations too often and is perhaps not what the * user actually wanted). * * o The optimized and still secure way where we force a renegotiation * only if the currently active cipher is no longer contained in the * reconfigured/new cipher suite. Any other changes are not important * because it's the servers choice to select a cipher from the ones the * client supports. So as long as the current cipher is still in the new * cipher suite we're happy. Because we can assume we would have * selected it again even when other (better) ciphers exists now in the * new cipher suite. This approach is fine because the user explicitly * has to enable this via ``NSSOptions +OptRenegotiate''. So we do no * implicit optimizations. */ if (dc->szCipherSuite) { /* remember old state */ for (i=0; i < ciphernum; i++) { SSL_CipherPrefGet(ssl, ciphers_def[i].num, &ciphers_old[i]); } if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { int on, keySize, secretKeySize; char *issuer, *subject; SSL_SecurityStatus(ssl, &on, &cipher, &keySize, &secretKeySize, &issuer, &subject); } /* configure new state */ ciphers = strdup(dc->szCipherSuite); if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "Unable to reconfigure (per-directory) " "permitted SSL ciphers"); nss_log_nss_error(APLOG_MARK, APLOG_ERR, r->server); free(ciphers); return HTTP_FORBIDDEN; } free(ciphers); /* Actually enable the selected ciphers. Also check to see if the existing cipher is in the new list for a possible optimization later. */ for (i=0; inOptions & SSL_OPT_OPTRENEGOTIATE) { if (cipher_in_list != PR_TRUE) renegotiate = TRUE; } else { /* paranoid way */ for (i=0; iserver, "Reconfigured cipher suite will force renegotiation"); } } /* * override of SSLVerifyClient * * We force a renegotiation if the reconfigured/new verify type is * stronger than the currently active verify type. * * The order is: none << optional_no_ca << optional << require * * Additionally the following optimization is possible here: When the * currently active verify type is "none" but a client certificate is * already known/present, it's enough to manually force a client * verification but at least skip the I/O-intensive renegotation * handshake. */ if (dc->nVerifyClient != SSL_CVERIFY_UNSET) { PRInt32 on; /* remember old state */ SSL_OptionGet(ssl, SSL_REQUIRE_CERTIFICATE, &on); if (on == PR_TRUE) { verify_old = SSL_CVERIFY_REQUIRE; } else { SSL_OptionGet(ssl, SSL_REQUEST_CERTIFICATE, &on); if (on == PR_TRUE) verify_old = SSL_CVERIFY_OPTIONAL; else verify_old = SSL_CVERIFY_NONE; } /* configure new state */ verify = dc->nVerifyClient; if (verify == SSL_CVERIFY_REQUIRE) { SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE); - SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR); + SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS); } else if (verify == SSL_CVERIFY_OPTIONAL) { SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE); SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); } else { SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_FALSE); SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER); } /* determine whether we've to force a renegotiation */ if (!renegotiate && verify != verify_old) { if (((verify_old == SSL_CVERIFY_NONE) && (verify != SSL_CVERIFY_NONE)) || (!(verify_old & SSL_CVERIFY_OPTIONAL) && (verify & SSL_CVERIFY_OPTIONAL)) || (!(verify_old & SSL_CVERIFY_REQUIRE) && (verify & SSL_CVERIFY_REQUIRE))) { renegotiate = TRUE; /* optimization */ if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && (verify_old == SSL_CVERIFY_NONE) && ((peercert = SSL_PeerCertificate(ssl)) != NULL)) { renegotiate_quick = TRUE; CERT_DestroyCertificate(peercert); } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Changed client verification type will force " "%srenegotiation", renegotiate_quick ? "quick " : ""); } } } /* If a renegotiation is now required for this location, and the * request includes a message body (and the client has not * requested a "100 Continue" response), then the client will be * streaming the request body over the wire already. In that * case, it is not possible to stop and perform a new SSL * handshake immediately; once the SSL library moves to the * "accept" state, it will reject the SSL packets which the client * is sending for the request body. * * To allow authentication to complete in this auth hook, the * solution used here is to fill a (bounded) buffer with the * request body, and then to reinject that request body later. */ if (renegotiate && !renegotiate_quick && (apr_table_get(r->headers_in, "transfer-encoding") || (apr_table_get(r->headers_in, "content-length") && strcmp(apr_table_get(r->headers_in, "content-length"), "0"))) && !r->expecting_100) { int rv; /* Fill the I/O buffer with the request body if possible. */ rv = nss_io_buffer_fill(r); if (rv) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "could not buffer message body to allow " "SSL renegotiation to proceed"); return rv; } } /* * now do the renegotiation if anything was actually reconfigured */ if (renegotiate) { /* * Now we force the SSL renegotation by sending the Hello Request * message to the client. Here we have to do a workaround: Actually * OpenSSL returns immediately after sending the Hello Request (the * intent AFAIK is because the SSL/TLS protocol says it's not a must * that the client replies to a Hello Request). But because we insist * on a reply (anything else is an error for us) we have to go to the * ACCEPT state manually. Using SSL_set_accept_state() doesn't work * here because it resets too much of the connection. So we set the * state explicitly and continue the handshake manually. */ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Requesting connection re-negotiation"); if (renegotiate_quick) { SECStatus rv; CERTCertificate *peerCert; void *pinArg; /* perform just a manual re-verification of the peer */ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Performing quick renegotiation: " "just re-verifying the peer"); peerCert = SSL_PeerCertificate(sslconn->ssl); pinArg = SSL_RevealPinArg(sslconn->ssl); rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, PR_TRUE, certUsageSSLClient, pinArg); CERT_DestroyCertificate(peerCert); if (rv != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "Re-negotiation handshake failed: " "Client verification failed"); return HTTP_FORBIDDEN; } /* The cert is ok, fall through to the check SSLRequires */ } else { int handshake_done = 0; int result = 0; /* do a full renegotiation */ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Performing full renegotiation: " "complete handshake protocol"); /* Do NOT call SSL_ResetHandshake as this will tear down the * existing connection. */ if (SSL_HandshakeCallback(ssl, HandshakeDone, (void *)&handshake_done) || SSL_ReHandshake(ssl, PR_TRUE)) { int errCode = PR_GetError(); if (errCode == SEC_ERROR_INVALID_ARGS) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Re-negotation request failed: " "trying to do client authentication on a non-SSL3 connection"); } else { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Re-negotation request failed: " "returned error %d", errCode); } r->connection->aborted = 1; return HTTP_FORBIDDEN; } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Awaiting re-negotiation handshake"); ++++++ mod_nss-PK11_ListCerts_2.patch ++++++ diff -pu mod_nss.h mod_nss.h.PK11_ListCerts --- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800 +++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800 @@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd /* module initialization */ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); void nss_init_Child(apr_pool_t *, server_rec *); -void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); +void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); apr_status_t nss_init_ModuleKill(void *data); apr_status_t nss_init_ChildKill(void *data); int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts --- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800 +++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800 @@ -26,7 +26,7 @@ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); -static CERTCertificate* FindServerCertFromNickname(const char* name); +static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); /* @@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, "Init: Initializing (virtual) servers for SSL"); + CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); /* @@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p /* * Read the server certificate and key */ - nss_init_ConfigureServer(s, p, ptemp, sc); + nss_init_ConfigureServer(s, p, ptemp, sc, clist); + } + + if (clist) { + CERT_DestroyCertList(clist); } } @@ -880,7 +886,8 @@ static void nss_init_certificate(server_ SECKEYPrivateKey **serverkey, SSLKEAType *KEAtype, PRFileDesc *model, - int enforce) + int enforce, + const CERTCertList* clist) { SECCertTimeValidity certtimestatus; SECStatus secstatus; @@ -894,17 +901,15 @@ static void nss_init_certificate(server_ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Using nickname %s.", nickname); - *servercert = FindServerCertFromNickname(nickname); + *servercert = FindServerCertFromNickname(nickname, clist); /* Verify the certificate chain. */ if (*servercert != NULL) { SECCertificateUsage usage = certificateUsageSSLServer; - if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Certificate not verified: '%s'", nickname); + if (enforce) { + if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - if (enforce) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); nss_die(); @@ -994,7 +999,8 @@ static void nss_init_certificate(server_ static void nss_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - modnss_ctx_t *mctx) + modnss_ctx_t *mctx, + const CERTCertList* clist) { SECStatus secstatus; @@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server nss_init_certificate(s, mctx->nickname, &mctx->servercert, &mctx->serverkey, &mctx->serverKEAType, - mctx->model, mctx->enforce); + mctx->model, mctx->enforce, clist); #ifdef NSS_ENABLE_ECC nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, &mctx->eccserverkey, &mctx->eccserverKEAType, - mctx->model, mctx->enforce); + mctx->model, mctx->enforce, clist); #endif } @@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server static void nss_init_proxy_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { nss_init_ctx(s, p, ptemp, sc->proxy); - nss_init_server_certs(s, p, ptemp, sc->proxy); + nss_init_server_certs(s, p, ptemp, sc->proxy, clist); } static void nss_init_server_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { nss_init_server_check(s, p, ptemp, sc->server); nss_init_ctx(s, p, ptemp, sc->server); - nss_init_server_certs(s, p, ptemp, sc->server); + nss_init_server_certs(s, p, ptemp, sc->server, clist); } /* @@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r void nss_init_ConfigureServer(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { if (sc->enabled == TRUE) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Configuring server for SSL protocol"); - nss_init_server_ctx(s, p, ptemp, sc); + nss_init_server_ctx(s, p, ptemp, sc, clist); } if (sc->proxy_enabled == TRUE) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Enabling proxy."); - nss_init_proxy_ctx(s, p, ptemp, sc); + nss_init_proxy_ctx(s, p, ptemp, sc, clist); } } @@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve nss_init_SSLLibrary(base_server); /* Configure all virtual servers */ + CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); if (sc->server->servercert == NULL && NSS_IsInitialized()) - nss_init_ConfigureServer(s, p, mc->ptemp, sc); + nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); + } + if (clist) { + CERT_DestroyCertList(clist); } /* @@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER * newest, valid server certificate. */ static CERTCertificate* -FindServerCertFromNickname(const char* name) +FindServerCertFromNickname(const char* name, const CERTCertList* clist) { - CERTCertList* clist; CERTCertificate* bestcert = NULL; CERTCertListNode *cln; @@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n if (name == NULL) return NULL; - clist = PK11_ListCerts(PK11CertListUser, NULL); - for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist); cln = CERT_LIST_NEXT(cln)) { CERTCertificate* cert = cln->cert; @@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n if (bestcert) { bestcert = CERT_DupCertificate(bestcert); } - if (clist) { - CERT_DestroyCertList(clist); - } return bestcert; } ++++++ mod_nss-array_overrun.patch ++++++ mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array "child_argv", with 5 elements, at position 5 with index variable "5". https://bugzilla.redhat.com/show_bug.cgi?id=714154 diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400 +++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400 @@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p /* Do we need to fire up our password helper? */ if (mc->nInitCount == 1) { - const char * child_argv[5]; + const char * child_argv[6]; apr_status_t rv; struct sembuf sb; char sembuf[32]; ++++++ mod_nss-bnc863518-reopen_dev_tty.diff ++++++ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c --- ../mod_nss-1.0.8-o/nss_engine_pphrase.c 2014-07-24 12:23:30.000000000 +0200 +++ ./nss_engine_pphrase.c 2014-07-24 13:54:23.000000000 +0200 @@ -181,199 +181,218 @@ * that may be done. */ static PRBool nss_check_password(unsigned char *cp) { int len; unsigned char *end, ch; len = strlen((char *)cp); if (len < 8) { return PR_TRUE; } end = cp + len; while (cp < end) { ch = *cp++; if (!((ch >= 'A') && (ch <= 'Z')) && !((ch >= 'a') && (ch <= 'z'))) { /* pass phrase has at least one non alphabetic in it */ return PR_TRUE; } } return PR_TRUE; } /* * Password callback so the user is not prompted to enter the password * after the server starts. */ static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg) { return NULL; } /* * Password callback to prompt the user for a password. This requires * twiddling with the tty. Alternatively, if the file password.conf * exists then it may be used to store the token password(s). */ static char *nss_get_password(FILE *input, FILE *output, PK11SlotInfo *slot, PRBool (*ok)(unsigned char *), pphrase_arg_t *parg) { char *pwdstr = NULL; char *token_name = NULL; int tmp; FILE *pwd_fileptr; char *ptr; char line[1024]; unsigned char phrase[200]; int infd = fileno(input); + int tmpfd; int isTTY = isatty(infd); token_name = PK11_GetTokenName(slot); if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE || parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) { /* Try to get the passwords from the password file if it exists. * THIS IS UNSAFE and is provided for convenience only. Without this * capability the server would have to be started in foreground mode. */ if ((*parg->mc->pphrase_dialog_path != '\0') && ((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != NULL)) { while(fgets(line, 1024, pwd_fileptr)) { if (PL_strstr(line, token_name) == line) { tmp = PL_strlen(line) - 1; while((line[tmp] == ' ') || (line[tmp] == '\n')) tmp--; line[tmp+1] = '\0'; ptr = PL_strchr(line, ':'); if (ptr == NULL) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Malformed password entry for token %s. Format should be token:password", token_name); continue; } for(tmp=1; ptr[tmp] == ' '; tmp++) {} pwdstr = strdup(&(ptr[tmp])); } } fclose(pwd_fileptr); } else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to open password file %s", parg->mc->pphrase_dialog_path); nss_die(); } } /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found * in the password file. */ if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) && (pwdstr == NULL)) { return NULL; } /* This purposely comes after the file check because that is more * authoritative. */ if (parg->mc->nInitCount > 1) { char buf[1024]; apr_status_t rv; apr_size_t nBytes = 1024; struct sembuf sb; /* lock the pipe */ sb.sem_num = 0; sb.sem_op = -1; sb.sem_flg = SEM_UNDO; if (semop(parg->mc->semid, &sb, 1) == -1) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to reserve semaphore resource"); } snprintf(buf, 1024, "RETR\t%s", token_name); rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); if (rv != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to write to pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); nss_die(); } /* The helper just returns a token pw or "", so we don't have much * to check for. */ memset(buf, 0, sizeof(buf)); rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); sb.sem_op = 1; if (semop(parg->mc->semid, &sb, 1) == -1) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to free semaphore resource"); /* perror("semop free resource id"); */ } if (rv != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); nss_die(); } /* Just return what we got. If we got this far and we don't have a * PIN then I/O is already shut down, so we can't do anything really * clever. */ pwdstr = strdup(buf); } /* If we got a password we're done */ if (pwdstr) return pwdstr; - + + /* It happens that stdin is not opened with O_RDONLY. Better make sure + * it is and re-open /dev/tty. + */ + close(infd); /* is 0 normally. open(2) will return first available. */ + tmpfd = open("/dev/tty", O_RDONLY); + if( tmpfd == -1) { + fprintf(output, "Cannot open /dev/tty for reading the passphrase.\n"); + nss_die(); + } + if(tmpfd != infd) { + if( dup2(tmpfd, infd) != infd) { + fprintf(output, "Problem duplicating /dev/tty file descriptor.\n"); + close(tmpfd); + nss_die(); + } + close(tmpfd); + } + for (;;) { /* Prompt for password */ if (isTTY) { if (parg->retryCount > 0) { fprintf(output, "Password incorrect. Please try again.\n"); } fprintf(output, "%s", prompt); echoOff(infd); } fgets((char*) phrase, sizeof(phrase), input); if (isTTY) { fprintf(output, "\n"); echoOn(infd); } /* stomp on newline */ phrase[strlen((char*)phrase)-1] = 0; /* Validate password */ if (!(*ok)(phrase)) { /* Not weird enough */ if (!isTTY) return 0; fprintf(output, "Password must be at least 8 characters long with one or more\n"); fprintf(output, "non-alphabetic characters\n"); continue; } if (PK11_IsFIPS() && strlen(phrase) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "The FIPS security policy requires that a password be set."); nss_die(); } else return (char*) PORT_Strdup((char*)phrase); } } /* * Turn the echoing off on a tty. */ static void echoOff(int fd) { if (isatty(fd)) { struct termios tio; tcgetattr(fd, &tio); tio.c_lflag &= ~ECHO; tcsetattr(fd, TCSAFLUSH, &tio); } } /* * Turn the echoing on on a tty. */ ++++++ mod_nss-cipherlist_update_for_tls12-doc.diff ++++++ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html --- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.000000000 +0100 +++ ./docs/mod_nss.html 2014-02-18 16:48:18.000000000 +0100 @@ -632,100 +632,121 @@ </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fortezza_null<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fips_des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fips_3des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_des_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_128_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_256_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br> </td> <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> + <tr> + <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br> + </td> + <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br> + </td> + <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> + <tr> + <td style="vertical-align: top;">rsa_camellia_128_sha<br> + </td> + <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br> + </td> + <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> + <tr> + <td style="vertical-align: top;">rsa_camellia_256_sha<br> + </td> + <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br> + </td> + <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> </tbody> </table> <br> Additionally there are a number of ECC ciphers:<br> <br> <table style="width: 70%;" border="1" cellpadding="2" cellspacing="2"> <tbody> <tr> <td style="vertical-align: top; font-weight: bold;">Cipher Name<br> </td> <td style="vertical-align: top; font-weight: bold;">NSS Cipher Definition<br> </td> <td style="vertical-align: top; font-weight: bold;">Protocol<br> </td> </tr> <tr> <td>ecdh_ecdsa_null_sha</td> <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_rc4_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_3des_sha</td> <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_aes_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_aes_256_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_null_sha</td> <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_rc4_128_sha</td> <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> @@ -773,100 +794,120 @@ <tr> <td>echde_rsa_null</td> <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_rc4_128_sha</td> <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_3des_sha</td> <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_aes_128_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_aes_256_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_null_sha</td> <td>TLS_ECDH_anon_WITH_NULL_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_rc4_128sha</td> <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_3des_sha</td> <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_aes_128_sha</td> <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_aes_256_sha</td> <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td> <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> + <tr> + <td>ecdh_ecdsa_aes_128_gcm_sha</td> + <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> + <tr> + <td>ecdhe_ecdsa_aes_128_gcm_sha</td> + <td>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> + <tr> + <td>ecdh_rsa_aes_128_gcm_sha</td> + <td>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> + <tr> + <td>ecdhe_rsa_aes_128_gcm_sha</td> + <td>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> + </tr> </tbody> </table> <br> <span style="font-weight: bold;">Example</span><br> <br> <code>NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,<br> -rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,<br> +fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha</code><br> <br> <big><big>NSSProtocol<br> </big></big><br> A comma-separated string that lists the basic protocols that the server can use (and clients may connect with). It doesn't enable a cipher specifically but allows ciphers for that protocol to be used at all.<br> <br> Options are:<br> <ul> <li><code>SSLv3</code></li> <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li> <li><code>TLSv1.0</code></li> <li><code>TLSv1.1</code></li> <li><code>TLSv1.2</code></li> <li><code>All</code></li> </ul> Note that this differs from mod_ssl in that you can't add or subtract protocols.<br> <br> If no NSSProtocol is specified, mod_nss will default to allowing the use of the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol allowed. <br> If values for NSSProtocol are specified, mod_nss will set both the minimum and the maximum allowed protocols based upon these entries allowing for the inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2 are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes protocol ranges to accept all protocols inclusively (TLS 1.2 ->TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols in the middle of a range (e. g. - TLS 1.0).<br> <br> Finally, NSS will always automatically negotiate the use of the strongest possible protocol that has been specified which is acceptable to both sides of a given connection.<br> <a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br> <br> <span style="font-weight: bold;">Example</span><br> <br> <code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br> <br> ++++++ mod_nss-cipherlist_update_for_tls12.diff ++++++ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h --- ../mod_nss-1.0.8-o/mod_nss.h 2014-02-18 16:30:19.000000000 +0100 +++ ./mod_nss.h 2014-02-18 16:30:51.000000000 +0100 @@ -318,103 +318,103 @@ /* * Define the mod_ssl per-directory configuration structure * (i.e. the local configuration for all <Directory> * and .htaccess contexts) */ typedef struct { BOOL bSSLRequired; apr_array_header_t *aRequirement; int nOptions; int nOptionsAdd; int nOptionsDel; const char *szCipherSuite; nss_verify_t nVerifyClient; const char *szUserName; } SSLDirConfigRec; /* * Cipher definitions */ typedef struct { const char *name; int num; int fortezza_only; PRInt32 version; /* protocol version valid for this cipher */ } cipher_properties; /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it * is the last version without this define. This is used for more than just * the below defines. It also determines which API is used. */ #ifndef AP_SERVER_MAJORVERSION_NUMBER #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 0 #define AP_SERVER_PATCHLEVEL_NUMBER 55 #endif #if AP_SERVER_MINORVERSION_NUMBER < 2 typedef struct regex_t ap_regex_t; #define AP_REG_EXTENDED REG_EXTENDED #define AP_REG_NOSUB REG_NOSUB #define AP_REG_ICASE REG_ICASE #endif enum sslversion { SSL2=1, SSL3=2, TLS=4}; /* the table itself is defined in nss_engine_init.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 48 +#define ciphernum 55 #else -#define ciphernum 23 +#define ciphernum 26 #endif /* * function prototypes */ /* API glue structures */ extern module AP_MODULE_DECLARE_DATA nss_module; /* configuration handling */ SSLModConfigRec *nss_config_global_create(server_rec *); void *nss_config_perdir_create(apr_pool_t *p, char *dir); void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv); void *nss_config_server_create(apr_pool_t *p, server_rec *s); void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv); const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int); const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg); const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg); const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); #ifdef SSL_ENABLE_RENEGOTIATION const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); #endif #ifdef NSS_ENABLE_ECC const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); #endif const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int); const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *); const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg); const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag); const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c --- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.000000000 +0100 +++ ./nss_engine_init.c 2014-02-18 16:30:51.000000000 +0100 @@ -15,122 +15,130 @@ #include "mod_nss.h" #include "apr_thread_proc.h" #include "ap_mpm.h" #include "secmod.h" #include "sslerr.h" #include "pk11func.h" #include "ocsp.h" #include "keyhi.h" #include "cert.h" static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); /* * Global variables defined in this file. */ char* INTERNAL_TOKEN_NAME = "internal "; cipher_properties ciphers_def[ciphernum] = { /* SSL2 cipher suites */ {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, /* SSL3/TLS cipher suites */ {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS}, {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS}, {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS}, {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS}, {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS}, {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS}, {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS}, /* TLS 1.0: Exportable 56-bit Cipher Suites. */ {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, /* AES ciphers.*/ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, + {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, + {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + #ifdef NSS_ENABLE_ECC /* ECC ciphers.*/ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 0, TLS}, {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdh_ecdsa_aes_128_gcm_sha", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0, TLS}, {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS}, {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdh_rsa_aes_128_gcm_sha", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, 0, TLS}, {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS}, {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS}, {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, 0, TLS}, {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0, TLS}, {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0, TLS}, {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0, TLS}, #endif }; static char *version_components[] = { "SSL_VERSION_PRODUCT", "SSL_VERSION_INTERFACE", "SSL_VERSION_LIBRARY", NULL }; static char *nss_add_version_component(apr_pool_t *p, server_rec *s, char *name) { char *val = nss_var_lookup(p, s, NULL, NULL, name); if (val && *val) { ap_add_version_component(p, val); } return val; } static void nss_add_version_components(apr_pool_t *p, server_rec *s) { char *vals[sizeof(version_components)/sizeof(char *)]; int i; for (i=0; version_components[i]; i++) { vals[i] = nss_add_version_component(p, s, version_components[i]); } ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Server: %s, Interface: %s, Library: %s", AP_SERVER_BASEVERSION, vals[1], /* SSL_VERSION_INTERFACE */ vals[2]); /* SSL_VERSION_LIBRARY */ } /* * Initialize SSL library * ++++++ mod_nss-clientauth.patch ++++++ The first fix is to retrieve the full certificate subject instead of just the CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL. The second always attempts to retrieve the client certificate in nss_hook_ReadReq(). https://bugzilla.redhat.com/show_bug.cgi?id=702437 --- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400 +++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400 @@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes status = SSL_AuthCertificate(arg, socket, checksig, isServer); - if (status == SECSuccess) { - conn_rec *c = filter_ctx->c; - SSLConnRec *sslconn = myConnConfig(c); - - sslconn->client_cert = SSL_PeerCertificate(socket); - sslconn->client_dn = NULL; - } + /* The certificate is copied to sslconn->client_cert in + * nss_hook_ReadReq() + */ return status; } --- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400 +++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400 @@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r) nss_util_vhostid(r->pool, r->server)); } + if (sslconn->client_cert != NULL) + CERT_DestroyCertificate(sslconn->client_cert); + sslconn->client_cert = SSL_PeerCertificate(ssl); + sslconn->client_dn = NULL; + return DECLINED; } @@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r) } if (!sslconn->client_dn) { - char * cp = CERT_GetCommonName(&sslconn->client_cert->subject); - sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); + char * cp = CERT_NameToAscii(&sslconn->client_cert->subject); + sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL); PORT_Free(cp); } ++++++ mod_nss-compare_subject_CN_and_VS_hostname.patch ++++++

From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001 From: standa Date: Wed, 22 Oct 2014 16:14:29 +0200 Subject: [PATCH] Compare subject CN and VS hostname during server start up

--- nss_engine_init.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/nss_engine_init.c b/nss_engine_init.c index d74f002..2569c8d 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname, *KEAtype = NSS_FindCertKEAType(*servercert); + /* Subject/hostname check */ + secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); + if (secstatus != SECSuccess) { + char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Misconfiguration of certificate's CN and virtual name." + " The certificate CN has %s. We expected %s as virtual" + " name.", cert_dns, s->server_hostname); + PORT_Free(cert_dns); + } + /* - * Check for certs that are expired or not yet valid and WARN about it - * no need to refuse working - the client gets a warning, but can work - * with the server we could also verify if the certificate is made out - * for the correct hostname but that would require a reverse DNS lookup - * for every virtual server - too expensive? + * Check for certs that are expired or not yet valid and WARN about it. + * No need to refuse working - the client gets a warning. */ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); -- 1.9.3 ++++++ mod_nss-gencert.patch ++++++ --- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400 +++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400 @@ -82,12 +82,11 @@ DEST=$1 -echo "httptest" > $DEST/pw.txt +echo -e "\n" > $DEST/pw.txt echo "" echo "#####################################################################" -echo "Generating new server certificate and key database. The password" -echo "is httptest" +echo "Generating new server certificate and key database." echo "#####################################################################" $CERTUTIL -N -d $DEST -f $DEST/pw.txt @@ -183,8 +182,4 @@ rm $DEST/pw.txt rm $DEST/noise -echo "" -echo "The database password is httptest" -echo "" - exit 0 ++++++ mod_nss-httpd24.patch ++++++ Index: mod_nss-1.0.8/mod_nss.c =================================================================== --- mod_nss-1.0.8.orig/mod_nss.c +++ mod_nss-1.0.8/mod_nss.c @@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld established " "(server %s, client %s)", c->id, sc->vhost_id, - c->remote_ip ? c->remote_ip : "unknown"); + c->client_ip ? c->client_ip : "unknown"); mctx = sslconn->is_proxy ? sc->proxy : sc->server; Index: mod_nss-1.0.8/mod_nss.h =================================================================== --- mod_nss-1.0.8.orig/mod_nss.h +++ mod_nss-1.0.8/mod_nss.h @@ -28,7 +28,6 @@ #include "mod_ssl.h" #include "util_script.h" #include "util_filter.h" -#include "mpm.h" #include "apr.h" #include "apr_strings.h" #define APR_WANT_STRFUNC @@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo SECStatus nss_Init_Tokens(server_rec *s); /* Logging */ -void nss_log_nss_error(const char *file, int line, int level, server_rec *s); +void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s); void nss_die(void); /* NSS callback */ Index: mod_nss-1.0.8/nss_engine_init.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_init.c +++ mod_nss-1.0.8/nss_engine_init.c @@ -15,7 +15,7 @@ #include "mod_nss.h" #include "apr_thread_proc.h" -#include "ap_mpm.h" +#include "mpm_common.h" #include "secmod.h" #include "sslerr.h" #include "pk11func.h" Index: mod_nss-1.0.8/nss_engine_io.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_io.c +++ mod_nss-1.0.8/nss_engine_io.c @@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo PR_Close(ssl); /* log the fact that we've closed the connection */ - if (c->base_server->loglevel >= APLOG_INFO) { + if (c->base_server->log.level >= APLOG_INFO) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld closed " "(server %s, client %s)", c->id, nss_util_vhostid(c->pool, c->base_server), - c->remote_ip ? c->remote_ip : "unknown"); + c->client_ip ? c->client_ip : "unknown"); } /* deallocate the SSL connection */ @@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_ filter_ctx = (nss_filter_ctx_t *)(fd->secret); c = filter_ctx->c; - return PR_StringToNetAddr(c->remote_ip, addr); + return PR_StringToNetAddr(c->client_ip, addr); } /* Index: mod_nss-1.0.8/nss_engine_kernel.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_kernel.c +++ mod_nss-1.0.8/nss_engine_kernel.c @@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r) /* * Log information about incoming HTTPS requests */ - if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { + if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "%s HTTPS request received for child %ld (server %s)", (r->connection->keepalives <= 0 ? @@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r) ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Access to %s denied for %s " "(requirement expression not fulfilled)", - r->filename, r->connection->remote_ip); + r->filename, r->connection->client_ip); ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Failed expression: %s", req->cpExpr); Index: mod_nss-1.0.8/nss_engine_log.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_log.c +++ mod_nss-1.0.8/nss_engine_log.c @@ -321,7 +321,7 @@ void nss_die(void) exit(1); } -void nss_log_nss_error(const char *file, int line, int level, server_rec *s) +void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s) { const char *err; PRInt32 error; @@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file, err = "Unknown"; } - ap_log_error(file, line, level, 0, s, + ap_log_error(file, line, module_index, level, 0, s, "SSL Library Error: %d %s", error, err); } Index: mod_nss-1.0.8/nss_engine_vars.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c @@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv && sslconn && sslconn->ssl) result = nss_var_lookup_ssl(p, c, var+4); else if (strcEQ(var, "REMOTE_ADDR")) - result = c->remote_ip; + result = c->client_ip; else if (strcEQ(var, "HTTPS")) { if (sslconn && sslconn->ssl) result = "on"; @@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) result = nss_var_lookup_nss_version(p, var+12); else if (strcEQ(var, "SERVER_SOFTWARE")) - result = (char *)ap_get_server_version(); + result = (char *)ap_get_server_banner(); else if (strcEQ(var, "API_VERSION")) { result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER); resdup = FALSE; ++++++ mod_nss-lockpcache.patch ++++++ diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c --- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500 +++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500 @@ -152,6 +152,8 @@ AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, "SSLLogLevel directive is no longer supported - use LogLevel."), #endif + AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF, + "Apache user. Comes from httpd.conf."), AP_END_CMD }; diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h --- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500 +++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500 @@ -41,6 +41,9 @@ #include "apr_shm.h" #include "apr_global_mutex.h" #include "apr_optional.h" +#include +#include +#include #define MOD_NSS_VERSION AP_SERVER_BASEREVISION @@ -244,6 +247,9 @@ struct { void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; } rCtx; + + int semid; + const char *user; } SSLModConfigRec; typedef struct SSLSrvConfigRec SSLSrvConfigRec; @@ -412,6 +418,7 @@ const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); +const char *set_user(cmd_parms *cmd, void *dummy, const char *arg); /* module initialization */ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c --- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500 +++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500 @@ -830,3 +830,12 @@ return NULL; } + +const char *set_user(cmd_parms *cmd, void *dummy, const char *arg) +{ + SSLModConfigRec *mc = myModConfig(cmd->server); + + mc->user = arg; + + return NULL; +} diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c --- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500 +++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500 @@ -312,6 +312,7 @@ int sslenabled = FALSE; int fipsenabled = FALSE; int threaded = 0; + struct semid_ds status; mc->nInitCount++; @@ -412,10 +413,26 @@ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); + /* The first pass through this function will create the semaphore that + * will be used to lock the pipe. The user is still root at that point + * so for any later calls the semaphore ops will fail with permission + * errors. So switch the user to the Apache user. + */ + if (mc->semid) { + uid_t user_id; + + user_id = ap_uname2id(mc->user); + semctl(mc->semid, 0, IPC_STAT, &status); + status.sem_perm.uid = user_id; + semctl(mc->semid,0,IPC_SET,&status); + } + /* Do we need to fire up our password helper? */ if (mc->nInitCount == 1) { const char * child_argv[5]; apr_status_t rv; + struct sembuf sb; + char sembuf[32]; if (mc->pphrase_dialog_helper == NULL) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, @@ -423,11 +440,31 @@ nss_die(); } + mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); + if (mc->semid == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to obtain semaphore."); + nss_die(); + } + + /* Initialize the semaphore */ + sb.sem_num = 0; + sb.sem_op = 1; + sb.sem_flg = 0; + if ((semop(mc->semid, &sb, 1)) == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to initialize semaphore."); + nss_die(); + } + + PR_snprintf(sembuf, 32, "%d", mc->semid); + child_argv[0] = mc->pphrase_dialog_helper; - child_argv[1] = fipsenabled ? "on" : "off"; - child_argv[2] = mc->pCertificateDatabase; - child_argv[3] = mc->pDBPrefix; - child_argv[4] = NULL; + child_argv[1] = sembuf; + child_argv[2] = fipsenabled ? "on" : "off"; + child_argv[3] = mc->pCertificateDatabase; + child_argv[4] = mc->pDBPrefix; + child_argv[5] = NULL; rv = apr_procattr_create(&mc->procattr, mc->pPool); diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c --- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400 +++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500 @@ -279,6 +279,16 @@ char buf[1024]; apr_status_t rv; apr_size_t nBytes = 1024; + struct sembuf sb; + + /* lock the pipe */ + sb.sem_num = 0; + sb.sem_op = -1; + sb.sem_flg = SEM_UNDO; + if (semop(parg->mc->semid, &sb, 1) == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Unable to reserve semaphore resource"); + } snprintf(buf, 1024, "RETR\t%s", token_name); rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); @@ -293,6 +303,13 @@ */ memset(buf, 0, sizeof(buf)); rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); + sb.sem_op = 1; + if (semop(parg->mc->semid, &sb, 1) == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Unable to free semaphore resource"); + /* perror("semop free resource id"); */ + } + if (rv != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c --- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500 +++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500 @@ -21,6 +21,9 @@ #include #include #include +#include +#include +#include #include "nss_pcache.h" static char * getstr(const char * cmd, int el); @@ -70,6 +73,13 @@ unsigned char *crypt; }; +union semun { + int val; + struct semid_ds *buf; + unsigned short *array; + struct seminfo *__buf; +}; + /* * Node - for maintaining link list of tokens with cached PINs */ @@ -304,15 +314,19 @@ char * tokenName; char * tokenpw; int fipsmode = 0; + int semid = 0; + union semun semarg; - if (argc < 3 || argc > 4) { - fprintf(stderr, "Usage: nss_pcache <directory> <prefix>\n"); + if (argc < 4 || argc > 5) { + fprintf(stderr, "Usage: nss_pcache <semid> <directory> <prefix>\n"); exit(1); } signal(SIGHUP, SIG_IGN); - if (!strcasecmp(argv[1], "on")) + semid = strtol(argv[1], NULL, 10); + + if (!strcasecmp(argv[2], "on")) fipsmode = 1; /* Initialize NSPR */ @@ -322,7 +336,7 @@ PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); /* Initialize NSS and open the certificate database read-only. */ - rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); + rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); if (rv != SECSuccess) { fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); @@ -437,6 +451,11 @@ } freeList(pinList); PR_Close(in); + /* Remove the semaphore used for locking here. This is because this + * program only goes away when Apache shuts down so we don't have to + * worry about reloads. + */ + semctl(semid, 0, IPC_RMID, semarg); return 0; } Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej ++++++ mod_nss-negotiate.patch ++++++ diff -up ./mod_nss.c.norego ./mod_nss.c --- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 @@ -97,6 +97,14 @@ static const command_rec nss_config_cmds SSL_CMD_SRV(Nickname, TAKE1, "SSL RSA Server Certificate nickname " "(`Server-Cert'") +#ifdef SSL_ENABLE_RENEGOTIATION + SSL_CMD_SRV(Renegotiation, FLAG, + "Enable SSL Renegotiation (default off) " + "(`on', `off')") + SSL_CMD_SRV(RequireSafeNegotiation, FLAG, + "If Rengotiation is allowed, require safe negotiation (default off) " + "(`on', `off')") +#endif #ifdef NSS_ENABLE_ECC SSL_CMD_SRV(ECCNickname, TAKE1, "SSL ECC Server Certificate nickname " diff -up ./mod_nss.h.norego ./mod_nss.h --- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 @@ -269,6 +269,10 @@ typedef struct { int tls; int tlsrollback; int enforce; +#ifdef SSL_ENABLE_RENEGOTIATION + int enablerenegotiation; + int requiresafenegotiation; +#endif const char *nickname; #ifdef NSS_ENABLE_ECC const char *eccnickname; @@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); +#ifdef SSL_ENABLE_RENEGOTIATION +const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); +const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); +#endif #ifdef NSS_ENABLE_ECC const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); #endif diff -up ./nss_engine_config.c.norego ./nss_engine_config.c --- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 @@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t mctx->tls = PR_FALSE; mctx->tlsrollback = PR_FALSE; +#ifdef SSL_ENABLE_RENEGOTIATION + mctx->enablerenegotiation = PR_FALSE; + mctx->requiresafenegotiation = PR_FALSE; +#endif mctx->enforce = PR_TRUE; mctx->nickname = NULL; #ifdef NSS_ENABLE_ECC @@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ cfgMerge(eccnickname, NULL); #endif cfgMerge(enforce, PR_TRUE); +#ifdef SSL_ENABLE_RENEGOTIATION + cfgMerge(enablerenegotiation, PR_FALSE); + cfgMerge(requiresafenegotiation, PR_FALSE); +#endif } static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, @@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm return NULL; } +#ifdef SSL_ENABLE_RENEGOTIATION +const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; + + return NULL; +} + +const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; + + return NULL; +} +#endif + #ifdef NSS_ENABLE_ECC const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, diff -up ./nss_engine_init.c.norego ./nss_engine_init.c --- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 @@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r nss_die(); } } +#ifdef SSL_ENABLE_RENEGOTIATION + if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, + mctx->enablerenegotiation ? + SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER + ) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Unable to set SSL renegotiation"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, + mctx->requiresafenegotiation) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Unable to set SSL safe negotiation"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } +#endif } static void nss_init_ctx_protocol(server_rec *s, diff -up ./nss_engine_log.c.norego ./nss_engine_log.c --- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 +++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 @@ -27,7 +27,7 @@ #define LIBSEC_ERROR_BASE (-8192) #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) #define LIBSSL_ERROR_BASE (-12288) -#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) +#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) typedef struct l_error_t { int errorNumber; @@ -296,7 +296,19 @@ { 99, "Server requires ciphers more secure than those supported by client" }, { 100, "Peer reports it experienced an internal error" }, { 101, "Peer user canceled handshake" }, - { 102, "Peer does not permit renegotiation of SSL security parameters" } + { 102, "Peer does not permit renegotiation of SSL security parameters" }, + { 103, "Server cache not configured" }, + { 104, "Unsupported extension" }, + { 105, "Certificate unobtainable" }, + { 106, "Unrecognized name" }, + { 107, "Bad certificate status" }, + { 108, "Bad certificate hash value" }, + { 109, "Unexpected new session ticket" }, + { 110, "Malformed new session ticket" }, + { 111, "Decompression failure" }, + { 112, "Renegotiation not allowed" }, + { 113, "Safe negotiation required but not provided by client" }, + { 114, "Unexpected uncompressed record" }, }; void nss_die(void) ++++++ mod_nss-no_shutdown_if_not_init_2.patch ++++++ diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800 +++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800 @@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da server_rec *s; int shutdown = 0; - /* Clear any client-side session cache data */ - SSL_ClearSessionCache(); - /* * Free the non-pool allocated structures * in the per-server configurations @@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da } if (shutdown) { + /* Clear any client-side session cache data */ + SSL_ClearSessionCache(); + if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()) != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++++++ mod_nss-overlapping_memcpy.patch ++++++ Bug 669118 memcpy of overlapping memory is no longer allowed by glibc. This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444 --- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500 +++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500 @@ -123,13 +123,13 @@ if (buffer->length > inl) { /* we have have enough to fill the caller's buffer */ - memcpy(in, buffer->value, inl); + memmove(in, buffer->value, inl); buffer->value += inl; buffer->length -= inl; } else { /* swallow remainder of the buffer */ - memcpy(in, buffer->value, buffer->length); + memmove(in, buffer->value, buffer->length); inl = buffer->length; buffer->value = NULL; buffer->length = 0; ++++++ mod_nss-pcachesignal.h ++++++ diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c --- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400 +++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400 @@ -20,6 +20,7 @@ #include #include #include +#include #include "nss_pcache.h" static char * getstr(const char * cmd, int el); @@ -309,6 +310,8 @@ exit(1); } + signal(SIGHUP, SIG_IGN); + if (!strcasecmp(argv[1], "on")) fipsmode = 1; Only in mod_nss-1.0.8: nss_pcache.c.rej ++++++ mod_nss-proxyvariables.patch ++++++ diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700 +++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700 @@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server tls = 1; } else { if (mctx->auth.protocols == NULL) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "NSSProtocols not set; using: SSLv3 and TLSv1"); + /* + * Since this routine will be invoked individually for every + * thread associated with each 'server' object as well as for + * every thread associated with each 'proxy' object, issue a + * single per-thread 'warning' message for either a 'server' + * or a 'proxy' based upon the thread's object type. + */ + if (mctx == mctx->sc->server) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "NSSProtocol value not set; using: SSLv3 and TLSv1"); + } else if (mctx == mctx->sc->proxy) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "NSSProxyProtocol value not set; using: SSLv3 and TLSv1"); + } + ssl3 = tls = 1; } else { lprotocols = strdup(mctx->auth.protocols); @@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se * Configure SSL Cipher Suite */ if (!suite) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Required value NSSCipherSuite not set."); + /* + * Since this is a 'fatal' error, regardless of whether this + * particular invocation is from a 'server' object or a 'proxy' + * object, issue all error message(s) as appropriate. + */ + if ((mctx->sc->enabled == TRUE) && + (mctx->sc->server) && + (!mctx->sc->server->auth.cipher_suite)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "NSSEngine on; required value NSSCipherSuite not set."); + } + + if ((mctx->sc->proxy_enabled == TRUE) && + (mctx->sc->proxy) && + (!mctx->sc->proxy->auth.cipher_suite)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "NSSProxyEngine on; required value NSSProxyCipherSuite not set."); + } + nss_die(); } ciphers = strdup(suite); @@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server if (mctx->nickname == NULL) #endif { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "No certificate nickname provided."); + /* + * Since this is a 'fatal' error, regardless of whether this + * particular invocation is from a 'server' object or a 'proxy' + * object, issue all error message(s) as appropriate. + */ + if ((mctx->sc->enabled == TRUE) && + (mctx->sc->server) && + (mctx->sc->server->nickname == NULL)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "NSSEngine on; no certificate nickname provided by NSSNickname."); + } + + if ((mctx->sc->proxy_enabled == TRUE) && + (mctx->sc->proxy) && + (mctx->sc->proxy->nickname == NULL)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname."); + } + nss_die(); } ++++++ mod_nss-reseterror.patch ++++++ --- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400 +++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400 @@ -348,6 +348,7 @@ break; } + PR_SetError(0, 0); rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes); if (rc > 0) { ++++++ mod_nss-reverseproxy.patch ++++++ mod_proxy now sets the requested remote host name. Use this to compare to the CN value of the peer certificate and reject the request if they do not match (and we are have NSSProxyCheckPeerCN set to on). diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html --- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400 +++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400 @@ -1028,7 +1028,21 @@ <br> <span style="font-weight: bold;">Example</span><br> <br> -<code>NSSProxyNickname beta</code><br> +<code>NSSProxyNickname beta<br> +<br> +</code><big><big>NSSProxyCheckPeerCN</big></big><br> +<br> +Compare the CN value of the peer certificate with the hostname being +requested. If this is set to on, the default, then the request will +fail if they do not match. If this is set to off then this comparison +is not done. Note that this test is your only protection against a +man-in-the-middle attack so leaving this as on is strongly recommended.<br> +<br> +<span style="font-weight: bold;">Example</span><br> +<br> +<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code> +on<br> +</code><br> <h1><a name="Environment"></a>Environment Variables</h1> Quite a few environment variables (for CGI and SSI) may be set depending on the NSSOptions configuration. It can be expensive to set @@ -1435,42 +1449,9 @@ <h1><a name="FAQ"></a>Frequently Asked Questions</h1> Q. Does mod_nss support mod_proxy?<br> <br> -A. In order to use the mod_nss proxy support you will need to build -your own mod_proxy by applying a patch found in bug http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>. -The patch is needed so we can compare the hostname contained in the -remote certificate with the hostname you meant to visit. This prevents -man-in-the-middle attacks.<br> -<br> -You also have to change the SSL functions that mod_proxy looks to use. -You'll need to apply this patch:<br> -<br> -<code>1038,1039c1038,1039<br> -< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br> -< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br> ----<br> -> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br> -> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br> -1041,1042c1041,1042<br> -< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = -NULL;<br> -< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable -= NULL;<br> ----<br> -> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = -NULL;<br> -> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable -= NULL;<br> -1069,1070c1069,1070<br> -<     proxy_ssl_enable = -APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br> -<     proxy_ssl_disable = -APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br> ----<br> ->     proxy_ssl_enable = -APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br> ->     proxy_ssl_disable = -APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br> -</code><br> +A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy +provides a single interface for SSL providers and mod_nss defers to +mod_ssl +if it is loaded. </body> </html> diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c --- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400 +++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400 @@ -142,6 +142,8 @@ SSL_CMD_SRV(ProxyNickname, TAKE1, "SSL Proxy: client certificate Nickname to be for proxy connections " "(`nickname')") + SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, + "SSL Proxy: check the peers certificate CN") #ifdef IGNORE /* Deprecated directives. */ @@ -238,23 +240,30 @@ SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket) { conn_rec *c = (conn_rec *)arg; + SSLSrvConfigRec *sc = mySrvConfig(c->base_server); PRErrorCode err = PR_GetError(); SECStatus rv = SECFailure; CERTCertificate *peerCert = SSL_PeerCertificate(socket); + const char *hostname_note; switch (err) { case SSL_ERROR_BAD_CERT_DOMAIN: - if (c->remote_host != NULL) { - rv = CERT_VerifyCertName(peerCert, c->remote_host); - if (rv != SECSuccess) { - char *remote = CERT_GetCommonName(&peerCert->subject); + if (sc->proxy_ssl_check_peer_cn == TRUE) { + if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) { + apr_table_unset(c->notes, "proxy-request-hostname"); + rv = CERT_VerifyCertName(peerCert, hostname_note); + if (rv != SECSuccess) { + char *remote = CERT_GetCommonName(&peerCert->subject); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note); + PORT_Free(remote); + } + } else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host); - PORT_Free(remote); + "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."); } } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."); + rv = SECSuccess; } break; default: diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h --- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400 +++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400 @@ -306,6 +306,7 @@ int vhost_id_len; modnss_ctx_t *server; modnss_ctx_t *proxy; + BOOL proxy_ssl_check_peer_cn; }; /* @@ -410,6 +411,7 @@ const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); +const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); /* module initialization */ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c --- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400 +++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400 @@ -140,6 +140,7 @@ sc->vhost_id_len = 0; /* set during module init */ sc->proxy = NULL; sc->server = NULL; + sc->proxy_ssl_check_peer_cn = TRUE; modnss_ctx_init_proxy(sc, p); @@ -214,6 +215,7 @@ cfgMergeBool(fips); cfgMergeBool(enabled); cfgMergeBool(proxy_enabled); + cfgMergeBool(proxy_ssl_check_peer_cn); modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); @@ -544,6 +546,15 @@ return NULL; } +const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE; + + return NULL; +} + const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd, void *dcfg, int flag) ++++++ mod_nss-sslmultiproxy.patch ++++++ Index: mod_nss-1.0.8/mod_nss.c =================================================================== --- mod_nss-1.0.8.orig/mod_nss.c +++ mod_nss-1.0.8/mod_nss.c @@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c return sslconn; } +static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; + int nss_proxy_enable(conn_rec *c) { SSLSrvConfigRec *sc = mySrvConfig(c->base_server); @@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c) SSLConnRec *sslconn = nss_init_connection_ctx(c); if (!sc->proxy_enabled) { + if (othermod_proxy_enable) { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, + "mod_nss proxy not configured, passing through to mod_ssl module"); + return othermod_proxy_enable(c); + } + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, "SSL Proxy requested for %s but not enabled " "[Hint: NSSProxyEngine]", sc->vhost_id); @@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c) return 1; } -int ssl_proxy_enable(conn_rec *c) { +static int ssl_proxy_enable(conn_rec *c) { return nss_proxy_enable(c); } @@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c) SSLConnRec *sslconn; + if (othermod_engine_disable) { + othermod_engine_disable(c); + } + if (sc->enabled == FALSE) { return 0; } @@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c) return 1; } -int ssl_engine_disable(conn_rec *c) { +static int ssl_engine_disable(conn_rec *c) { return nss_engine_disable(c); } @@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_ nss_var_register(); + /* Always register these mod_nss optional functions */ APR_REGISTER_OPTIONAL_FN(nss_proxy_enable); APR_REGISTER_OPTIONAL_FN(nss_engine_disable); - /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */ - if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); - if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + /* Save the state of any previously registered mod_ssl functions */ + othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); + othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); + + /* Always register these local mod_ssl optional functions */ + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); } module AP_MODULE_DECLARE_DATA nss_module = { Index: mod_nss-1.0.8/mod_nss.h =================================================================== --- mod_nss-1.0.8.orig/mod_nss.h +++ mod_nss-1.0.8/mod_nss.h @@ -13,8 +13,8 @@ * limitations under the License. */ -#ifndef __MOD_SSL_H__ -#define __MOD_SSL_H__ +#ifndef __MOD_NSS_H__ +#define __MOD_NSS_H__ /* Apache headers */ #include "httpd.h" @@ -25,6 +25,7 @@ #include "http_connection.h" #include "http_request.h" #include "http_protocol.h" +#include "mod_ssl.h" #include "util_script.h" #include "util_filter.h" #include "mpm.h" @@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r); /* Variables */ void nss_var_register(void); char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); -char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); void nss_var_log_config_register(apr_pool_t *p); APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup, (apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *)); -APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, - (apr_pool_t *, server_rec *, - conn_rec *, request_rec *, - char *)); /* An optional function which returns non-zero if the given connection * is using SSL/TLS. */ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); /* Proxy Support */ int nss_proxy_enable(conn_rec *c); int nss_engine_disable(conn_rec *c); -int ssl_proxy_enable(conn_rec *c); -int ssl_engine_disable(conn_rec *c); APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); /* I/O */ PRFileDesc * nss_io_new_fd(); @@ -495,4 +486,4 @@ void nss_die(void); /* NSS callback */ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); -#endif /* __MOD_SSL_H__ */ +#endif /* __MOD_NSS_H__ */ Index: mod_nss-1.0.8/nss_engine_vars.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c @@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var); static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var); static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c); +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); + +static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; +static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; static int nss_is_https(conn_rec *c) { SSLConnRec *sslconn = myConnConfig(c); - return sslconn && sslconn->ssl; + + return (sslconn && sslconn->ssl) + || (othermod_is_https && othermod_is_https(c)); } static int ssl_is_https(conn_rec *c) { @@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) { void nss_var_register(void) { + /* Always register these mod_nss optional functions */ APR_REGISTER_OPTIONAL_FN(nss_is_https); APR_REGISTER_OPTIONAL_FN(nss_var_lookup); - /* These can only be registered if mod_ssl is not loaded */ - if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_is_https); - if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + /* Save the state of any previously registered mod_ssl functions */ + othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); + othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); + + /* Always register these local mod_ssl optional functions */ + APR_REGISTER_OPTIONAL_FN(ssl_is_https); + APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); return; } @@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv */ if (result == NULL && c != NULL) { SSLConnRec *sslconn = myConnConfig(c); + + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { + /* If mod_ssl is registered for this connection, + * pass any SSL_* variable through to the mod_ssl module + */ + return othermod_var_lookup(p, s, c, r, var); + } + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) && sslconn && sslconn->ssl) result = nss_var_lookup_ssl(p, c, var+4); @@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv return result; } -char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { return nss_var_lookup(p, s, c, r, var); } ++++++ mod_nss-tlsv1_1.patch ++++++ ++++ 745 lines (skipped) ++++++ mod_nss-wouldblock.patch ++++++ --- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400 +++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500 @@ -259,7 +259,8 @@ */ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) { - return 0; + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return -1; } if (inctx->rc != APR_SUCCESS) { ++++++ mod_nss.conf.in ++++++ # This is /etc/apache2/conf.d/mod_nss.conf # # Configuration for mod_nss starts in this file. # # Contents: # 1) generic information about mod_nss and its relation to mod_ssl # 2) initialization and loading of the apache module in the SUSE framework # 3) hints on specifics for the configuration. #.............................................................................. # # 1) generic information about mod_nss and its relation to mod_ssl # # Concurrency of apache crypto modules: # # mod_nss implements SSL/TLS protocol support for the apache webserver and # is an alternative to mod_ssl. Both modules can be initialized at the same # time, but, obviously, the protocol handlers ("SSLEngine on" for mod_ssl # and "NSSEngine on" for mod_nss) cannot be active simultaneously, at a # global scope, or in the context of a VirtualHost configuration directive # block. # # If for a port that apache listens on, only one VirtualHost section # has the directive "NSSEngine" set to "on", it will have precedence over # all other VirtualHost declarations (that may have SSLEngine set to on # in their context). A simultaneaous operation of both modules for different # VirtualHosts on the same IP Address and port is not possible. # # Reason: # The brwoser/client connects to the web server's port 443 and initializes # an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the # client to specify the host that it wants to connect to, unless the crypto # has been fully initialized already. Similarly, the server cannot present # the correct certificate to the browser that matches the requested hostname. # As a consequence, if endpoints are limited to SSLv3, only one web server and # no virtual servers can be bound to one address. Each additional web server # would need a new IP address. # Starting with TLSv1.0, the protocol comes with the Server Name Indication # (SNI) extension that allows the client to specify the requested hostname # before the cryptographical part of the protocol is initialized. However, # this type of hostname distinction is handled by the crypto library in # combination with mod_ssl or mod_nss, not by apache's core. # This means that in a dual mod_ssl and mod_nss configuration that is not # selective on IP addresses, and even if you use TLSv1.0 and newer only, # only one out of mod_ssl or mod_nss will be active. # Consequences: # a) If you need support for encrypted connections using _both_ mod_nss and # mod_ssl, you should consider using more than one IP addresses, and # configure the server's crypto engine/module bound to the IP address. # b) If you do NOT need both mod_nss and mod_ssl simultaneaously in apache, # it is recommended to decide for one and deactivate the other. # # Certificates: # The directory /etc/apache/mod_nss.d contains everything that mod_nss # needs: keys, certificates. The default configuration has reference # to .db files in /etc/apache/mod_nss.d that shall illustrate how the # configuration should/could look like. # # In addition to providing a central location to store keys and certificates, # /etc/apache/mod_nss.d may also contain configuration files that are # included directly after this documentation text. Note that only files # named *.conf are included! # # #.............................................................................. # 2) initialization and loading of the apache module in the SUSE framework # # To get SSL/TLS support activated in apache, two things have to be done: # a) configure and initialize the crypto module that provides the SSL/TLS # protocol support in apache # b) tell apache to listen on the port where browsers typically connect to # if they want to talk SSL/TLS. Normally TCP port 443. # # about a): # The apache module (a shared object file) is loaded by the framework if # the config variable APACHE_MODULES set in /etc/sysconfig/apache2 # contains the module name ("nss", without the preceding "mod_"). # Either you edit /etc/sysconfig/apache2 manually and add the module name # nss to the other modules in APACHE_MODULES, or you let the command # # a2enmod nss # # do this for you. "a2enmod -d nss" reverses that change and disables mod_nss # again. # All of the configuration directives set in the default config files are # conditional for the loading of the module, which is evident when looking at # the "<IfModule mod_ssl.c>" that shows up further below. # # about b) # The Listen directive in /etc/apache2/listen_nss.conf is conditional on # the server-flag "SSL". Add the word SSL to the variable # APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2 . # # Please note that /etc/apache2/listen.conf is read/included from the apache # main configuration file /etc/apache2/httpd.conf; # /etc/apache2/listen_nss.conf is read from this file, just below. # # Additional information can also be found in # /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt # # Roman Drahtmueller # <IfDefine SSL> <IfModule mod_nss.c> Include /etc/apache2/listen_nss.conf Include /etc/apache2/mod_nss.d/*.conf ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## ## Please note that _this_ file used to contain a VirtualHost ## section in previous versions/releases. It is now part of the ## /etc/apache2/vhosts.d/vhost-nss.template file, and is not ## activated by default. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. NSSPassPhraseDialog builtin # Pass Phrase Helper: # This helper program stores the token password pins between # restarts of Apache. NSSPassPhraseHelper @apache_bin@/nss_pcache # Configure the SSL Session Cache. # NSSSessionCacheSize is the number of entries in the cache. # NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). NSSSessionCacheSize 10000 NSSSessionCacheTimeout 100 NSSSession3CacheTimeout 86400 # # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. Those platforms usually also provide a non-blocking # device, /dev/urandom, which may be used instead. # As a rule of thumb, /dev/urandom should only be used for short-term # secrets (eg. keys, session keys, credentials), while longer-living # secrets such as key pair for a certificate should receive its # randomness from /dev/random . # # This does not support seeding the RNG with each connection. NSSRandomSeed startup builtin #NSSRandomSeed startup file:/dev/random 512 #NSSRandomSeed startup file:/dev/urandom 512 # # TLS Negotiation configuration under RFC 5746 # # Only renegotiate if the peer's hello bears the TLS renegotiation_info # extension. Default off. NSSRenegotiation off # Peer must send Signaling Cipher Suite Value (SCSV) or # Renegotiation Info (RI) extension in ALL handshakes. Default: off NSSRequireSafeNegotiation off # main switch: You may want to turn this on in the context of a VirtualHost # definition, not here globally. # NSSEngine on # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. # SSL 3 ciphers. SSL 2 is disabled #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha # The following ciphers are available in SUSE's package after June 2014; # The GCM mode aes ciphers are of particular interest. # You may want to add them if so desired: # # rsa_aes_128_gcm_sha # ecdh_ecdsa_aes_128_gcm_sha # ecdhe_ecdsa_aes_128_gcm_sha # ecdh_rsa_aes_128_gcm_sha # ecdhe_rsa_aes_128_gcm_sha # SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. # # Comment out the NSSCipherSuite line above and use the one below if you have # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha # The following is taken as default with the apache2-mod_nss package, as # provided with the August 2014 update (which features the GCM mode ciphers # along with server side SNI support). # Ideas: # * cipher mode may be more important than key length # (AES-GCM is 128 bit, vs AES256 on a different mode) # * no rc4, no 3des, no des # * ephemeral is what you want (PFS). # * EC has precedence over RSA NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha # SSL Protocol: # Cryptographic protocols that provide communication security. # NSS handles the specified protocols as "ranges", and automatically # negotiates the use of the strongest protocol for a connection starting # with the maximum specified protocol and downgrading as necessary to the # minimum specified protocol that can be used between two processes. # Since all protocol ranges are completely inclusive, and no protocol in the # middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2" # is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2". # Here, we disable SSLv3, but allow TLSv1.0 through TLSv1.2 : NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. # # This is commented out, as it belongs to a VirtualHost definition. # If there are no VirtualHost statements in your configuration, then # here is the right spot: #NSSNickname Server-Cert # SSL Certificate Nickname: # The nickname of the ECC server certificate you are going to use, if you # have an ECC-enabled version of NSS and mod_nss #NSSECCNickname Server-Cert-ecc # Server Certificate Database: # The NSS security database directory that holds the certificates and # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. # Provide the directory that these files exist. #NSSCertificateDatabase @apache_conf@/mod_nss.d # Database Prefix: # In order to be able to store multiple NSS databases in one directory # they need unique names. This option sets the database prefix used for # cert8.db and key3.db. #NSSDBPrefix my-prefix- # Client Authentication (Type): # Client certificate verification type. Types are none, optional and # require. #NSSVerifyClient none # # Online Certificate Status Protocol (OCSP). # Verify that certificates have not been revoked before accepting them. #NSSOCSP off # # Use a default OCSP responder. If enabled this will be used regardless # of whether one is included in a client certificate. Note that the # server certificate is verified during startup. # # NSSOCSPDefaultURL defines the service URL of the OCSP responder # NSSOCSPDefaultName is the nickname of the certificate to trust to # sign the OCSP responses. #NSSOCSPDefaultResponder on #NSSOCSPDefaultURL http://example.com/ocsp/status #NSSOCSPDefaultName ocsp-nickname # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_nss documentation # for more details. #<Location /> #NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "NSSRequireSSL" or "NSSRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire NSSOptions +StdEnvVars </Files> NSSOptions +StdEnvVars </Directory> </IfModule> </IfDefine> </IfDefine> ++++++ mod_nss_migrate.pl ++++++ #!/usr/bin/perl # # Migrate configuration from OpenSSL to NSS use Cwd; use Getopt::Std; BEGIN { # $NSSDir = cwd(); $NSSDir = "/etc/apache2/mod_nss.d"; $SSLCACertificatePath = ""; $SSLCACertificateFile = ""; $SSLCertificateFile = ""; $SSLCARevocationPath = ""; $SSLCARevocationFile = ""; $SSLCertificateKeyFile = ""; $passphrase = 0; } %skip = ( "SSLRandomSeed" => "", "SSLSessionCache" => "", "SSLMutex" => "", "SSLCertificateChainFile" => "", "SSLVerifyDepth" => "" , "SSLCryptoDevice" => "" , "LoadModule" => "" , ); %insert = ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",); getopts('chr:w:' , \%opt ); sub usage() { print STDERR "Usage: mod_nss_migrate.pl [-c] -r -w \n"; print STDERR "\t-c converts the certificates\n"; print STDERR "This conversion script is not aware of apache's configuration blocks\n"; print STDERR "and nestable conditional directives. Please check the output of the\n"; print STDERR "conversion and adjust manually if necessary!\n"; exit(); } usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ; print STDERR "input: $opt{r} output: $opt{w}\n"; open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n"; open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n"; print NSS "## This is a conversion of mod_ssl specific options by /usr/sbin/mod_nss_migrate.pl\n"; print NSS "## Most of the comments in the original .conf file have been omitted here, as\n"; print NSS "## the comments may not be valid for mod_nss, too.\n"; print NSS "## \n"; print NSS "## Please read through this configuration and verify the individual options!\n\n"; while (<SSL>) { my $comment = 0; # write through even if in comment before comments are stripped below. if(/(ServerName|ServerAlias)/) { print NSS $_; next; } # skip blank lines and comments if (/^#/ || /^\s*#/ || /^\s*$/) { # do not copy them; they may not be useful anyway. # print NSS $_; next; } s/mod_ssl\.c/mod_nss.c/; # write through nestable apache configuration block directives: if (/^ ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:", "rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:", "rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:", "rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:", "des" => ":ALL:SSLv2:RSA:EXP:EXPORT56:MD5:DES:LOW:", "desede3" => ":ALL:SSLv2:RSA:MD5:3DES:HIGH:", "rsa_rc4_128_md5" => ":ALL:SSLv3:TLSv1:RSA:MD5:RC4:MEDIUM:", "rsa_rc4_128_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:RC4:MEDIUM:", "rsa_3des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:3DES:HIGH:", "rsa_des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:DES:LOW:", "rsa_rc4_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC4:", "rsa_rc2_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC2:", "rsa_null_md5" => ":SSLv3:TLSv1:RSA:MD5:NULL:", "rsa_null_sha" => ":SSLv3:TLSv1:RSA:SHA:NULL:", "rsa_des_56_sha" => ":ALL:SSLv3:TLSv1:RSA:DES:SHA:EXP:EXPORT56:", "rsa_rc4_56_sha" => ":ALL:SSLv3:TLSv1:RSA:RC4:SHA:EXP:EXPORT56:", ); $NUM_CIPHERS = 16; for ($i = 0; $i < $NUM_CIPHERS; $i++) { $selected[$i] = 0; } # Don't need to worry about the ordering properties of "+" because # NSS always chooses the "best" cipher anyway. You can't specify # preferred order. # -1: this cipher is completely out # 0: this cipher is currently unselected, but maybe added later # 1: this cipher is selected @s = split(/:/, $str); for ($i = 0; $i <= $#s; $i++) { $j = 0; $val = 1; # ! means this cipher is disabled forever if ($s[$i] =~ /^!/) { $val = -1; ($s[$i] =~ s/^!//); } elsif ($s[$i] =~ /^-/) { $val = 0; ($s[$i] =~ s/^-//); } elsif ($s[$i] =~ /^+/) { ($s[$i] =~ s/^+//); } for $cipher (sort keys %cipher_list) { $match = 0; # For embedded + we do an AND for all options if ($s[$i] =~ m/(\w+\+)+/) { @sub = split(/^\+/, $s[$i]); $match = 1; for ($k = 0; $k <=$#sub; $k++) { if ($cipher_list{$cipher} !=~ m/:$sub[$k]:/) { $match = 0; } } } else { # straightforward match if ($cipher_list{$cipher} =~ m/:$s[$i]:/) { $match = 1; } } if ($match && $selected[$j] != -1) { $selected[$j] = $val; } $j++; } } # NSS doesn't honor the order of a cipher list, it uses the "strongest" # cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and # the NSS ciphers not available in OpenSSL. $str = "SSLv2:SSLv3"; @s = split(/:/, $str); $ciphersuite = ""; for ($i = 0; $i <= $#s; $i++) { $j = 0; for $cipher (sort keys %cipher_list) { if ($cipher_list{$cipher} =~ m/:$s[$i]:/) { if ($selected[$j]) { $ciphersuite .= "+"; } else { $ciphersuite .= "-"; } $ciphersuite .= $cipher . ","; } $j++; } } $ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha"; return $ciphersuite; } # Given the filename of a PEM file, use openssl to fetch the certificate # subject sub get_cert_subject { my $file = shift; my $subject = ""; return "" if ! -T $file; $subject = `openssl x509 -subject < $file | head -1`; $subject =~ s/subject= \///; # Remove leading subject= \ $subject =~ s/\//,/g; # Replace / with , as separator $subject =~ s/Email=.*(,){0,1}//; # Remove Email attribute $subject =~ s/,$//; # Remove any trailing commas chomp($subject); return $subject; } # # Wrapper around the system() command sub run_command { my @args = shift; my $status = 0; $status = 0xffff & system(@args); return if ($status == 0); print STDERR "Command '@args' failed: $!\n"; exit; } ++++++ vhost-nss.template ++++++ ## ## SSL Virtual Host Context ## ## The idea is that certificate specific options belong to a VirtualHost ## directive block, while the cipher and protocol configuration is a global ## setting that comes from /etc/apache2/conf.d/mod_nss.conf . ## The system-wide mod_nss.conf does not have any certificate-specific ## options set, so you would need to set them in your own config. ## ## Please place this file into /etc/apache2/vhosts.d with a name that ends ## in .conf . Files not named *.conf are ignored by the configuration ## framework. <VirtualHost _default_:443> # General setup for the virtual host #DocumentRoot "@apache_prefix@/htdocs" #ServerName www.example.com:443 #ServerAdmin you@example.com # mod_nss can log to separate log files, you can choose to do that if you'd like # LogLevel is not inherited from httpd.conf. #ErrorLog /var/log/apache2/error_log #TransferLog /var/log/apache2/access_log LogLevel warn # SSL Engine Switch: # Enable/Disable SSL for this virtual host. NSSEngine on # SSL Cipher Suite: # # The NSSCipherSuite directive is present in the NSS-specific system-wide # configuration file /etc/apache2/conf.d/mod_nss.conf . # You may set the cipher suite on a virtual host basis here, too. # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. NSSNickname Server-Cert # SSL Certificate Nickname: # The nickname of the ECC server certificate you are going to use, if you # have an ECC-enabled version of NSS and mod_nss #NSSECCNickname Server-Cert-ecc # Server Certificate Database: # The NSS security database directory that holds the certificates and # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. # Provide the directory that these files exist. NSSCertificateDatabase /etc/apache2/mod_nss.d # Database Prefix: # In order to be able to store multiple NSS databases in one directory # they need unique names. This option sets the database prefix used for # cert8.db and key3.db. #NSSDBPrefix my-prefix- # Client Authentication (Type): # Client certificate verification type. Types are none, optional and # require. #NSSVerifyClient none # # Online Certificate Status Protocol (OCSP). # Verify that certificates have not been revoked before accepting them. #NSSOCSP off # # Use a default OCSP responder. If enabled this will be used regardless # of whether one is included in a client certificate. Note that the # server certificate is verified during startup. # # NSSOCSPDefaultURL defines the service URL of the OCSP responder # NSSOCSPDefaultName is the nickname of the certificate to trust to # sign the OCSP responses. #NSSOCSPDefaultResponder on #NSSOCSPDefaultURL http://example.com/ocsp/status #NSSOCSPDefaultName ocsp-nickname # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_nss documentation # for more details. #<Location /> #NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "NSSRequireSSL" or "NSSRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire NSSOptions +StdEnvVars </Files> NSSOptions +StdEnvVars </Directory> # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. #CustomLog /var/log/apache2/ssl_request_log \ # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org