|
 |
90ca4f |
diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
|
|
|
90ca4f |
--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800
|
|
|
90ca4f |
+++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800
|
|
|
90ca4f |
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
|
|
|
90ca4f |
/* module initialization */
|
|
|
90ca4f |
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
|
|
|
90ca4f |
void nss_init_Child(apr_pool_t *, server_rec *);
|
|
|
90ca4f |
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
|
|
|
90ca4f |
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
|
|
|
90ca4f |
apr_status_t nss_init_ModuleKill(void *data);
|
|
|
90ca4f |
apr_status_t nss_init_ChildKill(void *data);
|
|
|
90ca4f |
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
|
|
|
90ca4f |
diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
|
|
|
90ca4f |
--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800
|
|
|
90ca4f |
+++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800
|
|
|
90ca4f |
@@ -26,7 +26,7 @@
|
|
|
90ca4f |
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
|
|
90ca4f |
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
|
|
90ca4f |
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
|
|
|
90ca4f |
-static CERTCertificate* FindServerCertFromNickname(const char* name);
|
|
|
90ca4f |
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
|
|
|
90ca4f |
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
|
|
|
90ca4f |
|
|
|
90ca4f |
/*
|
|
|
90ca4f |
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
|
|
90ca4f |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
|
|
90ca4f |
"Init: Initializing (virtual) servers for SSL");
|
|
|
90ca4f |
|
|
|
90ca4f |
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
|
|
90ca4f |
+
|
|
|
90ca4f |
for (s = base_server; s; s = s->next) {
|
|
|
90ca4f |
sc = mySrvConfig(s);
|
|
|
90ca4f |
/*
|
|
|
90ca4f |
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
|
|
|
90ca4f |
/*
|
|
|
90ca4f |
* Read the server certificate and key
|
|
|
90ca4f |
*/
|
|
|
90ca4f |
- nss_init_ConfigureServer(s, p, ptemp, sc);
|
|
|
90ca4f |
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
|
|
|
90ca4f |
+ }
|
|
|
90ca4f |
+
|
|
|
90ca4f |
+ if (clist) {
|
|
|
90ca4f |
+ CERT_DestroyCertList(clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
|
|
|
90ca4f |
SECKEYPrivateKey **serverkey,
|
|
|
90ca4f |
SSLKEAType *KEAtype,
|
|
|
90ca4f |
PRFileDesc *model,
|
|
|
90ca4f |
- int enforce)
|
|
|
90ca4f |
+ int enforce,
|
|
|
90ca4f |
+ const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
SECCertTimeValidity certtimestatus;
|
|
|
90ca4f |
SECStatus secstatus;
|
|
|
90ca4f |
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
|
|
|
90ca4f |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
|
|
90ca4f |
"Using nickname %s.", nickname);
|
|
|
90ca4f |
|
|
|
90ca4f |
- *servercert = FindServerCertFromNickname(nickname);
|
|
|
90ca4f |
+ *servercert = FindServerCertFromNickname(nickname, clist);
|
|
|
90ca4f |
|
|
|
90ca4f |
/* Verify the certificate chain. */
|
|
|
90ca4f |
if (*servercert != NULL) {
|
|
|
90ca4f |
SECCertificateUsage usage = certificateUsageSSLServer;
|
|
|
90ca4f |
|
|
|
90ca4f |
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
|
|
|
90ca4f |
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
|
|
90ca4f |
- "Certificate not verified: '%s'", nickname);
|
|
|
90ca4f |
+ if (enforce) {
|
|
|
90ca4f |
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
|
|
|
90ca4f |
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
|
|
|
90ca4f |
- if (enforce) {
|
|
|
90ca4f |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
|
|
|
90ca4f |
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
|
|
|
90ca4f |
nss_die();
|
|
|
90ca4f |
@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
|
|
|
90ca4f |
static void nss_init_server_certs(server_rec *s,
|
|
|
90ca4f |
apr_pool_t *p,
|
|
|
90ca4f |
apr_pool_t *ptemp,
|
|
|
90ca4f |
- modnss_ctx_t *mctx)
|
|
|
90ca4f |
+ modnss_ctx_t *mctx,
|
|
|
90ca4f |
+ const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
SECStatus secstatus;
|
|
|
90ca4f |
|
|
|
90ca4f |
@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
|
|
|
90ca4f |
|
|
|
90ca4f |
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
|
|
|
90ca4f |
&mctx->serverkey, &mctx->serverKEAType,
|
|
|
90ca4f |
- mctx->model, mctx->enforce);
|
|
|
90ca4f |
+ mctx->model, mctx->enforce, clist);
|
|
|
90ca4f |
#ifdef NSS_ENABLE_ECC
|
|
|
90ca4f |
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
|
|
|
90ca4f |
&mctx->eccserverkey, &mctx->eccserverKEAType,
|
|
|
90ca4f |
- mctx->model, mctx->enforce);
|
|
|
90ca4f |
+ mctx->model, mctx->enforce, clist);
|
|
|
90ca4f |
#endif
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
|
|
|
90ca4f |
static void nss_init_proxy_ctx(server_rec *s,
|
|
|
90ca4f |
apr_pool_t *p,
|
|
|
90ca4f |
apr_pool_t *ptemp,
|
|
|
90ca4f |
- SSLSrvConfigRec *sc)
|
|
|
90ca4f |
+ SSLSrvConfigRec *sc,
|
|
|
90ca4f |
+ const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
nss_init_ctx(s, p, ptemp, sc->proxy);
|
|
|
90ca4f |
|
|
|
90ca4f |
- nss_init_server_certs(s, p, ptemp, sc->proxy);
|
|
|
90ca4f |
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
static void nss_init_server_ctx(server_rec *s,
|
|
|
90ca4f |
apr_pool_t *p,
|
|
|
90ca4f |
apr_pool_t *ptemp,
|
|
|
90ca4f |
- SSLSrvConfigRec *sc)
|
|
|
90ca4f |
+ SSLSrvConfigRec *sc,
|
|
|
90ca4f |
+ const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
nss_init_server_check(s, p, ptemp, sc->server);
|
|
|
90ca4f |
|
|
|
90ca4f |
nss_init_ctx(s, p, ptemp, sc->server);
|
|
|
90ca4f |
|
|
|
90ca4f |
- nss_init_server_certs(s, p, ptemp, sc->server);
|
|
|
90ca4f |
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
/*
|
|
|
90ca4f |
@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
|
|
|
90ca4f |
void nss_init_ConfigureServer(server_rec *s,
|
|
|
90ca4f |
apr_pool_t *p,
|
|
|
90ca4f |
apr_pool_t *ptemp,
|
|
|
90ca4f |
- SSLSrvConfigRec *sc)
|
|
|
90ca4f |
+ SSLSrvConfigRec *sc,
|
|
|
90ca4f |
+ const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
if (sc->enabled == TRUE) {
|
|
|
90ca4f |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
|
|
90ca4f |
"Configuring server for SSL protocol");
|
|
|
90ca4f |
- nss_init_server_ctx(s, p, ptemp, sc);
|
|
|
90ca4f |
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
if (sc->proxy_enabled == TRUE) {
|
|
|
90ca4f |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
|
|
|
90ca4f |
"Enabling proxy.");
|
|
|
90ca4f |
- nss_init_proxy_ctx(s, p, ptemp, sc);
|
|
|
90ca4f |
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
|
|
|
90ca4f |
nss_init_SSLLibrary(base_server);
|
|
|
90ca4f |
|
|
|
90ca4f |
/* Configure all virtual servers */
|
|
|
90ca4f |
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
|
|
|
90ca4f |
for (s = base_server; s; s = s->next) {
|
|
|
90ca4f |
sc = mySrvConfig(s);
|
|
|
90ca4f |
if (sc->server->servercert == NULL && NSS_IsInitialized())
|
|
|
90ca4f |
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
|
|
|
90ca4f |
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
|
|
|
90ca4f |
+ }
|
|
|
90ca4f |
+ if (clist) {
|
|
|
90ca4f |
+ CERT_DestroyCertList(clist);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
/*
|
|
|
90ca4f |
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
|
|
|
90ca4f |
* newest, valid server certificate.
|
|
|
90ca4f |
*/
|
|
|
90ca4f |
static CERTCertificate*
|
|
|
90ca4f |
-FindServerCertFromNickname(const char* name)
|
|
|
90ca4f |
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
|
|
|
90ca4f |
{
|
|
|
90ca4f |
- CERTCertList* clist;
|
|
|
90ca4f |
CERTCertificate* bestcert = NULL;
|
|
|
90ca4f |
|
|
|
90ca4f |
CERTCertListNode *cln;
|
|
|
90ca4f |
@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
|
|
|
90ca4f |
if (name == NULL)
|
|
|
90ca4f |
return NULL;
|
|
|
90ca4f |
|
|
|
90ca4f |
- clist = PK11_ListCerts(PK11CertListUser, NULL);
|
|
|
90ca4f |
-
|
|
|
90ca4f |
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
|
|
|
90ca4f |
cln = CERT_LIST_NEXT(cln)) {
|
|
|
90ca4f |
CERTCertificate* cert = cln->cert;
|
|
|
90ca4f |
@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
|
|
|
90ca4f |
if (bestcert) {
|
|
|
90ca4f |
bestcert = CERT_DupCertificate(bestcert);
|
|
|
90ca4f |
}
|
|
|
90ca4f |
- if (clist) {
|
|
|
90ca4f |
- CERT_DestroyCertList(clist);
|
|
|
90ca4f |
- }
|
|
|
90ca4f |
return bestcert;
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
|