diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
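--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700
+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
 tls = 1;
 } else {
 if (mctx->auth.protocols == NULL) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "NSSProtocols not set; using: SSLv3 and TLSv1");
+ /*
+ * Since this routine will be invoked individually for every
+ * thread associated with each 'server' object as well as for
+ * every thread associated with each 'proxy' object, issue a
+ * single per-thread 'warning' message for either a 'server'
+ * or a 'proxy' based upon the thread's object type.
+ */
+ if (mctx == mctx->sc->server) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "NSSProtocol value not set; using: SSLv3 and TLSv1");
+ } else if (mctx == mctx->sc->proxy) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+ }
+
 ssl3 = tls = 1;
 } else {
 lprotocols = strdup(mctx->auth.protocols);
@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
 * Configure SSL Cipher Suite
 */
 if (!suite) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Required value NSSCipherSuite not set.");
+ /*
+ * Since this is a 'fatal' error, regardless of whether this
+ * particular invocation is from a 'server' object or a 'proxy'
+ * object, issue all error message(s) as appropriate.
+ */
+ if ((mctx->sc->enabled == TRUE) &&
+ (mctx->sc->server) &&
+ (!mctx->sc->server->auth.cipher_suite)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSEngine on; required value NSSCipherSuite not set.");
+ }
+
+ if ((mctx->sc->proxy_enabled == TRUE) &&
+ (mctx->sc->proxy) &&
+ (!mctx->sc->proxy->auth.cipher_suite)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
+ }
+
 nss_die();
 }
 ciphers = strdup(suite);
@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
 if (mctx->nickname == NULL)
 #endif
 {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "No certificate nickname provided.");
+ /*
+ * Since this is a 'fatal' error, regardless of whether this
+ * particular invocation is from a 'server' object or a 'proxy'
+ * object, issue all error message(s) as appropriate.
+ */
+ if ((mctx->sc->enabled == TRUE) &&
+ (mctx->sc->server) &&
+ (mctx->sc->server->nickname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSEngine on; no certificate nickname provided by NSSNickname.");
+ }
+
+ if ((mctx->sc->proxy_enabled == TRUE) &&
+ (mctx->sc->proxy) &&
+ (mctx->sc->proxy->nickname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
+ }
+
 nss_die();
 }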
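Review bot: In the `if (!suite)` branch of nss_init_ctx_cipher_suite, `nss_die();` can now be reached with nothing logged, because both new messages are gated on `sc->enabled`/`sc->proxy_enabled` and on `sc->server`/`sc->proxy` rather than on the `mctx` whose suite was found missing, whereas the removed code always reported the cause. The nickname check in nss_init_server_certs has the same shape, and in nss_init_ctx_protocol the warning is dropped when `mctx` is neither `sc->server` nor `sc->proxy`, so the fallback would then be applied silently. I would keep a generic last resort in front of each `nss_die();`, i.e. remember whether a message was issued and otherwise emit the original `"Required value NSSCipherSuite not set."` (respectively `"No certificate nickname provided."`), and add a final `else` with the old warning in the first hunk. Whether those cases are reachable depends on callers outside these hunks, and all three function bodies start and end outside them. The unchanged fallback `ssl3 = tls = 1;` also still enables SSLv3, since deprecated by RFC 7568, which deserves at least a comment next to the new warning text.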