mod_proxy now sets the requested remote host name. Use this to compare
to the CN value of the peer certificate and reject the request if they
do not match (and we have NSSProxyCheckPeerCN set to on).
diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
Example
-NSSProxyNickname beta
+NSSProxyNickname beta
+
+<big><big>NSSProxyCheckPeerCN</big></big>
+
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.
+
+Example
+
+NSSProcyCheckPeerCN
+on
+
Environment Variables
Quite a few environment variables (for CGI and SSI) may be set
depending on the NSSOptions configuration. It can be expensive to set
@@ -1435,42 +1449,9 @@
Frequently Asked Questions
Q. Does mod_nss support mod_proxy?
-A. In order to use the mod_nss proxy support you will need to build
-your own mod_proxy by applying a patch found in bug
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468.
-The patch is needed so we can compare the hostname contained in the
-remote certificate with the hostname you meant to visit. This prevents
-man-in-the-middle attacks.
-
-You also have to change the SSL functions that mod_proxy looks to use.
-You'll need to apply this patch:
-
-1038,1039c1038,1039
-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
----
-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
-1041,1042c1041,1042
-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;
-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;
----
-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;
-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;
-1069,1070c1069,1070
-< proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
-< proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
----
-> proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
-> proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
-
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+provides a single interface for SSL providers and mod_nss defers to
+mod_ssl
+if it is loaded.
</body>
</html>
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
@@ -142,6 +142,8 @@
SSL_CMD_SRV(ProxyNickname, TAKE1,
"SSL Proxy: client certificate Nickname to be for proxy connections "
"(`nickname')")
+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peers certificate CN")
#ifdef IGNORE
/* Deprecated directives. */
@@ -238,23 +240,30 @@
SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
{
conn_rec *c = (conn_rec *)arg;
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
PRErrorCode err = PR_GetError();
SECStatus rv = SECFailure;
CERTCertificate *peerCert = SSL_PeerCertificate(socket);
+ const char *hostname_note;
switch (err) {
case SSL_ERROR_BAD_CERT_DOMAIN:
- if (c->remote_host != NULL) {
- rv = CERT_VerifyCertName(peerCert, c->remote_host);
- if (rv != SECSuccess) {
- char *remote = CERT_GetCommonName(&peerCert->subject);
+ if (sc->proxy_ssl_check_peer_cn == TRUE) {
+ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
+ apr_table_unset(c->notes, "proxy-request-hostname");
+ rv = CERT_VerifyCertName(peerCert, hostname_note);
+ if (rv != SECSuccess) {
+ char *remote = CERT_GetCommonName(&peerCert->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
+ PORT_Free(remote);
+ }
+ } else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
- PORT_Free(remote);
+ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
}
} else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
+ rv = SECSuccess;
}
break;
default:
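Review bot: `peerCert` from `SSL_PeerCertificate()` is handed to `CERT_VerifyCertName()` and dereferenced for `CERT_GetCommonName(&peerCert->subject)` without a NULL check, and the new `sc->proxy_ssl_check_peer_cn == TRUE` test turns any value other than exactly TRUE into `rv = SECSuccess`, i.e. an accepted name mismatch, whereas comparing against FALSE keeps the check failing closed should the field ever hold UNSET or another non-zero value. Both log calls pass `NULL` as the server even though `c->base_server` is now in scope (it is what `sc` is derived from), and the re-added message still reads "The remove server is %s" where "remote" is meant. NSS documents that the certificate returned by `SSL_PeerCertificate()` must be released with `CERT_DestroyCertificate()`; nothing in this hunk does so, so unless the part of the function after `default:` handles it, each invocation of the callback leaks a reference. A restructured `SSL_ERROR_BAD_CERT_DOMAIN` case covering these points follows; NSSBadCertHandler continues past the end of the hunk.
```c
        case SSL_ERROR_BAD_CERT_DOMAIN:
            /* Only an explicit "off" disables the check; anything else fails closed. */
            if (sc->proxy_ssl_check_peer_cn == FALSE) {
                rv = SECSuccess;
                break;
            }
            hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
            if (hostname_note == NULL) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                    "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
                break;  /* rv is still SECFailure */
            }
            apr_table_unset(c->notes, "proxy-request-hostname");
            if (peerCert == NULL) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                    "SSL Proxy: no peer certificate to compare against %s. Giving up.", hostname_note);
                break;  /* rv is still SECFailure */
            }
            rv = CERT_VerifyCertName(peerCert, hostname_note);
            if (rv != SECSuccess) {
                char *remote = CERT_GetCommonName(&peerCert->subject);
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                    "SSL Proxy: Possible man-in-the-middle attack. The remote server is %s, we expected %s",
                    remote ? remote : "(no CN)", hostname_note);
                PORT_Free(remote);
            }
            break;
        /* … unchanged: default: branch … */
```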
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
@@ -306,6 +306,7 @@
int vhost_id_len;
modnss_ctx_t *server;
modnss_ctx_t *proxy;
+ BOOL proxy_ssl_check_peer_cn;
};
/*
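Review bot: The new `proxy_ssl_check_peer_cn` member at the tail of the per-server config struct carries no comment, although it gates whether a proxied peer's certificate name is verified at all; `BOOL proxy_ssl_check_peer_cn; /* NSSProxyCheckPeerCN: verify the proxied peer's certificate name against the requested host */` would state that at the declaration. The struct's opening lies before this hunk, so its tag is not visible here.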
@@ -410,6 +411,7 @@
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
@@ -140,6 +140,7 @@
sc->vhost_id_len = 0; /* set during module init */
sc->proxy = NULL;
sc->server = NULL;
+ sc->proxy_ssl_check_peer_cn = TRUE;
modnss_ctx_init_proxy(sc, p);
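Review bot: `sc->proxy_ssl_check_peer_cn = TRUE` in the per-server constructor gives a virtual host that never names `NSSProxyCheckPeerCN` an explicit value, so if `cfgMergeBool` follows the usual mod_ssl-derived `cfgMerge(el, UNSET)` pattern (the macro is outside this diff), the `cfgMergeBool(proxy_ssl_check_peer_cn)` added in the next hunk will never inherit a main-server setting into the vhost. The conventional shape is `sc->proxy_ssl_check_peer_cn = UNSET;` here, with the default resolved to TRUE at post-config or at the point of use so that an unresolved value still fails closed. Either way, a short comment on the initialiser stating the intended default, e.g. `/* NSSProxyCheckPeerCN defaults to on: proxied peer names are verified */`, would spare the next reader a trip to the docs.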
@@ -214,6 +215,7 @@
cfgMergeBool(fips);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
+ cfgMergeBool(proxy_ssl_check_peer_cn);
modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -544,6 +546,15 @@
return NULL;
}
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
void *dcfg,
int flag)