diff -rupN mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html

--- mod_nss-1.0.8.orig/docs/mod_nss.html	2012-10-15 13:53:48.889995000 -0700

+++ mod_nss-1.0.8/docs/mod_nss.html	2012-10-16 11:37:30.983783000 -0700

@@ -466,7 +466,7 @@ Example

 Enables or disables FIPS 140 mode. This replaces the standard

 internal PKCS#11 module with a FIPS-enabled one. It also forces the

-enabled protocols to TLSv1 and disables all ciphers but the

+enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the

 FIPS ones. You may still select which ciphers you would like

 limited to those that are FIPS-certified. Any non-FIPS that are

 included in the NSSCipherSuite entry are automatically disabled.

@@ -570,7 +570,7 @@ definition

       SSL_RSA_WITH_3DES_EDE_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

@@ -578,106 +578,106 @@ definition

       SSL_RSA_WITH_DES_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_null_md5

       SSL_RSA_WITH_NULL_MD5

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_null_sha

       SSL_RSA_WITH_NULL_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_rc2_40_md5

       SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_rc4_128_md5

       SSL_RSA_WITH_RC4_128_MD5

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_rc4_128_sha

       SSL_RSA_WITH_RC4_128_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_rc4_40_md5

       SSL_RSA_EXPORT_WITH_RC4_40_MD5

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       fortezza

       SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       fortezza_rc4_128_sha

       SSL_FORTEZZA_DMS_WITH_RC4_128_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       fortezza_null

       SSL_FORTEZZA_DMS_WITH_NULL_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       fips_des_sha

       SSL_RSA_FIPS_WITH_DES_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       fips_3des_sha

       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_des_56_sha

       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

-      SSL3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_rc4_56_sha

       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_aes_128_sha

       TLS_RSA_WITH_AES_128_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

       rsa_aes_256_sha

       TLS_RSA_WITH_AES_256_CBC_SHA

-      SSLv3/TLSv1

+      SSLv3/TLSv1.0/TLSv1.1

@@ -698,127 +698,127 @@ Definition

       ecdh_ecdsa_null_sha

       TLS_ECDH_ECDSA_WITH_NULL_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_ecdsa_rc4_128_sha

       TLS_ECDH_ECDSA_WITH_RC4_128_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_ecdsa_3des_sha

       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_ecdsa_aes_128_sha

       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_ecdsa_aes_256_sha

       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_ecdsa_null_sha

       TLS_ECDHE_ECDSA_WITH_NULL_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_ecdsa_rc4_128_sha

       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_ecdsa_3des_sha

       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_ecdsa_aes_128_sha

       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_ecdsa_aes_256_sha

       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_rsa_null_sha

       TLS_ECDH_RSA_WITH_NULL_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_rsa_128_sha

       TLS_ECDH_RSA_WITH_RC4_128_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_rsa_3des_sha

       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_rsa_aes_128_sha

       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_rsa_aes_256_sha

       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       echde_rsa_null

       TLS_ECDHE_RSA_WITH_NULL_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_rsa_rc4_128_sha

       TLS_ECDHE_RSA_WITH_RC4_128_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_rsa_3des_sha

       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_rsa_aes_128_sha

       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdhe_rsa_aes_256_sha

       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_anon_null_sha

       TLS_ECDH_anon_WITH_NULL_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_anon_rc4_128sha

       TLS_ECDH_anon_WITH_RC4_128_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_anon_3des_sha

       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_anon_aes_128_sha

       TLS_ECDH_anon_WITH_AES_128_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

       ecdh_anon_aes_256_sha

       TLS_ECDH_anon_WITH_AES_256_CBC_SHA

-      TLSv1

+      TLSv1.0/TLSv1.1

@@ -839,16 +839,35 @@ specifically but allows ciphers for that

 Options are:

   
SSLv3

-  
TLSv1

+  
TLSv1 (legacy only; replaced by TLSv1.0)

+  
TLSv1.0

+  
TLSv1.1

   
All

 Note that this differs from mod_ssl in that you can't add or subtract

 protocols.

+

+If no NSSProtocol is specified, mod_nss will default to allowing the use of

+the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the

+minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol

+allowed.

+

+If values for NSSProtocol are specified, mod_nss will set both the minimum

+and the maximum allowed protocols based upon these entries allowing for the

+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1

+are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes

+protocol ranges to accept all protocols inclusively

+(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols

+in the middle of a range (e. g. - TLS 1.0).

+

+Finally, NSS will always automatically negotiate the use of the strongest

+possible protocol that has been specified which is acceptable to both sides of

+a given connection.

 SSLv2 is not supported by default at this time.

 Example

-NSSProtocol SSLv3,TLSv1

+NSSProtocol SSLv3,TLSv1.0,TLSv1.1

 <big><big>NSSNickname

 </big></big>

@@ -1101,7 +1120,7 @@ was compiled against.

       SSL_PROTOCOL

-      SSLv2, SSLv3 or TLSv1

+      SSLv2, SSLv3, TLSv1.0, or TLSv1.1

@@ -1443,7 +1462,7 @@ Opera, and

 Safari) support SSL 3 and TLS so there is no need for a web server to

 support

 SSL 2. There are some known attacks against SSL 2 that are handled by

-SSL 3/TLS. SSL2 also doesn't support useful features like client

+SSL 3/TLS. SSLv2 also doesn't support useful features like client

 authentication.

 
Frequently Asked Questions

diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c

--- mod_nss-1.0.8.orig/mod_nss.c	2012-10-15 13:53:48.971995000 -0700

+++ mod_nss-1.0.8/mod_nss.c	2012-10-17 09:46:18.838689000 -0700

@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds

                 "(`[+-]XXX,...,[+-]XXX' - see manual)")

     SSL_CMD_SRV(Protocol, RAW_ARGS,

                 "Enable the various SSL protocols"

-                "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")

+                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)")

     SSL_CMD_ALL(VerifyClient, TAKE1,

                 "SSL Client Authentication "

                 "(`none', `optional', `require'")

@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds

                 "(`on', `off')")

     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,

                "SSL Proxy: enable or disable SSL protocol flavors "

-               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")

+               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)")

     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,

                "SSL Proxy: colon-delimited list of permitted SSL ciphers "

                "(`XXX:...:XXX' - see manual)")

diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in

--- mod_nss-1.0.8.orig/nss.conf.in	2012-10-15 13:53:48.856995000 -0700

+++ mod_nss-1.0.8/nss.conf.in	2012-10-19 18:06:59.101468000 -0700

@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4

 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography

 #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

-NSSProtocol SSLv3,TLSv1

+#   SSL Protocol:

+#   Cryptographic protocols that provide communication security.

+#   NSS handles the specified protocols as "ranges", and automatically

+#   negotiates the use of the strongest protocol for a connection starting

+#   with the maximum specified protocol and downgrading as necessary to the

+#   minimum specified protocol that can be used between two processes.

+#   Since all protocol ranges are completely inclusive, and no protocol in the

+#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"

+#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".

+NSSProtocol SSLv3,TLSv1.0,TLSv1.1

 #   SSL Certificate Nickname:

 #   The nickname of the RSA server certificate you are going to use.

diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c

--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-10-15 13:53:49.165998000 -0700

+++ mod_nss-1.0.8/nss_engine_init.c	2012-10-19 17:44:04.973592000 -0700

@@ -616,62 +616,98 @@ static void nss_init_ctx_protocol(server

                                   apr_pool_t *ptemp,

                                   modnss_ctx_t *mctx)

 {

-    int ssl2, ssl3, tls;

+    int ssl2, ssl3, tls, tls1_1;

+    char *protocol_marker = NULL;

     char *lprotocols = NULL;

     SECStatus stat;

+    SSLVersionRange enabledVersions;

-    ssl2 = ssl3 = tls = 0;

+    ssl2 = ssl3 = tls = tls1_1 = 0;

+

+    /*

+     * Since this routine will be invoked individually for every thread

+     * associated with each 'server' object as well as for every thread

+     * associated with each 'proxy' object, identify the protocol marker

+     * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')

+     * via each thread's object type and apply this useful information to

+     * all log messages.

+     */

+    if (mctx == mctx->sc->server) {

+        protocol_marker = "NSSProtocol";

+    } else if (mctx == mctx->sc->proxy) {

+        protocol_marker = "NSSProxyProtocol";

+    }

     if (mctx->sc->fips) {

         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,

-            "In FIPS mode, enabling TLSv1");

-        tls = 1;

+            "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1",

+            protocol_marker);

+        tls = tls1_1 = 1;

     } else {

         if (mctx->auth.protocols == NULL) {

-            /*

-             * Since this routine will be invoked individually for every

-             * thread associated with each 'server' object as well as for

-             * every thread associated with each 'proxy' object, issue a

-             * single per-thread 'warning' message for either a 'server'

-             * or a 'proxy' based upon the thread's object type.

-             */

-            if (mctx == mctx->sc->server) {

-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

-                    "NSSProtocol value not set; using: SSLv3 and TLSv1");

-            } else if (mctx == mctx->sc->proxy) {

-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

-                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");

-            }

+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

+                         "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",

+                         protocol_marker);

-            ssl3 = tls = 1;

+            ssl3 = tls = tls1_1 = 1;

         } else {

             lprotocols = strdup(mctx->auth.protocols);

             ap_str_tolower(lprotocols);

             if (strstr(lprotocols, "all") != NULL) {

 #ifdef WANT_SSL2

-                ssl2 = ssl3 = tls = 1;

+                ssl2 = ssl3 = tls = tls1_1= 1;

 #else

-                ssl3 = tls = 1;

+                ssl3 = tls = tls1_1 = 1;

 #endif

             } else {

-                if (strstr(lprotocols, "sslv2") != NULL) {

+                char *protocol_list = NULL;

+                char *saveptr = NULL;

+                char *token = NULL;

+

+                for (protocol_list = lprotocols; ; protocol_list = NULL) {

+                    token = strtok_r(protocol_list, ",", &saveptr);

+                    if (token == NULL) {

+                        break;

+                    } else if (strcmp(token, "sslv2") == 0) {

 #ifdef WANT_SSL2

-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");

-                    ssl2 = 1;

+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                                     "%s:  Enabling SSL2",

+                                     protocol_marker);

+                        ssl2 = 1;

 #else

-                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");

+                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,

+                                     "%s:  SSL2 is not supported",

+                                     protocol_marker);

 #endif

-                }

-

-                if (strstr(lprotocols, "sslv3") != NULL) {

-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");

-                    ssl3 = 1;

-                }

-

-                if (strstr(lprotocols, "tlsv1") != NULL) {

-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");

-                    tls = 1;

+                    } else if (strcmp(token, "sslv3") == 0) {

+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                                     "%s:  Enabling SSL3",

+                                     protocol_marker);

+                        ssl3 = 1;

+                    } else if (strcmp(token, "tlsv1") == 0) {

+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                                     "%s:  Enabling TLSv1.0 via TLSv1",

+                                     protocol_marker);

+                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,

+                                     "%s:  The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",

+                                     protocol_marker);

+                        tls = 1;

+                    } else if (strcmp(token, "tlsv1.0") == 0) {

+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                                     "%s:  Enabling TLSv1.0",

+                                     protocol_marker);

+                        tls = 1;

+                    } else if (strcmp(token, "tlsv1.1") == 0) {

+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                                     "%s:  Enabling TLSv1.1",

+                                     protocol_marker);

+                        tls1_1 = 1;

+                    } else {

+                        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

+                                     "%s:  Unknown protocol '%s' not supported",

+                                     protocol_marker, token);

+                    }

                 }

             }

             free(lprotocols);

@@ -686,31 +722,98 @@ static void nss_init_ctx_protocol(server

         stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);

     }

+    /* Set protocol version ranges:

+     *

+     *     (1) Set the minimum protocol accepted

+     *     (2) Set the maximum protocol accepted

+     *     (3) Protocol ranges extend from maximum down to minimum protocol

+     *     (4) All protocol ranges are completely inclusive;

+     *         no protocol in the middle of a range may be excluded

+     *     (5) NSS automatically negotiates the use of the strongest protocol

+     *         for a connection starting with the maximum specified protocol

+     *         and downgrading as necessary to the minimum specified protocol

+     *

+     * For example, if SSL 3.0 is chosen as the minimum protocol, and

+     * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and

+     * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and

+     * cannot be excluded from this range. NSS will automatically negotiate

+     * to utilize the strongest acceptable protocol for a connection starting

+     * with the maximum specified protocol and downgrading as necessary to the

+     * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).

+     */

     if (stat == SECSuccess) {

+        /* Set minimum protocol version (lowest -> highest)

+         *

+         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1

+         */

         if (ssl3 == 1) {

-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);

+            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [SSL 3.0] (minimum)",

+                         protocol_marker);

+        } else if (tls == 1) {

+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [TLS 1.0] (minimum)",

+                         protocol_marker);

+        } else if (tls1_1 == 1) {

+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [TLS 1.1] (minimum)",

+                         protocol_marker);

         } else {

-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);

+            /* Set default minimum protocol version to SSL 3.0 */

+            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [SSL 3.0] (default minimum)",

+                         protocol_marker);

         }

-    }

-    if (stat == SECSuccess) {

-        if (tls == 1) {

-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);

+

+        /* Set maximum protocol version (highest -> lowest)

+         *

+         *     TLS 1.1 -> TLS 1.0 -> SSL 3.0

+         */

+        if (tls1_1 == 1) {

+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [TLS 1.1] (maximum)",

+                         protocol_marker);

+        } else if (tls == 1) {

+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [TLS 1.0] (maximum)",

+                         protocol_marker);

+        } else if (ssl3 == 1) {

+            enabledVersions.max = SSL_LIBRARY_VERSION_3_0;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [SSL 3.0] (maximum)",

+                         protocol_marker);

         } else {

-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);

+            /* Set default maximum protocol version to TLS 1.1 */

+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;

+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

+                         "%s:  [TLS 1.1] (default maximum)",

+                         protocol_marker);

         }

+

+        stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);

     }

     if (stat != SECSuccess) {

         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

-                "SSL protocol initialization failed.");

+                "%s:  SSL/TLS protocol initialization failed.",

+                protocol_marker);

         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);

         nss_die();

     }

     mctx->ssl2 = ssl2;

     mctx->ssl3 = ssl3;

-    mctx->tls = tls;

+    if (tls1_1 == 1) {

+        mctx->tls = tls1_1;

+    } else {

+        mctx->tls = tls;

+    }

 }

 static void nss_init_ctx_session_cache(server_rec *s,

@@ -791,6 +894,8 @@ static void nss_init_ctx_cipher_suite(se

     PRBool cipher_state[ciphernum];

     PRBool fips_state[ciphernum];

     const char *suite = mctx->auth.cipher_suite; 

+    char * object_type = NULL;

+    char * cipher_suite_marker = NULL;

     char * ciphers;

     char * fipsciphers = NULL;

     int i;

@@ -820,6 +925,23 @@ static void nss_init_ctx_cipher_suite(se

         nss_die();

     }

+

+    /*

+     * Since this routine will be invoked individually for every thread

+     * associated with each 'server' object as well as for every thread

+     * associated with each 'proxy' object, identify the cipher suite markers

+     * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')

+     * via each thread's object type and apply this useful information to

+     * all log messages.

+     */

+    if (mctx == mctx->sc->server) {

+        object_type = "server";

+        cipher_suite_marker = "NSSCipherSuite";

+    } else if (mctx == mctx->sc->proxy) {

+        object_type = "proxy";

+        cipher_suite_marker = "NSSProxyCipherSuite";

+    }

+

     ciphers = strdup(suite);

 #define CIPHERSIZE 2048

@@ -854,13 +976,13 @@ static void nss_init_ctx_cipher_suite(se

         }

         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

-                 "FIPS mode enabled, permitted SSL ciphers are: [%s]",

-                 fipsciphers);

+            "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",

+            object_type, fipsciphers);

     }

     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

-                "Configuring permitted SSL ciphers [%s]",

-                 suite);

+                "%s:  Configuring permitted SSL ciphers [%s]",

+                 cipher_suite_marker, suite);

     /* Disable all NSS supported cipher suites. This is to prevent any new

      * NSS cipher suites from getting automatically and unintentionally

@@ -899,7 +1021,7 @@ static void nss_init_ctx_cipher_suite(se

         for (i=0; i

             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {

                 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

-                    "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);

+                    "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);

                 cipher_state[i] = PR_FALSE;

             }

         }

@@ -908,19 +1030,22 @@ static void nss_init_ctx_cipher_suite(se

     /* See if any ciphers have been enabled for a given protocol */

     if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {

         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

-            "SSL2 is enabled but no SSL2 ciphers are enabled.");

+            "%s:  SSL2 is enabled but no SSL2 ciphers are enabled.",

+            cipher_suite_marker);

         nss_die();

     }

     if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {

         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

-            "SSL3 is enabled but no SSL3 ciphers are enabled.");