diff --git a/SOURCES/mod_nss-SSLEngine-off.patch b/SOURCES/mod_nss-SSLEngine-off.patch
new file mode 100644
index 0000000..950fcc9
--- /dev/null
+++ b/SOURCES/mod_nss-SSLEngine-off.patch
@@ -0,0 +1,13 @@
+diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8.patched/nss.conf.in
+--- mod_nss-1.0.8.orig/nss.conf.in 2013-11-12 14:07:54.000000000 -0800
++++ mod_nss-1.0.8.patched/nss.conf.in 2013-11-12 14:31:28.000000000 -0800
+@@ -99,6 +99,9 @@ LogLevel warn
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
++
++ SSLEngine off
++
+ NSSEngine on
+
+ # SSL Cipher Suite:
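Review bot: `SSLEngine off` on the added line is a mod_ssl directive, so on a host where mod_ssl is not loaded httpd will refuse to start with an unknown-directive error unless mod_nss itself registers `SSLEngine`; please confirm it does, or guard the line as `<IfModule mod_ssl.c>` / `SSLEngine off` / `</IfModule>`. The reason for the line is not stated in the template, and the existing comment above it ("Enable/Disable SSL for this virtual host") now describes two directives; I'd add `# mod_nss defers to mod_ssl when both are loaded: keep mod_ssl from claiming this virtual host` above it, since that is the behaviour the FAQ in the bundled documentation describes. The trailing whitespace-only lines around it appear intentional padding, but one blank line would match the rest of the file.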
diff --git a/SOURCES/mod_nss-nssverifyclient.patch b/SOURCES/mod_nss-nssverifyclient.patch
new file mode 100644
index 0000000..d9858c3
--- /dev/null
+++ b/SOURCES/mod_nss-nssverifyclient.patch
@@ -0,0 +1,12 @@
+diff -rupN mod_nss-1.0.8.patched/nss_engine_kernel.c mod_nss-1.0.8.989724/nss_engine_kernel.c
+--- mod_nss-1.0.8.patched/nss_engine_kernel.c 2007-05-31 14:36:03.000000000 -0700
++++ mod_nss-1.0.8.989724/nss_engine_kernel.c 2013-10-25 13:32:47.000000000 -0700
+@@ -275,7 +275,7 @@ int nss_hook_Access(request_rec *r)
+
+ if (verify == SSL_CVERIFY_REQUIRE) {
+ SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
++ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
+ } else if (verify == SSL_CVERIFY_OPTIONAL) {
+ SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
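Review bot: The `SECStatus` returned by `SSL_OptionSet` on the changed line (and by the `SSL_REQUEST_CERTIFICATE` call just above it) is still discarded, so if NSS rejects the option the socket keeps its previous requirement level while the request proceeds as though `NSSVerifyClient require` were in force — a fail-open in exactly the path this patch is hardening. I'd check each call, e.g. `if (SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS) != SECSuccess) return HTTP_FORBIDDEN;`, using whatever failure status nss_hook_Access returns elsewhere; the function's body starts and ends outside this hunk so I cannot see its error convention. If the per-server initialisation applies the same `SSL_CVERIFY_REQUIRE` to NSS-option mapping, it presumably needs the same `SSL_REQUIRE_ALWAYS` change for consistency — worth confirming rather than relying on the per-directory hook alone. A short comment would stop this from being reverted as a "cleanup": `/* SSL_REQUIRE_NO_ERROR lets the handshake finish without a client cert; ALWAYS is what "require" means. */`.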
diff --git a/SOURCES/mod_nss-unused-filter_ctx.patch b/SOURCES/mod_nss-unused-filter_ctx.patch
new file mode 100644
index 0000000..2def292
--- /dev/null
+++ b/SOURCES/mod_nss-unused-filter_ctx.patch
@@ -0,0 +1,18 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_io.c mod_nss-1.0.8.patched/nss_engine_io.c
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2013-11-12 13:46:32.000000000 -0800
++++ mod_nss-1.0.8.patched/nss_engine_io.c 2013-11-12 14:01:15.000000000 -0800
+@@ -1354,14 +1354,11 @@ nss_AuthCertificate(void *arg, PRFileDes
+ PRBool checksig, PRBool isServer)
+ {
+ SECStatus status;
+- nss_filter_ctx_t *filter_ctx;
+
+ if (!arg || !socket) {
+ return SECFailure;
+ }
+
+- filter_ctx = (nss_filter_ctx_t *)(socket->lower->secret);
+-
+ status = SSL_AuthCertificate(arg, socket, checksig, isServer);
+
+ /* The certificate is copied to sslconn->client_cert in
diff --git a/SOURCES/mod_nss-usecases.patch b/SOURCES/mod_nss-usecases.patch
new file mode 100644
index 0000000..8427fe6
--- /dev/null
+++ b/SOURCES/mod_nss-usecases.patch
@@ -0,0 +1,322 @@
+diff -rupN mod_nss-1.0.8.srpm/docs/mod_nss.html mod_nss-1.0.8.patched/docs/mod_nss.html
+--- mod_nss-1.0.8.srpm/docs/mod_nss.html 2013-11-27 12:03:05.000000000 -0800
++++ mod_nss-1.0.8.patched/docs/mod_nss.html 2013-11-27 17:27:08.000000000 -0800
+@@ -33,6 +33,7 @@
+ Database Management
+ Why is SSLv2 disabled?
+ Frequently Asked Questions
++Sample Use Cases
+
+
Introduction
+ The mod_ssl package was
+@@ -1056,7 +1057,7 @@ man-in-the-middle attack so leaving this
+
+ Example
+
+-NSSProcyCheckPeerCN on
++NSSProxyCheckPeerCN on
+
+
+ Environment Variables
+@@ -1467,6 +1468,300 @@ Q. Does mod_nss support mod_proxy?
+
+ A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+ provides a single interface for SSL providers and mod_nss defers to
+-mod_ssl if it is loaded.
++mod_ssl if it is loaded.
++
++Sample Use Cases
++I. Restart Apache using the NSS Internal Software Token
++
++1. Become the root user.
++
++2. Install mod_nss.
++
++3. This use case will utilize the NSS security databases created during installation of mod_nss:
++
++
++
++# certutil -L -d /etc/httpd/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++cacert CTu,Cu,Cu
++Server-Cert u,u,u
++alpha u,pu,u
++
++
++
++
++NOTE: |
++For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in /etc/httpd/alias ), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |
++
++
++
++
++4. Use certutil
to apply a password to the NSS security databases configured in step 3 above:
++
++
++
++# certutil -W -d /etc/httpd/alias
++Enter Password or Pin for "NSS Certificate DB":
++Enter a password which will be used to encrypt your keys.
++The password should be at least 8 characters long,
++and should contain at least one non-alphabetic character.
++
++Enter new password:
++Re-enter password:
++Password changed successfully.
++
++
++
++5. Configure mod_nss to use the NSS internal software token:
++
++
++Edit /etc/httpd/conf.d/nss.conf
:
++
++
++Replace:
++
++NSSPassPhraseDialog builtin
++
++with:
++
++NSSPassPhraseDialog file:/etc/httpd/password.conf
++
++
++
++
++
++NOTE: |
++Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server. This is because the mod_nss test for issuing the password prompt Please enter password for "internal" token: on the command line is only displayed when the command isatty(fileno(stdin)) is set to 'true', and when the command is entered from this type of invocation the value is 'false'. In order to see the prompt, one can set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |
++
++
++
++
++If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the NSSNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
++
++NSSNickname Server-Cert
++
++
++If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the NSSECCNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
++
++NSSECCNickname Server-Cert
++
++
++Make certain that the NSSCertificateDatabase
parameter is uncommented and points to the NSS security databases directory configured in step 3 above:
++
++NSSCertificateDatabase /etc/httpd/alias
++
++
++
++Create the /etc/httpd/password.conf
file:
++
++
++Add:
++
++Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.
++
++
++Apply the appropriate ownership and permissions to the /etc/httpd/password.conf
file:
++
++
++# chgrp apache /etc/httpd/password.conf
++
++# chmod 640 /etc/httpd/password.conf
++
++
++# ls -l /etc/httpd/password.conf
++-rw-r-----. 1 root apache 18 Nov 27 14:05 /etc/httpd/password.conf
++
++
++
++
++6. Restart the Apache server:
++
++
++
++# service httpd restart
++Redirecting to /bin/systemctl restart httpd.service
++
++
++
++# service httpd status
++Redirecting to /bin/systemctl status httpd.service
++httpd.service - The Apache HTTP Server
++ Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
++ Active: active (running) since Wed 2013-11-27 15:25:48 PST; 1min 11s ago
++ Process: 20804 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
++ Main PID: 20807 (httpd)
++ Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
++ CGroup: name=systemd:/system/httpd.service
++ |_____20807 /usr/sbin/httpd -DFOREGROUND
++ |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
++ |_____20809 /usr/sbin/httpd -DFOREGROUND
++ |_____20810 /usr/sbin/httpd -DFOREGROUND
++ |_____20811 /usr/sbin/httpd -DFOREGROUND
++ |_____20812 /usr/sbin/httpd -DFOREGROUND
++ |_____20813 /usr/sbin/httpd -DFOREGROUND
++
++Nov 27 15:25:48 server.example.com systemd[1]: Started The Apache HTTP Server.
++
++
++
++
++II. Restart Apache using the NSS FIPS Software Token
++
++1. Become the root user.
++
++2. Install mod_nss.
++
++3. This use case will utilize the NSS security databases created during installation of mod_nss:
++
++
++
++# certutil -L -d /etc/httpd/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++cacert CTu,Cu,Cu
++Server-Cert u,u,u
++alpha u,pu,u
++
++
++
++
++NOTE: |
++For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in /etc/httpd/alias ), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |
++
++
++
++
++4. Use certutil
to apply a password to the NSS security databases configured in step 3 above:
++
++
++
++# certutil -W -d /etc/httpd/alias
++Enter Password or Pin for "NSS Certificate DB":
++Enter a password which will be used to encrypt your keys.
++The password should be at least 8 characters long,
++and should contain at least one non-alphabetic character.
++
++Enter new password:
++Re-enter password:
++Password changed successfully.
++
++
++
++5. Configure mod_nss to use the NSS FIPS software token:
++
++
++Edit /etc/httpd/conf.d/nss.conf
:
++
++
++Replace:
++
++NSSPassPhraseDialog builtin
++
++with:
++
++NSSPassPhraseDialog file:/etc/httpd/password.conf
++
++
++
++
++
++NOTE: |
++Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server. This is because the mod_nss test for issuing the password prompt Please enter password for "NSS FIPS 140-2 Certificate DB" token: on the command line is only displayed when the command isatty(fileno(stdin)) is set to 'true', and when the command is entered from this type of invocation the value is 'false'. In order to see the prompt, one can set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |
++
++
++
++
++To enable FIPS mode for mod_nss, add the following parameter:
++
++after the line marked:
++
++
++If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the NSSNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
++
++NSSNickname Server-Cert
++
++
++If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the NSSECCNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
++
++NSSECCNickname Server-Cert
++
++
++Make certain that the NSSCertificateDatabase
parameter is uncommented and points to the NSS security databases directory configured in step 3 above:
++
++NSSCertificateDatabase /etc/httpd/alias
++
++
++
++Create the /etc/httpd/password.conf
file:
++
++
++Add:
++
++NSS FIPS 140-2 Certificate DB:<password>
++
++Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.
++
++
++
++IMPORTANT: |
++Notice that since the NSS FIPS software token is being used, the contents of the /etc/httpd/password.conf file references the password for the NSS FIPS software token (NSS FIPS 140-2 Certificate DB:<password> ) rather than the NSS internal software token (internal:<password> ). |
++
++
++
++
++Apply the appropriate ownership and permissions to the /etc/httpd/password.conf
file:
++
++
++# chgrp apache /etc/httpd/password.conf
++
++# chmod 640 /etc/httpd/password.conf
++
++
++# ls -l /etc/httpd/password.conf
++-rw-r-----. 1 root apache 39 Nov 27 15:48 /etc/httpd/password.conf
++
++
++
++
++6. Restart the Apache server:
++
++
++
++# service httpd restart
++Redirecting to /bin/systemctl restart httpd.service
++
++
++
++# service httpd status
++Redirecting to /bin/systemctl status httpd.service
++httpd.service - The Apache HTTP Server
++ Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
++ Active: active (running) since Wed 2013-11-27 16:26:07 PST; 4s ago
++ Process: 21296 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
++ Main PID: 21299 (httpd)
++ Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
++ CGroup: name=systemd:/system/httpd.service
++ |_____21299 /usr/sbin/httpd -DFOREGROUND
++ |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
++ |_____21340 /usr/sbin/httpd -DFOREGROUND
++ |_____21341 /usr/sbin/httpd -DFOREGROUND
++ |_____21342 /usr/sbin/httpd -DFOREGROUND
++
++Nov 27 16:26:07 server.example.com systemd[1]: Started The Apache HTTP Server.
++
++
++
++
+