diff --git a/.mod_nss.metadata b/.mod_nss.metadata
new file mode 100644
index 0000000..09b0c0a
--- /dev/null
+++ b/.mod_nss.metadata
@@ -0,0 +1 @@
+69a4b51eaee2087ee6ea85e1b19fb0c7ccd7ab2e SOURCES/mod_nss-1.0.8.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/mod_nss-PK11_ListCerts_2.patch b/SOURCES/mod_nss-PK11_ListCerts_2.patch
new file mode 100644
index 0000000..0ef492c
--- /dev/null
+++ b/SOURCES/mod_nss-PK11_ListCerts_2.patch
@@ -0,0 +1,201 @@ +diff -pu mod_nss.h mod_nss.h.PK11_ListCerts +--- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800 ++++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800 +@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); + void nss_init_Child(apr_pool_t *, server_rec *); +-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); ++void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); + apr_status_t nss_init_ModuleKill(void *data); + apr_status_t nss_init_ChildKill(void *data); + int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); +diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts +--- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800 ++++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800 +@@ -26,7 +26,7 @@ + static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); + static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); + static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); +-static CERTCertificate* FindServerCertFromNickname(const char* name); ++static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); + + /* +@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p + ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, + "Init: Initializing (virtual) servers for SSL"); + ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); ++ + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); + /* +@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p + /* + * Read the server certificate and key + */ +- nss_init_ConfigureServer(s, p, ptemp, sc); ++ 
nss_init_ConfigureServer(s, p, ptemp, sc, clist); ++ } ++ ++ if (clist) { ++ CERT_DestroyCertList(clist); + } + } + +@@ -880,7 +886,8 @@ static void nss_init_certificate(server_ + SECKEYPrivateKey **serverkey, + SSLKEAType *KEAtype, + PRFileDesc *model, +- int enforce) ++ int enforce, ++ const CERTCertList* clist) + { + SECCertTimeValidity certtimestatus; + SECStatus secstatus; +@@ -894,17 +901,15 @@ static void nss_init_certificate(server_ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Using nickname %s.", nickname); + +- *servercert = FindServerCertFromNickname(nickname); ++ *servercert = FindServerCertFromNickname(nickname, clist); + + /* Verify the certificate chain. */ + if (*servercert != NULL) { + SECCertificateUsage usage = certificateUsageSSLServer; + +- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Certificate not verified: '%s'", nickname); ++ if (enforce) { ++ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); +- if (enforce) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to verify certificate '%s'. 
Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); + nss_die(); +@@ -994,7 +999,8 @@ static void nss_init_certificate(server_ + static void nss_init_server_certs(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- modnss_ctx_t *mctx) ++ modnss_ctx_t *mctx, ++ const CERTCertList* clist) + { + SECStatus secstatus; + +@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server + + nss_init_certificate(s, mctx->nickname, &mctx->servercert, + &mctx->serverkey, &mctx->serverKEAType, +- mctx->model, mctx->enforce); ++ mctx->model, mctx->enforce, clist); + #ifdef NSS_ENABLE_ECC + nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, + &mctx->eccserverkey, &mctx->eccserverKEAType, +- mctx->model, mctx->enforce); ++ mctx->model, mctx->enforce, clist); + #endif + } + +@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server + static void nss_init_proxy_ctx(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + nss_init_ctx(s, p, ptemp, sc->proxy); + +- nss_init_server_certs(s, p, ptemp, sc->proxy); ++ nss_init_server_certs(s, p, ptemp, sc->proxy, clist); + } + + static void nss_init_server_ctx(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + nss_init_server_check(s, p, ptemp, sc->server); + + nss_init_ctx(s, p, ptemp, sc->server); + +- nss_init_server_certs(s, p, ptemp, sc->server); ++ nss_init_server_certs(s, p, ptemp, sc->server, clist); + } + + /* +@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r + void nss_init_ConfigureServer(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +- SSLSrvConfigRec *sc) ++ SSLSrvConfigRec *sc, ++ const CERTCertList* clist) + { + if (sc->enabled == TRUE) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Configuring server for SSL protocol"); +- 
nss_init_server_ctx(s, p, ptemp, sc); ++ nss_init_server_ctx(s, p, ptemp, sc, clist); + } + + if (sc->proxy_enabled == TRUE) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Enabling proxy."); +- nss_init_proxy_ctx(s, p, ptemp, sc); ++ nss_init_proxy_ctx(s, p, ptemp, sc, clist); + } + } + +@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve + nss_init_SSLLibrary(base_server); + + /* Configure all virtual servers */ ++ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + for (s = base_server; s; s = s->next) { + sc = mySrvConfig(s); + if (sc->server->servercert == NULL && NSS_IsInitialized()) +- nss_init_ConfigureServer(s, p, mc->ptemp, sc); ++ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); ++ } ++ if (clist) { ++ CERT_DestroyCertList(clist); + } + + /* +@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER + * newest, valid server certificate. + */ + static CERTCertificate* +-FindServerCertFromNickname(const char* name) ++FindServerCertFromNickname(const char* name, const CERTCertList* clist) + { +- CERTCertList* clist; + CERTCertificate* bestcert = NULL; + + CERTCertListNode *cln; +@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n + if (name == NULL) + return NULL; + +- clist = PK11_ListCerts(PK11CertListUser, NULL); +- + for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist); + cln = CERT_LIST_NEXT(cln)) { + CERTCertificate* cert = cln->cert; +@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n + if (bestcert) { + bestcert = CERT_DupCertificate(bestcert); + } +- if (clist) { +- CERT_DestroyCertList(clist); +- } + return bestcert; + } + + diff --git a/SOURCES/mod_nss-array_overrun.patch b/SOURCES/mod_nss-array_overrun.patch new file mode 100644 index 0000000..67d841d --- /dev/null +++ b/SOURCES/mod_nss-array_overrun.patch 
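Review bot: With the chain check now nested under the new `if (enforce) {` in nss_init_certificate, a server whose certificate fails `CERT_VerifyCertificateNow()` while NSSEnforceValidCerts is off starts with no log line at all — the unconditional `"Certificate not verified: '%s'"` APLOG_ERR message is removed together with the check, so the operator loses the only signal that the chain is broken. Keep the verification call and the error log unconditional and gate only `nss_die()` on `enforce`, as the removed lines did. Separately, `nss_init_Module` and `nss_init_Child` guard `clist` with `if (clist)` before `CERT_DestroyCertList`, yet `FindServerCertFromNickname` walks `CERT_LIST_HEAD(clist)` with no NULL check, so a failed `PK11_ListCerts()` still reaches the loop through the new parameter; an early `if (clist == NULL) return NULL;` beside the existing `name == NULL` guard closes that. Both nss_init_certificate and FindServerCertFromNickname continue outside the hunk.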
@@ -0,0 +1,16 @@
+mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
+"child_argv", with 5 elements, at position 5 with index variable "5".
+
+https://bugzilla.redhat.com/show_bug.cgi?id=714154
+diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2011-08-01 13:24:34.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.000000000 -0400
+@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
+ 
+ /* Do we need to fire up our password helper? */
+ if (mc->nInitCount == 1) {
+- const char * child_argv[5];
++ const char * child_argv[6];
+ apr_status_t rv;
+ struct sembuf sb;
+ char sembuf[32];
diff --git a/SOURCES/mod_nss-clientauth.patch b/SOURCES/mod_nss-clientauth.patch
new file mode 100644
index 0000000..44f3c97
--- /dev/null
+++ b/SOURCES/mod_nss-clientauth.patch
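Review bot: The new size `child_argv[6]` carries no explanation of why six slots are needed, so the next person to add or drop an argument can reintroduce the overrun Coverity reported (index 5 written into a 5-element array). A comment on the changed line ties the size to its use: `const char * child_argv[6]; /* must hold every entry assigned below (indices 0-5) */`. The assignments that fill the array, and the rest of nss_init_Module, are outside the hunk, so confirm the count against them.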
@@ -0,0 +1,50 @@
+The first fix is to retrieve the full certificate subject instead of just the
+CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
+
+The second always attempts to retrieve the client certificate in
+nss_hook_ReadReq().
+
+https://bugzilla.redhat.com/show_bug.cgi?id=702437
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
+@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
+ 
+ status = SSL_AuthCertificate(arg, socket, checksig, isServer);
+ 
+- if (status == SECSuccess) {
+- conn_rec *c = filter_ctx->c;
+- SSLConnRec *sslconn = myConnConfig(c);
+-
+- sslconn->client_cert = SSL_PeerCertificate(socket);
+- sslconn->client_dn = NULL;
+- }
++ /* The certificate is copied to sslconn->client_cert in
++ * nss_hook_ReadReq()
++ */
+ 
+ return status;
+ }
+--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
+@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
+ nss_util_vhostid(r->pool, r->server));
+ }
+ 
++ if (sslconn->client_cert != NULL)
++ CERT_DestroyCertificate(sslconn->client_cert);
++ sslconn->client_cert = SSL_PeerCertificate(ssl);
++ sslconn->client_dn = NULL;
++ 
+ return DECLINED;
+ }
+ 
+@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
+ }
+ 
+ if (!sslconn->client_dn) {
+- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
+- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
++ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
++ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
+ PORT_Free(cp);
+ }
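Review bot: In nss_hook_UserCheck the new `apr_pstrcat(r->connection->pool, "/", cp, NULL)` turns a NULL result from `CERT_NameToAscii()` into the identity `"/"`, because apr_pstrcat stops at the first NULL argument; the replaced `apr_pstrdup` left client_dn NULL in that case, so FakeBasicAuth now gets a non-empty DN for a subject it could not render. Guard the conversion: `if (cp) { sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL); PORT_Free(cp); }` and leave client_dn NULL otherwise. The `sslconn->client_cert->subject` dereference relies on a NULL check that is outside the hunk; nss_hook_UserCheck continues before and after it.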
@@ -0,0 +1,70 @@ +--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400 ++++ mod_nss-1.0.6/nss.conf.in 2006-10-23 15:27:22.000000000 -0400 +@@ -8,14 +8,16 @@ + # consult the online docs. You have been warned. + # + ++LoadModule nss_module modules/libmodnss.so ++ + # + # When we also provide SSL we have to listen to the + # standard HTTP port (see above) and to the HTTPS port + # + # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" ++# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" + # +-Listen 443 ++Listen 8443 + + ## + ## SSL Global Context +@@ -40,7 +42,7 @@ + # Pass Phrase Helper: + # This helper program stores the token password pins between + # restarts of Apache. +-NSSPassPhraseHelper @apache_bin@/nss_pcache ++NSSPassPhraseHelper /usr/sbin/nss_pcache + + # Configure the SSL Session Cache. + # NSSSessionCacheSize is the number of entries in the cache. +@@ -68,17 +70,17 @@ + ## SSL Virtual Host Context + ## + +- ++ + + # General setup for the virtual host + #DocumentRoot "@apache_prefix@/htdocs" +-#ServerName www.example.com:443 ++#ServerName www.example.com:8443 + #ServerAdmin you@example.com + + # mod_nss can log to separate log files, you can choose to do that if you'd like + # LogLevel is not inherited from httpd.conf. +-#ErrorLog @apache_prefix@/logs/error_log +-#TransferLog @apache_prefix@/logs/access_log ++ErrorLog @apache_prefix@/logs/error_log ++TransferLog @apache_prefix@/logs/access_log + LogLevel warn + + # SSL Engine Switch: +@@ -113,7 +115,7 @@ + # The NSS security database directory that holds the certificates and + # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. + # Provide the directory that these files exist. 
+-NSSCertificateDatabase @apache_conf@ ++NSSCertificateDatabase /etc/httpd/alias + + # Database Prefix: + # In order to be able to store multiple NSS databases in one directory +@@ -189,7 +191,7 @@ + + NSSOptions +StdEnvVars + +- ++ + NSSOptions +StdEnvVars + + diff --git a/SOURCES/mod_nss-docs-fix.patch b/SOURCES/mod_nss-docs-fix.patch new file mode 100644 index 0000000..a250049 --- /dev/null +++ b/SOURCES/mod_nss-docs-fix.patch @@ -0,0 +1,505 @@ +@@ -, +, @@ + Documentation formatting fixes + + - correct few cases of used on text that should use normal font + - strip some redundant html tags + - use
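Review bot: The rewritten comment `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"` mixes two ports while the directive beneath it becomes `Listen 8443`; a dual-stack operator who copies the example as written opens 443 on IPv4 and 8443 on IPv6. Change it to `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"` so the comment matches the port the file actually configures. The hunk also replaces `@apache_bin@` and `@apache_conf@` substitutions with the fixed paths `/usr/sbin/nss_pcache` and `/etc/httpd/alias`; a one-line comment saying these are distribution-fixed locations would tell the reader that the configure-time substitution no longer applies to this file.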
 for larger command output blocks
+    - correct few typos
+--- a/docs/mod_nss.html	
++++ a/docs/mod_nss.html	
+@@ -15,10 +15,10 @@ 
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+ -->
+-  
++  
+   mod_nss
+ 
++
+ 
+ 

mod_nss

+

Table of Contents

+@@ -33,6 +33,7 @@ + Database Management
+ Why is SSLv2 disabled?
+ Frequently Asked Questions
++ +

Introduction

+ The mod_ssl package was + created in April 1998 by Ralf S. +@@ -44,9 +45,10 @@ the .
+
+
mod_nss is based directly on the mod_ssl package from Apache +-2.0.54.  It is a conversion from using OpenSSL calls to using
NSS ++2.0.54. It is a conversion from using OpenSSL calls to using ++NSS + calls instead.
++ +

Building

+ Refer to the README file included with the distribution.
+
+@@ -173,13 +175,14 @@ module with something like:
+  This will create a sample configuration file nss.conf. + By default + this is installed during the installation process.
++ +

Installation

+ The make install target uses apxs to install the module into Apache. + This automatically copies the mod_nss shared library to the appropriate + location and updates Apache's httpd.conf so that the module will be + loaded during the next restart.
+
+-It also tries to rename ssl.conf to ssl.conf.old.  ++It also tries to rename ssl.conf to ssl.conf.old. + The assumption is that mod_nss is replacing mod_ssl. They can co-exist + as long as they are listening on separate ports.
+
+@@ -196,6 +199,7 @@ following line to httpd.conf (location relative to httpd.conf):
+ This has Apache load the mod_nss configuration file, nss.conf. + It is here that you will setup your VirtualServer entries to and + configure your SSL servers.
++ +

Certificate Generation

+ A ksh script, gencert, is included to automatically + generate a self-signed CA plus one server certificate. This is fine for +@@ -212,30 +216,31 @@ bother with the details.
+ The certificate database password is httptest.
+
+ A sample run is:
+-
+-# mkdir /etc/httpd/nss
+-# ./gencert /etc/httpd/nss
+-
+-#####################################################################
+-Generating new server certificate and key database. The password
+-is httptest
+-#####################################################################
+-
+-#####################################################################
+-Generating self-signed client CA certificate
+-#####################################################################
+-
+-Generating key.  This may take a few moments...
+-
+-[ Lots of output removed ]

+-
++
++# mkdir /etc/httpd/nss
++# ./gencert /etc/httpd/nss
++
++#####################################################################
++Generating new server certificate and key database. The password
++is httptest
++#####################################################################
++
++#####################################################################
++Generating self-signed client CA certificate
++#####################################################################
++
++Generating key.  This may take a few moments...
++
++[ Lots of output removed ]
++
+ You should now have the following files:
+-
+-/etc/httpd/nss/cert8.db
+-/etc/httpd/nss/key3db
+-/etc/httpd/nss/secmod.db

+-
++
++/etc/httpd/nss/cert8.db
++/etc/httpd/nss/key3db
++/etc/httpd/nss/secmod.db
++
+ These 3 files make up an NSS certificate database.
++ +

Server Startup

+ Starting a mod_nss server is no different than starting a mod_ssl + server. You will need to authenticate yourself to the security token +@@ -253,23 +258,21 @@ token password.
+
+ All other output will be written to the Apache log files.
+
+-To avoid  being prompted for a startup password you can either:
++To avoid being prompted for a startup password you can either:
+
    +-
  • Use a password file that contains your token passwords. See NSSPassPhraseDialog for details.
  • +-
  • Change the internal +-token password to a blank with:
    +-
  • ++
  • Use a password file that contains your token passwords. See ++NSSPassPhraseDialog for details.
  • ++
  • Change the internal token password to a blank with:
  • +
+-
% +-modutil -dbdir /path/to/database/directory -changepw "NSS Certificate +-DB"
++
++% modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"
+
+ Enter the old password then press Enter twice for the new password to + blank it out.
+-
++
++ +

Migration

+-A perl script, migrate,pl, is included to help migrate an ++A perl script, migrate.pl, is included to help migrate an + existing mod_ssl configuration to work with mod_nss. There is one + optional argument, -c, that will try to convert your existing server + and CA certificates plus any certificate revocation lists (CRLs) into +@@ -282,6 +285,7 @@ possible to migrate httpd.conf to use mod_nss. Simply copy httpd.conf + to ssl.conf, run the update, then copy nss.conf to httpd.conf (after + making a backup, of couse). This multi-step process gives you a chance + to verify that the migration was successful.
++ +

Configuration Directives

+ The following mod_ssl Directives are not applicable to mod_nss:
+
    +@@ -297,10 +301,10 @@ The following mod_ssl Directives are not applicable to mod_nss:
    +
    + Authentication is required in order to use the private key in an NSS + certificate database. The method of this authentication is specified +-with the NSSPassPhraseDialog directive.  This directive takes one ++with the NSSPassPhraseDialog directive. This directive takes one + argument specifying the method of authentication:
    +
      +-
    • builtin
    • ++
    • builtin
    • +
    +
    The user will be prompted to enter the + token password for each cryptographic device. This works seemlessly +@@ -308,20 +312,20 @@ with any hardware tokens used. The default "device" is the internal + token provided by the NSS Certificate database itself.
    +
    +
      +-
    • file:/path/to/file
    • ++
    • file:/path/to/file
    • +
    +
    The token password(s) may be stored in + an ASCII text file which is read during startup so the server can start + without user intervention. The format of this file is:
    +
    +-
    token:password
    ++
    token:password
    +
    +
    +
    +
    An example for the internal token is:
    +
    +
    +-
    internal:secret12
    ++
    internal:secret12
    +
    +
    + Example
    +@@ -359,7 +363,7 @@ Specifies the location of the NSS certificate database to be used. An + NSS certificate database consists of 3 files: cert8.db, key3.db and + secmod.db. cert8.db stores certificates and Certificate Revocation + Lists (CRLs), key3.db stores keys and secmod.db stores information +-about available pkcs#11 modules.
    ++about available PKCS#11 modules.
    +
    + This directive specifies a path, not a filename.
    +
    +@@ -376,13 +380,13 @@ in one directory.
    +
    + Example
    +
    +-NSSDBPrefix my-prefix-
    ++NSSDBPrefix my-prefix-
    +
    + You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db
    +
    + In order to work with files with a prefix using the NSS command-line + tools use the -P flag.
    +-

    ++
    + NSSSessionCacheSize
    +
    + Specifies the number of SSL sessions that can be cached.
    +@@ -404,8 +408,7 @@ is silently constrained.
    +
    + The default value is 100.
    +
    +-Example
    ++Example
    +
    + NSSSessionCacheTimeout 100
    +
    +@@ -413,7 +416,7 @@ The default value is 100.
    +
    + Specifies the number of seconds SSL 3 sessions are cached.
    +
    +-The valid range is 5 - 86400 seconds.  A setting outside the valid ++The valid range is 5 - 86400 seconds. A setting outside the valid + range is silently constrained.
    +
    + The default value is 86400 (24 hours).
    +@@ -425,24 +428,24 @@ The default value is 86400 (24 hours).
    + NSSRandomSeed
    +
    + Configures sources to seed the NSS Random Number Generator (RNG) at +-startup.  Currently this only supports seeding the RNG at startup. ++startup. Currently this only supports seeding the RNG at startup. +
    +
    + The following sources are available:
    +
      +-
    • builtin: Combines the current system time, the ++
    • builtin: Combines the current system time, the + current process id + and a randomly choosen 128-byte extract of the process stack. This is + not a particularly strong source of entropy.
    • +-
    • file:/path/to/source: Reads from the specified file. ++
    • file:/path/to/source: Reads from the specified file. + If the number of bytes to read is specified it just reads that amount. + Be aware that some operating systems block on /dev/random if not enough + entropy is available. This means that the server will wait until that +-/data is available to continue startup. These systems generally offer a ++data is available to continue startup. These systems generally offer a + non-blocking device as well, /dev/urandom.
    • +-
    • exec:/path/to/program: Executes the given program and takes +-the stdout of it as the entryop. If the bytes argument is included it +-reads that many bytes, otherwise it reads until the program exits.
      ++
    • exec:/path/to/program: Executes the given program and takes ++the stdout of it as the entropy. If the bytes argument is included it ++reads that many bytes, otherwise it reads until the program exits.
      +
    • +
    + Example
    +@@ -455,10 +458,10 @@ NSSRandomSeed startup /usr/bin/makerandom

    +
    + Enables or disables the SSL protocol. This is usually used within a + VirtualHost tag to enable SSL for a particular virtual host.
    +-
    +-
    SSL is disabled by default.
    +-
    +-Example

    ++
    ++SSL is disabled by default.
    ++
    ++Example
    +
    + NSSEngine on
    +
    +@@ -479,10 +482,10 @@ The allowable ciphers are:
    +
  • rsa_des_56_sha
  • +
  • fortezza
  • +
+-
+-
FIPS is disabled by default.
+-
+-Example

++
++FIPS is disabled by default.
++
++Example
+
+ NSSFIPS on
+
+@@ -493,10 +496,9 @@ Enables or disables +
+-OCSP is disabled by default.
+-
+-Example

++OCSP is disabled by default.
++
++Example
+
+ NSSOCSP on
+
+@@ -517,8 +519,7 @@ Available ciphers are:
+ + Cipher Name
+ +- NSS Cipher +-definition
++ NSS Cipher definition
+ + Protocol
+ +@@ -689,8 +690,7 @@ Additionally there are a number of ECC ciphers:
+ + Cipher Name
+ +- NSS Cipher +-Definition
++ NSS Cipher Definition
+ + Protocol
+ +@@ -856,20 +856,19 @@ Specify the nickname to be used for this the server certificate. + Certificates stored in an NSS database are referred to using nicknames + which makes accessing a specific certificate much easier. It is also + possible to specify the certificate DN but it is easier to use a +-nickname.  If the nickname includes spaces then the value needs to ++nickname. If the nickname includes spaces then the value needs to + be enclosed in double quotes.
+
+-Example
++Example
+
+ NSSNickname Server-Cert
+-NSSNickname "This contains a space"
++NSSNickname "This contains a space"
+
+ NOTE: There is nothing magical about the string "Server-Cert." A + nickname can be anything. Historically this was Server-Cert in the + Netscape server products that used NSS.
+
+-
NSSECCNickname
++NSSECCNickname
+
+ Similar to NSSNickname but designed for use with ECC certificates. This + allows you to have both an RSA certificate and an ECC certificate +@@ -909,7 +908,7 @@ Available options are:
+
  • none: no client certificate + is required or requested
    +
  • +-
  • code>optional: a client ++
  • optional: a client + certificate is requested but if one is not available, the connection + may continue.
    +
  • +@@ -935,8 +934,7 @@ also be set for this to work.
    +
    + Example
    +
    +-NSSUserName SSL_CLIENT_S_DN_UID
    ++NSSUserName SSL_CLIENT_S_DN_UID
    +
    + NSSOptions

    +
    +@@ -959,7 +957,7 @@ plus every CA certificate in the client certificate. +
  • StrictRequire: Absolutely forces the connection to be forbidden + when NSSRequireSSL or NSSRequire aren't met.
  • +
  • OptRenegotiate: Allows the SSL connection to be renegotiated +-using a different contiguration. This is designed for a per-directory ++using a different configuration. This is designed for a per-directory + and is relatively expensive to do. For example, it can be used to force + very strong ciphers in particular directories.
    +
  • +@@ -967,20 +965,19 @@ very strong ciphers in particular directories.
    + All options are disabled by default.
    +
    + Example:
    +-
    +-NSSOptions +FakeBasicAuth
    +-<Files ~ "\.(cgi|shtml)$">
    +-NSSOptions +StdEnvVars
    ++
    ++NSSOptions +FakeBasicAuth
    ++<Files ~ "\.(cgi|shtml)$">
    ++NSSOptions +StdEnvVars
    + <Files>
    +-
    ++
    +
    + NSSRequireSSL
    +
    + The request is forbidden unless the connection is using SSL. Only + available in a per-directory context. This takes no arguments.
    +
    +-Example
    ++Example
    +
    + NSSRequireSSL
    +
    +@@ -1040,9 +1037,9 @@ man-in-the-middle attack so leaving this as on is strongly recommended.
    +
    + Example
    +
    +-NSSProcyCheckPeerCN +-on
    +-

    ++NSSProcyCheckPeerCN on
    ++
    ++ +

    Environment Variables

    + Quite a few environment variables (for CGI and SSI) may be set + depending on the NSSOptions configuration. It can be expensive to set +@@ -1163,7 +1160,7 @@ certificate is valid
    + SSL_CLIENT_M_VERSION
    +
    + X.509 version of the client +-certificiate
    ++certificate
    + + + +@@ -1181,7 +1178,7 @@ certificate
    + + SSL_CLIENT_A_SIG + Algorithm used for the signature +-of  the client key ++of the client key + + + SSL_CLIENT_S_DN +@@ -1228,7 +1225,7 @@ certificate. Only those that exist in the certificate are created + SSL_SERVER_M_VERSION
    +
    + X.509 version of the server +-certificiate ++certificate + + + SSL_SERVER_M_SERIAL
    +@@ -1257,7 +1254,7 @@ time + SSL_SERVER_A_SIG
    +
    + Algorithm used for the signature +-of  the server key ++of the server key + + + SSL_SESSION_ID
    +@@ -1304,6 +1301,7 @@ itself).
    + + +
    ++ +

    Database Management

    + NSS stores it's certificates and keys in a set of files referred to as + the "certificate database." The files by default (with NSS 3.x) are +@@ -1437,21 +1435,19 @@ have NSS validate it:
    +
    + % certutil -V -n Server-Cert -u V -d .
    + certutil: certificate is valid

    ++ +

    Why is SSLv2 disabled?

    +-All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, +-Opera, and +-Safari) support SSL 3 and TLS so there is no need for a web server to +-support +-SSL 2. There are some known attacks against SSL 2 that are handled by +-SSL 3/TLS. SSLv2 also doesn't support useful features like client +-authentication. ++All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and ++Safari) support SSL 3 and TLS so there is no need for a web server to support ++SSL 2. There are some known attacks against SSL 2 that are handled by SSL ++3/TLS. SSLv2 also doesn't support useful features like client authentication. +
    ++ +

    Frequently Asked Questions

    + Q. Does mod_nss support mod_proxy?
    +
    + A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy + provides a single interface for SSL providers and mod_nss defers to +-mod_ssl +-if it is loaded. ++mod_ssl if it is loaded. + + diff --git a/SOURCES/mod_nss-gencert.patch b/SOURCES/mod_nss-gencert.patch new file mode 100644 index 0000000..b328032 --- /dev/null +++ b/SOURCES/mod_nss-gencert.patch @@ -0,0 +1,26 @@ +--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400 ++++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400 +@@ -82,12 +82,11 @@ + + DEST=$1 + +-echo "httptest" > $DEST/pw.txt ++echo -e "\n" > $DEST/pw.txt + + echo "" + echo "#####################################################################" +-echo "Generating new server certificate and key database. The password" +-echo "is httptest" ++echo "Generating new server certificate and key database." + echo "#####################################################################" + $CERTUTIL -N -d $DEST -f $DEST/pw.txt + +@@ -183,8 +182,4 @@ + rm $DEST/pw.txt + rm $DEST/noise + +-echo "" +-echo "The database password is httptest" +-echo "" +- + exit 0 diff --git a/SOURCES/mod_nss-httpd24.patch b/SOURCES/mod_nss-httpd24.patch new file mode 100644 index 0000000..4863140 --- /dev/null +++ b/SOURCES/mod_nss-httpd24.patch 
@@ -0,0 +1,135 @@ +diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700 ++++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700 +@@ -349,7 +349,7 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Connection to child %ld established " + "(server %s, client %s)", c->id, sc->vhost_id, +- c->remote_ip ? c->remote_ip : "unknown"); ++ c->client_ip ? c->client_ip : "unknown"); + + mctx = sslconn->is_proxy ? sc->proxy : sc->server; + +diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700 ++++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700 +@@ -27,7 +27,6 @@ + #include "http_protocol.h" + #include "util_script.h" + #include "util_filter.h" +-#include "mpm.h" + #include "apr.h" + #include "apr_strings.h" + #define APR_WANT_STRFUNC +@@ -490,7 +489,7 @@ + SECStatus nss_Init_Tokens(server_rec *s); + + /* Logging */ +-void nss_log_nss_error(const char *file, int line, int level, server_rec *s); ++void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s); + void nss_die(void); + + /* NSS callback */ +diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c +--- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700 ++++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700 +@@ -15,7 +15,7 @@ + + #include "mod_nss.h" + #include "apr_thread_proc.h" +-#include "ap_mpm.h" ++#include "mpm_common.h" + #include "secmod.h" + #include "sslerr.h" + #include "pk11func.h" +diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c +--- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700 ++++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700 +@@ -621,13 +621,13 @@ + PR_Close(ssl); + + /* log the fact that we've closed the connection */ +- if (c->base_server->loglevel >= APLOG_INFO) { ++ if (c->base_server->log.level >= APLOG_INFO) { + 
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Connection to child %ld closed " + "(server %s, client %s)", + c->id, + nss_util_vhostid(c->pool, c->base_server), +- c->remote_ip ? c->remote_ip : "unknown"); ++ c->client_ip ? c->client_ip : "unknown"); + } + + /* deallocate the SSL connection */ +@@ -1165,7 +1165,7 @@ + filter_ctx = (nss_filter_ctx_t *)(fd->secret); + c = filter_ctx->c; + +- return PR_StringToNetAddr(c->remote_ip, addr); ++ return PR_StringToNetAddr(c->client_ip, addr); + } + + /* +diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c +--- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700 ++++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700 +@@ -73,7 +73,7 @@ + /* + * Log information about incoming HTTPS requests + */ +- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) { ++ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "%s HTTPS request received for child %ld (server %s)", + (r->connection->keepalives <= 0 ? 
+@@ -530,7 +530,7 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "Access to %s denied for %s " + "(requirement expression not fulfilled)", +- r->filename, r->connection->remote_ip); ++ r->filename, r->connection->client_ip); + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, + "Failed expression: %s", req->cpExpr); +diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c +--- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700 ++++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700 +@@ -321,7 +321,7 @@ + exit(1); + } + +-void nss_log_nss_error(const char *file, int line, int level, server_rec *s) ++void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s) + { + const char *err; + PRInt32 error; +@@ -340,7 +340,7 @@ + err = "Unknown"; + } + +- ap_log_error(file, line, level, 0, s, ++ ap_log_error(file, line, module_index, level, 0, s, + "SSL Library Error: %d %s", + error, err); + } +diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c +--- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700 ++++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700 +@@ -178,7 +178,7 @@ + && sslconn && sslconn->ssl) + result = nss_var_lookup_ssl(p, c, var+4); + else if (strcEQ(var, "REMOTE_ADDR")) +- result = c->remote_ip; ++ result = c->client_ip; + else if (strcEQ(var, "HTTPS")) { + if (sslconn && sslconn->ssl) + result = "on"; +@@ -194,7 +194,7 @@ + if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) + result = nss_var_lookup_nss_version(p, var+12); + else if (strcEQ(var, "SERVER_SOFTWARE")) +- result = (char *)ap_get_server_version(); ++ result = (char *)ap_get_server_banner(); + else if (strcEQ(var, "API_VERSION")) { + result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER); + resdup = FALSE; diff --git a/SOURCES/mod_nss-lockpcache.patch b/SOURCES/mod_nss-lockpcache.patch new file mode 100644 index 0000000..e14265b --- /dev/null 
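Review bot: The `remote_ip` → `client_ip` replacements in the nss_engine_kernel.c and nss_engine_vars.c hunks report the address of the TCP peer; in httpd 2.4 the per-request client address, which mod_remoteip may rewrite from a proxy header, is `r->useragent_ip`. For the connection-level messages in mod_nss.c and nss_engine_io.c the peer address is the right value, but in the "Access to %s denied" message the peer can be a front-end proxy rather than the client being denied, so `r->connection->client_ip` there should probably be `r->useragent_ip`; for `REMOTE_ADDR` the same applies if the request is available to nss_var_lookup, and otherwise a comment such as `/* TCP peer, not the mod_remoteip client address */` should say what is being exported. The enclosing functions all start outside these hunks. The `nss_log_nss_error` prototype gains `module_index`; callers that pass `APLOG_MARK` pick it up automatically, but any caller spelling out file and line by hand would need updating and none are in this hunk.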
+++ b/SOURCES/mod_nss-lockpcache.patch 
@@ -0,0 +1,240 @@ +diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c +--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500 +@@ -152,6 +152,8 @@ + AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, + "SSLLogLevel directive is no longer supported - use LogLevel."), + #endif ++ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF, ++ "Apache user. Comes from httpd.conf."), + + AP_END_CMD + }; +diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h +--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500 +@@ -41,6 +41,9 @@ + #include "apr_shm.h" + #include "apr_global_mutex.h" + #include "apr_optional.h" ++#include ++#include ++#include + + #define MOD_NSS_VERSION AP_SERVER_BASEREVISION + +@@ -244,6 +247,9 @@ + struct { + void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; + } rCtx; ++ ++ int semid; ++ const char *user; + } SSLModConfigRec; + + typedef struct SSLSrvConfigRec SSLSrvConfigRec; +@@ -412,6 +418,7 @@ + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c +--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500 +@@ -830,3 +830,12 @@ + + return NULL; + } ++ ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ SSLModConfigRec *mc = myModConfig(cmd->server); ++ ++ 
mc->user = arg; ++ ++ return NULL; ++} +diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c +--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500 +@@ -312,6 +312,7 @@ + int sslenabled = FALSE; + int fipsenabled = FALSE; + int threaded = 0; ++ struct semid_ds status; + + mc->nInitCount++; + +@@ -412,10 +413,26 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); + ++ /* The first pass through this function will create the semaphore that ++ * will be used to lock the pipe. The user is still root at that point ++ * so for any later calls the semaphore ops will fail with permission ++ * errors. So switch the user to the Apache user. ++ */ ++ if (mc->semid) { ++ uid_t user_id; ++ ++ user_id = ap_uname2id(mc->user); ++ semctl(mc->semid, 0, IPC_STAT, &status); ++ status.sem_perm.uid = user_id; ++ semctl(mc->semid,0,IPC_SET,&status); ++ } ++ + /* Do we need to fire up our password helper? */ + if (mc->nInitCount == 1) { + const char * child_argv[5]; + apr_status_t rv; ++ struct sembuf sb; ++ char sembuf[32]; + + if (mc->pphrase_dialog_helper == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +@@ -423,11 +440,31 @@ + nss_die(); + } + ++ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); ++ if (mc->semid == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to obtain semaphore."); ++ nss_die(); ++ } ++ ++ /* Initialize the semaphore */ ++ sb.sem_num = 0; ++ sb.sem_op = 1; ++ sb.sem_flg = 0; ++ if ((semop(mc->semid, &sb, 1)) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to initialize semaphore."); ++ nss_die(); ++ } ++ ++ PR_snprintf(sembuf, 32, "%d", mc->semid); ++ + child_argv[0] = mc->pphrase_dialog_helper; +- child_argv[1] = fipsenabled ? 
"on" : "off"; +- child_argv[2] = mc->pCertificateDatabase; +- child_argv[3] = mc->pDBPrefix; +- child_argv[4] = NULL; ++ child_argv[1] = sembuf; ++ child_argv[2] = fipsenabled ? "on" : "off"; ++ child_argv[3] = mc->pCertificateDatabase; ++ child_argv[4] = mc->pDBPrefix; ++ child_argv[5] = NULL; + + rv = apr_procattr_create(&mc->procattr, mc->pPool); + +diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c +--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400 ++++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500 +@@ -279,6 +279,16 @@ + char buf[1024]; + apr_status_t rv; + apr_size_t nBytes = 1024; ++ struct sembuf sb; ++ ++ /* lock the pipe */ ++ sb.sem_num = 0; ++ sb.sem_op = -1; ++ sb.sem_flg = SEM_UNDO; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to reserve semaphore resource"); ++ } + + snprintf(buf, 1024, "RETR\t%s", token_name); + rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); +@@ -293,6 +303,13 @@ + */ + memset(buf, 0, sizeof(buf)); + rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); ++ sb.sem_op = 1; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to free semaphore resource"); ++ /* perror("semop free resource id"); */ ++ } ++ + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); +diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c +--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500 +@@ -21,6 +21,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "nss_pcache.h" + + static char * getstr(const char * cmd, int el); +@@ -70,6 +73,13 @@ + unsigned char *crypt; + }; + ++union 
semun { ++ int val; ++ struct semid_ds *buf; ++ unsigned short *array; ++ struct seminfo *__buf; ++}; ++ + /* + * Node - for maintaining link list of tokens with cached PINs + */ +@@ -304,15 +314,19 @@ + char * tokenName; + char * tokenpw; + int fipsmode = 0; ++ int semid = 0; ++ union semun semarg; + +- if (argc < 3 || argc > 4) { +- fprintf(stderr, "Usage: nss_pcache \n"); ++ if (argc < 4 || argc > 5) { ++ fprintf(stderr, "Usage: nss_pcache \n"); + exit(1); + } + + signal(SIGHUP, SIG_IGN); + +- if (!strcasecmp(argv[1], "on")) ++ semid = strtol(argv[1], NULL, 10); ++ ++ if (!strcasecmp(argv[2], "on")) + fipsmode = 1; + + /* Initialize NSPR */ +@@ -322,7 +336,7 @@ + PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); + + /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); +@@ -437,6 +451,11 @@ + } + freeList(pinList); + PR_Close(in); ++ /* Remove the semaphore used for locking here. This is because this ++ * program only goes away when Apache shuts down so we don't have to ++ * worry about reloads. ++ */ ++ semctl(semid, 0, IPC_RMID, semarg); + return 0; + } + +Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig +Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej diff --git a/SOURCES/mod_nss-man.patch b/SOURCES/mod_nss-man.patch new file mode 100644 index 0000000..3c13069 --- /dev/null +++ b/SOURCES/mod_nss-man.patch 
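Review bot: `set_user` in the nss_engine_config.c hunk returns NULL after recording the `User` value, which tells httpd the directive is fully handled; the core's own `User` handler still has to run to drop root privileges, so the handler should end with `return DECLINE_CMD;` so that dispatch continues to the other modules — whether httpd reaches the core handler after a NULL return depends on module order, which is not visible here, but the failure mode is httpd staying root. In the nss_engine_init.c hunk the two `semctl` calls that hand the semaphore to the Apache user and `ap_uname2id(mc->user)` are unchecked, and if no `User` directive was seen `mc->user` is NULL at that point. In nss_engine_pphrase.c a failed lock `semop` is logged but the pipe write proceeds anyway, so the serialization being added is best-effort; either return before the write or add `/* best effort: proceed unlocked, a concurrent PIN request may interleave on the pipe */` so the intent is explicit.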
@@ -0,0 +1,229 @@ +diff -rupN mod_nss-1.0.8.orig/Makefile.am mod_nss-1.0.8/Makefile.am +--- mod_nss-1.0.8.orig/Makefile.am 2008-05-16 08:18:07.000000000 -0700 ++++ mod_nss-1.0.8/Makefile.am 2013-06-27 19:13:30.000000000 -0700 +@@ -5,6 +5,14 @@ bin_PROGRAMS = nss_pcache + + nss_pcache_SOURCES = nss_pcache.c + ++man8_MANS = \ ++ gencert.8 \ ++ nss_pcache.8 \ ++ $(NULL) ++ ++install-data-hook: ++ @for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done ++ + ## Define the source file for the module + libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c + libmodnss_la_LDFLAGS = -module -avoid-version +diff -rupN mod_nss-1.0.8.orig/gencert.8 mod_nss-1.0.8/gencert.8 +--- mod_nss-1.0.8.orig/gencert.8 1969-12-31 16:00:00.000000000 -0800 ++++ mod_nss-1.0.8/gencert.8 2013-07-01 09:56:37.000000000 -0700 +@@ -0,0 +1,59 @@ ++.\" A man page for gencert ++.\" ++.\" Licensed under the Apache License, Version 2.0 (the "License"); ++.\" you may not use this file except in compliance with the License. ++.\" You may obtain a copy of the License at ++.\" ++.\" http://www.apache.org/licenses/LICENSE-2.0 ++.\" ++.\" Unless required by applicable law or agreed to in writing, software ++.\" distributed under the License is distributed on an "AS IS" BASIS, ++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++.\" See the License for the specific language governing permissions and ++.\" limitations under the License. ++.\" ++.\" Author: Rob Crittenden ++.\" ++.TH "gencert" "8" "Jul 1 2013" "Rob Crittenden" "" ++.SH "NAME" ++gencert \- Generate a test NSS database for mod_nss ++ ++.SH "SYNOPSIS" ++gencert ++ ++.SH "DESCRIPTION" ++A tool used to generate a self\-signed CA as well as server and user certificates for mod_nss testing. 
++.PP ++This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists, so use with care. ++.PP ++\fBgencert\fP will generate a new NSS database and set an empty database password. ++.PP ++It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US" ++.PP ++It also generates a certificate suitable for servers with the subject "CN=, O=example.com, C=US", and a user certificate with the subject "E=alpha@, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US". ++.PP ++The nicknames it uses are: ++.IP ++.TS ++tab(;); ++ll,ll. ++CA:;cacert ++Server certificate:;Server\-Cert ++User cert:;alpha ++.TE ++ ++.SH OPTIONS ++.TP ++.B ++Specifies the destination directory where the NSS databases will be created. ++ ++.SH BUGS ++Report bugs to http://bugzilla.redhat.com. ++ ++.SH AUTHORS ++Rob Crittenden . ++ ++.SH COPYRIGHT ++Copyright (c) 2011 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0. ++.PP ++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. +diff -rupN mod_nss-1.0.8.orig/migrate.pl mod_nss-1.0.8/migrate.pl +--- mod_nss-1.0.8.orig/migrate.pl 2005-05-31 07:32:42.000000000 -0700 ++++ mod_nss-1.0.8/migrate.pl 2013-07-03 14:23:12.000000000 -0700 +@@ -115,7 +115,8 @@ while () { + } + + if ($passphrase == 0) { +- print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n"; ++ # NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'. 
++ print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n"; + } + + close(NSS); +diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in +--- mod_nss-1.0.8.orig/nss.conf.in 2013-06-25 17:14:22.000000000 -0700 ++++ mod_nss-1.0.8/nss.conf.in 2013-07-03 14:23:48.000000000 -0700 +@@ -42,7 +42,10 @@ NSSPassPhraseDialog builtin + # Pass Phrase Helper: + # This helper program stores the token password pins between + # restarts of Apache. +-NSSPassPhraseHelper /usr/sbin/nss_pcache ++# ++# NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'. ++# ++NSSPassPhraseHelper /usr/libexec/nss_pcache + + # Configure the SSL Session Cache. + # NSSSessionCacheSize is the number of entries in the cache. +diff -rupN mod_nss-1.0.8.orig/nss_pcache.8 mod_nss-1.0.8/nss_pcache.8 +--- mod_nss-1.0.8.orig/nss_pcache.8 1969-12-31 16:00:00.000000000 -0800 ++++ mod_nss-1.0.8/nss_pcache.8 2013-07-03 15:35:39.000000000 -0700 +@@ -0,0 +1,95 @@ ++.\" A man page for nss_pcache ++.\" ++.\" Licensed under the Apache License, Version 2.0 (the "License"); ++.\" you may not use this file except in compliance with the License. ++.\" You may obtain a copy of the License at ++.\" ++.\" http://www.apache.org/licenses/LICENSE-2.0 ++.\" ++.\" Unless required by applicable law or agreed to in writing, software ++.\" distributed under the License is distributed on an "AS IS" BASIS, ++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++.\" See the License for the specific language governing permissions and ++.\" limitations under the License. ++.\" ++.\" Author: Rob Crittenden ++.\" ++.TH "nss_pcache" "8" "Jul 1 2013" "Rob Crittenden" "" ++.SH "NAME" ++nss_pcache \- Helper program used to store token password pins ++ ++.SH "SYNOPSIS" ++nss_pcache [prefix] ++ ++.SH "DESCRIPTION" ++A helper program used by the Apache \fBhttpd\fP mod_nss plug-in to store the NSS PKCS #11 token password pins between restarts of Apache. 
++.PP ++Whenever an Apache \fBhttpd\fP process configured to use the mod_nss plug-in is started, this program will be automatically invoked via reference to the mod_nss configuration file stored under \fB/etc/httpd/conf.d/nss.conf\fP which contains the following default entry: ++.IP ++# Pass Phrase Helper: ++.br ++# This helper program stores the token password pins between ++.br ++# restarts of Apache. ++.br ++# ++.br ++# NOTE: Located at '/usr/sbin/nss_pcache' prior ++.br ++# to 'mod_nss-1.0.8-22'. ++.br ++# ++.br ++NSSPassPhraseHelper /usr/libexec/nss_pcache ++ ++.SH OPTIONS ++.TP ++.B ++The semaphore which corresponds to the mod_nss plug-in registered with the Apache \fBhttpd\fP process during startup. ++.TP ++.B ++Specifies whether FIPS mode should be enabled, \fBon\fP, or disabled, \fBoff\fP. By default, FIPS mode is disabled, and no variable is specified in \fB/etc/httpd/conf.d/nss.conf\fP. To enable FIPS mode, establish password access for the specified NSS security databases, and specify the following variable in \fB/etc/httpd/conf.d/nss.conf\fP: ++.IP ++.TS ++tab(;); ++ll,ll. ++;NSSFIPS on ++.TE ++.TP ++.B ++Specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP: ++.IP ++.TS ++tab(;); ++ll,ll. ++;# Server Certificate Database: ++;# The NSS security database directory that holds the ++;# certificates and keys. The database consists ++;# of 3 files: cert8.db, key3.db and secmod.db. ++;# Provide the directory that these files exist. ++;NSSCertificateDatabase /etc/httpd/alias ++.TE ++.TP ++.B [prefix] ++Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP (must be uncommented in order to be utilized): ++.IP ++.TS ++tab(;); ++ll,ll. 
++;# Database Prefix: ++;# In order to be able to store multiple NSS databases ++;# in one directory they need unique names. This option ++;# sets the database prefix used for cert8.db and key3.db. ++;#NSSDBPrefix my-prefix- ++.TE ++ ++.SH BUGS ++Report bugs to http://bugzilla.redhat.com. ++ ++.SH AUTHORS ++Rob Crittenden . ++ ++.SH COPYRIGHT ++Copyright (c) 2013 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0. ++.PP ++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. +diff -rupN mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c +--- mod_nss-1.0.8.orig/nss_pcache.c 2013-06-25 17:14:22.000000000 -0700 ++++ mod_nss-1.0.8/nss_pcache.c 2013-06-26 18:44:42.000000000 -0700 +@@ -318,7 +318,7 @@ int main(int argc, char ** argv) + union semun semarg; + + if (argc < 4 || argc > 5) { +- fprintf(stderr, "Usage: nss_pcache \n"); ++ fprintf(stderr, "Usage: nss_pcache [prefix]\n"); + exit(1); + } + +@@ -336,7 +336,7 @@ int main(int argc, char ** argv) + PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); + + /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); 
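Review bot: gencert.8 states that gencert "will generate a new NSS database and set an empty database password" but does not say what that means for the key material, and the DESCRIPTION already warns about overwriting an existing database; a sentence after it such as `Because the database has no password, the private keys it contains are protected only by the permissions on the destination directory.` would complete the warning. The nss_pcache.c hunk in this same patch corrects the `argc == 4 ? argv[4]` ternary from the lockpcache patch, which is the only code change here and looks right.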
diff --git a/SOURCES/mod_nss-negotiate.patch b/SOURCES/mod_nss-negotiate.patch
new file mode 100644
index 0000000..c385cfb
--- /dev/null
+++ b/SOURCES/mod_nss-negotiate.patch
@@ -0,0 +1,180 @@ + +diff -up ./mod_nss.c.norego ./mod_nss.c +--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 +@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds + SSL_CMD_SRV(Nickname, TAKE1, + "SSL RSA Server Certificate nickname " + "(`Server-Cert'") ++#ifdef SSL_ENABLE_RENEGOTIATION ++ SSL_CMD_SRV(Renegotiation, FLAG, ++ "Enable SSL Renegotiation (default off) " ++ "(`on', `off')") ++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG, ++ "If Rengotiation is allowed, require safe negotiation (default off) " ++ "(`on', `off')") ++#endif + #ifdef NSS_ENABLE_ECC + SSL_CMD_SRV(ECCNickname, TAKE1, + "SSL ECC Server Certificate nickname " +diff -up ./mod_nss.h.norego ./mod_nss.h +--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 +@@ -269,6 +269,10 @@ typedef struct { + int tls; + int tlsrollback; + int enforce; ++#ifdef SSL_ENABLE_RENEGOTIATION ++ int enablerenegotiation; ++ int requiresafenegotiation; ++#endif + const char *nickname; + #ifdef NSS_ENABLE_ECC + const char *eccnickname; +@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p + const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); ++#endif + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); + #endif +diff -up ./nss_engine_config.c.norego ./nss_engine_config.c +--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 +@@ -78,6 +78,10 @@ static void 
modnss_ctx_init(modnss_ctx_t + mctx->tls = PR_FALSE; + mctx->tlsrollback = PR_FALSE; + ++#ifdef SSL_ENABLE_RENEGOTIATION ++ mctx->enablerenegotiation = PR_FALSE; ++ mctx->requiresafenegotiation = PR_FALSE; ++#endif + mctx->enforce = PR_TRUE; + mctx->nickname = NULL; + #ifdef NSS_ENABLE_ECC +@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ + cfgMerge(eccnickname, NULL); + #endif + cfgMerge(enforce, PR_TRUE); ++#ifdef SSL_ENABLE_RENEGOTIATION ++ cfgMerge(enablerenegotiation, PR_FALSE); ++ cfgMerge(requiresafenegotiation, PR_FALSE); ++#endif + } + + static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, +@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm + return NULL; + } + ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++#endif ++ + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, + void *dcfg, +diff -up ./nss_engine_init.c.norego ./nss_engine_init.c +--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 +@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r + nss_die(); + } + } ++#ifdef SSL_ENABLE_RENEGOTIATION ++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, ++ mctx->enablerenegotiation ? 
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER ++ ) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL renegotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, ++ mctx->requiresafenegotiation) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL safe negotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++#endif + } + + static void nss_init_ctx_protocol(server_rec *s, + +diff -up ./nss.conf.in.norego ./nss.conf.in +--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000 ++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000 +@@ -64,6 +64,17 @@ + #NSSRandomSeed startup file:/dev/random 512 + #NSSRandomSeed startup file:/dev/urandom 512 + ++# ++# TLS Negotiation configuration under RFC 5746 ++# ++# Only renegotiate if the peer's hello bears the TLS renegotiation_info ++# extension. Default off. ++NSSRenegotiation off ++ ++# Peer must send Signaling Cipher Suite Value (SCSV) or ++# Renegotiation Info (RI) extension in ALL handshakes. 
Default: off ++NSSRequireSafeNegotiation off ++ + ## + ## SSL Virtual Host Context + ## + +diff -up ./nss_engine_log.c.norego ./nss_engine_log.c +--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 ++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 +@@ -27,7 +27,7 @@ + #define LIBSEC_ERROR_BASE (-8192) + #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) + #define LIBSSL_ERROR_BASE (-12288) +-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) ++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) + + typedef struct l_error_t { + int errorNumber; +@@ -296,7 +296,19 @@ + { 99, "Server requires ciphers more secure than those supported by client" }, + { 100, "Peer reports it experienced an internal error" }, + { 101, "Peer user canceled handshake" }, +- { 102, "Peer does not permit renegotiation of SSL security parameters" } ++ { 102, "Peer does not permit renegotiation of SSL security parameters" }, ++ { 103, "Server cache not configured" }, ++ { 104, "Unsupported extension" }, ++ { 105, "Certificate unobtainable" }, ++ { 106, "Unrecognized name" }, ++ { 107, "Bad certificate status" }, ++ { 108, "Bad certificate hash value" }, ++ { 109, "Unexpected new session ticket" }, ++ { 110, "Malformed new session ticket" }, ++ { 111, "Decompression failure" }, ++ { 112, "Renegotiation not allowed" }, ++ { 113, "Safe negotiation required but not provided by client" }, ++ { 114, "Unexpected uncompressed record" }, + }; + + void nss_die(void) diff --git a/SOURCES/mod_nss-no_shutdown_if_not_init_2.patch b/SOURCES/mod_nss-no_shutdown_if_not_init_2.patch new file mode 100644 index 0000000..13eddeb --- /dev/null +++ b/SOURCES/mod_nss-no_shutdown_if_not_init_2.patch 
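Review bot: In the nss_engine_init.c hunk both `SSL_OptionSet` failures are logged at `APLOG_DEBUG` immediately before `nss_die()`, so a fatal startup error is invisible at the default LogLevel and the server just exits; the two `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ...)` calls should use `APLOG_ERR`, matching the level already passed to `nss_log_nss_error` on the following line. The `SSL_RENEGOTIATE_NEVER` default when NSSRenegotiation is off is the safe choice; a one-line comment above the first option set, `/* refuse renegotiation unless NSSRenegotiation is on, and then only from peers sending renegotiation_info (RFC 5746) */`, would tie the code to the nss.conf.in text in this same patch. nss_init_ctx_socket starts outside the hunk.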
@@ -0,0 +1,23 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800
++++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800
+@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
+ server_rec *s;
+ int shutdown = 0;
+
+- /* Clear any client-side session cache data */
+- SSL_ClearSessionCache();
+-
+ /*
+ * Free the non-pool allocated structures
+ * in the per-server configurations
+@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
+ }
+
+ if (shutdown) {
++ /* Clear any client-side session cache data */
++ SSL_ClearSessionCache();
++
+ if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+ != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
diff --git a/SOURCES/mod_nss-overlapping_memcpy.patch b/SOURCES/mod_nss-overlapping_memcpy.patch
new file mode 100644
index 0000000..c60e435
--- /dev/null
+++ b/SOURCES/mod_nss-overlapping_memcpy.patch
@@ -0,0 +1,24 @@
+Bug 669118
+
+memcpy of overlapping memory is no longer allowed by glibc.
+
+This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
+
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
++++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
+@@ -123,13 +123,13 @@
+
+ if (buffer->length > inl) {
+ /* we have have enough to fill the caller's buffer */
+- memcpy(in, buffer->value, inl);
++ memmove(in, buffer->value, inl);
+ buffer->value += inl;
+ buffer->length -= inl;
+ }
+ else {
+ /* swallow remainder of the buffer */
+- memcpy(in, buffer->value, buffer->length);
++ memmove(in, buffer->value, buffer->length);
+ inl = buffer->length;
+ buffer->value = NULL;
+ buffer->length = 0;
diff --git a/SOURCES/mod_nss-pcachesignal.h b/SOURCES/mod_nss-pcachesignal.h
new file mode 100644
index 0000000..cb2e135
--- /dev/null
+++ b/SOURCES/mod_nss-pcachesignal.h
@@ -0,0 +1,21 @@
+diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
+--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
++++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "nss_pcache.h"
+
+ static char * getstr(const char * cmd, int el);
+@@ -309,6 +310,8 @@
+ exit(1);
+ }
+
++ signal(SIGHUP, SIG_IGN);
++
+ if (!strcasecmp(argv[1], "on"))
+ fipsmode = 1;
+
+Only in mod_nss-1.0.8: nss_pcache.c.rej
diff --git a/SOURCES/mod_nss-proxyvariables.patch b/SOURCES/mod_nss-proxyvariables.patch
new file mode 100644
index 0000000..5506093
--- /dev/null
+++ b/SOURCES/mod_nss-proxyvariables.patch
@@ -0,0 +1,83 @@ +diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c +--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-03 14:28:50.751794000 -0700 ++++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700 +@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server + tls = 1; + } else { + if (mctx->auth.protocols == NULL) { +- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, +- "NSSProtocols not set; using: SSLv3 and TLSv1"); ++ /* ++ * Since this routine will be invoked individually for every ++ * thread associated with each 'server' object as well as for ++ * every thread associated with each 'proxy' object, issue a ++ * single per-thread 'warning' message for either a 'server' ++ * or a 'proxy' based upon the thread's object type. ++ */ ++ if (mctx == mctx->sc->server) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ++ "NSSProtocol value not set; using: SSLv3 and TLSv1"); ++ } else if (mctx == mctx->sc->proxy) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ++ "NSSProxyProtocol value not set; using: SSLv3 and TLSv1"); ++ } ++ + ssl3 = tls = 1; + } else { + lprotocols = strdup(mctx->auth.protocols); +@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se + * Configure SSL Cipher Suite + */ + if (!suite) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "Required value NSSCipherSuite not set."); ++ /* ++ * Since this is a 'fatal' error, regardless of whether this ++ * particular invocation is from a 'server' object or a 'proxy' ++ * object, issue all error message(s) as appropriate. 
++ */ ++ if ((mctx->sc->enabled == TRUE) && ++ (mctx->sc->server) && ++ (!mctx->sc->server->auth.cipher_suite)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "NSSEngine on; required value NSSCipherSuite not set."); ++ } ++ ++ if ((mctx->sc->proxy_enabled == TRUE) && ++ (mctx->sc->proxy) && ++ (!mctx->sc->proxy->auth.cipher_suite)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "NSSProxyEngine on; required value NSSProxyCipherSuite not set."); ++ } ++ + nss_die(); + } + ciphers = strdup(suite); +@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server + if (mctx->nickname == NULL) + #endif + { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "No certificate nickname provided."); ++ /* ++ * Since this is a 'fatal' error, regardless of whether this ++ * particular invocation is from a 'server' object or a 'proxy' ++ * object, issue all error message(s) as appropriate. ++ */ ++ if ((mctx->sc->enabled == TRUE) && ++ (mctx->sc->server) && ++ (mctx->sc->server->nickname == NULL)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "NSSEngine on; no certificate nickname provided by NSSNickname."); ++ } ++ ++ if ((mctx->sc->proxy_enabled == TRUE) && ++ (mctx->sc->proxy) && ++ (mctx->sc->proxy->nickname == NULL)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname."); ++ } ++ + nss_die(); + } + diff --git a/SOURCES/mod_nss-reseterror.patch b/SOURCES/mod_nss-reseterror.patch new file mode 100644 index 0000000..73ac3e4 --- /dev/null +++ b/SOURCES/mod_nss-reseterror.patch @@ -0,0 +1,10 @@ +--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400 ++++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400 +@@ -348,6 +348,7 @@ + break; + } + ++ PR_SetError(0, 0); + rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes); + + if (rc > 0) { 
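Review bot: In the `!suite` branch of `nss_init_ctx_cipher_suite` the error message is now emitted only when `sc->enabled`/`sc->proxy_enabled` is TRUE and the corresponding nested `auth.cipher_suite` is NULL, so if any path reaches this branch with neither condition holding, `nss_die()` runs with nothing logged, whereas the replaced code always logged before dying. The same silent-fatal pattern is repeated in the `nss_init_server_certs` hunk of this patch for the missing nickname. A fall-back `else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Required value NSSCipherSuite not set."); }` (and the nickname equivalent) keeps the fatal path from ever being silent. Both enclosing functions start and end outside their hunks.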
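Review bot: The added `PR_SetError(0, 0);` before `PR_Read` carries no comment and the patch has no header, so the reason is not visible; presumably it clears a stale NSPR error code so that a `PR_GetError()` after a short or zero-byte read is not misattributed to an earlier failure. Suggest `/* Reset the NSPR error so PR_GetError() after PR_Read() reflects this call only */`. The enclosing function starts and ends outside the hunk.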
diff --git a/SOURCES/mod_nss-reverseproxy.patch b/SOURCES/mod_nss-reverseproxy.patch new file mode 100644 index 0000000..928c92f --- /dev/null +++ b/SOURCES/mod_nss-reverseproxy.patch @@ -0,0 +1,182 @@ +mod_proxy now sets the requested remote host name. Use this to compare +to the CN value of the peer certificate and reject the request if they +do not match (and we are have NSSProxyCheckPeerCN set to on). + +diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html +--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400 ++++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400 +@@ -1028,7 +1028,21 @@ +
    + Example
    +
    +-NSSProxyNickname beta
    ++NSSProxyNickname beta
    ++
    ++
    NSSProxyCheckPeerCN
    ++
    ++Compare the CN value of the peer certificate with the hostname being ++requested. If this is set to on, the default, then the request will ++fail if they do not match. If this is set to off then this comparison ++is not done. Note that this test is your only protection against a ++man-in-the-middle attack so leaving this as on is strongly recommended.
    ++
    ++Example
    ++
    ++NSSProcyCheckPeerCN ++on
    ++

    +

    Environment Variables

    + Quite a few environment variables (for CGI and SSI) may be set + depending on the NSSOptions configuration. It can be expensive to set +@@ -1435,42 +1449,9 @@ +

    Frequently Asked Questions

    + Q. Does mod_nss support mod_proxy?
    +
    +-A. In order to use the mod_nss proxy support you will need to build +-your own mod_proxy by applying a patch found in bug 36468. +-The patch is needed so we can compare the hostname contained in the +-remote certificate with the hostname you meant to visit. This prevents +-man-in-the-middle attacks.
    +-
    +-You also have to change the SSL functions that mod_proxy looks to use. +-You'll need to apply this patch:
    +-
    +-1038,1039c1038,1039
    +-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
    +-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
    +----
    +-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
    +-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
    +-1041,1042c1041,1042
    +-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = +-NULL;
    +-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable +-= NULL;
    +----
    +-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = +-NULL;
    +-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable +-= NULL;
    +-1069,1070c1069,1070
    +-<     proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
    +-<     proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
    +----
    +->     proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
    +->     proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
    +-

    ++A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy ++provides a single interface for SSL providers and mod_nss defers to ++mod_ssl ++if it is loaded. + + +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400 +@@ -142,6 +142,8 @@ + SSL_CMD_SRV(ProxyNickname, TAKE1, + "SSL Proxy: client certificate Nickname to be for proxy connections " + "(`nickname')") ++ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, ++ "SSL Proxy: check the peers certificate CN") + + #ifdef IGNORE + /* Deprecated directives. */ +@@ -238,23 +240,30 @@ + SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket) + { + conn_rec *c = (conn_rec *)arg; ++ SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + PRErrorCode err = PR_GetError(); + SECStatus rv = SECFailure; + CERTCertificate *peerCert = SSL_PeerCertificate(socket); ++ const char *hostname_note; + + switch (err) { + case SSL_ERROR_BAD_CERT_DOMAIN: +- if (c->remote_host != NULL) { +- rv = CERT_VerifyCertName(peerCert, c->remote_host); +- if (rv != SECSuccess) { +- char *remote = CERT_GetCommonName(&peerCert->subject); ++ if (sc->proxy_ssl_check_peer_cn == TRUE) { ++ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) { ++ apr_table_unset(c->notes, "proxy-request-hostname"); ++ rv = CERT_VerifyCertName(peerCert, hostname_note); ++ if (rv != SECSuccess) { ++ char *remote = CERT_GetCommonName(&peerCert->subject); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note); ++ PORT_Free(remote); ++ } ++ } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: Possible man-in-the-middle attack. 
The remove server is %s, we expected %s", remote, c->remote_host); +- PORT_Free(remote); ++ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."); + } + } else { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."); ++ rv = SECSuccess; + } + break; + default: +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400 +@@ -306,6 +306,7 @@ + int vhost_id_len; + modnss_ctx_t *server; + modnss_ctx_t *proxy; ++ BOOL proxy_ssl_check_peer_cn; + }; + + /* +@@ -410,6 +411,7 @@ + const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c +--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400 +@@ -140,6 +140,7 @@ + sc->vhost_id_len = 0; /* set during module init */ + sc->proxy = NULL; + sc->server = NULL; ++ sc->proxy_ssl_check_peer_cn = TRUE; + + modnss_ctx_init_proxy(sc, p); + +@@ -214,6 +215,7 @@ + cfgMergeBool(fips); + cfgMergeBool(enabled); + cfgMergeBool(proxy_enabled); ++ cfgMergeBool(proxy_ssl_check_peer_cn); + + modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + +@@ 
-544,6 +546,15 @@ + return NULL; + } + ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE; ++ ++ return NULL; ++} ++ + const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd, + void *dcfg, + int flag) diff --git a/SOURCES/mod_nss-sslmultiproxy.patch b/SOURCES/mod_nss-sslmultiproxy.patch new file mode 100644 index 0000000..c667653 --- /dev/null +++ b/SOURCES/mod_nss-sslmultiproxy.patch 
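Review bot: The new log line in `NSSBadCertHandler`, `"SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s"`, misspells "remote" as "remove"; this is the string operators will search the error log for, so fix it while the line is being rewritten. The documentation example added in the same patch reads `NSSProcyCheckPeerCN on` and should be `NSSProxyCheckPeerCN on`, otherwise a copy-pasted example fails with an unknown-directive error. The `rv = SECSuccess;` assigned when `proxy_ssl_check_peer_cn` is not TRUE deserves a one-line comment, e.g. `/* NSSProxyCheckPeerCN off: accept the name mismatch */`, since that branch disables the only peer-identity check the docs describe. NSSBadCertHandler's body continues past the hunk.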
@@ -0,0 +1,211 @@ +diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2012-11-09 16:13:26.967022000 -0800 ++++ mod_nss-1.0.8/mod_nss.c 2012-11-09 20:18:39.936927000 -0800 +@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c + return sslconn; + } + ++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; ++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; ++ + int nss_proxy_enable(conn_rec *c) + { + SSLSrvConfigRec *sc = mySrvConfig(c->base_server); +@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c) + SSLConnRec *sslconn = nss_init_connection_ctx(c); + + if (!sc->proxy_enabled) { ++ if (othermod_proxy_enable) { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "mod_nss proxy not configured, passing through to mod_ssl module"); ++ return othermod_proxy_enable(c); ++ } ++ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, + "SSL Proxy requested for %s but not enabled " + "[Hint: NSSProxyEngine]", sc->vhost_id); +@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c) + return 1; + } + +-int ssl_proxy_enable(conn_rec *c) { ++static int ssl_proxy_enable(conn_rec *c) { + return nss_proxy_enable(c); + } + +@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c) + + SSLConnRec *sslconn; + ++ if (othermod_engine_disable) { ++ othermod_engine_disable(c); ++ } ++ + if (sc->enabled == FALSE) { + return 0; + } +@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c) + return 1; + } + +-int ssl_engine_disable(conn_rec *c) { ++static int ssl_engine_disable(conn_rec *c) { + return nss_engine_disable(c); + } + +@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_ + + nss_var_register(); + ++ /* Always register these mod_nss optional functions */ + APR_REGISTER_OPTIONAL_FN(nss_proxy_enable); + APR_REGISTER_OPTIONAL_FN(nss_engine_disable); + +- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL) 
+- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); ++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); ++ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + } + + module AP_MODULE_DECLARE_DATA nss_module = { +diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss-1.0.8.orig/mod_nss.h 2012-11-09 16:13:26.799022000 -0800 ++++ mod_nss-1.0.8/mod_nss.h 2012-11-09 17:14:18.660077000 -0800 +@@ -13,8 +13,8 @@ + * limitations under the License. + */ + +-#ifndef __MOD_SSL_H__ +-#define __MOD_SSL_H__ ++#ifndef __MOD_NSS_H__ ++#define __MOD_NSS_H__ + + /* Apache headers */ + #include "httpd.h" +@@ -25,6 +25,7 @@ + #include "http_connection.h" + #include "http_request.h" + #include "http_protocol.h" ++#include "mod_ssl.h" + #include "util_script.h" + #include "util_filter.h" + #include "mpm.h" +@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r); + /* Variables */ + void nss_var_register(void); + char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); +-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); + void nss_var_log_config_register(apr_pool_t *p); + + APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup, + (apr_pool_t *, server_rec *, + conn_rec *, request_rec *, + char *)); +-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, +- (apr_pool_t *, server_rec *, +- conn_rec *, request_rec *, +- char *)); + + /* An optional function which returns non-zero if the given connection + * is using SSL/TLS. 
*/ + APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); + + /* Proxy Support */ + int nss_proxy_enable(conn_rec *c); + int nss_engine_disable(conn_rec *c); +-int ssl_proxy_enable(conn_rec *c); +-int ssl_engine_disable(conn_rec *c); + + APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); + + APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + + /* I/O */ + PRFileDesc * nss_io_new_fd(); +@@ -495,4 +486,4 @@ void nss_die(void); + + /* NSS callback */ + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); +-#endif /* __MOD_SSL_H__ */ ++#endif /* __MOD_NSS_H__ */ +diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c +--- mod_nss-1.0.8.orig/nss_engine_vars.c 2012-11-09 16:13:26.997024000 -0800 ++++ mod_nss-1.0.8/nss_engine_vars.c 2012-11-09 20:15:32.948488000 -0800 +@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver + static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var); + static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var); + static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c); ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); ++ ++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; ++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; + + static int nss_is_https(conn_rec *c) + { + SSLConnRec *sslconn = myConnConfig(c); +- return sslconn && sslconn->ssl; ++ ++ return (sslconn && sslconn->ssl) ++ || (othermod_is_https && othermod_is_https(c)); + } + + static int ssl_is_https(conn_rec *c) { +@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) { + + void nss_var_register(void) + { ++ /* Always register these mod_nss optional functions */ + 
APR_REGISTER_OPTIONAL_FN(nss_is_https); + APR_REGISTER_OPTIONAL_FN(nss_var_lookup); + +- /* These can only be registered if mod_ssl is not loaded */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_is_https); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); ++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_is_https); ++ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + + return; + } +@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) ++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { ++ /* If mod_ssl is registered for this connection, ++ * pass any SSL_* variable through to the mod_ssl module ++ */ ++ return othermod_var_lookup(p, s, c, r, var); ++ } ++ + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = nss_var_lookup_ssl(p, c, var+4); +@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv + return result; + } + +-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { + return nss_var_lookup(p, s, c, r, var); + } + diff --git a/SOURCES/mod_nss-sslmultiproxy_2.patch b/SOURCES/mod_nss-sslmultiproxy_2.patch new file mode 100644 index 0000000..5d97f2e --- /dev/null +++ b/SOURCES/mod_nss-sslmultiproxy_2.patch 
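Review bot: The pass-through to mod_ssl depends on module load order that nothing documents: `othermod_proxy_enable`, `othermod_engine_disable`, `othermod_is_https` and `othermod_var_lookup` are filled by `APR_RETRIEVE_OPTIONAL_FN` inside `nss_register_hooks`/`nss_var_register`, which only finds functions registered by modules whose hooks ran earlier, so if mod_ssl is `LoadModule`d after mod_nss the `othermod_*` pointers stay NULL and mod_ssl's later registration replaces the `ssl_*` entries mod_nss just registered — the reverse of the intended chaining. Suggest a comment above the "Save the state" lines, e.g. `/* Only sees a mod_ssl loaded before mod_nss; a later mod_ssl overrides our ssl_* registrations */`, plus a sentence in the module docs. In `nss_engine_disable` the new `othermod_engine_disable(c);` runs before the `sc->enabled == FALSE` check and its return value is discarded, which may be intended but should be stated in a comment. `SOURCES/mod_nss-sslmultiproxy_2.patch` (the next file) is a near-verbatim copy of this patch with later timestamps and shifted offsets, so the same notes apply there; carrying both invites confusion about which one the spec applies.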
@@ -0,0 +1,211 @@ +diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2013-10-21 15:01:49.000000000 -0700 ++++ mod_nss-1.0.8/mod_nss.c 2013-10-21 15:20:57.000000000 -0700 +@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c + return sslconn; + } + ++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; ++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; ++ + int nss_proxy_enable(conn_rec *c) + { + SSLSrvConfigRec *sc = mySrvConfig(c->base_server); +@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c) + SSLConnRec *sslconn = nss_init_connection_ctx(c); + + if (!sc->proxy_enabled) { ++ if (othermod_proxy_enable) { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "mod_nss proxy not configured, passing through to mod_ssl module"); ++ return othermod_proxy_enable(c); ++ } ++ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, + "SSL Proxy requested for %s but not enabled " + "[Hint: NSSProxyEngine]", sc->vhost_id); +@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c) + return 1; + } + +-int ssl_proxy_enable(conn_rec *c) { ++static int ssl_proxy_enable(conn_rec *c) { + return nss_proxy_enable(c); + } + +@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c) + + SSLConnRec *sslconn; + ++ if (othermod_engine_disable) { ++ othermod_engine_disable(c); ++ } ++ + if (sc->enabled == FALSE) { + return 0; + } +@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c) + return 1; + } + +-int ssl_engine_disable(conn_rec *c) { ++static int ssl_engine_disable(conn_rec *c) { + return nss_engine_disable(c); + } + +@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_ + + nss_var_register(); + ++ /* Always register these mod_nss optional functions */ + APR_REGISTER_OPTIONAL_FN(nss_proxy_enable); + APR_REGISTER_OPTIONAL_FN(nss_engine_disable); + +- /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL) 
+- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); ++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); ++ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + } + + module AP_MODULE_DECLARE_DATA nss_module = { +diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss-1.0.8.orig/mod_nss.h 2013-10-21 15:01:49.000000000 -0700 ++++ mod_nss-1.0.8/mod_nss.h 2013-10-21 15:24:06.000000000 -0700 +@@ -13,8 +13,8 @@ + * limitations under the License. + */ + +-#ifndef __MOD_SSL_H__ +-#define __MOD_SSL_H__ ++#ifndef __MOD_NSS_H__ ++#define __MOD_NSS_H__ + + /* Apache headers */ + #include "httpd.h" +@@ -25,6 +25,7 @@ + #include "http_connection.h" + #include "http_request.h" + #include "http_protocol.h" ++#include "mod_ssl.h" + #include "util_script.h" + #include "util_filter.h" + #include "apr.h" +@@ -437,34 +438,24 @@ int nss_hook_ReadReq(request_rec *r); + /* Variables */ + void nss_var_register(void); + char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); +-char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); + void nss_var_log_config_register(apr_pool_t *p); + + APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup, + (apr_pool_t *, server_rec *, + conn_rec *, request_rec *, + char *)); +-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, +- (apr_pool_t *, server_rec *, +- conn_rec *, request_rec *, +- char *)); + + /* An optional function which returns non-zero if the given connection + * is using SSL/TLS. 
*/ + APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); + + /* Proxy Support */ + int nss_proxy_enable(conn_rec *c); + int nss_engine_disable(conn_rec *c); +-int ssl_proxy_enable(conn_rec *c); +-int ssl_engine_disable(conn_rec *c); + + APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); + + APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); +-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + + /* I/O */ + PRFileDesc * nss_io_new_fd(); +@@ -494,4 +485,4 @@ void nss_die(void); + + /* NSS callback */ + SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); +-#endif /* __MOD_SSL_H__ */ ++#endif /* __MOD_NSS_H__ */ +diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c +--- mod_nss-1.0.8.orig/nss_engine_vars.c 2013-10-21 15:01:50.000000000 -0700 ++++ mod_nss-1.0.8/nss_engine_vars.c 2013-10-21 15:43:43.000000000 -0700 +@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver + static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var); + static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var); + static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c); ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); ++ ++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; ++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; + + static int nss_is_https(conn_rec *c) + { + SSLConnRec *sslconn = myConnConfig(c); +- return sslconn && sslconn->ssl; ++ ++ return (sslconn && sslconn->ssl) ++ || (othermod_is_https && othermod_is_https(c)); + } + + static int ssl_is_https(conn_rec *c) { +@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) { + + void nss_var_register(void) + { ++ /* Always register these mod_nss optional functions */ + 
APR_REGISTER_OPTIONAL_FN(nss_is_https); + APR_REGISTER_OPTIONAL_FN(nss_var_lookup); + +- /* These can only be registered if mod_ssl is not loaded */ +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_is_https); +- if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL) +- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); ++ /* Save the state of any previously registered mod_ssl functions */ ++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); ++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); ++ ++ /* Always register these local mod_ssl optional functions */ ++ APR_REGISTER_OPTIONAL_FN(ssl_is_https); ++ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + + return; + } +@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = myConnConfig(c); ++ ++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) ++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { ++ /* If mod_ssl is registered for this connection, ++ * pass any SSL_* variable through to the mod_ssl module ++ */ ++ return othermod_var_lookup(p, s, c, r, var); ++ } ++ + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = nss_var_lookup_ssl(p, c, var+4); +@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv + return result; + } + +-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { ++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { + return nss_var_lookup(p, s, c, r, var); + } + diff --git a/SOURCES/mod_nss-tlsv1_1.patch b/SOURCES/mod_nss-tlsv1_1.patch new file mode 100644 index 0000000..be8449e --- /dev/null +++ b/SOURCES/mod_nss-tlsv1_1.patch 
@@ -0,0 +1,744 @@ +diff -rupN mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html +--- mod_nss-1.0.8.orig/docs/mod_nss.html 2012-10-15 13:53:48.889995000 -0700 ++++ mod_nss-1.0.8/docs/mod_nss.html 2012-10-16 11:37:30.983783000 -0700 +@@ -466,7 +466,7 @@ Example
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    + +- SSLv3/TLSv1
    ++ SSLv3/TLSv1.0/TLSv1.1
    + + + +@@ -578,106 +578,106 @@ definition
    + + SSL_RSA_WITH_DES_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_null_md5
    + + SSL_RSA_WITH_NULL_MD5
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_null_sha
    + + SSL_RSA_WITH_NULL_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_rc2_40_md5 + SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_rc4_128_md5 + SSL_RSA_WITH_RC4_128_MD5
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_rc4_128_sha + SSL_RSA_WITH_RC4_128_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_rc4_40_md5 + SSL_RSA_EXPORT_WITH_RC4_40_MD5
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + fortezza
    + + SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + fortezza_rc4_128_sha
    + + SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + fortezza_null
    + + SSL_FORTEZZA_DMS_WITH_NULL_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + fips_des_sha
    + + SSL_RSA_FIPS_WITH_DES_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + fips_3des_sha
    + + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_des_56_sha + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    + +- SSL3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_rc4_56_sha + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_aes_128_sha
    + + TLS_RSA_WITH_AES_128_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + rsa_aes_256_sha
    + + TLS_RSA_WITH_AES_256_CBC_SHA
    + +- SSLv3/TLSv1 ++ SSLv3/TLSv1.0/TLSv1.1 + + + +@@ -698,127 +698,127 @@ Definition
    + + ecdh_ecdsa_null_sha + TLS_ECDH_ECDSA_WITH_NULL_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_ecdsa_rc4_128_sha + TLS_ECDH_ECDSA_WITH_RC4_128_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_ecdsa_3des_sha + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_ecdsa_aes_128_sha + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_ecdsa_aes_256_sha + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_ecdsa_null_sha + TLS_ECDHE_ECDSA_WITH_NULL_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_ecdsa_rc4_128_sha + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_ecdsa_3des_sha + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_ecdsa_aes_128_sha + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_ecdsa_aes_256_sha + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_rsa_null_sha + TLS_ECDH_RSA_WITH_NULL_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_rsa_128_sha + TLS_ECDH_RSA_WITH_RC4_128_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_rsa_3des_sha + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_rsa_aes_128_sha + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_rsa_aes_256_sha + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + echde_rsa_null + TLS_ECDHE_RSA_WITH_NULL_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_rsa_rc4_128_sha + TLS_ECDHE_RSA_WITH_RC4_128_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_rsa_3des_sha + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_rsa_aes_128_sha + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdhe_rsa_aes_256_sha + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_anon_null_sha + TLS_ECDH_anon_WITH_NULL_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_anon_rc4_128sha + TLS_ECDH_anon_WITH_RC4_128_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + 
ecdh_anon_3des_sha + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_anon_aes_128_sha + TLS_ECDH_anon_WITH_AES_128_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + ecdh_anon_aes_256_sha + TLS_ECDH_anon_WITH_AES_256_CBC_SHA +- TLSv1 ++ TLSv1.0/TLSv1.1 + + + +@@ -839,16 +839,35 @@ specifically but allows ciphers for that + Options are:
    +
      +
    • SSLv3
    • +-
    • TLSv1
    • ++
    • TLSv1 (legacy only; replaced by TLSv1.0)
    • ++
    • TLSv1.0
    • ++
    • TLSv1.1
    • +
    • All
    • +
    + Note that this differs from mod_ssl in that you can't add or subtract + protocols.
    ++
    ++If no NSSProtocol is specified, mod_nss will default to allowing the use of ++the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the ++minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol ++allowed. ++
    ++If values for NSSProtocol are specified, mod_nss will set both the minimum ++and the maximum allowed protocols based upon these entries allowing for the ++inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1 ++are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes ++protocol ranges to accept all protocols inclusively ++(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols ++in the middle of a range (e. g. - TLS 1.0).
    ++
    ++Finally, NSS will always automatically negotiate the use of the strongest ++possible protocol that has been specified which is acceptable to both sides of ++a given connection.
    + SSLv2 is not supported by default at this time.
    +
    + Example
    +
    +-NSSProtocol SSLv3,TLSv1
    ++NSSProtocol SSLv3,TLSv1.0,TLSv1.1
    +
    + NSSNickname
    +

    +@@ -1101,7 +1120,7 @@ was compiled against.
    + + SSL_PROTOCOL
    +
    +- SSLv2, SSLv3 or TLSv1
    ++ SSLv2, SSLv3, TLSv1.0, or TLSv1.1
    + + + +@@ -1443,7 +1462,7 @@ Opera, and + Safari) support SSL 3 and TLS so there is no need for a web server to + support + SSL 2. There are some known attacks against SSL 2 that are handled by +-SSL 3/TLS. SSL2 also doesn't support useful features like client ++SSL 3/TLS. SSLv2 also doesn't support useful features like client + authentication. +
    +

    Frequently Asked Questions

    +diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2012-10-15 13:53:48.971995000 -0700 ++++ mod_nss-1.0.8/mod_nss.c 2012-10-17 09:46:18.838689000 -0700 +@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds + "(`[+-]XXX,...,[+-]XXX' - see manual)") + SSL_CMD_SRV(Protocol, RAW_ARGS, + "Enable the various SSL protocols" +- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)") ++ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)") + SSL_CMD_ALL(VerifyClient, TAKE1, + "SSL Client Authentication " + "(`none', `optional', `require'") +@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds + "(`on', `off')") + SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, + "SSL Proxy: enable or disable SSL protocol flavors " +- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") ++ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)") + SSL_CMD_SRV(ProxyCipherSuite, TAKE1, + "SSL Proxy: colon-delimited list of permitted SSL ciphers " + "(`XXX:...:XXX' - see manual)") +diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in +--- mod_nss-1.0.8.orig/nss.conf.in 2012-10-15 13:53:48.856995000 -0700 ++++ mod_nss-1.0.8/nss.conf.in 2012-10-19 18:06:59.101468000 -0700 +@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 + # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography + #NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha + +-NSSProtocol SSLv3,TLSv1 ++# SSL Protocol: ++# Cryptographic protocols that provide communication security. ++# NSS handles the specified protocols as "ranges", and automatically ++# negotiates the use of the strongest protocol for a connection starting ++# with the maximum specified protocol and downgrading as necessary to the ++# minimum specified protocol that can be used between two processes. ++# Since all protocol ranges are completely inclusive, and no protocol in the ++# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" ++# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". ++NSSProtocol SSLv3,TLSv1.0,TLSv1.1 + + # SSL Certificate Nickname: + # The nickname of the RSA server certificate you are going to use. 
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c +--- mod_nss-1.0.8.orig/nss_engine_init.c 2012-10-15 13:53:49.165998000 -0700 ++++ mod_nss-1.0.8/nss_engine_init.c 2012-10-19 17:44:04.973592000 -0700 +@@ -616,62 +616,98 @@ static void nss_init_ctx_protocol(server + apr_pool_t *ptemp, + modnss_ctx_t *mctx) + { +- int ssl2, ssl3, tls; ++ int ssl2, ssl3, tls, tls1_1; ++ char *protocol_marker = NULL; + char *lprotocols = NULL; + SECStatus stat; ++ SSLVersionRange enabledVersions; + +- ssl2 = ssl3 = tls = 0; ++ ssl2 = ssl3 = tls = tls1_1 = 0; ++ ++ /* ++ * Since this routine will be invoked individually for every thread ++ * associated with each 'server' object as well as for every thread ++ * associated with each 'proxy' object, identify the protocol marker ++ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy') ++ * via each thread's object type and apply this useful information to ++ * all log messages. ++ */ ++ if (mctx == mctx->sc->server) { ++ protocol_marker = "NSSProtocol"; ++ } else if (mctx == mctx->sc->proxy) { ++ protocol_marker = "NSSProxyProtocol"; ++ } + + if (mctx->sc->fips) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, +- "In FIPS mode, enabling TLSv1"); +- tls = 1; ++ "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1", ++ protocol_marker); ++ tls = tls1_1 = 1; + } else { + if (mctx->auth.protocols == NULL) { +- /* +- * Since this routine will be invoked individually for every +- * thread associated with each 'server' object as well as for +- * every thread associated with each 'proxy' object, issue a +- * single per-thread 'warning' message for either a 'server' +- * or a 'proxy' based upon the thread's object type. 
+- */ +- if (mctx == mctx->sc->server) { +- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, +- "NSSProtocol value not set; using: SSLv3 and TLSv1"); +- } else if (mctx == mctx->sc->proxy) { +- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, +- "NSSProxyProtocol value not set; using: SSLv3 and TLSv1"); +- } ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ++ "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1", ++ protocol_marker); + +- ssl3 = tls = 1; ++ ssl3 = tls = tls1_1 = 1; + } else { + lprotocols = strdup(mctx->auth.protocols); + ap_str_tolower(lprotocols); + + if (strstr(lprotocols, "all") != NULL) { + #ifdef WANT_SSL2 +- ssl2 = ssl3 = tls = 1; ++ ssl2 = ssl3 = tls = tls1_1= 1; + #else +- ssl3 = tls = 1; ++ ssl3 = tls = tls1_1 = 1; + #endif + } else { +- if (strstr(lprotocols, "sslv2") != NULL) { ++ char *protocol_list = NULL; ++ char *saveptr = NULL; ++ char *token = NULL; ++ ++ for (protocol_list = lprotocols; ; protocol_list = NULL) { ++ token = strtok_r(protocol_list, ",", &saveptr); ++ if (token == NULL) { ++ break; ++ } else if (strcmp(token, "sslv2") == 0) { + #ifdef WANT_SSL2 +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2"); +- ssl2 = 1; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Enabling SSL2", ++ protocol_marker); ++ ssl2 = 1; + #else +- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported"); ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, ++ "%s: SSL2 is not supported", ++ protocol_marker); + #endif +- } +- +- if (strstr(lprotocols, "sslv3") != NULL) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3"); +- ssl3 = 1; +- } +- +- if (strstr(lprotocols, "tlsv1") != NULL) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS"); +- tls = 1; ++ } else if (strcmp(token, "sslv3") == 0) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Enabling SSL3", ++ protocol_marker); ++ ssl3 = 1; ++ } else if (strcmp(token, "tlsv1") == 0) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Enabling 
TLSv1.0 via TLSv1", ++ protocol_marker); ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, ++ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.", ++ protocol_marker); ++ tls = 1; ++ } else if (strcmp(token, "tlsv1.0") == 0) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Enabling TLSv1.0", ++ protocol_marker); ++ tls = 1; ++ } else if (strcmp(token, "tlsv1.1") == 0) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Enabling TLSv1.1", ++ protocol_marker); ++ tls1_1 = 1; ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ++ "%s: Unknown protocol '%s' not supported", ++ protocol_marker, token); ++ } + } + } + free(lprotocols); +@@ -686,31 +722,98 @@ static void nss_init_ctx_protocol(server + stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE); + } + ++ /* Set protocol version ranges: ++ * ++ * (1) Set the minimum protocol accepted ++ * (2) Set the maximum protocol accepted ++ * (3) Protocol ranges extend from maximum down to minimum protocol ++ * (4) All protocol ranges are completely inclusive; ++ * no protocol in the middle of a range may be excluded ++ * (5) NSS automatically negotiates the use of the strongest protocol ++ * for a connection starting with the maximum specified protocol ++ * and downgrading as necessary to the minimum specified protocol ++ * ++ * For example, if SSL 3.0 is chosen as the minimum protocol, and ++ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and ++ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and ++ * cannot be excluded from this range. NSS will automatically negotiate ++ * to utilize the strongest acceptable protocol for a connection starting ++ * with the maximum specified protocol and downgrading as necessary to the ++ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). 
++ */ + if (stat == SECSuccess) { ++ /* Set minimum protocol version (lowest -> highest) ++ * ++ * SSL 3.0 -> TLS 1.0 -> TLS 1.1 ++ */ + if (ssl3 == 1) { +- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE); ++ enabledVersions.min = SSL_LIBRARY_VERSION_3_0; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [SSL 3.0] (minimum)", ++ protocol_marker); ++ } else if (tls == 1) { ++ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [TLS 1.0] (minimum)", ++ protocol_marker); ++ } else if (tls1_1 == 1) { ++ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [TLS 1.1] (minimum)", ++ protocol_marker); + } else { +- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE); ++ /* Set default minimum protocol version to SSL 3.0 */ ++ enabledVersions.min = SSL_LIBRARY_VERSION_3_0; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [SSL 3.0] (default minimum)", ++ protocol_marker); + } +- } +- if (stat == SECSuccess) { +- if (tls == 1) { +- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE); ++ ++ /* Set maximum protocol version (highest -> lowest) ++ * ++ * TLS 1.1 -> TLS 1.0 -> SSL 3.0 ++ */ ++ if (tls1_1 == 1) { ++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [TLS 1.1] (maximum)", ++ protocol_marker); ++ } else if (tls == 1) { ++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [TLS 1.0] (maximum)", ++ protocol_marker); ++ } else if (ssl3 == 1) { ++ enabledVersions.max = SSL_LIBRARY_VERSION_3_0; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: [SSL 3.0] (maximum)", ++ protocol_marker); + } else { +- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE); ++ /* Set default maximum protocol version to TLS 1.1 */ ++ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 
++ "%s: [TLS 1.1] (default maximum)", ++ protocol_marker); + } ++ ++ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions); + } + + if (stat != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "SSL protocol initialization failed."); ++ "%s: SSL/TLS protocol initialization failed.", ++ protocol_marker); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + + mctx->ssl2 = ssl2; + mctx->ssl3 = ssl3; +- mctx->tls = tls; ++ if (tls1_1 == 1) { ++ mctx->tls = tls1_1; ++ } else { ++ mctx->tls = tls; ++ } + } + + static void nss_init_ctx_session_cache(server_rec *s, +@@ -791,6 +894,8 @@ static void nss_init_ctx_cipher_suite(se + PRBool cipher_state[ciphernum]; + PRBool fips_state[ciphernum]; + const char *suite = mctx->auth.cipher_suite; ++ char * object_type = NULL; ++ char * cipher_suite_marker = NULL; + char * ciphers; + char * fipsciphers = NULL; + int i; +@@ -820,6 +925,23 @@ static void nss_init_ctx_cipher_suite(se + + nss_die(); + } ++ ++ /* ++ * Since this routine will be invoked individually for every thread ++ * associated with each 'server' object as well as for every thread ++ * associated with each 'proxy' object, identify the cipher suite markers ++ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy') ++ * via each thread's object type and apply this useful information to ++ * all log messages. 
++ */ ++ if (mctx == mctx->sc->server) { ++ object_type = "server"; ++ cipher_suite_marker = "NSSCipherSuite"; ++ } else if (mctx == mctx->sc->proxy) { ++ object_type = "proxy"; ++ cipher_suite_marker = "NSSProxyCipherSuite"; ++ } ++ + ciphers = strdup(suite); + + #define CIPHERSIZE 2048 +@@ -854,13 +976,13 @@ static void nss_init_ctx_cipher_suite(se + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "FIPS mode enabled, permitted SSL ciphers are: [%s]", +- fipsciphers); ++ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]", ++ object_type, fipsciphers); + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "Configuring permitted SSL ciphers [%s]", +- suite); ++ "%s: Configuring permitted SSL ciphers [%s]", ++ cipher_suite_marker, suite); + + /* Disable all NSS supported cipher suites. This is to prevent any new + * NSS cipher suites from getting automatically and unintentionally +@@ -899,7 +1021,7 @@ static void nss_init_ctx_cipher_suite(se + for (i=0; issl2 && countciphers(cipher_state, SSL2) == 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "SSL2 is enabled but no SSL2 ciphers are enabled."); ++ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.", ++ cipher_suite_marker); + nss_die(); + } + + if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "SSL3 is enabled but no SSL3 ciphers are enabled."); ++ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.", ++ cipher_suite_marker); + nss_die(); + } + + if (mctx->tls && countciphers(cipher_state, TLS) == 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +- "TLS is enabled but no TLS ciphers are enabled."); ++ "%s: TLS is enabled but no TLS ciphers are enabled.", ++ cipher_suite_marker); + nss_die(); + } + +diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c +--- mod_nss-1.0.8.orig/nss_engine_vars.c 2008-01-03 13:35:28.000000000 -0800 ++++ mod_nss-1.0.8/nss_engine_vars.c 2012-10-19 17:12:48.178045000 -0700 +@@ 
-722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
+ case SSL_LIBRARY_VERSION_3_0:
+ result = "SSLv3";
+ break;
+- case SSL_LIBRARY_VERSION_3_1_TLS:
++ case SSL_LIBRARY_VERSION_TLS_1_0:
++ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
+ result = "TLSv1";
+ break;
++ case SSL_LIBRARY_VERSION_TLS_1_1:
++ result = "TLSv1.1";
++ break;
+ }
+ }
+ }
diff --git a/SOURCES/mod_nss-wouldblock.patch b/SOURCES/mod_nss-wouldblock.patch
new file mode 100644
index 0000000..405b67a
--- /dev/null
+++ b/SOURCES/mod_nss-wouldblock.patch
@@ -0,0 +1,12 @@
+--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
++++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
+@@ -259,7 +259,8 @@
+ */
+ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
+ || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
+- return 0;
++ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
++ return -1;
+ }
+
+ if (inctx->rc != APR_SUCCESS) {
diff --git a/SPECS/mod_nss.spec b/SPECS/mod_nss.spec
new file mode 100644
index 0000000..6b0669c
--- /dev/null
+++ b/SPECS/mod_nss.spec
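Review bot: The new `PR_SetError(PR_WOULD_BLOCK_ERROR, 0); return -1;` path reports EAGAIN, EINTR and a successful read that yielded an empty brigade to NSPR as one and the same would-block condition, and nothing in the hunk records why an interrupted read (EINTR) is not retried or reported separately. The enclosing function starts and ends outside the hunk, so the caller's handling of the -1 is not visible here; the spec's 1.0.8-9 changelog entry ('Revert mod_nss-wouldblock patch' next to 'Reset NSPR error before calling PR_Read(). This should fix looping') suggests this mapping has interacted badly with the read loop before, yet `%patch3` in the same commit still applies it. A one-line comment above the `if`, such as `/* No data yet (or interrupted): tell NSPR to retry rather than return 0, which it presumably reads as EOF */`, would make the intent checkable against that history.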
@@ -0,0 +1,391 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}}
+
+Name: mod_nss
+Version: 1.0.8
+Release: 25%{?dist}
+Summary: SSL/TLS module for the Apache HTTP server
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://directory.fedoraproject.org/wiki/Mod_nss
+Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= 4.9.2, nss-devel >= 3.14.0.0
+BuildRequires: httpd-devel, apr-devel, apr-util-devel
+BuildRequires: pkgconfig
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires(post): httpd, nss-tools
+Requires: nss%{?_isa} >= 3.14.0.0
+# Although the following change reverses the desire of Bugzilla Bug #601939, it
+# was provided to suppress the dangling symlink warning of Bugzilla Bug #906089
+# as exposed via 'rpmlint'.
+Requires: %{_libdir}/libnssckbi.so
+
+# Change configuration to not conflict with mod_ssl
+Patch1: mod_nss-conf.patch
+# Generate a password-less NSS database
+Patch2: mod_nss-gencert.patch
+# Properly set blocking status when no data is available
+Patch3: mod_nss-wouldblock.patch
+# Add options for tuning client negotiate in NSS
+Patch4: mod_nss-negotiate.patch
+Patch5: mod_nss-reverseproxy.patch
+Patch6: mod_nss-PK11_ListCerts_2.patch
+Patch7: mod_nss-pcachesignal.h
+Patch8: mod_nss-reseterror.patch
+Patch9: mod_nss-lockpcache.patch
+Patch10: mod_nss-httpd24.patch
+Patch11: mod_nss-overlapping_memcpy.patch
+Patch12: mod_nss-man.patch
+Patch13: mod_nss-array_overrun.patch
+Patch14: mod_nss-clientauth.patch
+Patch15: mod_nss-no_shutdown_if_not_init_2.patch
+Patch16: mod_nss-proxyvariables.patch
+Patch17: mod_nss-tlsv1_1.patch
+Patch18: mod_nss-sslmultiproxy.patch
+Patch19: mod_nss-sslmultiproxy_2.patch
+Patch20: mod_nss-docs-fix.patch
+
+%description
+The mod_nss module provides strong cryptography for the Apache Web
+server via the Secure Sockets Layer (SSL) and Transport Layer
+Security (TLS) protocols using the Network Security Services (NSS)
+security library.
+
+%prep
+%setup -q
+%patch1 -p1 -b .conf
+%patch2 -p1 -b .gencert
+%patch3 -p1 -b .wouldblock
+%patch4 -p1 -b .negotiate
+%patch5 -p1 -b .reverseproxy
+%patch6 -p1 -b .PK11_ListCerts_2
+%patch7 -p1 -b .pcachesignal.h
+%patch8 -p1 -b .reseterror
+%patch9 -p1 -b .lockpcache
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%patch10 -p1 -b .httpd24
+%endif
+%patch11 -p1 -b .overlapping_memcpy
+%patch12 -p1 -b .man
+%patch13 -p1 -b .array_overrun
+%patch14 -p1 -b .clientauth
+%patch15 -p1 -b .no_shutdown_if_not_init_2
+%patch16 -p1 -b .proxyvariables
+%patch17 -p1 -b .tlsv1_1
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%patch19 -p1 -b .sslmultiproxy_2
+%else
+%patch18 -p1 -b .sslmultiproxy
+%endif
+%patch20 -p1 -b .docs-fix
+
+# Touch expression parser sources to prevent regenerating it
+touch nss_expr_*.[chyl]
+
+%build
+
+CFLAGS="$RPM_OPT_FLAGS"
+APXS=%{_httpd_apxs}
+
+export CFLAGS APXS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
+NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
+
+NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
+NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
+
+NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
+
+%configure \
+ --with-nss-lib=$NSS_LIB_DIR \
+ --with-nss-inc=$NSS_INCLUDE_DIR \
+ --with-nspr-lib=$NSPR_LIB_DIR \
+ --with-nspr-inc=$NSPR_INCLUDE_DIR \
+ --with-apr-config --enable-ecc
+
+make %{?_smp_mflags} all
+
+%install
+# The install target of the Makefile isn't used because that uses apxs
+# which tries to enable the module in the build host httpd instead of in
+# the build root.
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
+mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir}
+mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd >= 2.4.x
+mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir}
+sed -n /^LoadModule/p nss.conf > 10-nss.conf
+sed -i /^LoadModule/d nss.conf
+install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}
+%endif
+
+install -m 644 gencert.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m 644 nss_pcache.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+
+install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir}
+
+install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
+install -m 755 nss_pcache $RPM_BUILD_ROOT%{_libexecdir}/
+# Provide a compatibility link to prevent disruption of customized deployments.
+#
+# NOTE: This link may be deprecated in a future release of 'mod_nss'.
+#
+ln -s %{_libexecdir}/nss_pcache $RPM_BUILD_ROOT%{_sbindir}/nss_pcache
+install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
+ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log
+
+perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+umask 077
+
+if [ "$1" -eq 1 ] ; then
+ if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
+ %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
+ echo ""
+ echo "%{name} certificate database generated."
+ echo ""
+ fi
+
+ # Make sure that the database ownership is setup properly.
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
+fi
+
+%files
+%defattr(-,root,root,-)
+%doc README LICENSE docs/mod_nss.html
+%{_mandir}/man8/*
+%config(noreplace) %{_httpd_confdir}/nss.conf
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/10-nss.conf
+%endif
+%{_libdir}/httpd/modules/libmodnss.so
+%dir %{_sysconfdir}/httpd/alias/
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
+%{_sysconfdir}/httpd/alias/libnssckbi.so
+%{_libexecdir}/nss_pcache
+%{_sbindir}/nss_pcache
+%{_sbindir}/gencert
+
+%changelog
+* Fri Nov 1 2013 Tomas Hoger - 1.0.8-25
+- Bugzilla Bug #1025317 - mod_nss: documentation formatting fixes [rhel-7]
+
+* Thu Oct 24 2013 Matthew Harmsen - 1.0.8-24
+- Add '--enable-ecc' option to '%configure' line under '%build' section of
+ this spec file (mharmsen)
+- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
+- [mod_nss-PK11_ListCerts_2.patch]
+- Bugzilla Bug #1022295 - PK11_ListCerts called to retrieve all user
+ certificates for every server (rcritten)
+- [mod_nss-array_overrun.patch]
+- Bugzilla Bug #1022298 - overrunning array when executing nss_pcache
+ (rcritten)
+- [mod_nss-clientauth.patch]
+- Bugzilla Bug #1022921 - mod_nss: FakeBasicAuth authentication bypass
+ [rhel-7.0] (rcritten)
+- [mod_nss-no_shutdown_if_not_init_2.patch]
+- Bugzilla Bug #1022303 - File descriptor leak after "service httpd reload"
+ or httpd doesn't reload (rrelyea)
+- [mod_nss-proxyvariables.patch]
+- Bugzilla Bug #1022309 - mod_nss insists on Required value NSSCipherSuite
+ not set. (mharmsen)
+- [mod_nss-tlsv1_1.patch]
+- Bugzilla Bug #1022310 - current nss support TLS 1.1 so mod_nss should pick
+ it up (mharmsen)
+- [mod_nss-sslmultiproxy_2.patch]
+- Fixes Bugzilla Bug #1021458 - [RFE] Support ability to share mod_proxy with
+ other SSL providers (jorton, mharmsen, nkinder, & rcritten)
+
+* Tue Jul 30 2013 Joe Orton - 1.0.8-23
+- add dependency on httpd-mmn
+
+* Wed Jul 3 2013 Matthew Harmsen - 1.0.8-22
+- Moved 'nss_pcache' from %%sbindir to %%libexecdir
+ (provided compatibility link)
+
+* Tue Jul 2 2013 Matthew Harmsen - 1.0.8-21.1
+- Add the following explanation to the 'Dangling symlinks' textbox in rpmdiff:
+ Symlink 'etc/httpd/alias/libnssckbi.so' is deliberate.
+ This test does not belong in rpmdiff. This test belongs in TPS.
+ Since the symlink points to a file in another package, e.g. a
+ dependency or a system file, rpmdiff cannot detect this. Remember,
+ rpmdiff does not install or even know about package dependencies.
+ That's TPS's job.
+- Add the following explanation to the 'Brewtap results' textbox in rpmdiff:
+ The '/etc/httpd/conf.d/nss.conf' file does not require a man page
+ because its parameters are sufficiently documented within the
+ configuration file itself.
+ The '/etc/httpd/conf.modules.d/10-nss.conf' file does not require
+ a man page because the file merely contains the line
+ 'LoadModule nss_module modules/libmodnss.so' to support httpd
+ loading of Dynamic Shared Objects ('/etc/httpd/conf/httpd.conf').
+
+* Tue Jun 25 2013 Matthew Harmsen - 1.0.8-21
+- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff
+ testing
+- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache
+- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss
+- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec
+- Bugzilla Bug #948601 - Man page scan results for mod_nss
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1.0.8-20.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jul 20 2012 Fedora Release Engineering - 1.0.8-19.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 18 2012 Joe Orton - 1.0.8-18.1
+- fix build for RHEL7
+
+* Fri Jun 15 2012 Rob Crittenden - 1.0.8-18
+- Actually apply the patch to use memmove in place of memcpy since the
+ buffers can overlap (#669118)
+
+* Tue Jun 12 2012 Nathan Kinder - 1.0.8-17
+- Port mod_nss to work with httpd 2.4
+
+* Mon Apr 23 2012 Joe Orton - 1.0.8-16
+- packaging fixes/updates (#803072)
+
+* Fri Jan 13 2012 Fedora Release Engineering - 1.0.8-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Mar 7 2011 Rob Crittenden - 1.0.8-14
+- Add Requires(post) for nss-tools, gencert needs it (#652007)
+
+* Wed Mar 2 2011 Rob Crittenden - 1.0.8-13
+- Lock around the pipe to nss_pcache for retrieving the token PIN
+ (#677701)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1.0.8-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Rob Crittenden - 1.0.8-11
+- Use memmove in place of memcpy since the buffers can overlap (#669118)
+
+* Wed Sep 29 2010 jkeating - 1.0.8-10
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Rob Crittenden - 1.0.8-9
+- Revert mod_nss-wouldblock patch
+- Reset NSPR error before calling PR_Read(). This should fix looping
+ in #620856
+
+* Fri Sep 17 2010 Rob Crittenden - 1.0.8-8
+- Fix hang when handling large POST under some conditions (#620856)
+
+* Tue Jun 22 2010 Rob Crittenden - 1.0.8-7
+- Remove file Requires on libnssckbi.so (#601939)
+
+* Fri May 14 2010 Rob Crittenden - 1.0.8-6
+- Ignore SIGHUP in nss_pcache (#591889).
+
+* Thu May 13 2010 Rob Crittenden - 1.0.8-5
+- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
+
+* Thu Mar 18 2010 Rob Crittenden - 1.0.8-4
+- Patch to add configuration options for new NSS negotiation API (#574187)
+- Add (pre) for Requires on httpd so we can be sure the user and group are
+ already available
+- Add file Requires on libnssckbi.so so symlink can't fail
+- Use _sysconfdir macro instead of /etc
+- Set minimum level of NSS to 3.12.6
+
+* Mon Jan 25 2010 Rob Crittenden - 1.0.8-3
+- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
+
+* Sat Jul 25 2009 Fedora Release Engineering - 1.0.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Mar 2 2009 Rob Crittenden - 1.0.8-1
+- Update to 1.0.8
+- Add patch that fixes NSPR layer bug
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1.0.7-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Aug 11 2008 Tom "spot" Callaway - 1.0.7-10
+- fix license tag
+
+* Mon Jul 28 2008 Rob Crittenden - 1.0.7-9
+- rebuild to bump NVR
+
+* Mon Jul 14 2008 Rob Crittenden - 1.0.7-8
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden - 1.0.7-7
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
+* Wed Jul 2 2008 Rob Crittenden - 1.0.7-6
+- Update the patch for FIPS to include fixes for nss_pcache, enforce
+ the security policy and properly initialize the FIPS token.
+
+* Mon Jun 30 2008 Rob Crittenden - 1.0.7-5
+- Include patch to fix NSSFIPS (446851)
+
+* Mon Apr 28 2008 Rob Crittenden - 1.0.7-4
+- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
+ and not before. This is in response to a change in the NSS softtokn code
+ and should have always been done this way. (444348)
+- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
+- The NSS database needs to be readable by apache since we need to use it
+ after the root priviledges are dropped.
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.0.7-3
+- Autorebuild for GCC 4.3
+
+* Thu Oct 18 2007 Rob Crittenden 1.0.7-2
+- Register functions needed by mod_proxy if mod_ssl is not loaded.
+
+* Fri Jun 1 2007 Rob Crittenden 1.0.7-1
+- Update to 1.0.7
+- Remove Requires for nss and nspr since those are handled automatically
+ by versioned libraries
+- Updated URL and Source to reference directory.fedoraproject.org
+
+* Mon Apr 9 2007 Rob Crittenden 1.0.6-2
+- Patch to properly detect the Apache model and set up NSS appropriately
+- Patch to punt if a bad password is encountered
+- Patch to fix crash when password.conf is malformatted
+- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7)
+
+* Mon Oct 23 2006 Rob Crittenden 1.0.6-1
+- Update to 1.0.6
+
+* Fri Aug 04 2006 Rob Crittenden 1.0.3-4
+- Include LogLevel warn in nss.conf and use separate log files
+
+* Fri Aug 04 2006 Rob Crittenden 1.0.3-3
+- Need to initialize ECC certificate and key variables
+
+* Fri Aug 04 2006 Jarod Wilson 1.0.3-2
+- Use %%ghost for db files and install.log
+
+* Tue Jun 20 2006 Rob Crittenden 1.0.3-1
+- Initial build
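Review bot: `%patch3 -p1 -b .wouldblock` in `%prep` still applies mod_nss-wouldblock.patch although the 1.0.8-9 changelog entry says 'Revert mod_nss-wouldblock patch'; if the patch was deliberately reinstated, a comment above `Patch3:` saying so (and pointing at #620856) would stop the next maintainer from dropping it as stale. In `%post`, the comment `# Make sure that the database ownership is setup properly.` understates what follows: the Patch2 comment says the generated NSS database is password-less, and the `find ... -exec /bin/chgrp apache` / `chmod g+r` lines together with the `%ghost %attr(0640,root,apache)` entries make key3.db readable to everything running in the apache group, so the server's private key is protected by those file permissions alone — worth stating in that comment. The two `find` commands also match every root-owned `*.db` in the alias directory, not only the three files this package ghosts; if that is intended, say so, otherwise name the files explicitly.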