mod_nss.git, branch master Unnamed repository; edit this file 'description' to name the repository. Add Vitezslav Cizek and Christian Heimes to AUTHORS 2016-03-01T16:47:38+00:00 Rob Crittenden rcritten@redhat.com 2016-03-01T16:47:38+00:00 35647512beb7b2436b4dc765941145aa8b2ced3c 






Update ChangeLog: DHE ciphers, gencert, FIPS, permission, ciphers
2016-03-01T16:42:27+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-29T22:41:39+00:00

a06c95d3b9bbefd6a4bf6c6561d6e32891f791f4

* Check for Apache user owner/group read permissions of NSS database
* Update default ciphers to something more modern and secure
* Fix test for DH cipher directive
* Check for test and netstat before trying to use them
* Don't ignore NSSProtocol when NSSFIPS is enabled
  Based on patch by Matthew Harmsen <mharmsen@redhat.com>
* Use proper shell syntax to avoid creating /0
* tests: Centralize the openssl ciphers flags when comparing
* Basic test case for DHE cipher negotiation
* Remove -DH from test strings, duplicate test, fix test
* Add server support for DHE ciphers.





* Check for Apache user owner/group read permissions of NSS database
* Update default ciphers to something more modern and secure
* Fix test for DH cipher directive
* Check for test and netstat before trying to use them
* Don't ignore NSSProtocol when NSSFIPS is enabled
  Based on patch by Matthew Harmsen <mharmsen@redhat.com>
* Use proper shell syntax to avoid creating /0
* tests: Centralize the openssl ciphers flags when comparing
* Basic test case for DHE cipher negotiation
* Remove -DH from test strings, duplicate test, fix test
* Add server support for DHE ciphers.







Update default cipher set to include stronger ciphers
2016-03-01T16:42:27+00:00

Rob Crittenden
rcritten@redhat.com

2016-03-01T16:33:25+00:00

baa0d0257d14725790bda2b727b722f8829ade23

Insecure or less secure algorithms such as RC4, DES and 3DES are
removed. Perfect forward secrecy suites with ephemeral ECDH key
exchange have been added. IE 8 on Windows XP is no longer
supported.

https://fedorahosted.org/mod_nss/ticket/5





Insecure or less secure algorithms such as RC4, DES and 3DES are
removed. Perfect forward secrecy suites with ephemeral ECDH key
exchange have been added. IE 8 on Windows XP is no longer
supported.

https://fedorahosted.org/mod_nss/ticket/5







Check filesystem permissions on NSS database at startup
2016-03-01T16:42:27+00:00

Rob Crittenden
rcritten@redhat.com

2016-03-01T03:33:23+00:00

105d65bfedfa0e381dcebd197ef67aab799fc8b1

See if the configured user has read access to the NSS database
during initialization so the server can gracefully shutdown
rather than ending up in a forking loop because the database is
owned by root and is therefore unreadable once Apache starts
forking.

Adds a new configuration option, NSSSkipPermissionCheck <on/off>,
to skip this check in case something goes wrong.

https://fedorahosted.org/mod_nss/ticket/3





See if the configured user has read access to the NSS database
during initialization so the server can gracefully shutdown
rather than ending up in a forking loop because the database is
owned by root and is therefore unreadable once Apache starts
forking.

Adds a new configuration option, NSSSkipPermissionCheck <on/off>,
to skip this check in case something goes wrong.

https://fedorahosted.org/mod_nss/ticket/3







Change argumement order in make check so sqlite tests run
2016-03-01T16:42:27+00:00

Rob Crittenden
rcritten@redhat.com

2016-03-01T00:05:08+00:00

8e8befca612a8f70b9d47de5393c134aecf81494

Change 184804c82daf7fe04dfb0b0ecdc3e06be0c103c1 modified the
way arguments are handled in test/setup.sh such that sql: was
being dropped so tests were not being executed against sqlite
databases.





Change 184804c82daf7fe04dfb0b0ecdc3e06be0c103c1 modified the
way arguments are handled in test/setup.sh such that sql: was
being dropped so tests were not being executed against sqlite
databases.







Check for test and netstat before trying to use them
2016-02-29T21:45:09+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-29T21:43:14+00:00

ce5a624ca88bcccf1591265d26bc28d27e822da1

These may not be available on all systems. Work around it best
we can. In the case of netstat this can be replaced by using
/dev/urandom or /dev/random instead and piping it through tr
to produce only ASCII strings.





These may not be available on all systems. Work around it best
we can. In the case of netstat this can be replaced by using
/dev/urandom or /dev/random instead and piping it through tr
to produce only ASCII strings.







Don't ignore NSSProtocol when NSSFIPS is enabled
2016-02-29T21:44:53+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-29T18:56:20+00:00

ef90eb1b1e5b68aa53164813bd4a70697dcbef17

The value was always being set to TLS 1.0, 1.1 and 1.2, ignoring
the configuration value.

I suspect this is because this code dated to when only SSL2, 3 and
TLS 1.0 were supported so it only enabled TLS v1.0. When 1.1 and
1.2 were added it seemed natural to automatically enable those
as well. Natural but incorrect.

Based on patch by Matthew Harmsen <mharmsen@redhat.com>

RHBZ #1312052





The value was always being set to TLS 1.0, 1.1 and 1.2, ignoring
the configuration value.

I suspect this is because this code dated to when only SSL2, 3 and
TLS 1.0 were supported so it only enabled TLS v1.0. When 1.1 and
1.2 were added it seemed natural to automatically enable those
as well. Natural but incorrect.

Based on patch by Matthew Harmsen <mharmsen@redhat.com>

RHBZ #1312052







Use proper shell syntax to avoid creating /0
2016-02-29T21:09:17+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-24T14:18:25+00:00

31a5ff02f6ff251629d597d43ee88fadb135ff8b

I used if [ $x > 0 ]; ... which is obviously wrong :-(

https://bugzilla.redhat.com/show_bug.cgi?id=1311392





I used if [ $x > 0 ]; ... which is obviously wrong :-(

https://bugzilla.redhat.com/show_bug.cgi?id=1311392







Fix test for DH cipher directive
2016-02-29T21:09:17+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-29T19:45:44+00:00

ae8c616ade2199ca26bd39374707d44a04be7db3

Since we don't support ADH ciphers can just ignore DH-*

Note that OpenSSL defines the DH- ciphers but does not implement
them so the DH string support is there only for compatibility.





Since we don't support ADH ciphers can just ignore DH-*

Note that OpenSSL defines the DH- ciphers but does not implement
them so the DH string support is there only for compatibility.







tests: Centralize the openssl ciphers flags when comparing
2016-02-29T21:09:17+00:00

Rob Crittenden
rcritten@redhat.com

2016-02-15T19:10:58+00:00

5b93aa509881c307050de41e88000c33e13080be

I used to have a separate set of options when comparing the
NSS and OpenSSL ciphers. These differed between tests, sometimes
being just a difference in order. This just made the tests
hard to understand.





I used to have a separate set of options when comparing the
NSS and OpenSSL ciphers. These differed between tests, sometimes
being just a difference in order. This just made the tests
hard to understand.