diff options
author | Christian Heimes <cheimes@redhat.com> | 2016-02-08 15:52:25 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2016-02-29 16:09:17 -0500 |
commit | 9205812071bcd7bcf098efd80b82ec2bc1a62da4 (patch) | |
tree | 8cbbaa655156965d11da77585052d7762a69a1f8 | |
parent | 09eff5ae973290ff333928487e13974aa7ad0764 (diff) | |
download | mod_nss-9205812071bcd7bcf098efd80b82ec2bc1a62da4.tar.gz mod_nss-9205812071bcd7bcf098efd80b82ec2bc1a62da4.tar.xz mod_nss-9205812071bcd7bcf098efd80b82ec2bc1a62da4.zip |
Add server support for DHE ciphers
Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>
Heavily modified by Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/mod_nss/ticket/15
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | docs/mod_nss.html | 40 | ||||
-rw-r--r-- | mod_nss.h | 3 | ||||
-rw-r--r-- | nss_engine_cipher.c | 20 | ||||
-rw-r--r-- | nss_engine_cipher.h | 2 | ||||
-rw-r--r-- | nss_engine_init.c | 15 |
6 files changed, 87 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac index ceb3f1d..17d1103 100644 --- a/configure.ac +++ b/configure.ac @@ -259,6 +259,15 @@ else echo "ENABLE_SHA384=0" >> test/variable.py fi +CPPFLAGS="$CPPFLAGS $nspr_inc" +AX_CHECK_DEFINE(nss3/ssl.h, SSL_ENABLE_SERVER_DHE, server_dhe=yes, server_dhe=no) +if test "$server_dhe" = yes; then + extra_cppflags="$extra_cppflags -DENABLE_SERVER_DHE" + echo "ENABLE_SERVER_DHE=1" >> test/variable.py +else + echo "ENABLE_SERVER_DHE=0" >> test/variable.py +fi + # Substitute values AC_SUBST(APXS) AC_SUBST(apr_inc) diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 37588e8..c84f938 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -522,7 +522,7 @@ If it contains neither then mod_nss first tries to apply OpenSSL ciphers then NS <br> All ciphers are disabled by default. <br> <br> -Available ciphers are:<br> +Available RSA ciphers are:<br> <br> <table style="width: 70%; text-align: left;" cellpadding="2" cellspacing="2" border="1"> <tbody> @@ -675,6 +675,43 @@ Available ciphers are:<br> </tbody> </table> +<br>The available server-side DHE ciphers are:<br> +<br> +<table style="width: 70%; text-align: left;" border="1" cellpadding="2" cellspacing="2"> +<tbody><tr><td style="vertical-align: top; font-weight: bold;">Cipher Name<br> + </td><td style="vertical-align: top; font-weight: bold;">NSS Cipher definition<br> + </td><td style="vertical-align: top; font-weight: bold;">Protocol<br> + </td></tr><tr><td style="vertical-align: top;">dhe_rsa_des_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_DES_CBC_SHA<br> +</td><td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br> + </td></tr><tr><td style="vertical-align: top;">dhe_rsa_3des_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_128_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_256_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_camellia_128_sha<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_camellia_256_sha<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_128_sha256<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256<br> + </td><td style="vertical-align: top;">TLSv1.2</td></tr><tr> + <td valign="top">dhe_rsa_aes_256_sha256<br> + </td> + <td valign="top">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br> + </td> + <td valign="top">TLSv1.2</td> + </tr> + <tr> + <td valign="top">dhe_rsa_aes_128_gcm_sha_256<br> + </td> + <td valign="top">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256<br> + </td> + <td valign="top">TLSv1.2</td> + </tr> +</tbody> +</table> <br> Additionally there are a number of ECC ciphers:<br> <br> @@ -979,6 +1016,7 @@ The default is off.<br> <span style="font-weight: bold;">Example</span><br> <br> <big><big>NSSSessionTickets on<br> +</big></big> <br> <big><big>NSSUserName<br> </big></big><br> @@ -419,6 +419,9 @@ const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char * const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *nss_cmd_NSSSessionTickets(cmd_parms *cmd, void *dcfg, int flag); +#ifdef ENABLE_SERVER_DHE +const char *nss_cmd_NSSServerDHE(cmd_parms *cmd, void *dcfg, int flag); +#endif const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *); const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg); diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c index b0b51e4..ffa537e 100644 --- a/nss_engine_cipher.c +++ b/nss_engine_cipher.c @@ -32,6 +32,9 @@ cipher_properties ciphers_def[] = /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA not implemented 0x0008 */ {"rsa_des_sha", TLS_RSA_WITH_DES_CBC_SHA, "DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56}, {"rsa_3des_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA, "DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 168, 168}, +#ifdef ENABLE_SERVER_DHE + {"dhe_rsa_des_sha", TLS_DHE_RSA_WITH_DES_CBC_SHA, "EDH-RSA-DES-CBC-SHA", SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56}, +#endif {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, "AES128-SHA", SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, "AES256-SHA", SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, {"null_sha_256", TLS_RSA_WITH_NULL_SHA256, "NULL-SHA256", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLSV1_2, SSL_STRONG_NONE, 0, 0}, @@ -49,6 +52,21 @@ cipher_properties ciphers_def[] = #endif {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 112, 168}, {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56}, +#ifdef ENABLE_SERVER_DHE + {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168}, + {"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128}, + {"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, + {"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128}, + {"dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "DHE-RSA-CAMELLIA256-SHA", SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256}, + {"dhe_rsa_aes_128_sha256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "DHE-RSA-AES128-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128}, + {"dhe_rsa_aes_256_sha256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "DHE-RSA-AES256-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLSV1_2, SSL_HIGH, 256, 256}, +#ifdef ENABLE_GCM + {"dhe_rsa_aes_128_gcm_sha_256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "DHE-RSA-AES128-GCM-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128}, +#endif +#ifdef ENABLE_SHA384 + {"dhe_rsa_aes_256_gcm_sha_384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "DHE-RSA-AES256-GCM-SHA384", SSL_kEDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256}, +#endif +#endif /* ENABLE_SERVER_DHE */ #ifdef NSS_ENABLE_ECC {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0}, {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128}, @@ -289,7 +307,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis } else if (!strcmp(cipher, "aRSA")) { mask |= SSL_aRSA; } else if (!strcmp(cipher, "EDH")) { - mask |= SSL_EDH; + mask |= SSL_kEDH; #if 0 } else if (!strcmp(cipher, "ADH")) { mask |= SSL_ADH; diff --git a/nss_engine_cipher.h b/nss_engine_cipher.h index 80aac0e..f76099f 100644 --- a/nss_engine_cipher.h +++ b/nss_engine_cipher.h @@ -53,6 +53,8 @@ typedef struct #define SSL_ECDH (SSL_kECDHe|SSL_kECDHr|SSL_kEECDH) #define SSL_EECDH (SSL_kEECDH) #define SSL_ADH (SSL_kEDH) +#define SSL_kDHE 0x00040000L +#define SSL_DHE (SSL_kDHE) /* cipher strength */ #define SSL_STRONG_NONE 0x00000001L diff --git a/nss_engine_init.c b/nss_engine_init.c index 4460f53..44b5b88 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -829,6 +829,17 @@ static void nss_init_ctx_protocol(server_rec *s, nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } +#ifdef ENABLE_SERVER_DHE + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Enabling DHE key exchange"); + if (SSL_OptionSet(mctx->model, SSL_ENABLE_SERVER_DHE, + PR_TRUE) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to enable DHE key exchange"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } +#endif } static void nss_init_ctx_session_cache(server_rec *s, @@ -1043,6 +1054,10 @@ static void nss_init_ctx_cipher_suite(server_rec *s, /* Finally actually enable the selected ciphers */ for (i=0; i<ciphernum;i++) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%sable cipher: %s", + cipher_state[i] == 1 ? "En" : "Dis", + ciphers_def[i].name); SSL_CipherPrefSet(mctx->model, ciphers_def[i].num, cipher_state[i] == 1 ? PR_TRUE : PR_FALSE); } } |