authorRob Crittenden <rcritten@redhat.com>2014-11-06 16:44:20 -0500
committerRob Crittenden <rcritten@redhat.com>2014-11-12 11:35:06 -0500
commitf8b6ab7dab90e92537de3cddc01d915d31bb87fc (patch)
treee36414fa4a54c121e2ffdcadc7783f1472549255
parentb5d1505fc81a33aa10d013efd247d00f631fc681 (diff)
Completely remove support for SSLv2
-rw-r--r--ChangeLog3
-rw-r--r--configure.ac12
-rw-r--r--docs/mod_nss.html61
-rw-r--r--mod_nss.h5
-rw-r--r--nss_engine_config.c8
-rw-r--r--nss_engine_init.c49
6 files changed, 22 insertions, 116 deletions
diff --git a/ChangeLog b/ChangeLog
index 07db014..d2413ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2014-11-06 Rob Crittenden <rcritten@redhat.com>
+ * Completely remove support for SSLv2
+
2014-10-28 Rob Crittenden <rcritten@redhat.com>
* Add support for sqlite NSS databases (#1057650)
diff --git a/configure.ac b/configure.ac
index 351e7cd..de184da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,18 +22,6 @@ AC_PROG_YACC
AC_PROG_LEX
AC_DECL_YYTEXT
-AC_MSG_CHECKING(for SSL2)
-AC_ARG_ENABLE(ssl2,
- [ --enable-ssl2 enable SSLv2 (default=no)],
- ssl2=$enableval, ssl2=no)
-if test $ssl2 = yes; then
- AC_MSG_RESULT(yes)
- extra_cppflags="$extra_cppflags -DWANT_SSL2"
-else
- AC_MSG_RESULT(no)
-fi
-#AM_CONDITIONAL(SSL2, test x$ssl2 = xyes)
-
AC_MSG_CHECKING(for ECC)
AC_ARG_ENABLE(ecc,
[ --enable-ecc enable Elliptical Curve Cyptography (default=no)],
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index dea9db9..93499e5 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -145,12 +145,6 @@ tells us where the APR include files and libraries are located<br>
</td>
</tr>
<tr>
- <td style="vertical-align: top;">--enable-ssl2<br>
- </td>
- <td style="vertical-align: top;">SSLv2 is disabled by default.<br>
- </td>
- </tr>
- <tr>
<td style="vertical-align: top;">--enable-ecc<br>
</td>
<td style="vertical-align: top;">Enable Elliptical Curve
@@ -404,16 +398,7 @@ The default value is 10000.<br>
<br>
<big><big>NSSSessionCacheTimeout</big></big><br>
<br>
-Specifies the number of seconds SSL 2 sessions are cached.<br>
-<br>
-The valid range is 5 - 100 seconds. A setting outside the valid range
-is silently constrained.<br>
-<br>
-The default value is 100.<br>
-<br>
-<span style="font-weight: bold;">Example</span><br>
-<br>
-<code>NSSSessionCacheTimeout 100</code><br>
+Deprecated.<br>
<br>
<big><big>NSSSession3CacheTimeout<br>
</big></big><br>
@@ -528,48 +513,6 @@ Available ciphers are:<br>
</td>
</tr>
<tr>
- <td style="vertical-align: top;">des<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_DES_64_CBC_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
- <td style="vertical-align: top;">desede3<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_DES_192_EDE3_CBC_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
- <td style="vertical-align: top;">rc2<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_RC2_128_CBC_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
- <td style="vertical-align: top;">rc2export<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
- <td style="vertical-align: top;">rc4<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_RC4_128_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
- <td style="vertical-align: top;">rc4export<br>
- </td>
- <td style="vertical-align: top;">SSL_EN_RC4_128_EXPORT40_WITH_MD5<br>
- </td>
- <td style="vertical-align: top;">SSLv2</td>
- </tr>
- <tr>
<td style="vertical-align: top;">rsa_3des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
@@ -1121,7 +1064,7 @@ was compiled against.<br>
<tr>
<td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
</code></td>
- <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2<br>
+ <td style="vertical-align: top;">SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2<br>
</td>
</tr>
<tr>
diff --git a/mod_nss.h b/mod_nss.h
index 8c57577..cea31fd 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -270,7 +270,6 @@ typedef struct {
int as_server;
- int ssl2;
int ssl3;
int tls;
int tlsrollback;
@@ -364,9 +363,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in nss_engine_init.c */
#ifdef NSS_ENABLE_ECC
-#define ciphernum 48
+#define ciphernum 42
#else
-#define ciphernum 23
+#define ciphernum 17
#endif
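Review bot: ciphernum (L161 and L164) stays a hand-maintained count that has to match the initializer list of ciphers_def[ciphernum] in nss_engine_init.c exactly; too many initializers is a compile error, but too few silently leaves zero-filled trailing entries with a NULL name in the table, and nothing here records that invariant. A comment next to the define would make the coupling explicit, e.g. `/* Must equal the number of entries in ciphers_def (nss_engine_init.c); update both together. */`. The hunk header also shows `enum sslversion { SSL2=1, SSL3=2, TLS=4};` directly above this hunk, so the SSL2 enumerator apparently survives the commit while every use of it is deleted; a short comment saying it is retained only to keep the other values stable, or a follow-up removal, would avoid the question.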
/*
diff --git a/nss_engine_config.c b/nss_engine_config.c
index 2f1fb5c..eac7f18 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -73,7 +73,6 @@ static void modnss_ctx_init(modnss_ctx_t *mctx)
mctx->as_server = PR_TRUE;
- mctx->ssl2 = PR_FALSE;
mctx->ssl3 = PR_FALSE;
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
@@ -572,11 +571,10 @@ const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd,
{
SSLModConfigRec *mc = myModConfig(cmd->server);
- mc->session_cache_timeout = atoi(arg);
+ /* Deprecated. Store a value, if any, just to complain
+ about it later. */
- if (mc->session_cache_timeout < 0) {
- return "NSSSessionCacheTimeout: Invalid argument";
- }
+ mc->session_cache_timeout = atoi(arg);
return NULL;
}
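Review bot: With the range check on L183-L185 gone, a directive value such as `-1` is stored verbatim by the atoi() on L186, and if UNSET is the usual negative sentinel of Apache modules (its definition is not on this page) that stored value is indistinguishable from "directive absent", so the deprecation warning emitted in nss_init_Module would be skipped for exactly that input. Since the parsed number is never used afterwards, parsing it at all is unnecessary; storing a fixed marker that is not UNSET is simpler and removes the collision: `mc->session_cache_timeout = 0; /* any value != UNSET; reported and ignored at init */`. The surrounding comment could then read "Deprecated. Record that the directive was given so init can warn about it."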
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 50b623d..4259cfb 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -36,13 +36,6 @@ char* INTERNAL_TOKEN_NAME = "internal ";
cipher_properties ciphers_def[ciphernum] =
{
- /* SSL2 cipher suites */
- {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
- {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
/* SSL3/TLS cipher suites */
{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
@@ -338,8 +331,14 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
/*
* Fix up any global settings that aren't in the configuration
*/
- if (mc->session_cache_timeout == UNSET) {
- mc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
+ if (mc->session_cache_timeout != UNSET) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
+ "NSSSessionCacheTimeout is deprecated. Ignoring.");
+
+ /* We still need to pass in a legal value to
+ * SSL_ConfigMPServerSIDCache() and SSL_ConfigServerSessionIDCache()
+ * /
+ mc->session_cache_timeout = 0; /* use NSS default */
}
if (mc->ssl3_session_cache_timeout == UNSET) {
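Review bot: The block comment opened on L216 is not closed where intended: L218 reads `* /` with a space, which is not a comment terminator, so as rendered here the comment runs on to the `*/` at the end of L219 and swallows `mc->session_cache_timeout = 0;`. A configured (deprecated) value is therefore never reset and is still cast to PRUint32 and passed to SSL_ConfigMPServerSIDCache()/SSL_ConfigServerSessionIDCache() at L229 in the next hunk, while the warning on L214 claims it is ignored. The unset case changed too: the removed branch replaced UNSET with SSL_SESSION_CACHE_TIMEOUT, the new branch leaves UNSET in place, and if UNSET is a negative sentinel the cast at L229 turns it into a very large timeout. Closing the comment properly and assigning 0 unconditionally after the optional warning covers both cases; nss_init_Module continues outside the hunk.
```c
    if (mc->session_cache_timeout != UNSET) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
                     "NSSSessionCacheTimeout is deprecated. Ignoring.");
    }
    /* SSL_ConfigMPServerSIDCache() and SSL_ConfigServerSessionIDCache()
     * still take this argument; 0 selects the NSS default. */
    mc->session_cache_timeout = 0;
    /* … unchanged: ssl3_session_cache_timeout default handling … */
```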
@@ -509,7 +508,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
- "Initializing SSL Session Cache of size %d. SSL2 timeout = %d, SSL3/TLS timeout = %d.", mc->session_cache_size, mc->session_cache_timeout, mc->ssl3_session_cache_timeout);
+ "Initializing SSL Session Cache of size %d. SSL3/TLS timeout = %d.", mc->session_cache_size, mc->ssl3_session_cache_timeout);
ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
if (!threaded)
SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
@@ -621,13 +620,13 @@ static void nss_init_ctx_protocol(server_rec *s,
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
- int ssl2, ssl3, tls, tls1_1, tls1_2;
+ int ssl3, tls, tls1_1, tls1_2;
char *protocol_marker = NULL;
char *lprotocols = NULL;
SECStatus stat;
SSLVersionRange enabledVersions;
- ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
+ ssl3 = tls = tls1_1 = tls1_2 = 0;
/*
* Since this routine will be invoked individually for every thread
@@ -659,11 +658,7 @@ static void nss_init_ctx_protocol(server_rec *s,
ap_str_tolower(lprotocols);
if (strstr(lprotocols, "all") != NULL) {
-#ifdef WANT_SSL2
- ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 1;
-#else
ssl3 = tls = tls1_1 = tls1_2 = 1;
-#endif
} else {
char *protocol_list = NULL;
char *saveptr = NULL;
@@ -674,16 +669,9 @@ static void nss_init_ctx_protocol(server_rec *s,
if (token == NULL) {
break;
} else if (strcmp(token, "sslv2") == 0) {
-#ifdef WANT_SSL2
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Enabling SSL2",
- protocol_marker);
- ssl2 = 1;
-#else
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"%s: SSL2 is not supported",
protocol_marker);
-#endif
} else if (strcmp(token, "sslv3") == 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"%s: Enabling SSL3",
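Review bot: An explicit `sslv2` token in NSSProtocol is now acknowledged only with an APLOG_INFO line (L265) and otherwise dropped; the administrator asked for a protocol the module can no longer provide, and as far as this hunk shows, if it was the only protocol listed none of the ssl3/tls flags initialised on L241 gets set. That deserves a warning-level message rather than an informational one: `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,`. Whether an empty protocol set is rejected later in nss_init_ctx_protocol is outside the hunk.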
@@ -725,11 +713,7 @@ static void nss_init_ctx_protocol(server_rec *s,
stat = SECSuccess;
- if (ssl2 == 1) {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_TRUE);
- } else {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
- }
+ stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
/* Set protocol version ranges:
*
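Review bot: `stat = SECSuccess;` on L273 is now a dead store, because the next statement (L279) unconditionally assigns stat from SSL_OptionSet(); the initialisation only made sense while the assignment was conditional. Removing L273, or folding it into the declaration, keeps the intent clear: `stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);` standing alone. Whether and where stat is checked after this call is outside the hunk.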
@@ -826,7 +810,6 @@ static void nss_init_ctx_protocol(server_rec *s,
nss_die();
}
- mctx->ssl2 = ssl2;
mctx->ssl3 = ssl3;
mctx->tls = tls || tls1_1 || tls1_2;
}
@@ -1042,14 +1025,6 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
}
}
- /* See if any ciphers have been enabled for a given protocol */
- if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
- cipher_suite_marker);
- nss_die();
- }
-
if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"%s: SSL3 is enabled but no SSL3 ciphers are enabled.",