author | Rob Crittenden <rcritten@redhat.com> | 2013-10-11 17:51:23 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2014-02-21 14:20:19 -0500 |
commit | 25e23d6aa024c875bbbaefc8f11d2780e09036b2 (patch) | |
tree | a2f12aa564969ee2152c750321e03b5a5743ea99 /docs | |
parent | 399685fc1bfaeb6bcb0e5879872338981c7453b7 (diff) | |
Add support for TLS v1.1, protocol ranges.
Set protocol version ranges:
(1) Set the minimum protocol accepted
(2) Set the maximum protocol accepted
(3) Protocol ranges extend from maximum down to minimum protocol
(4) All protocol ranges are completely inclusive; no protocol in the middle of a range may be excluded
(5) NSS automatically negotiates the use of the strongest protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol

For example, if SSL 3.0 is chosen as the minimum protocol, and TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and cannot be excluded from this range. NSS will automatically negotiate to utilize the strongest acceptable protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
BZ 816394
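The range behaviour the commit message describes, as an added Python model that is not mod_nss code: it turns an NSSProtocol value into the inclusive (minimum, maximum) range NSS is configured with, expands that range, and picks the strongest protocol a client also offers. The function names, the treatment of `All` and the rejection of unknown keywords are assumptions; the protocol names, the default range and the legacy `TLSv1` alias come from the patch.

```python
# Added model of mod_nss NSSProtocol range semantics (not project code).
# Function names and the handling of "All"/unknown keywords are assumptions.

ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1"]   # weakest -> strongest, per the docs
ALIASES = {"TLSv1": "TLSv1.0"}            # legacy keyword, replaced by TLSv1.0


def parse_nss_protocol(value=None):
    """Return the inclusive (minimum, maximum) range for an NSSProtocol value.

    value is the comma-separated directive value, or None when the directive
    is absent, in which case the default range SSLv3 .. TLSv1.1 applies.
    """
    if value is None:
        return ORDER[0], ORDER[-1]
    names = [ALIASES.get(t.strip(), t.strip())
             for t in value.split(",") if t.strip()]
    if "All" in names:                     # assumed: All means the full range
        return ORDER[0], ORDER[-1]
    unknown = [n for n in names if n not in ORDER]
    if unknown:
        raise ValueError("unknown protocol(s): " + ", ".join(unknown))
    idx = sorted(ORDER.index(n) for n in names)
    # Only the endpoints matter: NSS is given a min and a max, nothing else.
    return ORDER[idx[0]], ORDER[idx[-1]]


def enabled_protocols(value=None):
    """Every protocol between min and max is enabled; none can be excluded."""
    lo, hi = parse_nss_protocol(value)
    return ORDER[ORDER.index(lo):ORDER.index(hi) + 1]


def negotiate(value, client_supported):
    """Strongest protocol in the server range that the client also supports,
    walking down from the maximum; None means no common protocol."""
    for proto in reversed(enabled_protocols(value)):
        if proto in client_supported:
            return proto
    return None


if __name__ == "__main__":
    # Listing only the endpoints still enables TLSv1.0 in the middle.
    print(enabled_protocols("SSLv3,TLSv1.1"))
    # SSLv3 disappears only when the minimum itself is raised.
    print(enabled_protocols("TLSv1.0,TLSv1.1"))
    print(negotiate("SSLv3,TLSv1.1", {"SSLv3", "TLSv1.0"}))
```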
Diffstat (limited to 'docs')
-rw-r--r-- | docs/mod_nss.html | 113 |
1 files changed, 66 insertions, 47 deletions
diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 2bd4bd6..7e18672 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -466,7 +466,7 @@ Example</span><br style="font-weight: bold;"> <br> Enables or disables FIPS 140 mode. This replaces the standard internal PKCS#11 module with a FIPS-enabled one. It also forces the -enabled protocols to TLSv1 and disables all ciphers but the +enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the FIPS ones. You may still select which ciphers you would like limited to those that are FIPS-certified. Any non-FIPS that are included in the NSSCipherSuite entry are automatically disabled. @@ -570,7 +570,7 @@ definition<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1<br> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br> </td> </tr> <tr> 
@@ -578,106 +578,106 @@ definition<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_null_md5<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_null_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc2_40_md5</td> <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_128_md5</td> <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_128_sha</td> <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_40_md5</td> <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">fortezza<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td 
style="vertical-align: top;">fortezza_rc4_128_sha<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">fortezza_null<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">fips_des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">fips_3des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_des_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSL3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_128_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_256_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1</td> + <td 
style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> </tr> </tbody> </table> 
@@ -698,127 +698,127 @@ Definition<br> <tr> <td>ecdh_ecdsa_null_sha</td> <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_ecdsa_rc4_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_ecdsa_3des_sha</td> <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_ecdsa_aes_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_ecdsa_aes_256_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_ecdsa_null_sha</td> <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_ecdsa_rc4_128_sha</td> <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_ecdsa_3des_sha</td> <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_ecdsa_aes_128_sha</td> <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_ecdsa_aes_256_sha</td> <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_rsa_null_sha</td> <td>TLS_ECDH_RSA_WITH_NULL_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_rsa_128_sha</td> <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_rsa_3des_sha</td> <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_rsa_aes_128_sha</td> <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_rsa_aes_256_sha</td> <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>echde_rsa_null</td> 
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_rsa_rc4_128_sha</td> <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_rsa_3des_sha</td> <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_rsa_aes_128_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdhe_rsa_aes_256_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_anon_null_sha</td> <td>TLS_ECDH_anon_WITH_NULL_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_anon_rc4_128sha</td> <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_anon_3des_sha</td> <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_anon_aes_128_sha</td> <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> <tr> <td>ecdh_anon_aes_256_sha</td> <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td> - <td>TLSv1</td> + <td>TLSv1.0/TLSv1.1</td> </tr> </tbody> </table> 
@@ -839,16 +839,35 @@ specifically but allows ciphers for that protocol to be used at all.<br> Options are:<br> <ul> <li><code>SSLv3</code></li> - <li><code>TLSv1</code></li> + <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li> + <li><code>TLSv1.0</code></li> + <li><code>TLSv1.1</code></li> <li><code>All</code></li> </ul> Note that this differs from mod_ssl in that you can't add or subtract protocols.<br> +<br> +If no NSSProtocol is specified, mod_nss will default to allowing the use of +the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the +minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol +allowed. +<br> +If values for NSSProtocol are specified, mod_nss will set both the minimum +and the maximum allowed protocols based upon these entries allowing for the +inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1 +are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes +protocol ranges to accept all protocols inclusively +(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols +in the middle of a range (e. g. - TLS 1.0).<br> +<br> +Finally, NSS will always automatically negotiate the use of the strongest +possible protocol that has been specified which is acceptable to both sides of +a given connection.<br> <a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br> <br> <span style="font-weight: bold;">Example</span><br> <br> -<code>NSSProtocol SSLv3,TLSv1</code><br> +<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1</code><br> <br> <big><big>NSSNickname<br> </big></big><br> @@ -1101,7 +1120,7 @@ was compiled against.<br> <tr> <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br> </code></td> - <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br> + <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br> </td> </tr> <tr> 
@@ -1443,7 +1462,7 @@ Opera, and Safari) support SSL 3 and TLS so there is no need for a web server to support SSL 2. There are some known attacks against SSL 2 that are handled by -SSL 3/TLS. SSL2 also doesn't support useful features like client +SSL 3/TLS. SSLv2 also doesn't support useful features like client authentication. <br> <h1><a name="FAQ"></a>Frequently Asked Questions</h1> |
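Review bot: in the FIPS paragraph (hunk @@ -466), "TLSv1.1 and TLS v1.0" mixes two spellings of the protocol names and lists them high to low, while the rest of this patch writes "TLSv1.0" and "TLSv1.1" in ascending order; suggest "forces the enabled protocols to TLSv1.0 and TLSv1.1" so the FIPS text matches the NSSProtocol option list and the cipher tables.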
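Review bot: while every row of the ECDH table (hunk @@ -698) is being touched, the context line `<td>echde_rsa_null</td>` looks misspelled beside the neighbouring ecdhe_rsa_* entries and lacks the _sha suffix the others carry; if the directive keyword in the parser really is spelled that way, leave the docs matching the code, otherwise correct it in this same change.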
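Review bot: in the NSSProtocol option list (hunk @@ -839) the new item `<li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>` puts the explanatory note inside the `<code>` element, so it renders as if "(legacy only; replaced by TLSv1.0)" were part of the accepted value; suggest `<li><code>TLSv1</code> (legacy only; replaced by <code>TLSv1.0</code>)</li>`. The added range paragraph also writes "e. g. - TLS 1.0" where "e.g. TLS 1.0" is standard. Since that paragraph explains both that the default range starts at SSLv3 and that nothing in the middle of a range can be excluded, one sentence stating the consequence an administrator most needs, that SSLv3 can only be disabled by raising the minimum (`NSSProtocol TLSv1.0,TLSv1.1`), would make the new semantics easier to apply correctly.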
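Review bot: hunk @@ -1443 changes "SSL2" to "SSLv2" in one sentence, but the unchanged context lines of the same paragraph still read "support SSL 3 and TLS", "support SSL 2" and "SSL 3/TLS", so the paragraph now mixes both spellings; either normalise the whole paragraph to SSLv2/SSLv3 or leave this line as it was.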