Commit log (each entry: commit message; author, date, files changed, lines -removed/+added)
* Add support for TLS Session Tickets (RFC 5077)
  Rob Crittenden, 2015-06-11, 5 files changed, -0/+34
  New server/vhost config option, NSSSessionTickets, to enable or disable TLS Session Tickets support. This is off by default in NSS.
* Add RenegBufferSize option
  Rob Crittenden, 2015-06-10, 6 files changed, -7/+67
  Control the buffer size used on a POST when SSL renegotiation is being done. The default is 128K.
  Resolves BZ 1214366
* Fix test failure due to line number change in test_cipher.py
  Rob Crittenden, 2015-02-27, 1 file changed, -1/+1
  I'm not going to commit a million of these 1-liners but I think the code is stable enough that it won't be a big deal. If it happens again I'll see about adding a fuzzer to assert_equal() to avoid line number differences.
* Change way test_cipher is built to avoid parallel build problems
  Rob Crittenden, 2015-02-27, 1 file changed, -2/+1
  I originally just had nss_engine_cipher as an extra ld option but this didn't enforce that nss_engine_cipher was already built by the time test_cipher was. I instead added nss_engine_cipher to the SOURCES line and dropped the extra linkage.
  Build failure seen on aarch64 in BZ 1196222
* Become 1.0.11
  Rob Crittenden, 2014-12-02, 1 file changed, -1/+1
* Address compiler warning
  Rob Crittenden, 2014-12-02, 1 file changed, -2/+2
* Add compatibility for mod_ssl-style cipher definitions
  Rob Crittenden, 2014-12-02, 15 files changed, -267/+946
  - Add Camellia ciphers
  - Remove Fortezza ciphers
  - Add TLSv1.2-specific ciphers
  Resolves BZ: #862938
* Initialize cipher list when re-negotiating handshake.
  Rob Crittenden, 2014-11-21, 2 files changed, -0/+27
  If an NSSCipherSuite is defined in a location or directory then we re-do the SSL handshake. The cipher list wasn't being initialized to PR_FALSE so chances are good that all ciphers would be enabled, not just the ones in the local NSSCipherSuite setting.
  Resolves BZ 1165408
* Completely remove support for SSLv2
  Rob Crittenden, 2014-11-12, 6 files changed, -116/+22
* Add support for sqlite NSS databases
  Rob Crittenden, 2014-10-28, 10 files changed, -24/+57
  We do a chdir() to the NSS database location so that libnssckbi.so is available when the database is opened.
  Strip off a sql: prefix if one is available. This allows the new sqlite format to work.
  Add an additional test pass configuring NSS using the sqlite format. This requires a bit of a hack to pass in the value to python but it will work for now.
  Resolves: #1057650
* Add stokos@suse.de to AUTHORS and Changelog
  Rob Crittenden, 2014-10-28, 2 files changed, -0/+4
* Compare subject CN and VS hostname during server start up
  standa, 2014-10-22, 1 file changed, -5/+13
* gencert is not executable in the tree so call bash directly
  Rob Crittenden, 2014-10-22, 1 file changed, -1/+1
* Become 1.0.10
  Rob Crittenden, 2014-10-17, 2 files changed, -1/+6
* Add a new VirtualHost for testing TLS v1.2
  Rob Crittenden, 2014-10-17, 9 files changed, -18/+210
  Protocol is a per-server or Virtual Host setting so I added a new VH to do TLSv1.2 testing. It isn't as configurable as I'd like because the port is hardcoded but it'll do for now.
* Don't enable SSL 3 by default
  Rob Crittenden, 2014-10-16, 3 files changed, -5/+5
  This is in response to the POODLE CVE, CVE-2014-3566: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
* Add support for enabling TLS v1.2
  Rob Crittenden, 2014-10-16, 5 files changed, -71/+86
  If support is available in NSS then it is just a matter of including TLS 1.2 in the protocol range.
* Correct the gencert man page, the NSS database has a password
  Rob Crittenden, 2014-07-02, 1 file changed, -1/+1
* Become 1.0.9
  Rob Crittenden, 2014-02-26, 1 file changed, -1/+5
  Add a DIST target to make it easier to tar things up. Rename the make target test to check.
* Add some basic functional tests.
  Rob Crittenden, 2014-02-26, 11 files changed, -5/+1804
  This tests in an in-tree Apache instance using the local libmodnss.so shared library, so no pre-installation is necessary.
  The tests use python-nose and a hacked python-requests library. It is hacked so I can obtain the negotiated cipher and protocol as well as pass a few other things into it.
  Tests right now are limited to GET requests.
  A new user certificate for 'beta' was added to gencert to do pass/fail access control testing.
  The basic process of the tests is:
  - run setup.sh which sets up a new instance with createinstance.sh and does some variable substitution.
  - nosetests -v
  I picture multiple test "suites" of different configurations. Right now there is only one. A template file is provided for each suite.
  Tested only on Fedora 20 right now.
* Finally added a .gitignore
  Rob Crittenden, 2014-02-24, 1 file changed, -0/+31
* Remove an unused variable
  Rob Crittenden, 2014-02-21, 1 file changed, -3/+0
* Apache 2.4 compatibility changes
  Rob Crittenden, 2014-02-21, 8 files changed, -13/+13
* Rename configure.in to configure.ac
  Rob Crittenden, 2014-02-21, 1 file changed, -0/+0
* Remove a bunch of auto-generated files
  Rob Crittenden, 2014-02-21, 12 files changed, -39974/+258
  We don't need to include these in the source. The user should run autoreconf -i -f before building.
* Update Changelog and AUTHORS
  Rob Crittenden, 2014-02-21, 2 files changed, -0/+48
* Fix incorrect handling of NSSVerifyClient in directory context
  Rob Crittenden, 2014-02-21, 1 file changed, -1/+1
  CVE-2013-4566
  Resolves #1037722
* Fix argument handling in nss_pcache
  Rob Crittenden, 2014-02-21, 1 file changed, -2/+2
* Move nss_pcache to /usr/libexec
  Rob Crittenden, 2014-02-21, 2 files changed, -2/+3
* Work with mod_proxy when mod_ssl is also loaded.
  Rob Crittenden, 2014-02-21, 3 files changed, -27/+52
  There is a single set of hooks in mod_proxy so if mod_ssl was even loaded, even if not being used, it would grab those hooks and mod_nss would not work.
  Resolves #1021469
* Document sample mod_nss use cases, including FIPS.
  Rob Crittenden, 2014-02-21, 1 file changed, -2/+297
  Matthew Harmsen <mharmsen@redhat.com>
  Resolves #1036940
* Install nss_pcache.8 man page
  Rob Crittenden, 2014-02-21, 1 file changed, -0/+1
* Clarify the error messages to distinguish between server and proxy
  Rob Crittenden, 2014-02-21, 1 file changed, -4/+38
  Help clarify the error messages which didn't previously distinguish between the following three variables: NSSProtocol versus NSSProxyProtocol, NSSCipherSuite versus NSSProxyCipherSuite, and NSSNickname versus NSSProxyNickname.
  Ported from BZ 769906
* Fix usage string in nss_pcache to include semid
  Rob Crittenden, 2014-02-21, 1 file changed, -1/+1
* Documentation formatting fixes
  Tomas Hoger, 2014-02-21, 1 file changed, -104/+100
  - correct a few cases of <code> used on text that should use normal font
  - strip some redundant html tags
  - use <pre> for larger command output blocks
  - correct a few typos
* Add support for TLS v1.1, protocol ranges.
  Rob Crittenden, 2014-02-21, 5 files changed, -90/+259
  Set protocol version ranges:
  (1) Set the minimum protocol accepted
  (2) Set the maximum protocol accepted
  (3) Protocol ranges extend from maximum down to minimum protocol
  (4) All protocol ranges are completely inclusive; no protocol in the middle of a range may be excluded
  (5) NSS automatically negotiates the use of the strongest protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol
  For example, if SSL 3.0 is chosen as the minimum protocol, and TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and cannot be excluded from this range. NSS will automatically negotiate to utilize the strongest acceptable protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
  BZ 816394
* Only clear the SSL Session Cache when shutting the server down.
  Rob Crittenden, 2013-10-11, 1 file changed, -3/+3
  This was causing an FD leak.
  BZ 784548
* Moved 'nss_pcache' and provided compatibility link.
  Matthew Harmsen, 2013-07-03, 1 file changed, -1/+9
* Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache.
  Matthew Harmsen, 2013-07-02, 2 files changed, -17/+124
* Fix static array overrun when generating arg list for nss_pcache
  Rob Crittenden, 2011-10-26, 1 file changed, -1/+1
  From Coverity: mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array "child_argv", with 5 elements, at position 5 with index variable "5".
  https://bugzilla.redhat.com/show_bug.cgi?id=714154
* No need to shut things down if NSS isn't initialized.
  Rob Crittenden, 2011-06-14, 1 file changed, -0/+4
  Patch contributed by Ulf Weltman
  BZ 618466
* Always copy in client certificate and fix FakeBasicAuth
  Rob Crittenden, 2011-06-14, 2 files changed, -9/+10
  When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof.
  BZ 702437
* Add a semaphore lock around retrieving token PINs from the nss_pcache pipe.
  rcritten, 2011-03-02, 6 files changed, -7/+98
  Rarely, requests to the pipe were getting overridden, causing that child to not enable SSL.
  Fedora bug 677701
* Add man page for gencert
  rcritten, 2011-02-03, 3 files changed, -7/+112
* Don't use memcpy as it may operate on overlapping memory (#669118)
  rcritten, 2011-01-12, 1 file changed, -0/+4
  Patch ported from mod_ssl by Stephen Gallagher <sgallagh@redhat.com>
* Bug 669118
  rcritten, 2011-01-12, 1 file changed, -2/+2
  memcpy of overlapping memory is no longer allowed by glibc. This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
  Patch ported by Stephen Gallagher.
* Revert PR_WOULD_BLOCK change and reset the NSPR error value before calling PR_Read().
  rcritten, 2010-09-24, 1 file changed, -2/+2
  In testing with TPS from dogtag this really seems to fix #620856 this time.
* Bring up to date.
  rcritten, 2010-09-22, 1 file changed, -1/+26
* Only call PK11_ListCerts once and pass it when configuring each virtual server.
  rcritten, 2010-09-22, 2 files changed, -27/+34
  This saves considerable time when there are a lot of certificates and/or virtual servers.
  Change enforce so that we only check the validity of the certificate if enforcecerts is enabled (the default).
  Patch contributed by Wolter Eldering <wolter.eldering@vanad.com.cn>
  bug 635324
* Fix endless read loop in some situations when handling POST data (#620856)
  rcritten, 2010-09-17, 1 file changed, -1/+2
  This was discovered in the dogtag TPS subsystem. I haven't been able to duplicate it outside of that but it is trivial inside. This seems to fix it and brings the code closer to what mod_ssl does here as well.