Commit message (Collapse) | Author | Age | Files | Lines
* Don't send alert on SNI lookup failure to accommodate older clients | Rob Crittenden | 2016-01-15 | 1 | -5/+19
| RFC 6066 section 3 says "It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable."
|
| To maintain compatibility with mod_ssl, we will not send any alert (neither warning- nor fatal-level), i.e. we take the second action suggested in RFC.
|
| "If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake."
|
| This is based on mod_ssl commit r1684462
* Add cipher test for ECDH+aRSA | Rob Crittenden | 2016-01-15 | 1 | -0/+3
|
* Document some python dependencies needed by make check | Rob Crittenden | 2016-01-15 | 1 | -0/+5
|
* Quote gcm and sha384 config values when comparing them | Rob Crittenden | 2015-11-18 | 1 | -2/+2
|
* Become 1.0.12 | Rob Crittenden | 2015-10-02 | 2 | -1/+2
|
* Fix memory leaks, uninit var, invalid read | Rob Crittenden | 2015-10-02 | 3 | -4/+14
| Issues reported from valgrind.
|
| The invalid read came from using SNI hostInfo data directly. Just use the copy we apr_strndup() instead and all is well.
|
| The SNI hostInfo values were leaking. I had removed the calls to SECITEM_FreeItem at some point and forgotten to re-add them.
|
| mc->semid was not explicitly initialized so could have blown up if the compiler didn't automatically set it to 0. Explicitly set it to make warning go away (and to be safe).
* Fix typo in valgrind in start script, create separate logs | Rob Crittenden | 2015-10-02 | 1 | -1/+1
| Use the %p option to generate separate logs for each process with valgrind.
* Update changelog with reverse proxy SNI and whitespace cleanup | Rob Crittenden | 2015-10-02 | 1 | -0/+6
|
* Cleanup to remove a slew of trailing whitespace | Rob Crittenden | 2015-10-02 | 15 | -147/+147
|
* Add a test for reverse proxy SNI | Rob Crittenden | 2015-10-02 | 5 | -3/+31
|
* Rework SNI client reverse proxy | Rob Crittenden | 2015-10-02 | 3 | -17/+43
| Add a note to the table to indicate that the handshake is complete so we don't set the extension every time data is read or written.
|
| Drop NSSHandshakeCallback() as it didn't do anything and is replaced by the proxy callback.
|
| Extend the checks around calling SetURL to match those in mod_ssl:
| - a hostname is available
| - not SSLv3
| - not an IP address
* Send SNI extension mod_nss acts as a reverse proxy | standa | 2015-10-02 | 1 | -0/+39
|
* Don't run live webserver tests as the root user | Rob Crittenden | 2015-10-02 | 1 | -1/+5
| Apache doesn't like running as root and this ends up hanging the build process.
* Update README with SNI information and other useful bits | Rob Crittenden | 2015-10-02 | 1 | -0/+14
|
* Update ChangeLog, fix frees, build Apache 2.2, autoconf | Rob Crittenden | 2015-10-02 | 1 | -0/+10
|
* Modernize autotools configuration slightly, add config.h | Rob Crittenden | 2015-10-02 | 3 | -6/+17
| I need to generate config.h because Apache ships its own autotools-generated config.h which redefines a lot of variables like PACKAGE_NAME, PACKAGE_TARBALL, etc. By having my own config.h I can reset things before the compiler complains.
|
| The downside is that compile-time options are hidden in a config file instead of being defined on the gcc command-line.
* Fix some compiler warnings (and one real bug) | Rob Crittenden | 2015-10-02 | 2 | -6/+5
| Most of these are unused variables. There is one adding an extra set of parens.
|
| The bug is using the wrong index variable, i instead of j.
* Fix compatibility with RHEL 6.x (Apache 2.2.x and NSS 3.15.1) | Rob Crittenden | 2015-10-02 | 12 | -8/+97
|
* Replace PR_Free with PORT_Free | standa | 2015-10-02 | 1 | -3/+3
| Contributed by Stanislav Tokos
* Initialize session_tickets as FALSE instead of UNSET | Fedora Cloud User | 2015-10-02 | 1 | -1/+1
|
* Add -DH as another exclusion in the SSLv3 cipher test | Rob Crittenden | 2015-10-02 | 1 | -1/+1
| make check was failing in Fedora rawhide
* Update changelog with SNI, SECURE_RENEG, hints | Rob Crittenden | 2015-10-02 | 1 | -0/+5
|
* Add some hints when NSS database cannot be initialized | Rob Crittenden | 2015-10-02 | 1 | -7/+35
| Check the permissions to see if the key file is readable.
* Add the SECURE_RENEG environment variable | Rob Crittenden | 2015-10-02 | 2 | -0/+8
|
* Enable the core dump directory | Rob Crittenden | 2015-10-02 | 1 | -0/+2
|
* Always enable the glibc memory checking routines | Rob Crittenden | 2015-10-02 | 1 | -1/+3
|
* Add test suite for SNI | Rob Crittenden | 2015-10-02 | 12 | -130/+510
| python for OpenSSL is in quite a sad state with several competing mid-level implementations which provide different feature sets.
|
| The httplib client provides access to the negotiated cipher and protocol but not SNI (and it has lousy hostname checking).
|
| The urllib3 client provides SNI and is generally better but doesn't give any details on the connection.
|
| So I'm using both. The original one is used for basic server testing and the urllib3 one is used just for SNI testing.
|
| Also:
| - Indent the test configuration to make it more readable
| - Add separate config file for SNI testing
| - Add a CGI configuration and script to test CGI variables
| - Change client cipher test to use AES256-SHA instead of RC4
| - Add a commented-out valgrind option in start for future debuggers
| - Change the VirtualServers to *:port and use ServerName
| - Add per-VH document roots so SNI can be more easily tested
* Add support for Server Name Indication (SNI) | Rob Crittenden | 2015-10-02 | 8 | -13/+383
| Uses a hash table to pair up server names and nicknames and a lookup is done during the handshake to determine which nickname to be used, and therefore which VirtualHost.
|
| Based heavily on patch from Stanislav Tokos <stokos@suse.de>
* Update changelog with memory, SHA384 and OpenSSL ciphers | Rob Crittenden | 2015-10-02 | 1 | -0/+7
|
* NSS added support for some SHA384 ciphers, add them | Rob Crittenden | 2015-10-02 | 6 | -5/+130
| I don't want to assume these ciphers are available in every distro so I'm bending over backwards a bit to check for availability and get the defines right for the python cipher tests.
* Fix cipher memory leak and use PORT_Free instead of PR_Free | Rob Crittenden | 2015-10-02 | 1 | -2/+3
| When retrieving the negotiated cipher the string was being leaked and the wrong free was being used for subject and issuer.
* Fix invalid read when retrieving PEM certificate | Rob Crittenden | 2015-10-02 | 1 | -8/+3
| Based heavily on patch submitted by Stanislav Tokos <stokos@suse.de>
|
| ==30687== Invalid read of size 1
| ==30687==    at 0x4C2D902: memmove (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
| ==30687==    by 0x9D0A844: nss_var_lookup_nss_cert_PEM (string3.h:58)
| ==30687==    by 0x9D0AF58: nss_var_lookup_nss_cert (nss_engine_vars.c:437)
| ==30687==    by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
| ==30687==    by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
| ==30687==    by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x15B2C7: ap_process_request (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x153C52: ap_run_process_connection (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x1602DD: ??? (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x160585: ??? (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x1610AC: ap_mpm_run (in /usr/sbin/httpd2-prefork)
| ==30687==  Address 0xf8cbc11 is 0 bytes after a block of size 1,745 alloc'd
| ==30687==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
| ==30687==    by 0xAD0573F: PORT_Alloc_Util (in /usr/lib64/libnssutil3.so)
| ==30687==    by 0xACFE179: NSSBase64_EncodeItem_Util (in /usr/lib64/libnssutil3.so)
| ==30687==    by 0xACFE1DA: BTOA_DataToAscii_Util (in /usr/lib64/libnssutil3.so)
| ==30687==    by 0x9D0A7EC: nss_var_lookup_nss_cert_PEM (nss_engine_vars.c:569)
| ==30687==    by 0x9D0AF58: nss_var_lookup_nss_cert (nss_engine_vars.c:437)
| ==30687==    by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
| ==30687==    by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
| ==30687==    by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x15B2C7: ap_process_request (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
| ==30687==    by 0x153C52: ap_run_process_connection (in /usr/sbin/httpd2-prefork)
* Implement EECDH, kECDH, AECDH, ECDSA and aECDSA cipher macros | Rob Crittenden | 2015-10-02 | 2 | -0/+46
| Also add test for AESGCM
* The OpenSSL DEFAULT cipher macro shouldn't enable NULL ciphers | Rob Crittenden | 2015-10-02 | 2 | -0/+21
|
* Update ChangeLog with doc, compiler warning and cipher fixes | Rob Crittenden | 2015-10-02 | 1 | -0/+7
|
* Correctly handle disabled ciphers | Rob Crittenden | 2015-10-02 | 1 | -1/+1
| A cipher value could be -1, 0 or 1 meaning completely disabled, disabled and enabled. A -1 passed to SSL_CipherPrefSet() could cause a cipher to actually be enabled. Now pass PR_TRUE if the cipher is enabled otherwise pass PR_FALSE.
|
| Fix CVE-2015-5244
* Add cast to suppress compiler warning | Rob Crittenden | 2015-08-27 | 1 | -1/+1
|
* Use %ld instead of %d for potentially long integer values | Rob Crittenden | 2015-08-27 | 1 | -1/+1
|
* Switch set_cipher_value() to void since there is no return value | Rob Crittenden | 2015-08-27 | 1 | -4/+2
|
* Fix usage of sizeof() within strncat to not overflow buffer | Rob Crittenden | 2015-08-27 | 1 | -4/+4
|
* Add 'v' to references of protocols (e.g. SSLv3) | Matthew Harmsen | 2015-07-29 | 1 | -7/+8
| BZ #1066236
* Update ChangeLog with some recent updates | Rob Crittenden | 2015-07-27 | 1 | -0/+8
| * Add RenegBufferSize option (#1214366)
| * Add support for TLS Session Tickets (RFC 5077)
| * Fix logical AND support in OpenSSL cipher compatibility (CVE-2015-3276)
* Fix logical AND support in OpenSSL cipher compatibility | Rob Crittenden | 2015-07-22 | 7 | -155/+401
| The + operator didn't perform properly at all. It is supposed to be used either for logical AND to combine two cipher suites or to move ciphers to the end of the list. Given that NSS doesn't support cipher ordering + is a no-op in this case.
|
| Also add in a slew of missing aliases: kRSA, aRSA, EDH, ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128, AES256, CAMELLIA, CAMELLIA128, CAMELLIA256.
|
| Fix the definition of TLSv1.2.
|
| Define some ciphers as unimplemented in NSS.
|
| Renumber the mask/protocol/strength values to ensure uniqueness.
|
| Replace the existing cipher test to one that compares the output of the NSS-generated cipher string with the openssl generated string. There are a lot of restrictions on the openssl string since so much isn't either implemented or needed for mod_nss.
|
| Add a new openssl-compatible cipher request test to the server tests.
* Add support for TLS Session Tickets (RFC 5077) | Rob Crittenden | 2015-06-11 | 5 | -0/+34
| New server/vhost config option, NSSSessionTickets, to enable or disable TLS Session Tickets support. This is off by default in NSS.
* Add RenegBufferSize option | Rob Crittenden | 2015-06-10 | 6 | -7/+67
| Control the buffer size used on a POST when SSL renegotiation is being done. The default is 128K.
|
| Resolves BZ 1214366
* Fix test failure due to line number change in test_cipher.py | Rob Crittenden | 2015-02-27 | 1 | -1/+1
| I'm not going to commit a million of these 1-liners but I think the code is stable enough that it won't be a big deal. If it happens again I'll see about adding a fuzzer to assert_equal() to avoid line number differences.
* Change way test_cipher is built to avoid parallel build problems | Rob Crittenden | 2015-02-27 | 1 | -2/+1
| I originally just had nss_engine_cipher as an extra ld option but this didn't enforce that nss_engine_cipher was already built by the time test_cipher was. I instead added nss_engine_cipher to the SOURCES line and dropped the extra linkage.
|
| Build failure seen on aarch64 in BZ 1196222
* Become 1.0.11 | Rob Crittenden | 2014-12-02 | 1 | -1/+1
|
* Address compiler warning | Rob Crittenden | 2014-12-02 | 1 | -2/+2
|
* Add compatibility for mod_ssl-style cipher definitions | Rob Crittenden | 2014-12-02 | 15 | -267/+946
| - Add Camellia ciphers
| - Remove Fortezza ciphers
| - Add TLSv1.2-specific ciphers
|
| Resolves BZ: #862938