| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6066 section 3 says "It is NOT RECOMMENDED to
send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level
alerts is unpredictable."
To maintain compatibility with mod_ssl, we will not send
any alert (neither warning- nor fatal-level),
i.e. we take the second action suggested in RFC.
"If the server understood the ClientHello extension
but does not recognize the server name, the server
SHOULD take one of two actions: either abort the handshake by
sending a fatal-level unrecognized_name(112) alert or
continue the handshake."
This is based on mod_ssl commit r1684462
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Issues reported from valgrind.
The invalid read came from using SNI hostInfo data directly. Just
use the copy we apr_strndup() instead and all is well.
The SNI hostInfo values were leaking. I had removed the calls
to SECITEM_FreweItem at some point and forgotten to re-add them.
mc->semid was not explicitly initialized so could have blown up
if the compiler didn't automatically set it to 0. Explicitly set
it to make warning go away (and to be safe).
|
|
|
|
|
| |
Use the %p option to generate separate logs for each process
with valgrind.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a note to the table to indicate that the handhake is complete
so we don't set the extension every time data is read or written.
Drop NSSHandshakeCallback() as it didn't do anything and is replaced
by the proxy callback.
Extend the checks around calling SetURL to match those in mod_ssl:
- a hostname is available
- not SSLv3
- not an IP address
|
| |
|
|
|
|
|
| |
Apache doesn't like running as root and this ends up hanging
the build process.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
I need to generate config.h because Apache ships its own
autotools-generated config.h which redefines a lot of
variables like PACKAGE_NAME, PACKAGE_TARBALL, etc.
By having my own configh I can reset things before the compiler
complains. The downside is that compile-time options are hidden
in a config file instead of being defined on the gcc
command-line.
|
|
|
|
|
|
|
| |
Most of these are unused variable. There is one adding an extra
set of parens.
The bug is using the wrong index variable, i instead of j.
|
| |
|
|
|
|
| |
Contributed by Stanislav Tokos
|
| |
|
|
|
|
| |
make check was failing in Fedora rawhide
|
| |
|
|
|
|
| |
Check the permissions to see if the key file is readable.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python for OpenSSL is in quite a sad state with several competing
mid-level implementations which provide different feature sets.
The httplib client provides access to the negotiated cipher and
protocol but not SNI (and it has lousy hostname checking).
The urllib3 client provides SNI and is generally better but doesn't
give any details on the connection.
So I'm using both. The original one is used for basic server testing
and the urllib3 one is used just for SNI testing.
Also:
- Indent the test configuration to make it more readable
- Add separate config file for SNI testing
- Add a CGI configuration and script to test CGI variables
- Change client cipher test to use AES256-SHA instead of RC4
- Add a commented-out valgrind option in start for future
debuggers
- Change the VirtualServers to *:port and use ServerName
- Add per-VH document roots so SNI can be more easily tested
|
|
|
|
|
|
|
|
| |
Uses a hash table to pair up server names and nicknames and
a lookup is done during the handshake to determine which
nickname to be used, and therefore which VirtualHost.
Based heavily on patch from Stanislav Tokos <stokos@suse.de>
|
| |
|
|
|
|
|
|
|
| |
I don't want to assume these ciphers are available in
every distro so I'm bending over backwards a bit to
check for availablility and get the defines right
for the python cipher tests.
|
|
|
|
|
| |
When retrieving the negotiated cipher the string was being leaked
and the wrong free was being used for subject and issuer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based heavily on patch submitted by Stanislav Tokos <stokos@suse.de>
==30687== Invalid read of size 1
==30687== at 0x4C2D902: memmove (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0x9D0A844: nss_var_lookup_nss_cert_PEM (string3.h:58)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
==30687== by 0x1602DD: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x160585: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x1610AC: ap_mpm_run (in /usr/sbin/httpd2-prefork)
==30687== Address 0xf8cbc11 is 0 bytes after a block of size 1,745
alloc'd
==30687== at 0x4C29F09: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0xAD0573F: PORT_Alloc_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE179: NSSBase64_EncodeItem_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE1DA: BTOA_DataToAscii_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0x9D0A7EC: nss_var_lookup_nss_cert_PEM
(nss_engine_vars.c:569)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
|
|
|
|
| |
Also add test for AESGCM
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
A cipher value could be -1, 0 or 1 meaning completely disabled,
disabled and enabled. A -1 passed to SSL_CipherPrefSet() could
cause a cipher to actually be enabled. Now pass PR_TRUE if
the cipher is enabled otherwise pass PR_FALSE.
Fix CVE-2015-5244
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
BZ #1066236
|
|
|
|
|
|
|
| |
* Add RenegBufferSize option (#1214366)
* Add support for TLS Session Tickets (RFC 5077)
* Fix logical AND support in OpenSSL cipher compatibility
(CVE-2015-3276)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The + operator didn't perform properly at all. It is supposed
to be used either for logical AND to combine two cipher suites
or to move ciphers to the end of the list. Given that NSS
doesn't support cipher ordering + is a no-op in this case.
Also add in a slew of missing aliases: kRSA, aRSA, EDH,
ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128,
AES256, CAMELLIA, CAMELLIA128, CAMELLIA256.
Fix the definition of TLSv1.2.
Define some ciphers as unimplemented in NSS.
Renumber the mask/protocol/strength values to ensure uniqueness.
Replace the existing cipher test to one that compares the output
of the NSS-generated cipher string with the openssl generated
string. There are a lot of restrictions on the openssl string
since so much isn't either implemented or needed for mod_nss.
Add a new openssl-compatible cipher request test to the server
tests.
|
|
|
|
|
|
| |
New server/vhost config option, NSSSessionTickets, to enable
or disable TLS Session Tickets support. This is off by default
in NSS.
|
|
|
|
|
|
|
| |
Control the buffer size used on a POST when SSL renegotiation is
being done. The default is 128K.
Resolves BZ 1214366
|
|
|
|
|
|
|
| |
I'm not going to commit a million of these 1-liners but I think
the code is stable enough that it won't be a big deal. If it
happens again I'll see about adding a fuzzer to assert_equal()
to avoid line number differences.
|
|
|
|
|
|
|
|
|
| |
I originally just had nss_engine_cipher as an extra ld option
but this didn't enforce that nss_engine_cipher was already built
by the time test_cipher was. I instead added nss_engine_cipher
to the SOURCES line and dropped the extra linkage.
Build failure seen on aarch64 in BZ 1196222
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- Add Camelia ciphers
- Remove Fortezza ciphers
- Add TLSv1.2-specific ciphers
Resolves BZ: #862938
|