Commit message | Author | Age | Files | Lines
...
* Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache. | Matthew Harmsen | 2013-07-02 | 2 | -17/+124
* Fix static array overrun when generating arg list for nss_pcache | Rob Crittenden | 2011-10-26 | 1 | -1/+1
  From Coverity: mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array "child_argv", with 5 elements, at position 5 with index variable "5".
  https://bugzilla.redhat.com/show_bug.cgi?id=714154
* No need to shut things down if NSS isn't initialized. | Rob Crittenden | 2011-06-14 | 1 | -0/+4
  Patch contributed by Ulf Weltman
  BZ 618466
* Always copy in client certificate and fix FakeBasicAuth | Rob Crittenden | 2011-06-14 | 2 | -9/+10
  When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof.
  BZ 702437
* Add a semaphore lock around retrieving token PINs from the nss_pcache | rcritten | 2011-03-02 | 6 | -7/+98
  pipe. Rarely requests to the pipe were getting overridden causing that child to not enable SSL.
  Fedora bug 677701
* Add man page for gencert | rcritten | 2011-02-03 | 3 | -7/+112
* * Don't use memcpy as it may operate on overlapping memory (#669118) | rcritten | 2011-01-12 | 1 | -0/+4
  Patch ported from mod_ssl by Stephen Gallagher <sgallagh@redhat.com>
* Bug 669118 | rcritten | 2011-01-12 | 1 | -2/+2
  memcpy of overlapping memory is no longer allowed by glibc.
  This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
  Patch ported by Stephen Gallagher.
* Revert PR_WOULD_BLOCK change and reset the NSPR error value before calling | rcritten | 2010-09-24 | 1 | -2/+2
  PR_Read(). In testing with TPS from dogtag this really seems to fix #620856 this time.
* Bring up to date. | rcritten | 2010-09-22 | 1 | -1/+26
* Only call PK11_ListCerts once and pass it when configuring each | rcritten | 2010-09-22 | 2 | -27/+34
  virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
  Change enforce so that we only check the validity of the certificate if enforcecerts is enabled (the default).
  Patch contributed by Wolter Eldering <wolter.eldering@vanad.com.cn>
  bug 635324
* Fix endless read loop in some situations when handling POST data (#620856) | rcritten | 2010-09-17 | 1 | -1/+2
  This was discovered in the dogtag TPS subsystem. I haven't been able to duplicate it outside of that but it is trivial inside. This seems to fix it and brings the code closer to what mod_ssl does here as well.
* 2010-05-14 Rob Crittenden <rcritten@redhat.com> | rcritten | 2010-05-14 | 1 | -0/+9
  * Ignore SIGHUP in nss_pcache (#591889). Contributed by Joshua Roys <roysjosh@gmail.com>
  2010-05-13 Rob Crittenden <rcritten@redhat.com>
  * Compare CN value of remote host with requested host in reverse proxy.
  * Add configuration option to disable this, defaulting to on. (#591224)
  * Based on patch from Joshua Roys <roysjosh@gmail.com>
* Ignore SIGHUP in nss_pcache (#591889). | rcritten | 2010-05-14 | 1 | -0/+3
  Contributed by Joshua Roys <roysjosh@gmail.com>
* Compare CN value of remote host with requested host in reverse proxy. | rcritten | 2010-05-13 | 5 | -50/+50
  Add configuration option to disable this, defaulting to on.
  591224
* Update list of error messages | rcritten | 2010-03-22 | 1 | -2/+14
* Add TLS renegotiation options to the configuration file | rcritten | 2010-03-18 | 1 | -0/+11
* Add controls for managing SSL renegotiation | rcritten | 2010-03-02 | 4 | -0/+62
  NSS is introducing some new controls in response to CVE-2009-3555, MITM attacks via session renegotiation. This patch adds some tuning so these options can be set at run time.
  Patch contributed by Kai Engert based on some early work by Rob Crittenden.
* Fix another place we should set PR_WOULD_BLOCK_ERROR during a read. | rcritten | 2009-11-11 | 1 | -0/+1
* Return -1 on a read failure and set the appropriate NSPR error message. | rcritten | 2009-02-19 | 1 | -1/+2
  This bug has lingered for so long since mod_nss wasn't able to be used with mod_proxy until now. What one would see with this bug is sometimes a page would work, sometimes not (just the headers would be retrieved). The problem was we were returning 0 which means EOF and was interpreted by upper levels to mean the transfer was done rather than no data being available.
  484380
* Fix bug in disabling mod_ssl when installing mod_nss with 'make install' | rcritten | 2008-08-26 | 2 | -2/+2
* Bring up-to-date to mod_nss 1.0.8 | rcritten | 2008-07-21 | 1 | -0/+33
* Restore moduleKill function so that NSS remains initialized during the | rcritten | 2008-07-16 | 1 | -3/+11
  entire configuration state. Other modules were relying on mod_nss leaving NSS initialized.
  453508
* Don't inherit the MP cache when running in threaded mode | rcritten | 2008-07-14 | 1 | -4/+35
  Don't initialize the database if the SSL is disabled in the configuration
  454701
* Don't allow blank passwords if FIPS is enabled. This is not allowed | rcritten | 2008-07-02 | 1 | -1/+6
  by the NSS FIPS 140-2 security policy.
* Fix parsing error where a token with no password would end up with a | rcritten | 2008-07-02 | 1 | -2/+5
  trailing tab in its value causing NSS to not find it.
  If there is no password stored for a token return a 1-byte response so that the read on the other end won't time out.
* No need to link with softokn3 | rcritten | 2008-05-16 | 2 | -2/+2
  446101
* Make FIPS mode work. This fixes 2 problems: | rcritten | 2008-05-16 | 2 | -2/+10
  1. In nss_init_SSLLibrary() the server config wasn't being set properly for each virtual server so FIPS wasn't getting turned on.
  2. There seems to be a problem in NSS_Shutdown() that makes subsequent logins appear to succeed but they actually are skipped causing keys and certs to not be available.
  Also switch an error message to a warning related to FIPS ciphers.
* NSS has been modified to not allow a fork after an NSS_Init() in the soft | rcritten | 2008-05-09 | 2 | -164/+230
  token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec. This moves the initialization code into the child process init function.
  444348
* Resolves BZ 248722 | rcritten | 2008-01-03 | 1 | -2/+7
  See if the certificate has a version before trying to decode it into a CGI variable.
* If mod_ssl isn't loaded then register the hooks to mod_proxy so we can | rcritten | 2007-10-18 | 3 | -0/+39
  do at least secure proxy in front of an unsecure host.
* The error message was wrong if NSSPassPhraseHelper pointed to a | rcritten | 2007-06-07 | 1 | -0/+7
  non-existent file.
  Don't require a password file AND NSSPassPhraseHelper. Only the helper is required.
* Only NSSPassPhraseHelper needs to be required. | rcritten | 2007-06-07 | 1 | -3/+2
* The wrong variable was being used to report that NSSPassPhraseHelper | rcritten | 2007-06-07 | 1 | -2/+2
  wasn't found.
* Populate the changelog. | rcritten | 2007-06-01 | 1 | -0/+80
* Resolves: 241936 | rcritten | 2007-05-31 | 7 | -117/+91
  Bring in some updates based on diffs from 2.0.59 to 2.2.4
  - Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled. Don't depend on the fact that TRUE == 1
  - Remove some dead code
  - Minor update to the buffer code that buffers POST data during a renegotiation
  - Optimize setting environment variables by using a switch statement.
* 229660 | rcritten | 2007-02-22 | 1 | -0/+5
  Log a warning on a malformed password file entry instead of dropping core.
* 226747 | rcritten | 2007-02-01 | 1 | -1/+1
  Fix typo in cipher echde_rsa_null (transposed h and d).
* 222173 | rcritten | 2007-01-10 | 2 | -5/+14
  Stop processing tokens when a login fails so we can correctly report the failure.
  Fix an off-by-one error in nss_pcache that prevented 1 character passwords (not a huge problem but a bug nonetheless).
* 213081 | rcritten | 2006-10-30 | 1 | -3/+3
  The way I was using to detect the model being used was incorrect. Now use the # of threads available. Guaranteed to be 0 for prefork and > 0 for worker (threaded)
* 212426 | rcritten | 2006-10-26 | 1 | -14/+17
  Don't fire up the NSS engine if SSL isn't enabled.
* 211612 | rcritten | 2006-10-20 | 5 | -3/+116
  Add support for setting a default OCSP responder.
* 211139 | rcritten | 2006-10-17 | 2 | -8/+22
  Only call NSS_Shutdown when we've initialized the database.
  Also update the NSS log messages to those added in NSS 3.11.3.
* 208848 | rcritten | 2006-10-02 | 1 | -1/+1
  If the password stored in a file pointed to by NSSPassPhraseDialog didn't match the database password then Apache would core on Solaris (because passwd was NULL). The error message is still a bit lackluster but at least it doesn't core anymore.
* Add information about ECC including required versions of NSPR and NSS | rcritten | 2006-09-05 | 1 | -6/+222
  and the available ciphers.
  Clarify starting up Apache without requiring user intervention.
  Fix a few bad links to NSPR.
* 204138 | rcritten | 2006-08-25 | 3 | -4/+33
  Add new NSSPassPhraseDialog method, defer, where only the tokens that are found in the file pointed to by this directive are initialized. Otherwise every token that NSS finds it attempts to authenticate.
  Syntax is: NSSPassPhraseDialog defer:/path/to/password.conf
* Initialize the NSS cache before NSS_Init is called. A race condition | rcritten | 2006-08-24 | 1 | -8/+8
  was being triggered during the first module unload when calling NSS_Shutdown because the cache wasn't finished setting itself up in MP mode.
* Merge in http://svn.apache.org/viewvc?view=rev&revision=354394 | rcritten | 2006-08-09 | 1 | -2/+5
  * nss_engine_kernel.c (nss_hook_Access): Omit further access control checks if SSL is not in use regardless of vhost settings.
* Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965 | rcritten | 2006-08-09 | 3 | -64/+206
  Implement a (bounded) buffer of request body data to provide a limited but safe fix for the mod_nss renegotiation-vs-requests-with-bodies bug:
  * mod_nss.h (nss_io_buffer_fill): Add prototype.
  * nss_engine_io.c (nss_io_buffer_fill, nss_io_filter_buffer): New functions.
  * nss_engine_kernel.c (nss_hook_Access): If a renegotiation is needed, and the request has a non-zero content-length, or a t-e header (and 100-continue was not requested), call nss_io_buffer_fill to set aside the request body data if possible, then proceed with the negotiation.
  PR: 12355
* Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700 | rcritten | 2006-08-09 | 2 | -0/+29
  * nss_engine_vars.c (nss_var_lookup_ssl_cert_remain): New function. (nss_var_lookup_nss_cert): Support _V_REMAIN suffix for SSL_{SERVER,CLIENT} as number of days until certificate expires.
  * nss_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if +StdEnvVars is configured.