| Commit message (Collapse) | Author | Age | Files | Lines |
Based heavily on patch submitted by Stanislav Tokos <stokos@suse.de>
==30687== Invalid read of size 1
==30687==    at 0x4C2D902: memmove (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687==    by 0x9D0A844: nss_var_lookup_nss_cert_PEM (string3.h:58)
==30687==    by 0x9D0AF58: nss_var_lookup_nss_cert (nss_engine_vars.c:437)
==30687==    by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687==    by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687==    by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687==    by 0x15B2C7: ap_process_request (in /usr/sbin/httpd2-prefork)
==30687==    by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687==    by 0x153C52: ap_run_process_connection (in /usr/sbin/httpd2-prefork)
==30687==    by 0x1602DD: ??? (in /usr/sbin/httpd2-prefork)
==30687==    by 0x160585: ??? (in /usr/sbin/httpd2-prefork)
==30687==    by 0x1610AC: ap_mpm_run (in /usr/sbin/httpd2-prefork)
==30687==  Address 0xf8cbc11 is 0 bytes after a block of size 1,745 alloc'd
==30687==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687==    by 0xAD0573F: PORT_Alloc_Util (in /usr/lib64/libnssutil3.so)
==30687==    by 0xACFE179: NSSBase64_EncodeItem_Util (in /usr/lib64/libnssutil3.so)
==30687==    by 0xACFE1DA: BTOA_DataToAscii_Util (in /usr/lib64/libnssutil3.so)
==30687==    by 0x9D0A7EC: nss_var_lookup_nss_cert_PEM (nss_engine_vars.c:569)
==30687==    by 0x9D0AF58: nss_var_lookup_nss_cert (nss_engine_vars.c:437)
==30687==    by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687==    by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687==    by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687==    by 0x15B2C7: ap_process_request (in /usr/sbin/httpd2-prefork)
==30687==    by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687==    by 0x153C52: ap_run_process_connection (in /usr/sbin/httpd2-prefork)
Also add test for AESGCM
A cipher value could be -1, 0 or 1 meaning completely disabled,
disabled and enabled. A -1 passed to SSL_CipherPrefSet() could
cause a cipher to actually be enabled. Now pass PR_TRUE if
the cipher is enabled otherwise pass PR_FALSE.
Fix CVE-2015-5244
BZ #1066236
* Add RenegBufferSize option (#1214366)
* Add support for TLS Session Tickets (RFC 5077)
* Fix logical AND support in OpenSSL cipher compatibility
(CVE-2015-3276)
The + operator didn't perform properly at all. It is supposed
to be used either for logical AND to combine two cipher suites
or to move ciphers to the end of the list. Given that NSS
doesn't support cipher ordering + is a no-op in this case.
Also add in a slew of missing aliases: kRSA, aRSA, EDH,
ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128,
AES256, CAMELLIA, CAMELLIA128, CAMELLIA256.
Fix the definition of TLSv1.2.
Define some ciphers as unimplemented in NSS.
Renumber the mask/protocol/strength values to ensure uniqueness.
Replace the existing cipher test with one that compares the output
of the NSS-generated cipher string with the openssl generated
string. There are a lot of restrictions on the openssl string
since so much isn't either implemented or needed for mod_nss.
Add a new openssl-compatible cipher request test to the server
tests.
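The two cipher-string commits above (the `+`/alias rework for CVE-2015-3276 and the tri-state to PRBool fix for CVE-2015-5244) describe a small state machine without showing it. The following is an added example, not mod_nss code: it evaluates an OpenSSL-style cipher string against a constructed cipher table, keeps the -1/0/1 (completely disabled / disabled / enabled) state per cipher, and then shows why that state must be reduced to a real boolean before it reaches an SSL_CipherPrefSet()-style call. The cipher names, the property sets in the table and the `ALL` handling are assumptions for the example; NSS is not called.

```python
# Added example, not mod_nss code: evaluate an OpenSSL-style cipher string
# ('!' kills, '-' disables, a bare token enables, 'A+B' is a logical AND,
# a leading '+' is a no-op because NSS has no cipher ordering), keep the
# tri-state per cipher, and convert it to a boolean the right way.

KILLED, DISABLED, ENABLED = -1, 0, 1   # completely disabled, disabled, enabled

# Constructed table for the example: cipher name -> property aliases.
# Not the real mod_nss table; alias names follow the ones in the log above.
CIPHERS = {
    "AES128-SHA":                    {"kRSA", "aRSA", "AES", "AES128", "SHA1", "TLSv1"},
    "AES256-SHA":                    {"kRSA", "aRSA", "AES", "AES256", "SHA1", "TLSv1"},
    "CAMELLIA128-SHA":               {"kRSA", "aRSA", "CAMELLIA", "CAMELLIA128", "SHA1", "TLSv1"},
    "ECDHE-RSA-AES128-GCM-SHA256":   {"kEECDH", "aRSA", "AES", "AES128", "AESGCM", "SHA256", "TLSv1.2"},
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"kEECDH", "aECDSA", "AES", "AES256", "AESGCM", "SHA384", "TLSv1.2"},
    "ADH-AES128-SHA":                {"kEDH", "aNULL", "AES", "AES128", "SHA1", "TLSv1"},
    "NULL-SHA":                      {"kRSA", "aRSA", "eNULL", "SHA1", "SSLv3"},
}


def matches(name, props, word):
    """'kEECDH+AESGCM' is a logical AND: every alias has to hold.
    'ALL' is everything except the eNULL ciphers; a bare name matches itself."""
    for part in word.split("+"):
        if part == "ALL":
            if "eNULL" in props:
                return False
        elif part != name and part not in props:
            return False
    return True


def evaluate(spec, table=CIPHERS):
    """Return {cipher: KILLED|DISABLED|ENABLED} for an OpenSSL-style spec."""
    # Start every cipher at DISABLED rather than inheriting stale state; a
    # list that is not reset this way tends to end up with everything on.
    state = {name: DISABLED for name in table}
    for tok in spec.split(":"):
        if not tok:
            continue
        op, word = ("", tok) if tok[0] not in "!-+" else (tok[0], tok[1:])
        for name, props in table.items():
            if not matches(name, props, word):
                continue
            if op == "!":
                state[name] = KILLED             # can never be turned back on
            elif op == "-":
                if state[name] != KILLED:
                    state[name] = DISABLED       # off, but a later token may re-add it
            elif op == "+":
                pass                             # OpenSSL reorders; NSS cannot, so no-op
            elif state[name] != KILLED:
                state[name] = ENABLED
    return state


def pref_before_fix(state):
    """The CVE-2015-5244 mistake: the tri-state is handed to a PRBool
    parameter unchanged, and -1 is non-zero, i.e. 'enabled'."""
    return bool(state)


def pref_after_fix(state):
    """Only an explicitly enabled cipher becomes PR_TRUE."""
    return state == ENABLED


def nss_prefs(spec, convert=pref_after_fix, table=CIPHERS):
    """What an SSL_CipherPrefSet()-style call would be told for each cipher."""
    return {name: convert(s) for name, s in evaluate(spec, table).items()}


if __name__ == "__main__":
    spec = "ALL:!aNULL:!eNULL:-AES128:AES128-SHA"
    buggy, fixed = nss_prefs(spec, pref_before_fix), nss_prefs(spec)
    for name in CIPHERS:
        flag = "  <-- killed cipher switched on by the bug" if buggy[name] != fixed[name] else ""
        print(f"{name:30} before={buggy[name]!s:5} after={fixed[name]!s:5}{flag}")
```

Run it and the two `!`-killed suites (anonymous DH and the NULL cipher) show up as enabled under the pre-fix conversion and disabled under the fixed one; everything else is identical, which is why the bug was easy to miss.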
New server/vhost config option, NSSSessionTickets, to enable
or disable TLS Session Tickets support. This is off by default
in NSS.
Control the buffer size used on a POST when SSL renegotiation is
being done. The default is 128K.
Resolves BZ 1214366
I'm not going to commit a million of these 1-liners but I think
the code is stable enough that it won't be a big deal. If it
happens again I'll see about adding a fuzzer to assert_equal()
to avoid line number differences.
I originally just had nss_engine_cipher as an extra ld option
but this didn't enforce that nss_engine_cipher was already built
by the time test_cipher was. I instead added nss_engine_cipher
to the SOURCES line and dropped the extra linkage.
Build failure seen on aarch64 in BZ 1196222
- Add Camellia ciphers
- Remove Fortezza ciphers
- Add TLSv1.2-specific ciphers
Resolves BZ: #862938
If an NSSCipherSuite is defined in a location or directory then
we re-do the SSL handshake. The cipher list wasn't being initialized
to PR_FALSE so chances are good that all ciphers would be enabled,
not just the ones in the local NSSCipherSuite setting.
Resolves BZ 1165408
We do a chdir() to the NSS database location so that libnssckbi.so
is available when the database is opened. Strip off a sql: prefix
if one is available. This allows the new sqlite format to work.
Add an additional test pass configuring NSS using the sqlite format.
This requires a bit of a hack to pass in the value to python but
it will work for now.
Resolves: #1057650
Protocol is a per-server or Virtual Host setting so I added a new
VH to do TLSv1.2 testing. It isn't as configurable as I'd like
because the port is hardcoded but it'll do for now.
This is in response to the POODLE CVE CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
If support is available in NSS then it is just a matter of including
TLS 1.2 in the protocol range.
Add a DIST target to make it easier to tar things up.
Rename the make target test to check
This tests in an in-tree Apache instance using the local libmodnss.so
shared library, so no pre-installation is necessary.
The tests use python-nose and a hacked python-requests library. It is
hacked so I can obtain the negotiated cipher and protocol as well as
pass a few other things into it.
Tests right now are limited to GET requests.
A new user certificate for 'beta' was added to gencert to do pass/fail
access control testing.
The basic process of the tests is:
- run setup.sh which sets up a new instance with createinstance.sh
and does some variable substitution.
- nosetests -v
I picture multiple test "suites" of different configurations. Right now
there is only one. A template file is provided for each suite.
Tested only on Fedora 20 right now.
We don't need to include these in the source. The user should run
autoreconf -i -f before building.
CVE-2013-4566
Resolves #1037722
There is a single-set of hooks in mod_proxy so if mod_ssl was even
loaded, even if not being used, it would grab those hooks and mod_nss
would not work.
Resolves #1021469
Matthew Harmsen <mharmsen@redhat.com>
Resolves #1036940
Help clarify the error messages which didn't previously distinguish
between the following three variables:
NSSProtocol versus NSSProxyProtocol,
NSSCipherSuite versus NSSProxyCipherSuite, and
NSSNickname versus NSSProxyNickname
Ported from BZ 769906
- correct few cases of <code> used on text that should use normal font
- strip some redundant html tags
- use <pre> for larger command output blocks
- correct few typos
Set protocol version ranges:
(1) Set the minimum protocol accepted
(2) Set the maximum protocol accepted
(3) Protocol ranges extend from maximum down to minimum
protocol
(4) All protocol ranges are completely inclusive;
no protocol in the middle of a range may be excluded
(5) NSS automatically negotiates the use of the strongest
protocol for a connection starting with the maximum
specified protocol and downgrading as necessary to the
minimum specified protocol
For example, if SSL 3.0 is chosen as the minimum protocol, and
TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not
and cannot be excluded from this range. NSS will automatically
negotiate to utilize the strongest acceptable protocol for a
connection starting with the maximum specified protocol and
downgrading as necessary to the minimum specified protocol
(TLS 1.1 -> TLS 1.0 -> SSL 3.0).
BZ 816394
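The range rules above have a consequence that is easy to get wrong in a config file: NSS only takes a minimum and a maximum, so listing "SSLv3,TLSv1.1" quietly accepts TLS 1.0 too, and the only way to drop SSL 3.0 (the POODLE commit further up) is to raise the minimum. The following is an added example, not mod_nss code, that turns an NSSProtocol line into the range NSS will really use and reports what was enabled without being named. The version spellings and the comma-separated directive syntax are assumptions for the example.

```python
# Added example, not mod_nss code: reduce an NSSProtocol list to the
# (minimum, maximum) pair NSS accepts and show which versions come along
# implicitly. Version names and directive syntax are assumed here.

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # weakest to strongest


def effective_range(requested):
    """Return (accepted, implicit). Every version from the lowest to the
    highest requested is accepted; 'implicit' is the subset the
    administrator did not list but gets anyway."""
    idx = sorted(VERSIONS.index(v) for v in requested)
    accepted = VERSIONS[idx[0]:idx[-1] + 1]
    implicit = [v for v in accepted if v not in requested]
    return accepted, implicit


def parse_nssprotocol(line):
    """'NSSProtocol SSLv3,TLSv1.1' -> ['SSLv3', 'TLSv1.1'] (assumed syntax)."""
    directive, _, value = line.strip().partition(" ")
    if directive != "NSSProtocol":
        raise ValueError(f"not an NSSProtocol line: {line!r}")
    versions = [v.strip() for v in value.split(",") if v.strip()]
    unknown = [v for v in versions if v not in VERSIONS]
    if not versions or unknown:
        raise ValueError(f"bad protocol list {versions!r}, unknown: {unknown}")
    return versions


def check(line):
    """What the line really enables, whether SSLv3 is in the range
    (CVE-2014-3566), and which versions were never named."""
    accepted, implicit = effective_range(parse_nssprotocol(line))
    return {"accepted": accepted, "implicit": implicit, "sslv3": "SSLv3" in accepted}


if __name__ == "__main__":
    for line in ("NSSProtocol SSLv3,TLSv1.1",     # the case from the commit message
                 "NSSProtocol TLSv1.1,TLSv1.2",   # what to write to drop SSLv3 and TLSv1.0
                 "NSSProtocol TLSv1.0,TLSv1.2"):  # TLSv1.1 is accepted too
        print(line, "->", check(line))
```

The useful output is the `implicit` list: if it is non-empty, the configuration enables a version the operator did not ask for, and the fix is to move the minimum up rather than to remove an entry from the middle.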
This was causing an FD leak.
BZ 784548