* Check for Apache user owner/group read permissions of NSS database
* Update default ciphers to something more modern and secure
* Fix test for DH cipher directive
* Check for test and netstat before trying to use them
* Don't ignore NSSProtocol when NSSFIPS is enabled
  Based on patch by Matthew Harmsen <mharmsen@redhat.com>
* Use proper shell syntax to avoid creating /0
* tests: Centralize the openssl ciphers flags when comparing
* Basic test case for DHE cipher negotiation
* Remove -DH from test strings, duplicate test, fix test
* Add server support for DHE ciphers.

Insecure or less secure algorithms such as RC4, DES and 3DES are
removed. Perfect forward secrecy suites with ephemeral ECDH key
exchange have been added. IE 8 on Windows XP is no longer
supported.
https://fedorahosted.org/mod_nss/ticket/5

See if the configured user has read access to the NSS database
during initialization so the server can gracefully shutdown
rather than ending up in a forking loop because the database is
owned by root and is therefore unreadable once Apache starts
forking.
Adds a new configuration option, NSSSkipPermissionCheck <on/off>,
to skip this check in case something goes wrong.
https://fedorahosted.org/mod_nss/ticket/3

Change 184804c82daf7fe04dfb0b0ecdc3e06be0c103c1 modified the
way arguments are handled in test/setup.sh such that sql: was
being dropped so tests were not being executed against sqlite
databases.

These may not be available on all systems. Work around it best
we can. In the case of netstat this can be replaced by using
/dev/urandom or /dev/random instead and piping it through tr
to produce only ASCII strings.

The value was always being set to TLS 1.0, 1.1 and 1.2, ignoring
the configuration value.
I suspect this is because this code dated to when only SSL2, 3 and
TLS 1.0 were supported so it only enabled TLS v1.0. When 1.1 and
1.2 were added it seemed natural to automatically enable those
as well. Natural but incorrect.
Based on patch by Matthew Harmsen <mharmsen@redhat.com>
RHBZ #1312052

I used if [ $x > 0 ]; ... which is obviously wrong :-(
https://bugzilla.redhat.com/show_bug.cgi?id=1311392

Since we don't support ADH ciphers we can just ignore DH-*
Note that OpenSSL defines the DH- ciphers but does not implement
them so the DH string support is there only for compatibility.

I used to have a separate set of options when comparing the
NSS and OpenSSL ciphers. These differed between tests, sometimes
being just a difference in order. This just made the tests
hard to understand.

The AESGCM test was duplicated. Remove one.
Two different tests were in test_AES_no_ECDH. I broke one out
separately.

Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>
Heavily modified by Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/mod_nss/ticket/15

- Drop the check that NSSProxyNickname be required
- Add basic reverse proxy test case
- Don't send SSL alert on SNI lookup failure
- Fail for colons in credentials with FakeBasicAuth
- Always call SSL_ShutdownServerSessionIDCache() in ModuleKill
- Document some python dependencies needed by make check
- Add cipher test for ECDH+aRSA
- Quote gcm and sha384 config values when comparing them

This was incorrectly a required value when it is a completely
optional setting. Remove it from the check completely and add
a log entry when it is set.
https://bugzilla.redhat.com/show_bug.cgi?id=874847

Fetches https://www.google.com and just looks for a 200 response.
This adds an implicit requirement that the test machine has Internet
access so I might have to remove this eventually, but it at
least exercises that code in a positive test case.

The guard of NSS_IsInitialized() was too strict because of the
way Apache loads and unloads modules. We need to clean up the
SessionIDCache thread locking when a SIGHUP is received otherwise
a crash will occur.
Note that this also eliminates a rather huge memory leak when
the server is reloaded with a SIGHUP.
https://bugzilla.redhat.com/show_bug.cgi?id=1277613
https://bugzilla.redhat.com/show_bug.cgi?id=1295976
https://fedorahosted.org/mod_nss/ticket/16

Update gencert to do a better job parsing arguments so I can
pass in a --test flag to generate a special test-only user
certificate to test colons in the DN.

We will eventually want to use mod_auth_basic's AuthBasicFake
but this will do for now.

RFC 6066 section 3 says "It is NOT RECOMMENDED to
send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level
alerts is unpredictable."
To maintain compatibility with mod_ssl, we will not send
any alert (neither warning- nor fatal-level),
i.e. we take the second action suggested in RFC.
"If the server understood the ClientHello extension
but does not recognize the server name, the server
SHOULD take one of two actions: either abort the handshake by
sending a fatal-level unrecognized_name(112) alert or
continue the handshake."
This is based on mod_ssl commit r1684462

Issues reported from valgrind.
The invalid read came from using SNI hostInfo data directly. Just
use the copy we apr_strndup() instead and all is well.
The SNI hostInfo values were leaking. I had removed the calls
to SECITEM_FreeItem at some point and forgotten to re-add them.
mc->semid was not explicitly initialized so could have blown up
if the compiler didn't automatically set it to 0. Explicitly set
it to make the warning go away (and to be safe).

Use the %p option to generate separate logs for each process
with valgrind.

Add a note to the table to indicate that the handshake is complete
so we don't set the extension every time data is read or written.
Drop NSSHandshakeCallback() as it didn't do anything and is replaced
by the proxy callback.
Extend the checks around calling SetURL to match those in mod_ssl:
- a hostname is available
- not SSLv3
- not an IP address

Apache doesn't like running as root and this ends up hanging
the build process.

I need to generate config.h because Apache ships its own
autotools-generated config.h which redefines a lot of
variables like PACKAGE_NAME, PACKAGE_TARBALL, etc.
By having my own config.h I can reset things before the compiler
complains. The downside is that compile-time options are hidden
in a config file instead of being defined on the gcc
command-line.

Most of these are unused variables. There is one adding an extra
set of parens.
The bug is using the wrong index variable, i instead of j.

Contributed by Stanislav Tokos

make check was failing in Fedora rawhide

Check the permissions to see if the key file is readable.

Python for OpenSSL is in quite a sad state with several competing
mid-level implementations which provide different feature sets.
The httplib client provides access to the negotiated cipher and
protocol but not SNI (and it has lousy hostname checking).
The urllib3 client provides SNI and is generally better but doesn't
give any details on the connection.
So I'm using both. The original one is used for basic server testing
and the urllib3 one is used just for SNI testing.
Also:
- Indent the test configuration to make it more readable
- Add separate config file for SNI testing
- Add a CGI configuration and script to test CGI variables
- Change client cipher test to use AES256-SHA instead of RC4
- Add a commented-out valgrind option in start for future
debuggers
- Change the VirtualServers to *:port and use ServerName
- Add per-VH document roots so SNI can be more easily tested

Uses a hash table to pair up server names and nicknames and
a lookup is done during the handshake to determine which
nickname to be used, and therefore which VirtualHost.
Based heavily on patch from Stanislav Tokos <stokos@suse.de>

I don't want to assume these ciphers are available in
every distro so I'm bending over backwards a bit to
check for availability and get the defines right
for the python cipher tests.

When retrieving the negotiated cipher the string was being leaked
and the wrong free was being used for subject and issuer.