Add configuration option to disable this, defaulting to on.
591224

NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert based on some early work by Rob
Crittenden.

token. It apparently always did this for hardware tokens as it is part
of the PKCS#11 spec.
This moves the initialization code into the child process init function.
444348

do at least secure proxy in front of an insecure host.

Bring in some updates based on diffs from 2.0.59 to 2.2.4
- Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled.
Don't depend on the fact that TRUE == 1
- Remove some dead code
- Minor update to the buffer code that buffers POST data during a
renegotiation
- Optimize setting environment variables by using a switch statement.

Add support for setting a default OCSP responder.

Add new NSSPassPhraseDialog method, defer, where only the tokens that
are found in the file pointed to by this directive are initialized.
Otherwise it attempts to authenticate every token that NSS finds.
Syntax is: NSSPassPhraseDialog defer:/path/to/password.conf

Implement a (bounded) buffer of request body data to provide a limited
but safe fix for the mod_nss renegotiation-vs-requests-with-bodies
bug:
* mod_nss.h (nss_io_buffer_fill): Add prototype.
* nss_engine_io.c (nss_io_buffer_fill,
nss_io_filter_buffer): New functions.
* nss_engine_kernel.c (nss_hook_Access): If a renegotiation is needed,
and the request has a non-zero content-length, or a t-e header (and
100-continue was not requested), call nss_io_buffer_fill to set aside
the request body data if possible, then proceed with the negotiation.
PR: 12355

The issue was that mod_ssl wasn't always picking up ssl-unclean-shutdown
settings. This isn't an issue for mod_nss since it doesn't support
separate shutdown modes, but this does simplify the code a bit.
* mod_nss.h: Remove nss_hook_Translate.
* nss_engine_kernel.c
(nss_hook_ReadReq): Merge in nss_hook_Translate.
(nss_hook_Translate): Remove.
* mod_nss.c (nss_register_hooks): Ensure that _ReadReq
hook runs after mod_setenvif.c; don't register translate_name hook.

Change the kludge for determining the current version of Apache we're
building against. Claim to be building against 2.0.55 if not told
otherwise. The exact version matters less than knowing which API to
use.

Fix compilation warnings

Replace C++ style comments to make the Sun Forte compiler happy.

by default. To enable it, pass --enable-ecc to configure.

from Oden Eriksson.
The conditional to determine which API to use is a bit weak at the moment
but it works with Apache 2.0.54 and 2.2.0.

a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed
directive.

adding new configuration directives. For the others we need to
initialize an NSS socket differently whether we will be acting as a
client or a server.

database module, configures for SSLv3 and TLSv1 and enables the
2 FIPS ciphers (and disables all the others).

co-exist with mod_ssl.

SSLEnforceValid Cert on/off to allow one to start with a bad cert.
Fix up some error messages and add in a missing cipher.