path: root/mod_nss.h
Commit log (each entry: author, date, files changed, lines removed/added, then the commit message)
* Rob Crittenden, 2016-03-01, 1 file, -0/+3
  Check filesystem permissions on NSS database at startup
  See if the configured user has read access to the NSS database during initialization so the server can gracefully shut down rather than ending up in a forking loop because the database is owned by root and is therefore unreadable once Apache starts forking. Adds a new configuration option, NSSSkipPermissionCheck <on/off>, to skip this check in case something goes wrong.
  https://fedorahosted.org/mod_nss/ticket/3
* Christian Heimes, 2016-02-29, 1 file, -0/+3
  Add server support for DHE ciphers
  Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>
  Heavily modified by Rob Crittenden <rcritten@redhat.com>
  https://fedorahosted.org/mod_nss/ticket/15
* Rob Crittenden, 2015-10-02, 1 file, -6/+6
  Cleanup to remove a slew of trailing whitespace
* Rob Crittenden, 2015-10-02, 1 file, -1/+13
  Modernize autotools configuration slightly, add config.h
  I need to generate config.h because Apache ships its own autotools-generated config.h which redefines a lot of variables like PACKAGE_NAME, PACKAGE_TARBALL, etc. By having my own config.h I can reset things before the compiler complains. The downside is that compile-time options are hidden in a config file instead of being defined on the gcc command-line.
* Rob Crittenden, 2015-10-02, 1 file, -0/+4
  Fix compatibility with RHEL 6.x (Apache 2.2.x and NSS 3.15.1)
* Rob Crittenden, 2015-10-02, 1 file, -0/+11
  Add support for Server Name Indication (SNI)
  Uses a hash table to pair up server names and nicknames, and a lookup is done during the handshake to determine which nickname is to be used, and therefore which VirtualHost.
  Based heavily on patch from Stanislav Tokos <stokos@suse.de>
* Rob Crittenden, 2015-06-11, 1 file, -0/+2
  Add support for TLS Session Tickets (RFC 5077)
  New server/vhost config option, NSSSessionTickets, to enable or disable TLS Session Tickets support. This is off by default in NSS.
* Rob Crittenden, 2015-06-10, 1 file, -1/+9
  Add RenegBufferSize option
  Control the buffer size used on a POST when SSL renegotiation is being done. The default is 128K.
  Resolves BZ 1214366
* Rob Crittenden, 2014-12-02, 1 file, -18/+2
  Add compatibility for mod_ssl-style cipher definitions
  - Add Camellia ciphers
  - Remove Fortezza ciphers
  - Add TLSv1.2-specific ciphers
  Resolves BZ: #862938
* Rob Crittenden, 2014-11-12, 1 file, -3/+2
  Completely remove support for SSLv2
* Rob Crittenden, 2014-02-21, 1 file, -2/+1
  Apache 2.4 compatibility changes
* Rob Crittenden, 2014-02-21, 1 file, -13/+4
  Work with mod_proxy when mod_ssl is also loaded.
  There is a single set of hooks in mod_proxy, so if mod_ssl was even loaded, even if not being used, it would grab those hooks and mod_nss would not work.
  Resolves #1021469
* rcritten, 2011-03-02, 1 file, -0/+7
  Add a semaphore lock around retrieving token PINs from the nss_pcache
  pipe. Rarely requests to the pipe were getting overridden causing that child to not enable SSL.
  Fedora bug 677701
* rcritten, 2010-09-22, 1 file, -1/+1
  Only call PK11_ListCerts once and pass it when configuring each
  virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
  Change enforce so that we only check the validity of the certificate if enforcecerts is enabled (the default).
  Patch contributed by Wolter Eldering <wolter.eldering@vanad.com.cn>
  bug 635324
* rcritten, 2010-05-13, 1 file, -0/+2
  Compare CN value of remote host with requested host in reverse proxy.
  Add configuration option to disable this, defaulting to on.
  591224
* rcritten, 2010-03-02, 1 file, -0/+8
  Add controls for managing SSL renegotiation
  NSS is introducing some new controls in response to CVE-2009-3555, MITM attacks via session renegotiation. This patch adds some tuning so these options can be set at run time.
  Patch contributed by Kai Engert based on some early work by Rob Crittenden.
* rcritten, 2008-05-09, 1 file, -0/+2
  NSS has been modified to not allow a fork after an NSS_Init() in the soft
  token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec. This moves the initialization code into the child process init function.
  444348
* rcritten, 2007-10-18, 1 file, -0/+10
  If mod_ssl isn't loaded then register the hooks to mod_proxy so we can
  do at least secure proxy in front of an insecure host.
* rcritten, 2007-05-31, 1 file, -3/+0
  Resolves: 241936
  Bring in some updates based on diffs from 2.0.59 to 2.2.4
  - Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled. Don't depend on the fact that TRUE == 1
  - Remove some dead code
  - Minor update to the buffer code that buffers POST data during a renegotiation
  - Optimize setting environment variables by using a switch statement.
* rcritten, 2006-10-20, 1 file, -0/+6
  211612
  Add support for setting a default OCSP responder.
* rcritten, 2006-08-25, 1 file, -0/+1
  204138
  Add new NSSPassPhraseDialog method, defer, where only the tokens that are found in the file pointed to by this directive are initialized. Otherwise, every token that NSS finds, it attempts to authenticate.
  Syntax is: NSSPassPhraseDialog defer:/path/to/password.conf
* rcritten, 2006-08-09, 1 file, -0/+4
  Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965
  Implement a (bounded) buffer of request body data to provide a limited but safe fix for the mod_nss renegotiation-vs-requests-with-bodies bug:
  * mod_nss.h (nss_io_buffer_fill): Add prototype.
  * nss_engine_io.c (nss_io_buffer_fill, nss_io_filter_buffer): New functions.
  * nss_engine_kernel.c (nss_hook_Access): If a renegotiation is needed, and the request has a non-zero content-length, or a t-e header (and 100-continue was not requested), call nss_io_buffer_fill to set aside the request body data if possible, then proceed with the negotiation.
  PR: 12355
* rcritten, 2006-08-09, 1 file, -1/+0
  Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958
  The issue was that mod_ssl wasn't always picking up ssl-unclean-shutdown settings. This isn't an issue for mod_nss since it doesn't support separate shutdown modes, but this does simplify the code a bit.
  * mod_nss.h: Remove nss_hook_Translate.
  * nss_engine_kernel.c (nss_hook_ReadReq): Merge in nss_hook_Translate. (nss_hook_Translate): Remove.
  * mod_nss.c (nss_register_hooks): Ensure that _ReadReq hook runs after mod_setenvif.c; don't register translate_name hook.
* rcritten, 2006-08-03, 1 file, -1/+10
  200610
  Change the kludge for determining the current version of Apache we're building against. Claim to be building against 2.0.55 if not told otherwise. The exact version matters less than knowing which API to use.
* rcritten, 2006-06-20, 1 file, -0/+1
  196070
  Fix compilation warnings
* rcritten, 2006-04-07, 1 file, -1/+1
  188300
  Replace C++ style comments to make the Sun Forte compiler happy.
* rcritten, 2006-03-02, 1 file, -0/+16
  Add support for Elliptical Curve Cryptography (ECC). This is disabled
  by default. To enable it, pass --enable-ecc to configure.
* rcritten, 2006-01-04, 1 file, -0/+9
  Changes to allow the mod_nss to work in Apache 2.2.0. Based on a patch
  from Oden Eriksson. The conditional to determine which API to use is a bit weak at the moment but it works with Apache 2.0.54 and 2.2.0.
* rcritten, 2005-10-03, 1 file, -0/+23
  Add support for seeding the NSS Random Number Generator. This adds
  a new directive, NSSRandomSeed, based on the mod_ssl SSLRandomSeed directive.
* rcritten, 2005-09-29, 1 file, -3/+11
  Add proxy support to mod_nss. Most of the changes are related to
  adding new configuration directives. For the others we need to initialize an NSS socket differently depending on whether we will be acting as a client or a server.
* rcritten, 2005-09-06, 1 file, -0/+2
  Add OCSP support
* rcritten, 2005-08-19, 1 file, -0/+2
  Add a FIPS configuration option. This enables the FIPS internal
  database module, configures for SSLv3 and TLSv1 and enables the 2 FIPS ciphers (and disables all the others).
* rcritten, 2005-06-29, 1 file, -0/+2
  Add NSS database prefix support
* rcritten, 2005-05-31, 1 file, -64/+64
  Changed function and configuration names so mod_nss can peacefully
  co-exist with mod_ssl.
* rcritten, 2005-05-20, 1 file, -1/+3
  By default, don't start with an expired cert. Add option
  SSLEnforceValid Cert on/off to allow one to start with a bad cert. Fix up some error messages and add in a missing cipher.
* rcritten, 2005-05-17, 1 file, -0/+388
  Initial import of mod_nss