path: root/nss_engine_init.c
Commit message | Author | Age | Files | Lines
* Add controls for managing SSL renegotiation | rcritten | 2010-03-02 | 1 | -0/+18
  NSS is introducing some new controls in response to CVE-2009-3555, MITM attacks via session renegotiation. This patch adds some tuning so these options can be set at run time. Patch contributed by Kai Engert based on some early work by Rob Crittenden.
* Restore moduleKill function so that NSS remains initialized during the | rcritten | 2008-07-16 | 1 | -3/+11
  entire configuration state. Other modules were relying on mod_nss leaving NSS initialized. 453508
* Don't inherit the MP cache when running in threaded mode | rcritten | 2008-07-14 | 1 | -4/+35
  Don't initialize the database if the SSL is disabled in the configuration 454701
* Make FIPS mode work. This fixes 2 problems: | rcritten | 2008-05-16 | 1 | -2/+3
  1. In nss_init_SSLLibrary() the server config wasn't being set properly for each virtual server so FIPS wasn't getting turned on.
  2. There seems to be a problem in NSS_Shutdown() that makes subsequent logins appear to succeed but they actually are skipped causing keys and certs to not be available.
  Also switch an error message to a warning related to FIPS ciphers.
* NSS has been modified to not allow a fork after an NSS_Init() in the soft | rcritten | 2008-05-09 | 1 | -164/+228
  token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec. This moves the initialization code into the child process init function. 444348
* Only NSSPassPhraseHelper needs to be required. | rcritten | 2007-06-07 | 1 | -3/+2
* Resolves: 241936 | rcritten | 2007-05-31 | 1 | -3/+3
  Bring in some updates based on diffs from 2.0.59 to 2.2.4
  - Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled. Don't depend on the fact that TRUE == 1
  - Remove some dead code
  - Minor update to the buffer code that buffers POST data during a renegotiation
  - Optimize setting environment variables by using a switch statement.
* 226747 | rcritten | 2007-02-01 | 1 | -1/+1
  Fix typo in cipher echde_rsa_null (transposed h and d).
* 213081 | rcritten | 2006-10-30 | 1 | -3/+3
  The way I was using to detect the model being used was incorrect. Now use the # of threads available. Guaranteed to be 0 for prefork and > 0 for worker (threaded)
* 212426 | rcritten | 2006-10-26 | 1 | -14/+17
  Don't fire up the NSS engine if SSL isn't enabled.
* 211612 | rcritten | 2006-10-20 | 1 | -3/+52
  Add support for setting a default OCSP responder.
* 211139 | rcritten | 2006-10-17 | 1 | -6/+9
  Only call NSS_Shutdown when we've initialized the database. Also update the NSS log messages to those added in NSS 3.11.3.
* Initialize the NSS cache before NSS_Init is called. A race condition | rcritten | 2006-08-24 | 1 | -8/+8
  was being triggered during the first module unload when calling NSS_Shutdown because the cache wasn't finished setting itself up in MP mode.
* 200855 | rcritten | 2006-08-02 | 1 | -6/+2
  Turns out I didn't need to defer startup at all, the LogLevel in nss.conf was enough. I actually had the compare reversed anyway, but that was the least of the problem. 30% of the time the server would core during shutdown due to a race condition.
* 200855 | rcritten | 2006-08-02 | 1 | -11/+19
  Defer loading the server certificates until the 2nd module load. Otherwise any problems with said certificate(s) will not be displayed because the VirtualHost logging hasn't been turned on yet. Switch a slew of APLOG_INFO to APLOG_ERR. And add a default LogLevel to nss.conf.in. This is not inherited from httpd.conf.
* 196070 | rcritten | 2006-06-21 | 1 | -3/+15
  Fix some warnings related to not checking the return value of getcwd and chdir.
* 196070 | rcritten | 2006-06-20 | 1 | -4/+3
  Fix compilation warnings
* 188300 | rcritten | 2006-04-07 | 1 | -12/+16
  Replace C++ style comments to make the Sun Forte compiler happy.
* Add support for Elliptical Curve Cryptography (ECC). This is disabled | rcritten | 2006-03-02 | 1 | -53/+117
  by default. To enable it, pass --enable-ecc to configure.
* Add in check to be sure that the same server isn't initialized with SSL | rcritten | 2005-10-28 | 1 | -0/+15
  more than once. This avoids a crash during shutdown where the same certificates and keys will try to be released multiple times. This is based on ssl_init_server_check() from mod_ssl.
* Close the proxy model socket so NSS can be shutdown gracefully. Also | rcritten | 2005-10-11 | 1 | -4/+14
  correct an error where the PKCS#11 slot isn't closed unless the certificate key is obtained. This also affected NSS_Shutdown().
* Add support for seeding the NSS Random Number Generator. This adds | rcritten | 2005-10-03 | 1 | -2/+8
  a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed directive.
* Add proxy support to mod_nss. Most of the changes are related to | rcritten | 2005-09-29 | 1 | -34/+73
  adding new configuration directives. For the others we need to initialize an NSS socket differently whether we will be acting as a client or a server.
* Make SSL2 an optional protocol, disabled by default. | rcritten | 2005-09-13 | 1 | -5/+9
* Improve FIPS configuration: | rcritten | 2005-09-08 | 1 | -11/+59
  - The NSS ciphers are enumerated to find those that are FIPS approved
  - This list of approved ciphers is compared to the NSSCipherSuite entry and those enabled, approved ciphers are configured. This way you aren't forced to use all of the FIPS ciphers (in case you don't want a 56-bit cipher enabled).
  - Only TLSv1 should be enabled.
* Add OCSP support | rcritten | 2005-09-06 | 1 | -3/+18
* Add a FIPS configuration option. This enables the FIPS internal | rcritten | 2005-08-19 | 1 | -29/+84
  database module, configures for SSLv3 and TLSv1 and enables the 2 FIPS ciphers (and disables all the others).
* Also clean up the SSL Session ID Cache when shutting down. | rcritten | 2005-08-04 | 1 | -3/+13
  If we are using the forked model, use the MP version of the Session ID cache. Don't call PR_Cleanup(), this could cause problems.
* Properly clean up the SSL environment so NSS can be shut down gracefully. | rcritten | 2005-08-04 | 1 | -4/+30
* Add NSS database prefix support | rcritten | 2005-06-29 | 1 | -6/+19
* Fix formatting and variable name in error message. | rcritten | 2005-06-03 | 1 | -2/+2
* Changed function and configuration names so mod_nss can peacefully | rcritten | 2005-05-31 | 1 | -86/+89
  co-exist with mod_ssl.
* When doing SSLVerifyCert require then we need to always require the | rcritten | 2005-05-24 | 1 | -1/+1
  certificate to match what OpenSSL does.
* By default, don't start with an expired cert. Add option | rcritten | 2005-05-20 | 1 | -13/+16
  SSLEnforceValid Cert on/off to allow one to start with a bad cert. Fix up some error messages and add in a missing cipher.
* Initial import of mod_nss | rcritten | 2005-05-17 | 1 | -0/+984