| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>
Heavily modified by Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/mod_nss/ticket/15
|
|
|
|
|
|
|
|
| |
This was incorrectly a required value when it is a completely
optional setting. Remove it from the check completely and add
a log entry when it is set.
https://bugzilla.redhat.com/show_bug.cgi?id=874847
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The guard of NSS_IsInitialized() was too strict because of the
way Apache loads and unloads modules. We need to clean up the
SessionIDCache thread locking when a SIGHUP is received otherwise
a crash will occur.
Note that this also eliminates a rather huge memory leak when
the server is reloaded with a SIGHUP.
https://bugzilla.redhat.com/show_bug.cgi?id=1277613
https://bugzilla.redhat.com/show_bug.cgi?id=1295976
https://fedorahosted.org/mod_nss/ticket/16
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6066 section 3 says "It is NOT RECOMMENDED to
send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level
alerts is unpredictable."
To maintain compatibility with mod_ssl, we will not send
any alert (neither warning- nor fatal-level),
i.e. we take the second action suggested in RFC.
"If the server understood the ClientHello extension
but does not recognize the server name, the server
SHOULD take one of two actions: either abort the handshake by
sending a fatal-level unrecognized_name(112) alert or
continue the handshake."
This is based on mod_ssl commit r1684462
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Issues reported from valgrind.
The invalid read came from using SNI hostInfo data directly. Just
use the copy we apr_strndup() instead and all is well.
The SNI hostInfo values were leaking. I had removed the calls
to SECITEM_FreweItem at some point and forgotten to re-add them.
mc->semid was not explicitly initialized so could have blown up
if the compiler didn't automatically set it to 0. Explicitly set
it to make warning go away (and to be safe).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a note to the table to indicate that the handhake is complete
so we don't set the extension every time data is read or written.
Drop NSSHandshakeCallback() as it didn't do anything and is replaced
by the proxy callback.
Extend the checks around calling SetURL to match those in mod_ssl:
- a hostname is available
- not SSLv3
- not an IP address
|
|
|
|
|
|
|
| |
Most of these are unused variable. There is one adding an extra
set of parens.
The bug is using the wrong index variable, i instead of j.
|
| |
|
|
|
|
| |
Check the permissions to see if the key file is readable.
|
|
|
|
|
|
|
|
| |
Uses a hash table to pair up server names and nicknames and
a lookup is done during the handshake to determine which
nickname to be used, and therefore which VirtualHost.
Based heavily on patch from Stanislav Tokos <stokos@suse.de>
|
|
|
|
|
|
|
|
|
| |
A cipher value could be -1, 0 or 1 meaning completely disabled,
disabled and enabled. A -1 passed to SSL_CipherPrefSet() could
cause a cipher to actually be enabled. Now pass PR_TRUE if
the cipher is enabled otherwise pass PR_FALSE.
Fix CVE-2015-5244
|
|
|
|
|
|
| |
New server/vhost config option, NSSSessionTickets, to enable
or disable TLS Session Tickets support. This is off by default
in NSS.
|
| |
|
|
|
|
|
|
|
|
| |
- Add Camelia ciphers
- Remove Fortezza ciphers
- Add TLSv1.2-specific ciphers
Resolves BZ: #862938
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do a chdir() to the NSS database location so that libnssckbi.so
is available when the database is opened. Strip off a sql: prefix
if one is available. This allows the new sqlite format to work.
Add an additional test pass configuring NSS using the sqlite format.
This requires a bit of a hack to pass in the value to python but
it will work for now.
Resolves: #1057650
|
| |
|
|
|
|
|
|
| |
This is in response to the POODLE CVE CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|
|
|
|
|
| |
If support is available in NSS then it is just a matter of including
TLS 1.2 in the protocol range.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Help clarify the error messages which didn't previously distinguish
between the following three variables:
NSSProtocol versus NSSProxyProtocol,
NSSCipherSuite versus NSSProxyCipherSuite, and
NSSNickname versus NSSProxyNickname
Ported from BZ 769906
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set protocol version ranges:
(1) Set the minimum protocol accepted
(2) Set the maximum protocol accepted
(3) Protocol ranges extend from maximum down to minimum
protocol
(4) All protocol ranges are completely inclusive;
no protocol in the middle of a range may be excluded
(5) NSS automatically negotiates the use of the strongest
protocol for a connection starting with the maximum
specified protocol and downgrading as necessary to the
minimum specified protocol
For example, if SSL 3.0 is chosen as the minimum protocol, and
TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not
and cannot be excluded from this range. NSS will automatically
negotiate to utilize the strongest acceptable protocol for a
connection starting with the maximum specified protocol and
downgrading as necessary to the minimum specified protocol
(TLS 1.1 -> TLS 1.0 -> SSL 3.0).
BZ 816394
|
|
|
|
|
|
| |
This was causing an FD leak.
BZ 784548
|
|
|
|
|
|
|
|
|
|
| |
From Coverity:
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static
array "child_argv", with 5 elements, at position 5 with index variable
"5".
https://bugzilla.redhat.com/show_bug.cgi?id=714154
|
|
|
|
|
|
| |
Patch contributed by Ulf Weltman
BZ 618466
|
|
|
|
|
|
|
| |
pipe. Rarely requests to the pipe were getting overridden causing
that child to not enable SSL.
Fedora bug 677701
|
|
|
|
|
|
|
|
|
|
|
|
| |
virtual server. This saves considerable time when there are a lot
of certificates and/or virtual servers.
Change enforce so that we only check the validity of the certificate
if enforcecerts is enabled (the default).
Patch contributed by Wolter Eldering <wolter.eldering@vanad.com.cn>
bug 635324
|
|
|
|
|
|
|
|
|
| |
NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert based on some early work by Rob
Crittenden.
|
|
|
|
|
|
|
| |
entire configuration state. Other modules were relying on mod_nss
leaving NSS initialized.
453508
|
|
|
|
|
|
| |
Don't initialize the database if the SSL is disabled in the configuration
454701
|
|
|
|
|
|
|
|
|
|
| |
1. In nss_init_SSLLibrary() the server config wasn't being set properly
for each virtual server so FIPS wasn't getting turned on.
2. There seem to be a problem in NSS_Shutdown() that makes subsequent
logins appear to succeed but they actually are skipped causing keys
and certs to not be available.
Also switch an error message to a warning related to FIPS ciphers.
|
|
|
|
|
|
|
|
|
| |
token. It apparently always did this for hardware tokens as it is part
of the PKCS#11 spec.
This moves the initialization code into the child process init function.
444348
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bring in some updates based on diffs from 2.0.59 to 2.2.4
- Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled.
Don't depend on the fact that TRUE == 1
- Remove some dead code
- Minor update to the buffer code that buffers POST data during a
renegotation
- Optimize setting environment variables by using a switch statement.
|
|
|
|
| |
Fix typo in cipher echde_rsa_null (transposed h and d).
|
|
|
|
|
|
| |
The way I was using to detect the model being used was incorrect. Now
use the # of threads available. Guaranteed to be 0 for prefork and > 0 for
worker (threaded)
|
|
|
|
| |
Don't fire up the NSS engine if SSL isn't enabled.
|
|
|
|
| |
Add support for setting a default OCSP responder.
|
|
|
|
|
| |
Only call NSS_Shutdown when we've initialized the database.
Also update the NSS log messages to those added in NSS 3.11.3.
|
|
|
|
|
|
| |
was being triggered during the first module unload when calling
NSS_Shutdown because the cache wasn't finished setting itself up
in MP mode.
|
|
|
|
|
|
|
| |
Turns out I didn't need to defer startup at all, the LogLevel in nss.conf
was enough. I actually had the compare reversed anyway, but that was
the least of the problem. 30% of the time the server would core during
shutdown due to a race condition.
|
|
|
|
|
|
|
|
|
|
|
| |
Defer loading the server certificates until the 2nd module load. Otherwise
any problems with said certificate(s) will not be displayed because
the VirtualHost logging hasn't been turned on yet.
Switch a slew of APLOG_INFO to APLOG_ERR.
And add a default LogLevel to nss.conf.in. This is not inherited from
httpd.conf.
|
|
|
|
|
| |
Fix some warnings related to not checking the return value of
getcwd and chdir.
|
|
|
|
| |
Fix compilation warnings
|
|
|
|
| |
Replace C++ style comments to make the Sun Forte compiler happy.
|
|
|
|
| |
by default. To enable it, pass --enable-ecc to configure.
|
|
|
|
|
|
| |
more than once. This avoids a crash during shutdown where the same
certificates and keys will try to be released multiple times. This is
based on ssl_init_server_check() from mod_ssl.
|
|
|
|
|
| |
correct an error where the PKCS#11 slot isn't closed unless a the
certificate key is obtained. This also affected NSS_Shutdown().
|
|
|
|
|
| |
a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed
directive.
|