path: root/nss_engine_kernel.c
Commit message | Author | Age | Files | Lines
* Fail for colons in credentials with FakeBasicAuth | Rob Crittenden | 2016-01-15 | 1 | -2/+33
  We will eventually want to use mod_auth_basic's AuthBasicFake but this will do for now.
* Fix memory leaks, uninit var, invalid read | Rob Crittenden | 2015-10-02 | 1 | -4/+8
  Issues reported from valgrind.
  The invalid read came from using SNI hostInfo data directly. Just use the copy we apr_strndup() instead and all is well.
  The SNI hostInfo values were leaking. I had removed the calls to SECITEM_FreeItem at some point and forgotten to re-add them.
  mc->semid was not explicitly initialized so could have blown up if the compiler didn't automatically set it to 0. Explicitly set it to make warning go away (and to be safe).
* Cleanup to remove a slew of trailing whitespace | Rob Crittenden | 2015-10-02 | 1 | -22/+22
* Fix compatibility with RHEL 6.x (Apache 2.2.x and NSS 3.15.1) | Rob Crittenden | 2015-10-02 | 1 | -1/+10
* Add the SECURE_RENEG environment variable | Rob Crittenden | 2015-10-02 | 1 | -0/+1
* Add support for Server Name Indication (SNI) | Rob Crittenden | 2015-10-02 | 1 | -0/+79
  Uses a hash table to pair up server names and nicknames and a lookup is done during the handshake to determine which nickname to be used, and therefore which VirtualHost.
  Based heavily on patch from Stanislav Tokos <stokos@suse.de>
* Add RenegBufferSize option | Rob Crittenden | 2015-06-10 | 1 | -2/+11
  Control the buffer size used on a POST when SSL renegotiation is being done. The default is 128K.
  Resolves BZ 1214366
* Add compatibility for mod_ssl-style cipher definitions | Rob Crittenden | 2014-12-02 | 1 | -0/+1
  - Add Camellia ciphers
  - Remove Fortezza ciphers
  - Add TLSv1.2-specific ciphers
  Resolves BZ: #862938
* Initialize cipher list when re-negotiating handshake. | Rob Crittenden | 2014-11-21 | 1 | -0/+23
  If an NSSCipherSuite is defined in a location or directory then we re-do the SSL handshake. The cipher list wasn't being initialized to PR_FALSE so chances are good that all ciphers would be enabled, not just the ones in the local NSSCipherSuite setting.
  Resolves BZ 1165408
* Apache 2.4 compatibility changes | Rob Crittenden | 2014-02-21 | 1 | -2/+2
* Fix incorrect handling of NSSVerifyClient in directory context | Rob Crittenden | 2014-02-21 | 1 | -1/+1
  CVE-2013-4566
  Resolves #1037722
* Always copy in client certificate and fix FakeBasicAuth | Rob Crittenden | 2011-06-14 | 1 | -2/+7
  When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof.
  BZ 702437
* Resolves: 241936 | rcritten | 2007-05-31 | 1 | -3/+3
  Bring in some updates based on diffs from 2.0.59 to 2.2.4
  - Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is enabled. Don't depend on the fact that TRUE == 1
  - Remove some dead code
  - Minor update to the buffer code that buffers POST data during a renegotiation
  - Optimize setting environment variables by using a switch statement.
* Merge in http://svn.apache.org/viewvc?view=rev&revision=354394 | rcritten | 2006-08-09 | 1 | -2/+5
  * nss_engine_kernel.c (nss_hook_Access): Omit further access control checks if SSL is not in use regardless of vhost settings.
* Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965 | rcritten | 2006-08-09 | 1 | -64/+26
  Implement a (bounded) buffer of request body data to provide a limited but safe fix for the mod_nss renegotiation-vs-requests-with-bodies bug:
  * mod_nss.h (nss_io_buffer_fill): Add prototype.
  * nss_engine_io.c (nss_io_buffer_fill, nss_io_filter_buffer): New functions.
  * nss_engine_kernel.c (nss_hook_Access): If a renegotiation is needed, and the request has a non-zero content-length, or a t-e header (and 100-continue was not requested), call nss_io_buffer_fill to set aside the request body data if possible, then proceed with the negotiation.
  PR: 12355
* Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700 | rcritten | 2006-08-09 | 1 | -0/+1
  * nss_engine_vars.c (nss_var_lookup_ssl_cert_remain): New function.
    (nss_var_lookup_nss_cert): Support _V_REMAIN suffix for SSL_{SERVER,CLIENT} as number of days until certificate expires.
  * nss_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if +StdEnvVars is configured.
* Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958 | rcritten | 2006-08-09 | 1 | -12/+6
  The issue was that mod_ssl wasn't always picking up ssl-unclean-shutdown settings. This isn't an issue for mod_nss since it doesn't support separate shutdown modes, but this does simplify the code a bit.
  * mod_nss.h: Remove nss_hook_Translate.
  * nss_engine_kernel.c (nss_hook_ReadReq): Merge in nss_hook_Translate.
    (nss_hook_Translate): Remove.
  * mod_nss.c (nss_register_hooks): Ensure that _ReadReq hook runs after mod_setenvif.c; don't register translate_name hook.
* 188300 | rcritten | 2006-04-07 | 1 | -1/+1
  Replace C++ style comments to make the Sun Forte compiler happy.
* Add support for Elliptical Curve Cryptography (ECC). This is disabled | rcritten | 2006-03-02 | 1 | -1/+7
  by default. To enable it, pass --enable-ecc to configure.
* Changed function and configuration names so mod_nss can peacefully | rcritten | 2005-05-31 | 1 | -30/+30
  co-exist with mod_ssl.
* Add support for the SSL_CLIENT_CERT_CHAIN_ environment variable. | rcritten | 2005-05-24 | 1 | -0/+25
  SSL_CLIENT_I_DN_ was incorrectly parsing the client certificate subject instead of the issuer subject.
  Print out PEM files the same way as OpenSSL
* Initial import of mod_nss | rcritten | 2005-05-17 | 1 | -0/+879