From 25e23d6aa024c875bbbaefc8f11d2780e09036b2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 11 Oct 2013 17:51:23 -0400 Subject: Add support for TLS v1.1, protocol ranges. Set protocol version ranges: (1) Set the minimum protocol accepted (2) Set the maximum protocol accepted (3) Protocol ranges extend from maximum down to minimum protocol (4) All protocol ranges are completely inclusive; no protocol in the middle of a range may be excluded (5) NSS automatically negotiates the use of the strongest protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol For example, if SSL 3.0 is chosen as the minimum protocol, and TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and cannot be excluded from this range. NSS will automatically negotiate to utilize the strongest acceptable protocol for a connection starting with the maximum specified protocol and downgrading as necessary to the minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). BZ 816394 --- docs/mod_nss.html | 113 ++++++++++++++++------------ mod_nss.c | 4 +- nss.conf.in | 11 ++- nss_engine_init.c | 215 ++++++++++++++++++++++++++++++++++++++++++++---------- nss_engine_vars.c | 6 +- 5 files changed, 259 insertions(+), 90 deletions(-) diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 2bd4bd6..7e18672 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -466,7 +466,7 @@ Example

Enables or disables FIPS 140 mode. This replaces the standard internal PKCS#11 module with a FIPS-enabled one. It also forces the -enabled protocols to TLSv1 and disables all ciphers but the +enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the FIPS ones. You may still select which ciphers you would like limited to those that are FIPS-certified. Any non-FIPS that are included in the NSSCipherSuite entry are automatically disabled. @@ -570,7 +570,7 @@ definition
SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSLv3/TLSv1
+ SSLv3/TLSv1.0/TLSv1.1
@@ -578,106 +578,106 @@ definition
SSL_RSA_WITH_DES_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_null_md5
SSL_RSA_WITH_NULL_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_null_sha
SSL_RSA_WITH_NULL_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_rc2_40_md5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_rc4_128_md5 SSL_RSA_WITH_RC4_128_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_rc4_128_sha SSL_RSA_WITH_RC4_128_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_rc4_40_md5 SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 fortezza
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 fortezza_rc4_128_sha
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 fortezza_null
SSL_FORTEZZA_DMS_WITH_NULL_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 fips_des_sha
SSL_RSA_FIPS_WITH_DES_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 fips_3des_sha
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_des_56_sha TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- SSL3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_rc4_56_sha TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_aes_128_sha
TLS_RSA_WITH_AES_128_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 rsa_aes_256_sha
TLS_RSA_WITH_AES_256_CBC_SHA
- SSLv3/TLSv1 + SSLv3/TLSv1.0/TLSv1.1 @@ -698,127 +698,127 @@ Definition
ecdh_ecdsa_null_sha TLS_ECDH_ECDSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_ecdsa_rc4_128_sha TLS_ECDH_ECDSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_ecdsa_3des_sha TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_ecdsa_aes_128_sha TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_ecdsa_aes_256_sha TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_ecdsa_null_sha TLS_ECDHE_ECDSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_ecdsa_rc4_128_sha TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_ecdsa_3des_sha TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_ecdsa_aes_128_sha TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_ecdsa_aes_256_sha TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_rsa_null_sha TLS_ECDH_RSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_rsa_128_sha TLS_ECDH_RSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_rsa_3des_sha TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_rsa_aes_128_sha TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_rsa_aes_256_sha TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 echde_rsa_null TLS_ECDHE_RSA_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_rsa_rc4_128_sha TLS_ECDHE_RSA_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_rsa_3des_sha TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_rsa_aes_128_sha TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdhe_rsa_aes_256_sha TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_anon_null_sha TLS_ECDH_anon_WITH_NULL_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_anon_rc4_128sha TLS_ECDH_anon_WITH_RC4_128_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_anon_3des_sha TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_anon_aes_128_sha TLS_ECDH_anon_WITH_AES_128_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 ecdh_anon_aes_256_sha TLS_ECDH_anon_WITH_AES_256_CBC_SHA - TLSv1 + TLSv1.0/TLSv1.1 @@ -839,16 +839,35 @@ specifically but allows ciphers for that protocol to be used at all.
Options are:
Note that this differs from mod_ssl in that you can't add or subtract protocols.
+
+If no NSSProtocol is specified, mod_nss will default to allowing the use of +the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the +minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol +allowed. +
+If values for NSSProtocol are specified, mod_nss will set both the minimum +and the maximum allowed protocols based upon these entries allowing for the +inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1 +are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes +protocol ranges to accept all protocols inclusively +(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols +in the middle of a range (e. g. - TLS 1.0).
+
+Finally, NSS will always automatically negotiate the use of the strongest +possible protocol that has been specified which is acceptable to both sides of +a given connection.
SSLv2 is not supported by default at this time.

Example

-NSSProtocol SSLv3,TLSv1
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1

NSSNickname

@@ -1101,7 +1120,7 @@ was compiled against.
SSL_PROTOCOL
 - SSLv2, SSLv3 or TLSv1
+ SSLv2, SSLv3, TLSv1.0, or TLSv1.1
@@ -1443,7 +1462,7 @@ Opera, and Safari) support SSL 3 and TLS so there is no need for a web server to support SSL 2. There are some known attacks against SSL 2 that are handled by -SSL 3/TLS. SSL2 also doesn't support useful features like client +SSL 3/TLS. SSLv2 also doesn't support useful features like client authentication.

Frequently Asked Questions

diff --git a/mod_nss.c b/mod_nss.c index e4fed90..efb1f7b 100644 --- a/mod_nss.c +++ b/mod_nss.c @@ -90,7 +90,7 @@ static const command_rec nss_config_cmds[] = { "(`[+-]XXX,...,[+-]XXX' - see manual)") SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable the various SSL protocols" - "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)") + "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)") SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client Authentication " "(`none', `optional', `require'") @@ -135,7 +135,7 @@ static const command_rec nss_config_cmds[] = { "(`on', `off')") SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " - "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") + "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)") SSL_CMD_SRV(ProxyCipherSuite, TAKE1, "SSL Proxy: colon-delimited list of permitted SSL ciphers " "(`XXX:...:XXX' - see manual)") diff --git a/nss.conf.in b/nss.conf.in index 4411cdc..050ce8a 100644 --- a/nss.conf.in +++ b/nss.conf.in @@ -109,7 +109,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha -NSSProtocol SSLv3,TLSv1 +# SSL Protocol: +# Cryptographic protocols that provide communication security. +# NSS handles the specified protocols as "ranges", and automatically +# negotiates the use of the strongest protocol for a connection starting +# with the maximum specified protocol and downgrading as necessary to the +# minimum specified protocol that can be used between two processes. +# Since all protocol ranges are completely inclusive, and no protocol in the +# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" +# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". +NSSProtocol SSLv3,TLSv1.0,TLSv1.1 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. diff --git a/nss_engine_init.c b/nss_engine_init.c index a7186bb..0e584cb 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -616,49 +616,97 @@ static void nss_init_ctx_protocol(server_rec *s, apr_pool_t *ptemp, modnss_ctx_t *mctx) { - int ssl2, ssl3, tls; + int ssl2, ssl3, tls, tls1_1; + char *protocol_marker = NULL; char *lprotocols = NULL; SECStatus stat; + SSLVersionRange enabledVersions; - ssl2 = ssl3 = tls = 0; + ssl2 = ssl3 = tls = tls1_1 = 0; + + /* + * Since this routine will be invoked individually for every thread + * associated with each 'server' object as well as for every thread + * associated with each 'proxy' object, identify the protocol marker + * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy') + * via each thread's object type and apply this useful information to + * all log messages. + */ + if (mctx == mctx->sc->server) { + protocol_marker = "NSSProtocol"; + } else if (mctx == mctx->sc->proxy) { + protocol_marker = "NSSProxyProtocol"; + } if (mctx->sc->fips) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "In FIPS mode, enabling TLSv1"); - tls = 1; + "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1", + protocol_marker); + tls = tls1_1 = 1; } else { if (mctx->auth.protocols == NULL) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "NSSProtocols not set; using: SSLv3 and TLSv1"); - ssl3 = tls = 1; + "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1", + protocol_marker); + ssl3 = tls = tls1_1 = 1; } else { lprotocols = strdup(mctx->auth.protocols); ap_str_tolower(lprotocols); if (strstr(lprotocols, "all") != NULL) { #ifdef WANT_SSL2 - ssl2 = ssl3 = tls = 1; + ssl2 = ssl3 = tls = tls1_1 = 1; #else - ssl3 = tls = 1; + ssl3 = tls = tls1_1 = 1; #endif } else { - if (strstr(lprotocols, "sslv2") != NULL) { + char *protocol_list = NULL; + char *saveptr = NULL; + char *token = NULL; + + for (protocol_list = lprotocols; ; protocol_list = NULL) { + token = strtok_r(protocol_list, ",", &saveptr); + if (token == NULL) { + break; + } else if (strcmp(token, "sslv2") == 0) { #ifdef WANT_SSL2 - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2"); - ssl2 = 1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling SSL2", + protocol_marker); + ssl2 = 1; #else - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported"); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "%s: SSL2 is not supported", + protocol_marker); #endif - } - - if (strstr(lprotocols, "sslv3") != NULL) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3"); - ssl3 = 1; - } - - if (strstr(lprotocols, "tlsv1") != NULL) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS"); - tls = 1; + } else if (strcmp(token, "sslv3") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling SSL3", + protocol_marker); + ssl3 = 1; + } else if (strcmp(token, "tlsv1") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.0 via TLSv1", + protocol_marker); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.", + protocol_marker); + tls = 1; + } else if (strcmp(token, "tlsv1.0") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.0", + protocol_marker); + tls = 1; + } else if (strcmp(token, "tlsv1.1") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.1", + protocol_marker); + tls1_1 = 1; + } else { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%s: Unknown protocol '%s' not supported", + protocol_marker, token); + } } } free(lprotocols); @@ -673,31 +721,98 @@ static void nss_init_ctx_protocol(server_rec *s, stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE); } + /* Set protocol version ranges: + * + * (1) Set the minimum protocol accepted + * (2) Set the maximum protocol accepted + * (3) Protocol ranges extend from maximum down to minimum protocol + * (4) All protocol ranges are completely inclusive; + * no protocol in the middle of a range may be excluded + * (5) NSS automatically negotiates the use of the strongest protocol + * for a connection starting with the maximum specified protocol + * and downgrading as necessary to the minimum specified protocol + * + * For example, if SSL 3.0 is chosen as the minimum protocol, and + * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and + * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and + * cannot be excluded from this range. NSS will automatically negotiate + * to utilize the strongest acceptable protocol for a connection starting + * with the maximum specified protocol and downgrading as necessary to the + * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). + */ if (stat == SECSuccess) { + /* Set minimum protocol version (lowest -> highest) + * + * SSL 3.0 -> TLS 1.0 -> TLS 1.1 + */ if (ssl3 == 1) { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE); + enabledVersions.min = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (minimum)", + protocol_marker); + } else if (tls == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.0] (minimum)", + protocol_marker); + } else if (tls1_1 == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.1] (minimum)", + protocol_marker); } else { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE); + /* Set default minimum protocol version to SSL 3.0 */ + enabledVersions.min = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (default minimum)", + protocol_marker); } - } - if (stat == SECSuccess) { - if (tls == 1) { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE); + + /* Set maximum protocol version (highest -> lowest) + * + * TLS 1.1 -> TLS 1.0 -> SSL 3.0 + */ + if (tls1_1 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.1] (maximum)", + protocol_marker); + } else if (tls == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.0] (maximum)", + protocol_marker); + } else if (ssl3 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_3_0; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [SSL 3.0] (maximum)", + protocol_marker); } else { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE); + /* Set default maximum protocol version to TLS 1.1 */ + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.1] (default maximum)", + protocol_marker); } + + stat = SSL_VersionRangeSet(mctx->model, &enabledVersions); } if (stat != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL protocol initialization failed."); + "%s: SSL/TLS protocol initialization failed.", + protocol_marker); nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } mctx->ssl2 = ssl2; mctx->ssl3 = ssl3; - mctx->tls = tls; + if (tls1_1 == 1) { + mctx->tls = tls1_1; + } else { + mctx->tls = tls; + } } static void nss_init_ctx_session_cache(server_rec *s, @@ -778,6 +893,8 @@ static void nss_init_ctx_cipher_suite(server_rec *s, PRBool cipher_state[ciphernum]; PRBool fips_state[ciphernum]; const char *suite = mctx->auth.cipher_suite; + char * object_type = NULL; + char * cipher_suite_marker = NULL; char * ciphers; char * fipsciphers = NULL; int i; @@ -790,6 +907,23 @@ static void nss_init_ctx_cipher_suite(server_rec *s, "Required value NSSCipherSuite not set."); nss_die(); } + + /* + * Since this routine will be invoked individually for every thread + * associated with each 'server' object as well as for every thread + * associated with each 'proxy' object, identify the cipher suite markers + * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy') + * via each thread's object type and apply this useful information to + * all log messages. + */ + if (mctx == mctx->sc->server) { + object_type = "server"; + cipher_suite_marker = "NSSCipherSuite"; + } else if (mctx == mctx->sc->proxy) { + object_type = "proxy"; + cipher_suite_marker = "NSSProxyCipherSuite"; + } + ciphers = strdup(suite); #define CIPHERSIZE 2048 @@ -824,13 +958,13 @@ static void nss_init_ctx_cipher_suite(server_rec *s, } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "FIPS mode enabled, permitted SSL ciphers are: [%s]", - fipsciphers); + "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]", + object_type, fipsciphers); } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "Configuring permitted SSL ciphers [%s]", - suite); + "%s: Configuring permitted SSL ciphers [%s]", + cipher_suite_marker, suite); /* Disable all NSS supported cipher suites. This is to prevent any new * NSS cipher suites from getting automatically and unintentionally @@ -869,7 +1003,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s, for (i=0; issl2 && countciphers(cipher_state, SSL2) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL2 is enabled but no SSL2 ciphers are enabled."); + "%s: SSL2 is enabled but no SSL2 ciphers are enabled.", + cipher_suite_marker); nss_die(); } if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "SSL3 is enabled but no SSL3 ciphers are enabled."); + "%s: SSL3 is enabled but no SSL3 ciphers are enabled.", + cipher_suite_marker); nss_die(); } if (mctx->tls && countciphers(cipher_state, TLS) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "TLS is enabled but no TLS ciphers are enabled."); + "%s: TLS is enabled but no TLS ciphers are enabled.", + cipher_suite_marker); nss_die(); } diff --git a/nss_engine_vars.c b/nss_engine_vars.c index b3dcf92..8f0379a 100644 --- a/nss_engine_vars.c +++ b/nss_engine_vars.c @@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c) case SSL_LIBRARY_VERSION_3_0: result = "SSLv3"; break; - case SSL_LIBRARY_VERSION_3_1_TLS: + case SSL_LIBRARY_VERSION_TLS_1_0: + /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */ result = "TLSv1"; break; + case SSL_LIBRARY_VERSION_TLS_1_1: + result = "TLSv1.1"; + break; } } } -- cgit