From bbde2f3f569b0b483b2ba8ce0cf5b43092f210ff Mon Sep 17 00:00:00 2001
From: rcritten <>
Date: Thu, 29 Sep 2005 19:35:44 +0000
Subject: Add proxy support to mod_nss. Most of the changes are related to
adding new configuration directives. For the others we need to initialize an
NSS socket differently depending on whether we will be acting as a client or a server.
---
docs/mod_nss.html | 174 +++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 138 insertions(+), 36 deletions(-)
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 8d38d47..7d6f5f1 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -1,4 +1,6 @@
+
+
-
-
mod_nss
@@ -32,25 +32,18 @@
Environment Variables
Database Management
Why is SSLv2 disabled?
-
+Frequently Asked Questions
Introduction
The mod_ssl package was
created in April 1998 by Ralf S.
Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It stays under a
-BSD-style
-license which is equivalent to the license used by The Apache Group for the Apache
-webserver
-itself. This means, in short, that you are free to use it both for
-commercial
-and non-commercial purposes as long as you retain the authors'
-copyright
-notices and give the proper credit.
-
-
-mod_nss is based directly on the mod_ssl package from Apache
+ href="mailto:ben@algroup.co.uk">Ben Laurie. It is licensed under
+the Apache 2.0
+license.
+
+mod_nss is based directly on the mod_ssl package from Apache
2.0.54. It is a conversion from using OpenSSL calls to using NSS
calls instead.
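Review bot: the rewritten license sentence still has mod_ssl as its grammatical subject ("The mod_ssl package was created ... It is licensed under the Apache 2.0 license"), so this hunk changes the stated license of mod_ssl rather than stating what mod_nss itself is licensed under. If the intent is to document mod_nss's license, say so explicitly ("mod_nss is licensed under the Apache 2.0 license") in the paragraph that introduces mod_nss, and decide deliberately whether the mod_ssl BSD-style license sentence that was removed should stay as background.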
@@ -93,6 +86,20 @@ installation. The assumption is that this has the layout of: PATH/lib,
PATH/include, etc.
+
+ --with-nss-inc=PATH
+ |
+ The file system path to the NSS
+include directory (e.g. /usr/local/include/nss3)
+ |
+
+
+ --with-nss-lib=PATH
+ |
+ The file system path to the NSS
+lib directory (e.g. /usr/local/lib)
+ |
+
--with-nspr=[PATH]
|
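Review bot: --with-nss-inc and --with-nss-lib are documented without their relation to --with-nss; state which takes precedence when both are given and whether the two new options have to be passed as a pair. A lib path given without the matching include path (or vice versa) is a common misconfiguration that only surfaces as a compile or link failure, so one sentence here saves support time. The example paths (/usr/local/include/nss3, /usr/local/lib) are fine.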
@@ -100,6 +107,20 @@ PATH/include, etc.
installation. The assumption is that this has the layout of: PATH/lib,
PATH/include, etc.
+
+ --with-nspr-inc=PATH
+ |
+ The file system path to the NSPR
+include directory (e.g. /usr/local/include/nspr4)
+ |
+
+
+ --with-nspr-lib=PATH
+ |
+ The file system path to the NSPR
+lib directory (e.g. /usr/local/lib)
+ |
+
--with-apxs=[PATH]
|
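Review bot: the NSPR entries have the same gap as the NSS ones just above them: say how --with-nspr-inc and --with-nspr-lib interact with --with-nspr (which wins when both are present) and whether they must be given together.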
@@ -117,7 +138,7 @@ tells us where the APR include files and libraries are located
If --with-nss or --with-nspr are not passed configure will look
-for the mozilla-[nss|nspr]-devel packages and use the libraries with
+for the [nss|nspr]-devel packages and use the libraries with
that if found.
It is strongly recommended that the mozilla.org version be used.
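Review bot: the fallback sentence only names --with-nss and --with-nspr, but this patch also introduces --with-nss-inc/--with-nss-lib and --with-nspr-inc/--with-nspr-lib; say whether passing any of those also suppresses the [nss|nspr]-devel package lookup. The unchanged "It is strongly recommended that the mozilla.org version be used" now sits next to a package name that no longer carries the mozilla- prefix, so clarify what "the mozilla.org version" refers to (upstream NSS/NSPR source as opposed to the distribution's -devel packages) and why it is preferred.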
@@ -371,12 +392,12 @@ limited to those that are FIPS-certified. Any non-FIPS that are
included in the NSSCipherSuite entry are automatically disabled.
The allowable ciphers are:
-- rsa_3des_sha
-- rsa_des_sha
-- fips_3des_sha
-- fips_des_sha
-- rsa_des_56_sha
-- fortezza
+ - rsa_3des_sha
+ - rsa_des_sha
+ - fips_3des_sha
+ - fips_des_sha
+ - rsa_des_56_sha
+ - fortezza
FIPS is disabled by default.
@@ -404,7 +425,8 @@ Example
A space-separated list of the SSL ciphers used, with the prefix +
to enable or - to disable.
-All ciphers are disabled by default. The SSLv2 ciphers cannot be enabled because
+All ciphers are disabled by default. The SSLv2 ciphers cannot be
+enabled because
SSLv2 is not allowed in mod_nss.
Available ciphers are:
@@ -622,7 +644,7 @@ be enclosed in double quotes.
NSSNickname Server-Cert
NSSNickname "This contains a space"
-NSSEnforceValidCerts
+NSSEnforceValidCerts
By default mod_nss will not start up if the server
certificate is not valid. This means that if the certificate has
@@ -636,7 +658,7 @@ not recommended.
NSSEnforceValidCerts on
-NSSVerifyClient
+NSSVerifyClient
Determines whether Client Certificate
Authentication will be requested or required. This may be set in a
@@ -646,18 +668,17 @@ per-directry context an SSL renogitation is required and a certificate
requested from the client.
Available options are:
-
none: no client certificate
is required or requested
-
- - code>optional: a client
+
+ - code>optional: a client
certificate is requested but if one is not available, the connection
may continue.
-
+
require: a valid client
certificate is required for the connection to continue.
-
+
The mod_ssl option option_no_ca
is not supported.
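Review bot: the rewritten line "- code>optional: a client" carries over the broken tag from the line it replaces (the opening "<" of "<code>" is missing), so the literal text "code>" will render in the page; since the line is being touched anyway, fix it to "<code>optional</code>". The context of this hunk also shows two typos in the NSSVerifyClient paragraph worth fixing in the same pass: "per-directry" and "renogitation" (renegotiation).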
@@ -732,7 +753,45 @@ Provides a regular expression-based access-control mechanism. Access
may be restricted (or allowed) based on any number of variables such as
components of the client certificate, the remote IP address, etc.
-NSSRequire
+Example
+
+NSSRequire
+
+NSSProxyEngine
+
+Enables or disables mod_nss HTTPS support for mod_proxy.
+
+Example
+
+NSSProxyEngine on
+
+NSSProxyProtocol
+
+Specifies the SSL protocols that may be used in proxy connections. The
+syntax is identical to NSSProtocol.
+
+Example
+
+NSSProxyProtocol SSLv3
+
+NSSProxyCipherSuite
+
+Specifies the SSL ciphers available for proxy connections. They syntax
+is identical to NSSCipherSuite.
+
+Example
+
+NSSProxyCipherSuite
++rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
+
+NSSProxyNickname
+
+The nickname of the client certificate to send if the remote server
+requests client authentication.
+
+Example
+
+NSSProxyNickname beta
Environment Variables
Quite a few environment variables (for CGI and SSI) may be set
depending on the NSSOptions configuration. It can be expensive to set
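Review bot: the new proxy directives leave out the checks an administrator needs to get this right. NSSProxyEngine does not say in which context it is allowed (server config / virtual host) nor that it only works with the patched mod_proxy described in the FAQ; put that dependency here, where the directive is documented, not only at the bottom of the page. Nothing in this block says how the remote server's certificate is validated when mod_nss acts as a client: which certificate database supplies the trusted CAs and whether an untrusted chain aborts the connection. NSSProxyNickname should state that the named certificate and its private key must live in the database configured with NSSCertificateDatabase. NSSProxyProtocol should list the accepted values (the example shows only SSLv3) and the default when the directive is absent. Also fix the typo "They syntax" in the NSSProxyCipherSuite description ("The syntax").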
@@ -1121,10 +1180,53 @@ have NSS validate it:
% certutil -V -n Server-Cert -u V -d .
certutil: certificate is valid
Why is SSLv2 disabled?
-All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and
-Safari) support SSL 3 and TLS so there is no need for a web server to support
+All major browsers (Firefox, Internet Explorer, Mozilla, Netscape,
+Opera, and
+Safari) support SSL 3 and TLS so there is no need for a web server to
+support
SSL 2. There are some known attacks against SSL 2 that are handled by
-SSL 3/TLS. SSL2 also doesn't support useful features like client authentication.
-
+SSL 3/TLS. SSL2 also doesn't support useful features like client
+authentication.
+
+Frequently Asked Questions
+Q. Does mod_nss support mod_proxy?
+
+A. In order to use the mod_nss proxy support you will need to build
+your own mod_proxy by applying a patch found in bug 36468.
+The patch is needed so we can compare the hostname contained in the
+remote certificate with the hostname you meant to visit. This prevents
+man-in-the-middle attacks.
+
+You also have to change the SSL functions that mod_proxy looks to use.
+You'll need to apply this patch:
+
+1038,1039c1038,1039
+< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+---
+> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+1041,1042c1041,1042
+< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
+NULL;
+< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
+= NULL;
+---
+> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
+NULL;
+> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
+= NULL;
+1069,1070c1069,1070
+< proxy_ssl_enable =
+APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+< proxy_ssl_disable =
+APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+---
+> proxy_ssl_enable =
+APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
+> proxy_ssl_disable =
+APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
+
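Review bot: "bug 36468" names no tracker, so the reader cannot locate the patch; give the tracker (and a URL) and the mod_proxy version the line numbers 1038-1070 refer to. The embedded patch is plain ed-style diff output with no file name, so it is not clear which mod_proxy source file is being edited; a unified diff with a file header would be applied far more reliably. Renaming the optional functions from ssl_proxy_enable / ssl_engine_disable to nss_proxy_enable / nss_engine_disable means the patched mod_proxy no longer works with mod_ssl at all; consider having mod_nss register its functions under the ssl_proxy_enable and ssl_engine_disable names that mod_proxy already retrieves, which would remove the need for this second patch, or at least state plainly that a mod_proxy built this way is mod_nss-only. Finally, "This prevents man-in-the-middle attacks" overstates what a hostname comparison does on its own: the check only helps if the remote certificate also chains to a CA trusted in mod_nss's certificate database and an untrusted chain is rejected, so say which database is consulted and what happens on a mismatch or verification failure.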
--