2011-01-12  Rob Crittenden

  * Don't use memcpy as it may operate on overlapping memory (#669118).
    Patch ported from mod_ssl by Stephen Gallagher.

2010-09-22  Rob Crittenden

  * Only call PK11_ListCerts once and pass it when configuring each
    virtual server. This saves considerable time when there are a lot of
    certificates and/or virtual servers. (#635324)
  * Change enforce so that we only check the validity of the certificate
    if enforcecerts is enabled (the default).
    Patch contributed by Wolter Eldering.

2010-09-17  Rob Crittenden

  * Fix endless read loop in some situations when handling POST data
    (#620856). This was discovered in the dogtag TPS subsystem. I haven't
    been able to duplicate it outside of that but it is trivial inside.
    This seems to fix it and brings the code closer to what mod_ssl does
    here as well.

2010-05-14  Rob Crittenden

  * Ignore SIGHUP in nss_pcache (#591889). Contributed by Joshua Roys.

2010-05-13  Rob Crittenden

  * Compare CN value of remote host with requested host in reverse proxy.
  * Add configuration option to disable this, defaulting to on. (#591224)
    Based on patch from Joshua Roys.

2010-03-22  Rob Crittenden

  * Update list of errors we translate.

2010-03-02  Rob Crittenden

  * Add controls for managing SSL renegotiation. NSS is introducing some
    new controls in response to CVE-2009-3555, MITM attacks via session
    renegotiation. This patch adds some tuning so these options can be set
    at run time. Patch contributed by Kai Engert.

2008-07-21  Rob Crittenden

  * mod_nss 1.0.8

2008-07-02  Rob Crittenden

  * Don't allow blank passwords if FIPS is enabled. This is not allowed by
    the NSS FIPS 140-2 security policy.

2008-05-16  Rob Crittenden

  * No need to link with softokn3.
  * Fix FIPS mode.
  * There seems to be a problem in NSS_Shutdown() that makes subsequent
    logins appear to succeed but they actually are skipped, causing keys
    and certs to not be available.
  * Also switch an error message to a warning related to FIPS ciphers.
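The 2011-01-12 entry above replaces memcpy with a call that is safe on overlapping regions. The classic place this matters in a TLS module is the input buffer that holds POST data during a renegotiation: after some bytes are consumed, the remainder is shifted to the front of the same array, so source and destination overlap and memcpy is undefined behaviour while memmove is specified to work. The following is an added, self-contained example (not mod_nss or mod_ssl code); the inbuf_t type and its functions are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* A small linear input buffer, loosely modelled on the kind of buffer a
 * TLS module keeps for POST data across a renegotiation.  Hypothetical
 * type for this example; not taken from mod_nss. */
typedef struct {
    char   data[64];
    size_t len;      /* number of bytes currently held in data[] */
} inbuf_t;

/* Append up to n bytes from src.  src is a caller-owned buffer that never
 * aliases data[], so memcpy is correct here.  Returns bytes stored. */
size_t inbuf_append(inbuf_t *b, const char *src, size_t n)
{
    size_t room = sizeof(b->data) - b->len;
    if (n > room)
        n = room;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return n;
}

/* Consume the first n bytes and shift the rest to the front of data[].
 * Whenever 0 < n < len, the source (data + n) and the destination (data)
 * overlap, so memmove is required; memcpy on these arguments is
 * undefined behaviour and may silently corrupt the remaining bytes.
 * Returns the number of bytes actually consumed. */
size_t inbuf_consume(inbuf_t *b, size_t n)
{
    size_t remaining;
    if (n > b->len)
        n = b->len;
    remaining = b->len - n;
    if (remaining > 0)
        memmove(b->data, b->data + n, remaining);
    b->len = remaining;
    return n;
}

/* Check helper: does the buffer hold exactly the expected bytes? */
int inbuf_equals(const inbuf_t *b, const char *expected)
{
    size_t n = strlen(expected);
    return b->len == n && memcmp(b->data, expected, n) == 0;
}
```

The append path keeps memcpy on purpose: the rule is not "never use memcpy" but "use memmove wherever the two ranges can overlap", and documenting which case each call site is in makes the next reviewer's job easier.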
2008-05-09  Rob Crittenden

  * NSS has been modified to not allow a fork after an NSS_Init() in the
    soft token. It apparently always did this for hardware tokens as it is
    part of the PKCS#11 spec.
  * This moves the initialization code into the child process init
    function.

2008-01-03  Rob Crittenden

  * See if the certificate has a version before trying to decode it into
    a CGI variable.

2007-10-18  Rob Crittenden

  * If mod_ssl isn't loaded then register the hooks to mod_proxy so we can
    do at least secure proxy in front of an insecure host.

2007-06-07  Rob Crittenden

  * The error message was wrong if NSSPassPhraseHelper pointed to a
    non-existent file.
  * Don't require a password file AND NSSPassPhraseHelper. Only the helper
    is required.

2007-06-01  Rob Crittenden

  * mod_nss 1.0.7
  * Stop processing tokens when a login fails so we can correctly report
    the failure.
  * Fix an off-by-one error in nss_pcache that prevented 1 character
    passwords (not a huge problem but a bug nonetheless).
  * Bring in some updates based on diffs from 2.0.59 to 2.2.4.
  * Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is
    enabled.
  * Don't depend on the fact that TRUE == 1.
  * Remove some dead code.
  * Minor update to the buffer code that buffers POST data during a
    renegotiation.
  * Optimize setting environment variables by using a switch statement.
  * Fix typo in cipher echde_rsa_null (transposed h and d).
  * The way I was detecting the model being used was incorrect. Now use
    the # of threads available. Guaranteed to be 0 for prefork and > 0 for
    worker (threaded).

2006-10-27  Rob Crittenden

  * mod_nss 1.0.6
  * If NSSEngine is off then simply don't initialize NSS at all.
  * Add support for setting a default OCSP responder.

2006-10-17  Rob Crittenden

  * mod_nss 1.0.5
  * Fix for a minor problem introduced with 1.0.4. NSS_Shutdown() was
    being called during module unload even if SSL wasn't enabled, causing
    an error to display in the log.
2006-10-11  Rob Crittenden

  * mod_nss 1.0.4
  * Merged in some changes from mod_ssl:
    * New env variables SSL_{SERVER,CLIENT}_V_REMAIN that contain the
      number of days until the certificate expires.
    * Attempt to buffer POST data in an SSL renegotiation.
  * And some changes specific to mod_nss:
    * Better way to distinguish Apache 2.0.x versus Apache 2.2.x. The old
      way broke when 2.0.56 was introduced.
    * Fix crash bug if the stored token password doesn't match the
      database password.
    * Add new NSSPassPhraseDialog method, defer, where only the tokens
      that are found in the file pointed to by this directive are
      initialized.
    * Fix race condition in initializing the NSS session cache that could
      cause a core on startup.
    * Update nss.conf.in to contain LogLevel and its own log files.
    * A missing initialization when built with ECC support that could
      cause the server to not start.

2006-06-21  Rob Crittenden

  * mod_nss 1.0.3
  * Final ECC support.
  * Compiles on Solaris with the Forte Workshop compiler (tested with 6.2
    and 11).
  * A number of compilation warnings were addressed.
  * gencert now uses bash instead of ksh.

2006-03-02  Rob Crittenden

  * Experimental Elliptic Curve Cryptography (ECC) added. Requires a
    version of NSS also built with ECC support. Available in the CVS tip.

2006-01-31  Rob Crittenden

  * mod_nss 1.0.2
  * Add support for Apache 2.2 (contributed by Oden Eriksson).

2006-09-20  Rob Crittenden

  * mod_nss 1.0.0
  * Support for SSLv2, SSLv3, TLSv1.
  * OCSP and CRLs.
  * Client certificate authentication.
  * Can run concurrently with mod_ssl.