Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2013-08-07 20:43:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2013-08-02 15:01:07.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2013-08-07 20:43:07.000000000 +0200 @@ -1,0 +2,10 @@ +Fri Aug 2 08:29:35 UTC 2013 - [email protected] + +- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. +- mod_nss-clientauth.patch: merged from RHEL6 pkg +- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg +- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg +- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg +- make it build on both Apache2 2.4 and 2.2 systems + +------------------------------------------------------------------- New: ---- mod_nss-PK11_ListCerts_2.patch mod_nss-clientauth.patch mod_nss-no_shutdown_if_not_init_2.patch mod_nss-sslmultiproxy.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++ --- /var/tmp/diff_new_pack.1oLG3Z/_old 2013-08-07 20:43:08.000000000 +0200 +++ /var/tmp/diff_new_pack.1oLG3Z/_new 2013-08-07 20:43:08.000000000 +0200 @@ -53,6 +53,11 @@ Patch10: mod_nss-proxyvariables.patch Patch11: mod_nss-tlsv1_1.patch Patch12: mod_nss-array_overrun.patch +Patch13: mod_nss-clientauth.patch +Patch14: mod_nss-no_shutdown_if_not_init_2.patch +Patch15: mod_nss-PK11_ListCerts_2.patch +Patch16: mod_nss-sslmultiproxy.patch +Patch17: mod_nss-overlapping_memcpy.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 
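Review bot: The `Patch17: mod_nss-overlapping_memcpy.patch` line added in this hunk names a file that appears neither in the New: file list above nor in the changelog entry, unlike the four other patches introduced here. Unless that file was already sitting unreferenced in the package directory, `%prep` will fail at `%patch17`; either way the changelog should name it with a one-line origin like the others, e.g. `- mod_nss-overlapping_memcpy.patch: merged from RHEL6 pkg` if that is where it came from. The Patch list itself continues above the hunk.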
@@ -78,12 +83,19 @@ %patch6 -p1 -b .pcachesignal.h %patch7 -p1 -b .reseterror %patch8 -p1 -b .lockpcache -%if 0%{?suse_version} >= 1300 -%patch9 -p1 -b .http24 -%endif %patch10 -p1 -b .proxyvariables %patch11 -p1 -b .tlsv1_1 %patch12 -p1 -b .array_overrun +%patch13 -p1 -b .clientauth.patch +%patch14 -p1 -b .no_shutdown_if_not_init_2 +%patch15 -p1 -b .PK11_ListCerts_2 +%patch16 -p1 -b .sslmultiproxy +%patch17 -p1 -b .overlapping_memcpy + +# keep this last, otherwise we get fuzzyness from above +%if 0%{?suse_version} >= 1300 +%patch9 -p1 -b .http24 +%endif # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] ++++++ mod_nss-PK11_ListCerts_2.patch ++++++ diff -pu mod_nss.h mod_nss.h.PK11_ListCerts --- ./mod_nss.h 2010-09-08 21:06:49.000000000 +0800 +++ ./mod_nss.h.PK11_ListCerts 2010-09-08 21:06:22.000000000 +0800 @@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd /* module initialization */ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); void nss_init_Child(apr_pool_t *, server_rec *); -void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); +void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); apr_status_t nss_init_ModuleKill(void *data); apr_status_t nss_init_ChildKill(void *data); int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts --- ./nss_engine_init.c 2010-09-08 21:07:13.000000000 +0800 +++ ./nss_engine_init.c.PK11_ListCerts 2010-09-09 00:21:59.000000000 +0800 
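Review bot: The backup suffix on the `%patch13 -p1 -b .clientauth.patch` line carries a trailing `.patch`, unlike every other `-b` suffix in this hunk (`.tlsv1_1`, `.sslmultiproxy`, …), so the backup copies left in the build tree would be named `*.clientauth.patch` and look like patch files; `%patch13 -p1 -b .clientauth` follows the convention. The "keep this last" comment on the moved `%patch9` block would be more durable if it said what it conflicts with: the regenerated httpd24 patch below shows its mod_nss.h hunk now carries `#include "mod_ssl.h"` as context, which the sslmultiproxy patch adds, so `# keep this last: it overlaps the mod_nss.h include block that sslmultiproxy edits` records the actual ordering constraint.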
@@ -26,7 +26,7 @@ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); -static CERTCertificate* FindServerCertFromNickname(const char* name); +static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); /* @@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, "Init: Initializing (virtual) servers for SSL"); + CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); /* @@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p /* * Read the server certificate and key */ - nss_init_ConfigureServer(s, p, ptemp, sc); + nss_init_ConfigureServer(s, p, ptemp, sc, clist); + } + + if (clist) { + CERT_DestroyCertList(clist); } } @@ -880,7 +886,8 @@ static void nss_init_certificate(server_ SECKEYPrivateKey **serverkey, SSLKEAType *KEAtype, PRFileDesc *model, - int enforce) + int enforce, + const CERTCertList* clist) { SECCertTimeValidity certtimestatus; SECStatus secstatus; 
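Review bot: The `CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);` added to nss_init_Module has no failure check or diagnostic, although the `if (clist)` guard placed before CERT_DestroyCertList in the next hunk shows that a NULL result is anticipated. A NULL list is then handed to every virtual server, which presumably fails to find its nickname and reports that instead of the real cause (an unreadable certificate database, a token that could not be opened). Log it at the source: `if (clist == NULL) nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);` right after the call. nss_init_Module begins and ends outside the hunk.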
@@ -894,17 +901,15 @@ static void nss_init_certificate(server_ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Using nickname %s.", nickname); - *servercert = FindServerCertFromNickname(nickname); + *servercert = FindServerCertFromNickname(nickname, clist); /* Verify the certificate chain. */ if (*servercert != NULL) { SECCertificateUsage usage = certificateUsageSSLServer; - if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Certificate not verified: '%s'", nickname); + if (enforce) { + if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) { nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); - if (enforce) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname); nss_die(); @@ -994,7 +999,8 @@ static void nss_init_certificate(server_ static void nss_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - modnss_ctx_t *mctx) + modnss_ctx_t *mctx, + const CERTCertList* clist) { SECStatus secstatus; @@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server nss_init_certificate(s, mctx->nickname, &mctx->servercert, &mctx->serverkey, &mctx->serverKEAType, - mctx->model, mctx->enforce); + mctx->model, mctx->enforce, clist); #ifdef NSS_ENABLE_ECC nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert, &mctx->eccserverkey, &mctx->eccserverKEAType, - mctx->model, mctx->enforce); + mctx->model, mctx->enforce, clist); #endif } 
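Review bot: The restructured check in this hunk calls `CERT_VerifyCertificateNow` only inside `if (enforce)`, so with `NSSEnforceValidCerts off` the server certificate chain is no longer verified at all and the former "Certificate not verified" diagnostic disappears with it; an expired or untrusted chain is then served silently instead of being served with a logged warning. Keep the verification unconditional and make only the fatal path depend on the flag: call `CERT_VerifyCertificateNow(...)` as before, report the failure with `nss_log_nss_error(APLOG_MARK, enforce ? APLOG_ERR : APLOG_WARNING, s);`, and wrap just the "Unable to verify certificate" message and `nss_die()` in `if (enforce)`. nss_init_certificate begins and ends outside the hunk.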
@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server static void nss_init_proxy_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { nss_init_ctx(s, p, ptemp, sc->proxy); - nss_init_server_certs(s, p, ptemp, sc->proxy); + nss_init_server_certs(s, p, ptemp, sc->proxy, clist); } static void nss_init_server_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { nss_init_server_check(s, p, ptemp, sc->server); nss_init_ctx(s, p, ptemp, sc->server); - nss_init_server_certs(s, p, ptemp, sc->server); + nss_init_server_certs(s, p, ptemp, sc->server, clist); } /* @@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r void nss_init_ConfigureServer(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, - SSLSrvConfigRec *sc) + SSLSrvConfigRec *sc, + const CERTCertList* clist) { if (sc->enabled == TRUE) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Configuring server for SSL protocol"); - nss_init_server_ctx(s, p, ptemp, sc); + nss_init_server_ctx(s, p, ptemp, sc, clist); } if (sc->proxy_enabled == TRUE) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Enabling proxy."); - nss_init_proxy_ctx(s, p, ptemp, sc); + nss_init_proxy_ctx(s, p, ptemp, sc, clist); } } @@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve nss_init_SSLLibrary(base_server); /* Configure all virtual servers */ + CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); if (sc->server->servercert == NULL && NSS_IsInitialized()) - nss_init_ConfigureServer(s, p, mc->ptemp, sc); + nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); + } + if (clist) { + CERT_DestroyCertList(clist); } /* 
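Review bot: The `CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);` added to nss_init_Child runs before the loop, while the loop itself calls nss_init_ConfigureServer only `if (... NSS_IsInitialized())`, so the PK11 call is now made in children where NSS may never have been initialized, the kind of call the no_shutdown_if_not_init patch in this same commit takes care to avoid on the shutdown side. Guard it the same way, `CERTCertList* clist = NSS_IsInitialized() ? PK11_ListCerts(PK11CertListUser, NULL) : NULL;`; the existing `if (clist)` before CERT_DestroyCertList then remains correct. nss_init_Child begins and ends outside the hunk.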
@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER * newest, valid server certificate. */ static CERTCertificate* -FindServerCertFromNickname(const char* name) +FindServerCertFromNickname(const char* name, const CERTCertList* clist) { - CERTCertList* clist; CERTCertificate* bestcert = NULL; CERTCertListNode *cln; @@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n if (name == NULL) return NULL; - clist = PK11_ListCerts(PK11CertListUser, NULL); - for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist); cln = CERT_LIST_NEXT(cln)) { CERTCertificate* cert = cln->cert; @@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n if (bestcert) { bestcert = CERT_DupCertificate(bestcert); } - if (clist) { - CERT_DestroyCertList(clist); - } return bestcert; } ++++++ mod_nss-clientauth.patch ++++++ The first fix is to retrieve the full certificate subject instead of just the CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL. The second always attempts to retrieve the client certificate in nss_hook_ReadReq(). https://bugzilla.redhat.com/show_bug.cgi?id=702437 --- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400 +++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400 @@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes status = SSL_AuthCertificate(arg, socket, checksig, isServer); - if (status == SECSuccess) { - conn_rec *c = filter_ctx->c; - SSLConnRec *sslconn = myConnConfig(c); - - sslconn->client_cert = SSL_PeerCertificate(socket); - sslconn->client_dn = NULL; - } + /* The certificate is copied to sslconn->client_cert in + * nss_hook_ReadReq() + */ return status; } --- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400 +++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400 
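Review bot: FindServerCertFromNickname now walks `CERT_LIST_HEAD(clist)` on a list it no longer obtains itself, yet the early return still checks only `name`; both callers in nss_engine_init.c test `if (clist)` before CERT_DestroyCertList, so a NULL list is evidently possible and would be dereferenced here. Extend the guard to `if (name == NULL || clist == NULL) return NULL;`. The comment above the function should also state that the caller owns `clist` now that the CERT_DestroyCertList call has moved out. The function begins outside the hunk.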
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r) nss_util_vhostid(r->pool, r->server)); } + if (sslconn->client_cert != NULL) + CERT_DestroyCertificate(sslconn->client_cert); + sslconn->client_cert = SSL_PeerCertificate(ssl); + sslconn->client_dn = NULL; + return DECLINED; } @@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r) } if (!sslconn->client_dn) { - char * cp = CERT_GetCommonName(&sslconn->client_cert->subject); - sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); + char * cp = CERT_NameToAscii(&sslconn->client_cert->subject); + sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL); PORT_Free(cp); } ++++++ mod_nss-httpd24.patch ++++++ --- /var/tmp/diff_new_pack.1oLG3Z/_old 2013-08-07 20:43:08.000000000 +0200 +++ /var/tmp/diff_new_pack.1oLG3Z/_new 2013-08-07 20:43:08.000000000 +0200 @@ -1,7 +1,8 @@ -diff -ru mod_nss/mod_nss.c mod_nss-1.0.8/mod_nss.c ---- mod_nss/mod_nss.c 2012-06-12 12:23:29.961000000 -0700 -+++ mod_nss-1.0.8/mod_nss.c 2012-06-12 12:00:35.957002099 -0700 -@@ -349,7 +349,7 @@ +Index: mod_nss-1.0.8/mod_nss.c +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.c ++++ mod_nss-1.0.8/mod_nss.c +@@ -362,7 +362,7 @@ static int nss_hook_pre_connection(conn_ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, "Connection to child %ld established " "(server %s, client %s)", c->id, sc->vhost_id, 
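Review bot: In the nss_hook_UserCheck hunk the result of `CERT_NameToAscii(&sslconn->client_cert->subject)` is used without a NULL check; if it fails, `apr_pstrcat` stops at the NULL argument and `client_dn` becomes the bare string "/", which FakeBasicAuth would then present as the user name for every client whose subject could not be rendered. Guard it before building the name, `if (cp == NULL) return HTTP_FORBIDDEN;` or whatever denial this function uses on its other failure paths, which lie outside the hunk. Note also that NSS renders names as comma-separated RDNs (presumably `CN=...,O=...`), so a leading "/" alone does not produce OpenSSL's `/C=.../O=.../CN=...` one-line form and password files created for mod_ssl may still not match; the compatibility claim in the patch description deserves that caveat in a comment. nss_hook_UserCheck begins and ends outside the hunk.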
@@ -10,18 +11,19 @@ mctx = sslconn->is_proxy ? sc->proxy : sc->server; -diff -ru mod_nss/mod_nss.h mod_nss-1.0.8/mod_nss.h ---- mod_nss/mod_nss.h 2012-06-12 12:23:29.962000000 -0700 -+++ mod_nss-1.0.8/mod_nss.h 2012-06-12 12:00:35.955002240 -0700 -@@ -27,7 +27,6 @@ - #include "http_protocol.h" +Index: mod_nss-1.0.8/mod_nss.h +=================================================================== +--- mod_nss-1.0.8.orig/mod_nss.h ++++ mod_nss-1.0.8/mod_nss.h +@@ -28,7 +28,6 @@ + #include "mod_ssl.h" #include "util_script.h" #include "util_filter.h" -#include "mpm.h" #include "apr.h" #include "apr_strings.h" #define APR_WANT_STRFUNC -@@ -490,7 +489,7 @@ +@@ -481,7 +480,7 @@ int nss_rand_seed(server_rec *s, apr_poo SECStatus nss_Init_Tokens(server_rec *s); /* Logging */ @@ -30,9 +32,10 @@ void nss_die(void); /* NSS callback */ -diff -ru mod_nss/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c ---- mod_nss/nss_engine_init.c 2012-06-12 12:23:29.962000000 -0700 -+++ mod_nss-1.0.8/nss_engine_init.c 2012-06-12 12:00:35.955002240 -0700 +Index: mod_nss-1.0.8/nss_engine_init.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_init.c ++++ mod_nss-1.0.8/nss_engine_init.c @@ -15,7 +15,7 @@ #include "mod_nss.h" @@ -42,10 +45,11 @@ #include "secmod.h" #include "sslerr.h" #include "pk11func.h" -diff -ru mod_nss/nss_engine_io.c mod_nss-1.0.8/nss_engine_io.c ---- mod_nss/nss_engine_io.c 2012-06-12 12:23:29.963000000 -0700 -+++ mod_nss-1.0.8/nss_engine_io.c 2012-06-12 12:00:35.956002167 -0700 -@@ -621,13 +621,13 @@ +Index: mod_nss-1.0.8/nss_engine_io.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_io.c ++++ mod_nss-1.0.8/nss_engine_io.c +@@ -620,13 +620,13 @@ static apr_status_t nss_filter_io_shutdo PR_Close(ssl); /* log the fact that we've closed the connection */ 
@@ -61,7 +65,7 @@ } /* deallocate the SSL connection */ -@@ -1165,7 +1165,7 @@ +@@ -1164,7 +1164,7 @@ static PRStatus PR_CALLBACK nspr_filter_ filter_ctx = (nss_filter_ctx_t *)(fd->secret); c = filter_ctx->c; @@ -70,10 +74,11 @@ } /* -diff -ru mod_nss/nss_engine_kernel.c mod_nss-1.0.8/nss_engine_kernel.c ---- mod_nss/nss_engine_kernel.c 2012-06-12 12:23:29.963000000 -0700 -+++ mod_nss-1.0.8/nss_engine_kernel.c 2012-06-12 12:00:35.954002314 -0700 -@@ -73,7 +73,7 @@ +Index: mod_nss-1.0.8/nss_engine_kernel.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_kernel.c ++++ mod_nss-1.0.8/nss_engine_kernel.c +@@ -73,7 +73,7 @@ int nss_hook_ReadReq(request_rec *r) /* * Log information about incoming HTTPS requests */ @@ -82,7 +87,7 @@ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "%s HTTPS request received for child %ld (server %s)", (r->connection->keepalives <= 0 ? -@@ -530,7 +530,7 @@ +@@ -530,7 +530,7 @@ int nss_hook_Access(request_rec *r) ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Access to %s denied for %s " "(requirement expression not fulfilled)", @@ -91,10 +96,11 @@ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Failed expression: %s", req->cpExpr); -diff -ru mod_nss/nss_engine_log.c mod_nss-1.0.8/nss_engine_log.c ---- mod_nss/nss_engine_log.c 2012-06-12 12:23:29.964000000 -0700 -+++ mod_nss-1.0.8/nss_engine_log.c 2012-06-12 12:00:35.955002240 -0700 -@@ -321,7 +321,7 @@ +Index: mod_nss-1.0.8/nss_engine_log.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_log.c ++++ mod_nss-1.0.8/nss_engine_log.c +@@ -321,7 +321,7 @@ void nss_die(void) exit(1); } @@ -103,7 +109,7 @@ { const char *err; PRInt32 error; -@@ -340,7 +340,7 @@ +@@ -340,7 +340,7 @@ void nss_log_nss_error(const char *file, err = "Unknown"; } 
@@ -112,10 +118,11 @@ "SSL Library Error: %d %s", error, err); } -diff -ru mod_nss/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c ---- mod_nss/nss_engine_vars.c 2012-06-12 12:23:29.965000000 -0700 -+++ mod_nss-1.0.8/nss_engine_vars.c 2012-06-12 12:00:35.948002812 -0700 -@@ -178,7 +178,7 @@ +Index: mod_nss-1.0.8/nss_engine_vars.c +=================================================================== +--- mod_nss-1.0.8.orig/nss_engine_vars.c ++++ mod_nss-1.0.8/nss_engine_vars.c +@@ -196,7 +196,7 @@ char *nss_var_lookup(apr_pool_t *p, serv && sslconn && sslconn->ssl) result = nss_var_lookup_ssl(p, c, var+4); else if (strcEQ(var, "REMOTE_ADDR")) @@ -124,7 +131,7 @@ else if (strcEQ(var, "HTTPS")) { if (sslconn && sslconn->ssl) result = "on"; -@@ -194,7 +194,7 @@ +@@ -212,7 +212,7 @@ char *nss_var_lookup(apr_pool_t *p, serv if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) result = nss_var_lookup_nss_version(p, var+12); else if (strcEQ(var, "SERVER_SOFTWARE")) ++++++ mod_nss-no_shutdown_if_not_init_2.patch ++++++ diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c 2012-01-27 17:18:41.001015000 -0800 +++ mod_nss-1.0.8/nss_engine_init.c 2012-01-27 17:20:14.093830000 -0800 @@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da server_rec *s; int shutdown = 0; - /* Clear any client-side session cache data */ - SSL_ClearSessionCache(); - /* * Free the non-pool allocated structures * in the per-server configurations @@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da } if (shutdown) { + /* Clear any client-side session cache data */ + SSL_ClearSessionCache(); + if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()) != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++++++ mod_nss-sslmultiproxy.patch ++++++ Index: mod_nss-1.0.8/mod_nss.c =================================================================== --- mod_nss-1.0.8.orig/mod_nss.c +++ mod_nss-1.0.8/mod_nss.c 
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c return sslconn; } +static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; + int nss_proxy_enable(conn_rec *c) { SSLSrvConfigRec *sc = mySrvConfig(c->base_server); @@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c) SSLConnRec *sslconn = nss_init_connection_ctx(c); if (!sc->proxy_enabled) { + if (othermod_proxy_enable) { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, + "mod_nss proxy not configured, passing through to mod_ssl module"); + return othermod_proxy_enable(c); + } + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, "SSL Proxy requested for %s but not enabled " "[Hint: NSSProxyEngine]", sc->vhost_id); @@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c) return 1; } -int ssl_proxy_enable(conn_rec *c) { +static int ssl_proxy_enable(conn_rec *c) { return nss_proxy_enable(c); } @@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c) SSLConnRec *sslconn; + if (othermod_engine_disable) { + othermod_engine_disable(c); + } + if (sc->enabled == FALSE) { return 0; } @@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c) return 1; } -int ssl_engine_disable(conn_rec *c) { +static int ssl_engine_disable(conn_rec *c) { return nss_engine_disable(c); } 
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_ nss_var_register(); + /* Always register these mod_nss optional functions */ APR_REGISTER_OPTIONAL_FN(nss_proxy_enable); APR_REGISTER_OPTIONAL_FN(nss_engine_disable); - /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */ - if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); - if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + /* Save the state of any previously registered mod_ssl functions */ + othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); + othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); + + /* Always register these local mod_ssl optional functions */ + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); } module AP_MODULE_DECLARE_DATA nss_module = { Index: mod_nss-1.0.8/mod_nss.h =================================================================== --- mod_nss-1.0.8.orig/mod_nss.h +++ mod_nss-1.0.8/mod_nss.h @@ -13,8 +13,8 @@ * limitations under the License. */ -#ifndef __MOD_SSL_H__ -#define __MOD_SSL_H__ +#ifndef __MOD_NSS_H__ +#define __MOD_NSS_H__ /* Apache headers */ #include "httpd.h" @@ -25,6 +25,7 @@ #include "http_connection.h" #include "http_request.h" #include "http_protocol.h" +#include "mod_ssl.h" #include "util_script.h" #include "util_filter.h" #include "mpm.h" 
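Review bot: The retrieve-then-register sequence added to nss_register_hooks only chains to mod_ssl when mod_ssl's register_hooks has already run, i.e. when mod_ssl is loaded before mod_nss; in the opposite order `othermod_proxy_enable` and `othermod_engine_disable` stay NULL and mod_ssl's later registration presumably replaces the `ssl_proxy_enable`/`ssl_engine_disable` entries registered here, so proxy connections on mod_nss vhosts would be routed to mod_ssl. That ordering dependency is visible neither in the code nor in the spec; record it next to the retrieval, e.g. `/* NOTE: chaining works only if mod_ssl is loaded before mod_nss; a later mod_ssl registration overrides the entries below */`, and state the required LoadModule order in the module documentation. nss_register_hooks begins outside the hunk.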
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r); /* Variables */ void nss_var_register(void); char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); -char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); void nss_var_log_config_register(apr_pool_t *p); APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup, (apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *)); -APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, - (apr_pool_t *, server_rec *, - conn_rec *, request_rec *, - char *)); /* An optional function which returns non-zero if the given connection * is using SSL/TLS. */ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); /* Proxy Support */ int nss_proxy_enable(conn_rec *c); int nss_engine_disable(conn_rec *c); -int ssl_proxy_enable(conn_rec *c); -int ssl_engine_disable(conn_rec *c); APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *)); -APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); /* I/O */ PRFileDesc * nss_io_new_fd(); @@ -495,4 +486,4 @@ void nss_die(void); /* NSS callback */ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); -#endif /* __MOD_SSL_H__ */ +#endif /* __MOD_NSS_H__ */ Index: mod_nss-1.0.8/nss_engine_vars.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c 
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var); static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var); static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c); +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); + +static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; +static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; static int nss_is_https(conn_rec *c) { SSLConnRec *sslconn = myConnConfig(c); - return sslconn && sslconn->ssl; + + return (sslconn && sslconn->ssl) + || (othermod_is_https && othermod_is_https(c)); } static int ssl_is_https(conn_rec *c) { @@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) { void nss_var_register(void) { + /* Always register these mod_nss optional functions */ APR_REGISTER_OPTIONAL_FN(nss_is_https); APR_REGISTER_OPTIONAL_FN(nss_var_lookup); - /* These can only be registered if mod_ssl is not loaded */ - if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_is_https); - if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL) - APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + /* Save the state of any previously registered mod_ssl functions */ + othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); + othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); + + /* Always register these local mod_ssl optional functions */ + APR_REGISTER_OPTIONAL_FN(ssl_is_https); + APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); return; } 
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv */ if (result == NULL && c != NULL) { SSLConnRec *sslconn = myConnConfig(c); + + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { + /* If mod_ssl is registered for this connection, + * pass any SSL_* variable through to the mod_ssl module + */ + return othermod_var_lookup(p, s, c, r, var); + } + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) && sslconn && sslconn->ssl) result = nss_var_lookup_ssl(p, c, var+4); @@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv return result; } -char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { +static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { return nss_var_lookup(p, s, c, r, var); } ++++++ mod_nss-tlsv1_1.patch ++++++ --- /var/tmp/diff_new_pack.1oLG3Z/_old 2013-08-07 20:43:08.000000000 +0200 +++ /var/tmp/diff_new_pack.1oLG3Z/_new 2013-08-07 20:43:08.000000000 +0200 @@ -391,9 +391,9 @@ +# with the maximum specified protocol and downgrading as necessary to the +# minimum specified protocol that can be used between two processes. +# Since all protocol ranges are completely inclusive, and no protocol in the -+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" -+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -+NSSProtocol SSLv3,TLSv1.0,TLSv1.1 ++# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2" ++# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2". ++NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
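Review bot: The pass-through added to nss_var_lookup delegates to mod_ssl only for names starting with `SSL_`, yet this function is also what `ssl_var_lookup` resolves to once mod_nss registers it, and its remaining branches answer from mod_nss's own connection state; the `HTTPS` branch further down (visible as context in the httpd24 patch above) yields "on" only when `sslconn->ssl` is set, so a mod_ssl connection asking for `HTTPS` through this entry point gets mod_nss's answer rather than mod_ssl's. Extend the delegation condition to cover that name as well: `if ((!sslconn || !sslconn->ssl) && othermod_var_lookup && (strcEQ(var, "HTTPS") || (strlen(var) > 4 && strcEQn(var, "SSL_", 4))))`. Any other connection-level name the two modules answer differently needs the same treatment. nss_var_lookup begins and ends outside the hunk.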
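Review bot: The shipped default on the `+NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2` line still enables SSLv3, so every freshly installed server accepts an SSLv3 handshake from a client that offers nothing newer, and the inclusive-range rule described in the comment above means the only way to exclude it is to start the range at TLSv1.0. Since this change raises the ceiling to TLSv1.2, raise the floor at the same time, `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2`, and leave SSLv3 as an explicit opt-in mentioned in the comment rather than the default.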
