Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-11-06 16:50:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-10-31 19:57:44.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-11-06 16:50:56.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Nov 4 14:13:46 UTC 2014 - [email protected] + +- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch + that adding small fixes for support of TLS v1.2 + +------------------------------------------------------------------- New: ---- mod_nss-add_support_for_enabling_TLS_v1.2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++ --- /var/tmp/diff_new_pack.e5AH66/_old 2014-11-06 16:50:58.000000000 +0100 +++ /var/tmp/diff_new_pack.e5AH66/_new 2014-11-06 16:50:58.000000000 +0100 @@ -72,6 +72,8 @@ Patch23: mod_nss-bnc863518-reopen_dev_tty.diff # PATCH-FIX-UPSTREAM bnc#897712 [email protected] -- check for the misconfiguration of certificate's CN and virtual name Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch +# PATCH-FIX-UPSTREAM bnc#902068 [email protected] -- small fixes for TLS-v1.2 +Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 @@ -112,6 +114,7 @@ %patch20 -p0 -b .ciphers.doc.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch +%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} >= 1300 ++++++ mod_nss-add_support_for_enabling_TLS_v1.2.patch ++++++ >From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <[email protected]> Date: Thu, 16 Oct 2014 14:05:05 -0400 Subject: [PATCH] Add support for enabling TLS v1.2 If support is available in NSS then it is just a matter of including TLS 1.2 in the protocol range. --- docs/mod_nss.html | 97 ++++++++++++++++++++++++++++--------------------------- mod_nss.c | 4 +-- nss.conf.in | 2 +- nss_engine_init.c | 51 +++++++++++++++++------------ nss_engine_vars.c | 3 ++ 5 files changed, 86 insertions(+), 71 deletions(-) Index: mod_nss-1.0.8/nss.conf.in =================================================================== --- mod_nss-1.0.8.orig/nss.conf.in +++ mod_nss-1.0.8/nss.conf.in @@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha -NSSProtocol SSLv3,TLSv1 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. Index: mod_nss-1.0.8/nss_engine_vars.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c @@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver case SSL_LIBRARY_VERSION_TLS_1_1: result = "TLSv1.1"; break; + case SSL_LIBRARY_VERSION_TLS_1_2: + result = "TLSv1.2"; + break; } } } Index: mod_nss-1.0.8/nss_engine_init.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_init.c +++ mod_nss-1.0.8/nss_engine_init.c @@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server * cannot be excluded from this range. NSS will automatically negotiate * to utilize the strongest acceptable protocol for a connection starting * with the maximum specified protocol and downgrading as necessary to the - * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). + * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0). */ if (stat == SECSuccess) { /* Set minimum protocol version (lowest -> highest) * - * SSL 3.0 -> TLS 1.0 -> TLS 1.1 + * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 */ if (ssl3 == 1) { enabledVersions.min = SSL_LIBRARY_VERSION_3_0; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
