Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-10-19 22:53:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-07-20 11:21:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2015-10-20 00:09:01.000000000 +0200
@@ -1,0 +2,39 @@
+Wed Oct 14 09:23:18 UTC 2015 - [email protected]
+
+- mod_nss-httpd24.patch applied depending on %{apache_branch} 
+  instead of %{suse_version}, fixes build for sle11 with new apache
+
+-------------------------------------------------------------------
+Fri Oct  2 14:35:41 UTC 2015 - [email protected]
+
+- test module with %apache_test_module_curl
+
+-------------------------------------------------------------------
+Mon Sep  7 08:25:03 UTC 2015 - [email protected]
+
+- unified ciphers with SLE-12
+  * modified patches:
+    mod_nss-cipherlist_update_for_tls12-doc.diff
+    mod_nss-cipherlist_update_for_tls12.diff
+    update-ciphers.patch
+
+-------------------------------------------------------------------
+Mon Sep  7 08:03:31 UTC 2015 - [email protected]
+
+- send TLS server name extension on proxy connections (bsc#933832)
+  * added mod_nss-reverse_proxy_send_SNI.patch
+- updates to the SNI code (from Stanislav Tokos):
+  update update-ciphers.patch
+  (bsc#928039)
+  merge changes from the mod_nss-SNI_support.patch to:
+  0001-SNI-check-with-NameVirtualHosts.patch
+  (bnc#927402)
+  abstract hash for NSSNickname and ServerName, add ServerAliases and Wild
+  Cards for vhost
+  (bsc#927402, bsc#928039, bsc#930922)
+  replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts)
+  (bsc#930186)
+  add alert about permission on the certificate database
+  (bsc#933265)
+
+-------------------------------------------------------------------

Old:
----
  mod_nss-SNI_support.patch

New:
----
  0001-SNI-check-with-NameVirtualHosts.patch
  mod_nss-reverse_proxy_send_SNI.patch
  update-ciphers.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.XpMPTp/_old  2015-10-20 00:09:02.000000000 +0200
+++ /var/tmp/diff_new_pack.XpMPTp/_new  2015-10-20 00:09:02.000000000 +0200
@@ -39,6 +39,7 @@
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  bison
+BuildRequires:  curl
 BuildRequires:  findutils
 BuildRequires:  flex
 BuildRequires:  gcc-c++
@@ -78,7 +79,9 @@
 # PATCH-FIX-UPSTREAM bnc#902068 [email protected] -- small fixes for TLS-v1.2
 Patch25:        mod_nss-add_support_for_enabling_TLS_v1.2.patch
 # PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 [email protected] -- add 
Server Name Indication support
-Patch26:        mod_nss-SNI_support.patch
+Patch26:        0001-SNI-check-with-NameVirtualHosts.patch
+Patch27:        update-ciphers.patch
+Patch28:        mod_nss-reverse_proxy_send_SNI.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
@@ -120,10 +123,12 @@
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
 %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
-%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch
+%patch26 -p1 -b .SNI_support.rpmpatch
+%patch27 -p1 -b .update-ciphers.rpmpatch
+%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
-%if 0%{?suse_version} >= 1300
+%if "%{apache_branch}" != "2.2"
 %patch9 -p1 -b .http24
 %endif
 
@@ -185,8 +190,51 @@
 touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
 perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+%check
+set +x
+mkdir -p %{apache_test_module_dir}
+# create test configuration
+cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
+NSSEngine on
+NSSNickname Server-Cert
+NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
+NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
+NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
+<Directory /tmp/apache2-mod_nss_test/htdocs>
+  Require local
+</Directory>
+EOF
+# create test certificate
+mkdir -p %{apache_test_module_dir}/mod_nss.d
+#   bend gencert to use ServerName of apache test instance
+cp %{buildroot}%{_sbindir}/gencert .
+sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
+./gencert  %{apache_test_module_dir}/mod_nss.d > 
%{apache_test_module_dir}/mod_nss.d/LOG 2>&1
+# create test document
+mkdir -p %{apache_test_module_dir}/htdocs
+cat << EOF > %{apache_test_module_dir}/htdocs/index.html
+HTTPS HELLO
+EOF
+exit_code=0
+# run apache test instance
+%apache_test_module_start_apache -m nss -i mod_nss-test.conf
+# get test document 
+%apache_test_module_curl -r https -d /index.html -o 
%{apache_test_module_dir}/output.txt
+echo
+echo 'Testing /index.html output'
+grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
+if [ $exit_code -eq 0 ]; then
+  echo 'SUCCESS'
+else
+  echo 'FAILED, error_log:'
+  cat %{apache_test_module_dir}/error_log
+fi
+echo
+# stop apache test instance
+%apache_test_module_stop_apache
+set -x
+exit $exit_code
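Review bot: The `<Directory /tmp/apache2-mod_nss_test/htdocs>` stanza hardcodes a path while every other line of this %check uses `%{apache_test_module_dir}`; if the macro ever expands to a different directory, `Require local` no longer covers the document root and the GET is answered by whatever access policy the test instance applies there instead, so write it as `<Directory %{apache_test_module_dir}/htdocs>`. The verdict is decided solely by the grep on output.txt, which is fine, but `%apache_test_module_start_apache` itself is not checked, so a server that fails to start is only reported indirectly through the "FAILED, error_log:" branch; a one-line comment saying that is the intended path would help the next reader. The NSSPassPhraseHelper line spells the helper as `%{buildroot}/usr/sbin/nss_pcache` whereas the gencert copy a few lines later uses `%{buildroot}%{_sbindir}`; using the macro in both places keeps them in step.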
 
 %post
 umask 077

++++++ 0001-SNI-check-with-NameVirtualHosts.patch ++++++
>From 1b4116cce21ab58e7a1b9f6ff46de0adce6b9ff0 Mon Sep 17 00:00:00 2001
From: standa <[email protected]>
Date: Thu, 25 Jun 2015 17:14:56 +0200
Subject: [PATCH] SNI check with NameVirtualHosts

---
 docs/mod_nss.html   |  14 ++++-
 mod_nss.c           |   3 ++
 mod_nss.h           |  21 ++++++++
 nss_engine_config.c |  11 ++++
 nss_engine_init.c   | 149 ++++++++++++++++++++++++++++++++++++++++++++++------
 nss_engine_kernel.c |  51 ++++++++++++++++++
 nss_util.c          |  72 ++++++++++++++++++++++++-
 7 files changed, 303 insertions(+), 18 deletions(-)

Index: mod_nss-1.0.8/docs/mod_nss.html
===================================================================
--- mod_nss-1.0.8.orig/docs/mod_nss.html
+++ mod_nss-1.0.8/docs/mod_nss.html
@@ -195,7 +195,9 @@ following line to httpd.conf (location r
 </code><br>
 This has Apache load the mod_nss configuration file, <code>nss.conf</code>.
 It is here that you will setup your VirtualServer entries to and
-configure your SSL servers.<br>
+configure your SSL servers. If you have a certificate with the Subject
+Alternative Names then you will set up these names like ServerAlias for your 
virtual host.<br>
+
 <h1><a name="Generation"></a>Certificate Generation</h1>
 A ksh script, <code>gencert</code>, is included to automatically
 generate a self-signed CA plus one server certificate. This is fine for
@@ -1079,6 +1081,16 @@ components of the client certificate, th
 <br>
 <code>NSSRequire<br>
 </code><br>
+<big><big>NSSSNI</big></big><br>
+<br>
+Enables or disables Server Name Identification(SNI) extension check for
+SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header.
+<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<code>NSSSNI off</code><br>
+<br>
 <big><big>NSSProxyEngine</big></big><br>
 <br>
 Enables or disables mod_nss HTTPS support for mod_proxy.<br>
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds
     SSL_CMD_SRV(FIPS, FLAG,
                 "FIPS 140-1 mode "
                 "(`on', `off')")
+    SSL_CMD_SRV(SNI, FLAG,
+                "SNI"
+                "(`on', `off')")
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Comma-delimited list of permitted SSL Ciphers, + to enable, - 
to disable "
                 "(`[+-]XXX,...,[+-]XXX' - see manual)")
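Review bot: The literal `"SNI"` on the added SSL_CMD_SRV line lacks the trailing space that its neighbour `"FIPS 140-1 mode "` has, so the two adjacent literals concatenate and the directive help runs the word straight into the parenthesised on/off list; write `"SNI "` or, better, a short description such as `"Server Name Indication check "` so `httpd -L` output reads like the other entries. The rest of nss_config_cmds lies outside the hunk.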
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -308,6 +308,7 @@ struct SSLSrvConfigRec {
     const char      *ocsp_name;
     BOOL             ocsp;
     BOOL             enabled;
+    BOOL             sni;
     BOOL             proxy_enabled;
     const char      *vhost_id;
     int              vhost_id_len;
@@ -343,6 +344,20 @@ typedef struct
     PRInt32 version; /* protocol version valid for this cipher */
 } cipher_properties;
 
+typedef struct {
+  enum {
+        PW_NONE = 0,
+       PW_FROMFILE = 1,
+       PW_PLAINTEXT = 2,
+       PW_EXTERNAL = 3
+      } source;
+      char *data;
+} secuPWData;
+
+/* pool and hash which will contain ServerName and NSSNickname */
+apr_pool_t *mp;
+apr_hash_t *ht;
+
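Review bot: `apr_pool_t *mp;` and `apr_hash_t *ht;` are object definitions placed in mod_nss.h, so every translation unit that includes the header defines them; that links today only through common-symbol merging and fails outright with `-fno-common` (the default since GCC 10). Declare them `extern apr_pool_t *mp; extern apr_hash_t *ht;` here and define them once in nss_util.c next to initializeHashVhostNick(), and consider less collision-prone names (`nss_vhost_nick_pool`, `nss_vhost_nick_hash`) since two-letter globals are easy to shadow. The `secuPWData` typedef mirrors the struct of the same name in NSS's sample tools; a one-line comment saying so, and naming which function consumes it, would save the next reader a search.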
 /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
  * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
  * is the last version without this define. This is used for more than just
@@ -384,6 +399,7 @@ void *nss_config_perdir_merge(apr_pool_t
 void *nss_config_server_create(apr_pool_t *p, server_rec *s);
 void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
 const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
+const char *nss_cmd_NSSSNI(cmd_parms *, void *, int);
 const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
 const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
@@ -471,6 +487,9 @@ apr_file_t  *nss_util_ppopen(server_rec
 void         nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
 char        *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                  const char * const *);
+char *searchHashVhostNick(char *vhost_id);
+char *searchHashVhostNick_match(char *vhost_id);
+void addHashVhostNick(char *vhost_id, char *nickname);
 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
  * to allow an SSL renegotiation to take place. */
 int          nss_io_buffer_fill(request_rec *r);
Index: mod_nss-1.0.8/nss_engine_config.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_config.c
+++ mod_nss-1.0.8/nss_engine_config.c
@@ -135,6 +135,7 @@ static SSLSrvConfigRec *nss_config_serve
     sc->ocsp_name                   = NULL;
     sc->fips                        = UNSET;
     sc->enabled                     = UNSET;
+    sc->sni                         = TRUE;
     sc->proxy_enabled               = UNSET;
     sc->vhost_id                    = NULL;  /* set during module init */
     sc->vhost_id_len                = 0;     /* set during module init */
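Review bot: `sc->sni = TRUE` in nss_config_server_create differs from every neighbouring flag, which starts out UNSET; if cfgMergeBool follows the mod_ssl pattern of taking the base value only when the vhost's own value is UNSET (see `cfgMergeBool(sni)` in the next hunk), a virtual host can never inherit `NSSSNI off` from the main server because its own value is already TRUE. Initialise it as `sc->sni = UNSET;` and resolve the default alongside the other fix-ups in nss_init_Module, e.g. `if (sc->sni == UNSET) { sc->sni = TRUE; }` next to the existing `sc->fips == UNSET` check.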
@@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t
     cfgMerge(ocsp_name, NULL);
     cfgMergeBool(fips);
     cfgMergeBool(enabled);
+    cfgMergeBool(sni);
     cfgMergeBool(proxy_enabled);
     cfgMergeBool(proxy_ssl_check_peer_cn);
 
@@ -321,6 +323,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *c
     return NULL;
 }
 
+const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->sni = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -28,6 +28,8 @@ static SECStatus ownHandshakeCallback(PR
 static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
 static CERTCertificate* FindServerCertFromNickname(const char* name, const 
CERTCertList* clist);
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, 
PRBool isServer);
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
+                             PRUint32 sniNameArrSize, void *arg);
 
 /*
  * Global variables defined in this file.
@@ -222,11 +224,10 @@ static void nss_init_SSLLibrary(server_r
         NSS_Shutdown();
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
             "NSS_Initialize failed. Certificate database: %s.", 
mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in 
configuration");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+           "Please check access rights for user:%s!!!", mc->user);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
-        if (mc->nInitCount == 1)
-            nss_die();
-        else
-            return;
+        nss_die();
     }
 
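Review bot: The removed `if (mc->nInitCount == 1)` branch meant that a failed NSS_Initialize() during a later initialisation pass returned instead of terminating; the new code calls nss_die() unconditionally, a behaviour change that the changelog entry ("add alert about permission on the certificate database") does not mention — if it is intended, a comment here saying why a re-init failure is now fatal would help. The new message formats `mc->user` with `%s`; nothing in the hunk shows it is non-NULL at this point, so guard it, e.g. `mc->user ? mc->user : "(not set)"`, and the trailing `!!!` is out of step with the other log lines in the file. nss_init_SSLLibrary continues beyond the hunk.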
     if (fipsenabled) {
@@ -325,6 +326,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
     int fipsenabled = FALSE;
     int threaded = 0;
     struct semid_ds status;
+    char *split_vhost_id = NULL;
+    char *last1;
 
     mc->nInitCount++;
 
@@ -381,6 +384,12 @@ int nss_init_Module(apr_pool_t *p, apr_p
          */
         sc->vhost_id = nss_util_vhostid(p, s);
         sc->vhost_id_len = strlen(sc->vhost_id);
+       
+       if (sc->server->nickname != NULL && sc->vhost_id != NULL) {
+         split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1);
+          ap_str_tolower(split_vhost_id);
+         addHashVhostNick(split_vhost_id, (char *)sc->server->nickname);
+       }
 
         /* Fix up stuff that may not have been set */
         if (sc->fips == UNSET) {
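Review bot: `apr_strtok(sc->vhost_id, ":", &last1)` writes a NUL into the string it is handed, so after this block `sc->vhost_id` is truncated to the host part while `sc->vhost_id_len`, computed two lines earlier, still holds the length of the full `host:port` string; any later user of the pair (the session-id context is the likely consumer) now sees mismatched data, and the call also silently discards the `const` on `vhost_id`. Tokenise a copy instead: `split_vhost_id = apr_strtok(apr_pstrdup(p, sc->vhost_id), ":", &last1);`. The `sc->vhost_id != NULL` test is also moot, since `strlen(sc->vhost_id)` on the line above has already dereferenced it. nss_init_Module continues outside the hunk.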
@@ -534,7 +543,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
                      "Init: Initializing (virtual) servers for SSL");
 
-        CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+        CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
 
         for (s = base_server; s; s = s->next) {
             sc = mySrvConfig(s);
@@ -547,7 +556,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
             /*
              * Read the server certificate and key
              */
-            nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+           nss_init_ConfigureServer(s, p, ptemp, sc, clist);
         }
 
         if (clist) {
@@ -1132,6 +1141,12 @@ static void nss_init_certificate(server_
     SECStatus secstatus;
 
     PK11SlotInfo* slot = NULL;
+    CERTCertNicknames *certNickDNS = NULL;
+    char **nnptr = NULL;
+    int nn = 0;
+    apr_array_header_t *names = NULL;
+    apr_array_header_t *wild_names = NULL;
+    int i, j;
  
     if (nickname == NULL) {
         return;
@@ -1198,17 +1213,52 @@ static void nss_init_certificate(server_
 
     *KEAtype = NSS_FindCertKEAType(*servercert);
 
+    /* get ServerAlias entries to hash */
+    names = s->names;
+    if (names) {
+      char **name = (char **)names->elts;
+      for (i = 0; i < names->nelts; ++i) {
+       ap_str_tolower(name[i]);
+       addHashVhostNick(name[i], (char *)nickname);
+      }
+    }
+
+    /* get ServerAlias entries with wildcards */
+    wild_names = s->wild_names;
+    if (wild_names) {
+      char **wild_name = (char **)wild_names->elts;
+      for (j = 0; j < wild_names->nelts; ++j) {
+       ap_str_tolower(wild_name[j]);
+       addHashVhostNick(wild_name[j], (char *)nickname);
+      }
+    }
+
+    /* get valid DNS names from certificate to hash */
+    certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert);
+
+    if (certNickDNS) {
+      nnptr = certNickDNS->nicknames;
+      nn = certNickDNS->numnicknames;
+
+      while ( nn > 0 ) {
+       ap_str_tolower(*nnptr); 
+       addHashVhostNick(*nnptr, (char *)nickname);
+       nnptr++;
+       nn--;
+      }
+
+    }
+
     /* Subject/hostname check */
     secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
     if (secstatus != SECSuccess) {
       char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
       ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                      "Misconfiguration of certificate's CN and virtual name."
-                      " The certificate CN has %s. We expected %s as virtual"
-                       " name.", cert_dns, s->server_hostname);
+                  "Misconfiguration of certificate's CN and virtual name."
+                  " The certificate CN has %s. We expected %s as virtual"
+                  " name.", cert_dns, s->server_hostname);
       PORT_Free(cert_dns);
     }
-
     /*
      * Check for certs that are expired or not yet valid and WARN about it.
      * No need to refuse working - the client gets a warning.
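Review bot: `certNickDNS`, returned by CERT_GetValidDNSPatternsFromCert(), is never released; add `CERT_FreeNicknames(certNickDNS);` after the while loop, inside the `if (certNickDNS)` block. The three loops also lower-case `s->names`, `s->wild_names` and the certificate's name array in place, so httpd's own ServerAlias strings are mutated as a side effect of certificate initialisation; since addHashVhostNick() duplicates its arguments anyway, lower-casing a temporary copy (from whatever pool nss_init_certificate has available) before calling it keeps the hash's normalisation from leaking into the core config — whether anything downstream depends on the original case cannot be seen from here. nss_init_certificate continues beyond the hunk.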
@@ -1233,13 +1283,21 @@ static void nss_init_certificate(server_
             break;
     }
 
-    secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, 
*KEAtype);
+   secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, 
*KEAtype);
     if (secstatus != SECSuccess) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "SSL error configuring server: '%s'", nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
-    }
+       }
+
+    /* SNI */
+    if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) 
ownSSLSNISocketConfig, (void*) s) != SECSuccess) {
+           ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+               "SSL_SNISocketConfigHook failed");
+           nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+           nss_die();
+           }
 }
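Review bot: The failure branch of SSL_SNISocketConfigHook() logs at APLOG_DEBUG and then calls nss_die(), so with the default LogLevel the process exits without the line that explains why; use `APLOG_ERR` like the SSL_ConfigSecureServer branch just above it. The hunk also mixes tabs and spaces (the re-indented `secstatus = SSL_ConfigSecureServer` line, the closing brace of that `if`, and the body of the new block), which turns unchanged lines into diff noise; re-indenting with the file's four-space style keeps the hunk to the SNI addition.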
 
 
@@ -1308,6 +1366,7 @@ static void nss_init_server_certs(server
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
     }
+
 }
 
 static void nss_init_proxy_ctx(server_rec *s,
@@ -1374,7 +1433,6 @@ void nss_init_Child(apr_pool_t *p, serve
         /* If any servers have SSL, we want sslenabled set so we
          * can perform further initialization
          */
-
         if (sc->enabled == UNSET) {
             sc->enabled = FALSE;
         }
@@ -1404,11 +1462,12 @@ void nss_init_Child(apr_pool_t *p, serve
     nss_init_SSLLibrary(base_server);
 
     /* Configure all virtual servers */
-    CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+    CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL);
     for (s = base_server; s; s = s->next) {
         sc = mySrvConfig(s);
-        if (sc->server->servercert == NULL && NSS_IsInitialized())
-            nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+        if (sc->server->servercert == NULL && NSS_IsInitialized()) {
+          nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+       }
     }
     if (clist) {
         CERT_DestroyCertList(clist);
@@ -1741,3 +1800,67 @@ int nss_parse_ciphers(server_rec *s, cha
 
     return 0;
 }
+
+PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
+           PRUint32 sniNameArrSize, void *arg)
+{
+    server_rec  *s = (server_rec *)arg;
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                "start function ownSSLSNISocketConfig for SNI");
+
+    secuPWData *pwdata;
+    CERTCertificate *    cert = NULL;
+    SECKEYPrivateKey *   privKey = NULL;
+    char *nickName = NULL;
+    char *vhost = NULL;
+    apr_pool_t *str_p;
+
+    PORT_Assert(fd && sniNameArr);
+    if (!fd || !sniNameArr) {
+      nss_die();
+    }
+    apr_pool_create(&str_p, NULL);
+    vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len);
+
+    /* rfc6125 - Checking of Traditional Domain Names*/
+    ap_str_tolower(vhost);
+
+    nickName = searchHashVhostNick(vhost);
+    if (nickName == NULL)  {
+      /* search wild_names in serverAlises */
+      nickName = searchHashVhostNick_match(vhost);
+      if (nickName == NULL) {
+       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, 
unrecognized name.", vhost);
+       nss_die();
+      }
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for 
key:%s", nickName, vhost);
+
+    pwdata = SSL_RevealPinArg(fd);
+
+    /* if pwdata is NULL, then we would not get the key and
+     * return an error status. */
+    cert = PK11_FindCertFromNickname(nickName, &pwdata);
+    if (cert == NULL) {
+      nss_die();
+    }
+    privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
+    if (privKey == NULL) {
+      nss_die();
+    }
+    SSLKEAType  certKEA = NSS_FindCertKEAType(cert);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                "start configure vhost:%s", vhost);
+    if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
+      nss_die();
+    }
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                "successfull setting vhost with nick:%s", nickName);
+    SECKEY_DestroyPrivateKey(privKey);
+    CERT_DestroyCertificate(cert);
+    apr_pool_destroy(str_p);
+    return 0;
+
+}
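Review bot: ownSSLSNISocketConfig() calls nss_die() when the name a client sent in its SNI extension is not in the hash, and again when the certificate or key for a known name cannot be loaded; nss_die() is the path used for fatal initialisation errors elsewhere in this patch (the NSS_Initialize failure), so one handshake carrying an unexpected server name ends the process serving it. The changelog calls this cleaner than SSL_SNI_SEND_ALERT, but an unknown name is a per-connection condition: returning `SSL_SNI_SEND_ALERT` after releasing `str_p` lets NSS answer with the unrecognized_name alert (or `SSL_SNI_CURRENT_CONFIG_IS_OK` if the default vhost's certificate should be served instead) and keeps the server up. Separately, `pwdata` is already the value SSL_RevealPinArg() returns, so passing `&pwdata` to PK11_FindCertFromNickname() and PK11_FindKeyByAnyCert() hands the PIN callback the address of a stack variable rather than the pin argument — confirm against the callback registered via SSL_SetPKCS11PinArg, but `pwdata` looks like the intended value. `apr_pool_create(&str_p, NULL)` also creates an unparented pool per handshake that is destroyed only on the success path; the rewrite below releases it on every return.
```c
    nickName = searchHashVhostNick(vhost);
    if (nickName == NULL) {
        /* search wild_names in serverAlises */
        nickName = searchHashVhostNick_match(vhost);
    }
    if (nickName == NULL) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "Search [val = %s] failed, unrecognized name.", vhost);
        /* a name we do not serve is a per-connection condition, not a server
         * fault: let NSS send unrecognized_name instead of ending the process */
        apr_pool_destroy(str_p);
        return SSL_SNI_SEND_ALERT;
    }

    /* … unchanged: "Search passed" debug log, SSL_RevealPinArg … */

    cert = PK11_FindCertFromNickname(nickName, pwdata);
    if (cert == NULL) {
        apr_pool_destroy(str_p);
        return SSL_SNI_SEND_ALERT;
    }
    privKey = PK11_FindKeyByAnyCert(cert, pwdata);
    if (privKey == NULL) {
        CERT_DestroyCertificate(cert);
        apr_pool_destroy(str_p);
        return SSL_SNI_SEND_ALERT;
    }
    /* … unchanged: NSS_FindCertKEAType, "start configure vhost" log … */
    if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) {
        nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
        SECKEY_DestroyPrivateKey(privKey);
        CERT_DestroyCertificate(cert);
        apr_pool_destroy(str_p);
        return SSL_SNI_SEND_ALERT;
    }
    /* … unchanged: success log, key/cert/pool cleanup, return 0 … */
```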
Index: mod_nss-1.0.8/nss_engine_kernel.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_kernel.c
+++ mod_nss-1.0.8/nss_engine_kernel.c
@@ -71,6 +71,59 @@ int nss_hook_ReadReq(request_rec *r)
     }
 
     /*
+     * SNI check is default on. In same cases you switch of by NSSSNI off
+     * sc->sni parameter gets vhost from HTTPS header
+     */
+    SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+    SECItem *hostInfo = NULL;
+    hostInfo = SSL_GetNegotiatedHostInfo(ssl);
+    if (hostInfo != NULL && sc->sni) {
+      if (ap_is_initial_req(r) && (hostInfo->len != 0)) {
+        char *servername = NULL;
+       char *host, *scope_id;
+       apr_port_t port;
+       apr_status_t rv;
+       apr_pool_t *s_p;
+
+       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                "SNI hostInfo  hostInfo->data:%s and hostInfo->len:%d"
+                    ,(char *) hostInfo->data, hostInfo->len);
+
+       apr_pool_create(&s_p, NULL);
+       servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len);
+
+       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                "SNI hostInfo  servername:%s, lenght:%d"
+                    , servername, (unsigned)strlen(servername));
+
+         if (!r->hostname) {
+           ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+               "Hostname %s provided via SNI, but no hostname"
+               " provided in HTTP request", servername);
+           return HTTP_BAD_REQUEST;
+         }
+
+         rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, 
r->pool);
+         if (rv != APR_SUCCESS || scope_id) {
+            return HTTP_BAD_REQUEST;
+         }
+
+         if (strcasecmp(host, servername)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                        "Hostname %s provided via SNI and hostname %s provided"
+                        " via HTTP are different", servername, host);
+
+           SECITEM_FreeItem(hostInfo, PR_TRUE);
+           apr_pool_destroy(s_p);
+           return HTTP_BAD_REQUEST;
+         } else {
+           SECITEM_FreeItem(hostInfo, PR_TRUE);
+           apr_pool_destroy(s_p);
+         }
+      }
+    }
+    /*
      * Log information about incoming HTTPS requests
      */
     if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
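Review bot: The SECItem returned by SSL_GetNegotiatedHostInfo() is freed only on the two paths that reach the strcasecmp, so it leaks whenever `sc->sni` is off, the request is not the initial one, `hostInfo->len` is 0, `r->hostname` is missing, or apr_parse_addr_port() fails; the unparented pool `s_p` leaks on the last two of those returns as well. Copying the name into `r->pool` and freeing `hostInfo` right after the copy removes both leaks and the private pool altogether, as sketched below. The first debug message also prints `hostInfo->data` with `%s`; unless NSS NUL-terminates that item (a SECItem carries a length, not a terminator), the read runs past it — print it with `%.*s` and `hostInfo->len`, or drop that line in favour of the second one that prints `servername`. nss_hook_ReadReq begins and ends outside the hunk.
```c
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SECItem *hostInfo = SSL_GetNegotiatedHostInfo(ssl);
    char *servername = NULL;

    if (hostInfo != NULL) {
        /* copy into the request pool, then release the NSS item at once so
         * no return path below has to remember to free it */
        if (sc->sni && ap_is_initial_req(r) && hostInfo->len != 0) {
            servername = apr_pstrndup(r->pool, (char *) hostInfo->data,
                                      hostInfo->len);
        }
        SECITEM_FreeItem(hostInfo, PR_TRUE);
    }

    if (servername != NULL) {
        char *host, *scope_id;
        apr_port_t port;
        apr_status_t rv;

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "SNI hostInfo  servername:%s, lenght:%d"
                     , servername, (unsigned)strlen(servername));

        /* … unchanged: r->hostname check, apr_parse_addr_port(), strcasecmp()
         * and their HTTP_BAD_REQUEST returns, minus the SECITEM_FreeItem /
         * apr_pool_destroy lines … */
    }
```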
Index: mod_nss-1.0.8/nss_util.c
===================================================================
--- mod_nss-1.0.8.orig/nss_util.c
+++ mod_nss-1.0.8/nss_util.c
@@ -13,7 +13,6 @@
  * limitations under the License.
  */
 
-
 #include "mod_nss.h"
 #include "ap_mpm.h"
 #include "apr_thread_mutex.h"
@@ -100,3 +99,47 @@ char *nss_util_readfilter(server_rec *s,
 
     return buf;
 }
+
+static void initializeHashVhostNick() {
+       apr_pool_create(&mp, NULL);
+       ht = apr_hash_make(mp);
+}
+
+char *searchHashVhostNick(char *vhost_id) {
+    char *searchVal = NULL;
+
+    searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING);
+
+    return searchVal;
+}
+
+char *searchHashVhostNick_match(char *vhost_id)
+{
+  char *searchValReg = NULL;
+  apr_hash_index_t *hi;
+  for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) {
+    const char *k = NULL;
+    const char *v = NULL;
+        
+    apr_hash_this(hi, (const void**)&k, NULL, (void**)&v);
+    if (!ap_strcasecmp_match(vhost_id, k)) {
+      searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING);
+      return searchValReg; 
+    }
+  }
+  return NULL;
+}
+
+void addHashVhostNick(char *vhost_id, char *nickname) {
+
+    if (ht == NULL) {
+      initializeHashVhostNick();
+    }
+    
+    if(searchHashVhostNick(vhost_id) == NULL) {
+      apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING, 
+                      apr_pstrdup(mp, nickname));
+    }
+    return;
+}
+
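Review bot: searchHashVhostNick_match() already receives each entry's value in `v` from apr_hash_this() and then looks the same key up a second time with apr_hash_get(); `return (char *)v;` is enough and `searchValReg` can go. The table is filled from nss_init_Module but never emptied, and addHashVhostNick() inserts only missing keys, so if module init runs again on a graceful restart (not visible from here) a vhost whose NSSNickname changed keeps its old nickname in the table; calling initializeHashVhostNick() explicitly at the start of module init, rather than lazily on first insert, would reset it. Because the wildcard search walks the hash in its internal order, the first matching ServerAlias pattern wins when several overlap, which deserves a comment on the function. The `char *vhost_id` parameters are never written and could be `const char *`.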
++++++ mod_nss-reverse_proxy_send_SNI.patch ++++++
Index: mod_nss-1.0.8/nss_engine_io.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_io.c  2015-09-01 09:04:16.141175064 +0200
+++ mod_nss-1.0.8/nss_engine_io.c       2015-09-01 09:04:17.985198759 +0200
@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
     return APR_SUCCESS;
 }
 
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
+{
+    conn_rec *c         = f->c;
+    SSLConnRec *sslconn = myConnConfig(c);
+
+    /*
+     * Enable SNI for backend requests. Make sure we don't do it for
+     * pure SSLv3 connections
+     */
+    if (sslconn->is_proxy) {
+        const char *hostname_note = apr_table_get(c->notes, 
"proxy-request-hostname");
+        if (hostname_note) {
+            if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
+                ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
+                              "Error setting SNI extension for SSL Proxy 
request: %d",
+                              PR_GetError());
+            } else {
+                ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+                              "SNI extension for SSL Proxy request set to 
'%s'",
+                              hostname_note);
+            }
+        }
+        else {
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+                              "Can't set SNI extension: no hostname 
available");
+        }
+    }
+
+    return APR_SUCCESS;
+}
+
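Review bot: The two calls written as `ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,` pass a `conn_rec *` where ap_log_error() takes `const server_rec *`; the first call in the same function correctly uses `c->base_server`, so either use that in all three places or switch the connection-scoped ones to `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, ...)`. nss_io_filter_handshake() is then invoked from every call of both nss_io_filter_input and nss_io_filter_output (the two hunks below at `if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS)`), so SSL_SetURL() and the INFO message repeat for each read and write on a proxy connection; running it only under `is_init`, or recording in sslconn that the name has already been set, keeps it to once per connection. The comment about "pure SSLv3 connections" does not correspond to any check in the body and should be dropped or implemented.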
 static apr_status_t nss_io_filter_input(ap_filter_t *f,
                                         apr_bucket_brigade *bb,
                                         ap_input_mode_t mode,
@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
     inctx->mode = mode;
     inctx->block = block;
 
+    if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+        return nss_io_filter_error(f, bb, status);
+    }
+
     if (is_init) {
         /* protocol module needs to handshake before sending
          * data to client (e.g. NNTP or FTP)
@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
     inctx->mode = AP_MODE_READBYTES;
     inctx->block = APR_BLOCK_READ;
 
+    if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+        return nss_io_filter_error(f, bb, status);
+    }
+
     while (!APR_BRIGADE_EMPTY(bb)) {
         apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
 
++++++ mod_nss.conf.in ++++++
--- /var/tmp/diff_new_pack.XpMPTp/_old  2015-10-20 00:09:03.000000000 +0200
+++ /var/tmp/diff_new_pack.XpMPTp/_new  2015-10-20 00:09:03.000000000 +0200
@@ -216,7 +216,7 @@
 # * no rc4, no 3des, no des
 # * ephemeral is what you want (PFS).
 # * EC has precedence over RSA
-NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
+NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha
 
 #   SSL Protocol:
 #   Cryptographic protocols that provide communication security.

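Review bot: The new default NSSCipherSuite drops `rsa_aes_128_sha256` and `rsa_aes_256_sha256`, but the mod_nss-test.conf written in the spec's %check still lists both, so the build test no longer exercises the cipher string that is actually shipped; generating the test config from mod_nss.conf.in, or copying the same line into it, keeps the two from drifting. The comment block above the line still says "ephemeral is what you want (PFS)" while the list retains the static `ecdh_*` and plain `rsa_*` suites, so either the comment should state that these are kept for client compatibility or the list should be trimmed — the changelog only says it was unified with SLE-12.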
++++++ update-ciphers.patch ++++++
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c        2015-09-07 09:56:54.148244174 
+0200
+++ mod_nss-1.0.8/nss_engine_init.c     2015-09-07 09:58:19.368215557 +0200
@@ -36,15 +36,11 @@ PRInt32 ownSSLSNISocketConfig(PRFileDesc
  */
 char* INTERNAL_TOKEN_NAME = "internal                         ";
 
+/* When adding or removing ciphers from this table,
+   remember to adjust the ciphernum constant in mod_nss.h
+*/
 cipher_properties ciphers_def[ciphernum] =
 {
-    /* SSL2 cipher suites */
-    {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
-    {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
-    {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
-    {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
-    {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
-    {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
     /* SSL3/TLS cipher suites */
     {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
     {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
@@ -56,9 +52,6 @@ cipher_properties ciphers_def[ciphernum]
     {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
     {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
     {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
-    {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
-    {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
-    {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
     /* TLS 1.0: Exportable 56-bit Cipher Suites. */
     {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
     {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h        2015-09-07 09:56:54.148244174 +0200
+++ mod_nss-1.0.8/mod_nss.h     2015-09-07 09:56:56.396269772 +0200
@@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4}
 
 /* the table itself is defined in nss_engine_init.c */
 #ifdef NSS_ENABLE_ECC
-#define ciphernum 59
+#define ciphernum 50
 #else
-#define ciphernum 28
+#define ciphernum 19
 #endif
 
 /*
Index: mod_nss-1.0.8/nss.conf.in
===================================================================
--- mod_nss-1.0.8.orig/nss.conf.in      2015-09-07 09:56:54.139244072 +0200
+++ mod_nss-1.0.8/nss.conf.in   2015-09-07 09:56:54.156244265 +0200
@@ -90,13 +90,13 @@ NSSEngine on
 #   See the mod_nss documentation for a complete list.
 
 # SSL 3 ciphers. SSL 2 is disabled by default.
-NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
 
 # SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
 #
 # Comment out the NSSCipherSuite line above and use the one below if you have
 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
-#NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+#NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
 
 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 
