On 31.10.2014 23:10, Niels Thykier wrote:
> On 2014-10-31 10:28, Timo Aaltonen wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian....@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package libapache2-mod-nss
>>
>> [...]
>>
>>
> 
> 
> Hi Timo,
> 
> Sorry, I had missed that you uploaded libapache2-mod-nss today.
> 
> I have decided to age this package so it only needs 2 days.  That said,
> I got a couple of remarks:
> 
>  * The 1.0.10-1 upload does not mention CVE-2014-3566 in d/changelog
>    despite upstream listing it in their upstream.
>  * We want the full debdiff between unstable and testing, as that is
>    what we are approving.

ok, diff attached


-- 
t
diff --git a/ChangeLog b/ChangeLog
index d40ce8b..97bf4b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-16  Rob Crittenden <rcrit...@redhat.com
+    * Add support for enabling TLS v1.2
+    * Don't enable SSL 3 by default (CVE-2014-3566)
+    * Improve protocol testing
+
 2014-02-20  Rob Crittenden <rcrit...@redhat.com
     * Sync with Fedora builds which were basicaly the defacto upstream.
     * Add nss_pcache man page
diff --git a/Makefile.am b/Makefile.am
index 5a94c2f..986048d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-VERSION = 1.0.9
+VERSION = 1.0.10
 
 ## This is the shared library to be built
 lib_LTLIBRARIES = libmodnss.la
diff --git a/README b/README
index 8581698..542e114 100644
--- a/README
+++ b/README
@@ -122,4 +122,4 @@ TESTING
 
  From the source tree run:
 
- % make test
+ % make check
diff --git a/debian/changelog b/debian/changelog
index cd4f1c1..d027154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+libapache2-mod-nss (1.0.10-2) unstable; urgency=medium
+
+  * rules: Don't enable the module by default.
+
+ -- Timo Aaltonen <tjaal...@debian.org>  Tue, 28 Oct 2014 15:11:45 +0200
+
+libapache2-mod-nss (1.0.10-1) unstable; urgency=medium
+
+  * mod_nss-conf.patch: Fix IfModule header so it'll actually load when
+    the module is enabled.
+  * gencert: Revert back to default legacy db's.
+  * Update project homepage and watch file to match.
+
+ -- Timo Aaltonen <tjaal...@debian.org>  Tue, 21 Oct 2014 18:52:59 +0300
+
 libapache2-mod-nss (1.0.9-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/control b/debian/control
index bd6b8e1..c621cc6 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends:
  libnss3-dev,
  pkg-config
 Standards-Version: 3.9.5
-Homepage: http://directory.fedoraproject.org
+Homepage: http://fedorahosted.org/mod_nss
 Vcs-Git: git://anonscm.debian.org/pkg-fedora-ds/libapache2-mod-nss.git
 Vcs-Browser: 
http://anonscm.debian.org/gitweb/?p=pkg-fedora-ds/libapache2-mod-nss.git
 
diff --git a/debian/copyright b/debian/copyright
index b0bd62a..818e21e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,6 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 UPstream-name: mod_nss
-Source: http://directory.fedoraproject.org/sources/
+Source: http://fedorahosted.org/mod_nss
 
 Files: *
 Copyright: 2001-2004 The Apache Software Foundation
diff --git a/debian/libapache2-mod-nss.postinst 
b/debian/libapache2-mod-nss.postinst
index dccc887..c586db3 100644
--- a/debian/libapache2-mod-nss.postinst
+++ b/debian/libapache2-mod-nss.postinst
@@ -4,7 +4,7 @@ set -e
 CERTDIR=/etc/apache2/nssdb
 
 if [ "$1" = configure ]; then
-    if [ ! -e $CERTDIR/key4.db ]; then
+    if [ ! -e $CERTDIR/key3.db ]; then
         /usr/share/libapache2-mod-nss/gencert \
                $CERTDIR > $CERTDIR/install.log 2>&1
         echo "libapache2-mod-nss certificate database generated."
diff --git a/debian/patches/mod_nss-conf.patch 
b/debian/patches/mod_nss-conf.patch
index bb1d4aa..d3a6480 100644
--- a/debian/patches/mod_nss-conf.patch
+++ b/debian/patches/mod_nss-conf.patch
@@ -1,7 +1,7 @@
 --- a/nss.conf.in
 +++ b/nss.conf.in
 @@ -1,3 +1,4 @@
-+<IfModule mod_nss>
++<IfModule mod_nss.c>
  #
  # This is the Apache server configuration file providing SSL support using.
  # the mod_nss plugin.  It contains the configuration directives to instruct
diff --git a/debian/patches/mod_nss-gencert.patch 
b/debian/patches/mod_nss-gencert.patch
index 0da316d..c2b2f4d 100644
--- a/debian/patches/mod_nss-gencert.patch
+++ b/debian/patches/mod_nss-gencert.patch
@@ -1,6 +1,6 @@
 --- a/gencert.in
 +++ b/gencert.in
-@@ -83,14 +83,13 @@ fi
+@@ -83,12 +83,11 @@ fi
  
  DEST=$1
  
@@ -13,65 +13,8 @@
 -echo "is httptest"
 +echo "Generating new server certificate and key database."
  echo "#####################################################################"
--$CERTUTIL -N -d $DEST -f $DEST/pw.txt
-+$CERTUTIL -N -d sql:$DEST -f $DEST/pw.txt
+ $CERTUTIL -N -d $DEST -f $DEST/pw.txt
  
- echo ""
- echo "#####################################################################"
-@@ -102,7 +101,7 @@ let CERTSERIAL=CERTSERIAL+1
- # y 10 y  -> basic constraints: CA cert
- # 5 6 7 9 n  -> SSL, S/MIME, Object signing CA
- echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | \
--$CERTUTIL -S -d $DEST -n cacert \
-+$CERTUTIL -S -d sql:$DEST -n cacert \
-             -s "$CA_CERTDN" \
-             -x \
-             -t CTu,CTu,CTu \
-@@ -124,7 +123,7 @@ let CERTSERIAL=CERTSERIAL+1
- # 0 2 9 n  -> Key usage: Key Encipherment, Digital Signature
- # 0 9 n  -> SSL Client
- echo -e "0\n2\n9\nn\n0\n9\nn\n" | \
--$CERTUTIL -S -d $DEST -n alpha \
-+$CERTUTIL -S -d sql:$DEST -n alpha \
-             -s "$ALPHA_CERTDN" \
-             -c cacert \
-             -t u,pu,u \
-@@ -145,7 +144,7 @@ let CERTSERIAL=CERTSERIAL+1
- # 0 2 9 n  -> Key usage: Key Encipherment, Digital Signature
- # 0 9 n  -> SSL Client
- echo -e "0\n2\n9\nn\n0\n9\nn\n" | \
--$CERTUTIL -S -d $DEST -n beta \
-+$CERTUTIL -S -d sql:$DEST -n beta \
-             -s "$BETA_CERTDN" \
-             -c cacert \
-             -t u,pu,u \
-@@ -162,7 +161,7 @@ echo "##################################
- echo "Generating server certificate request"
- echo "#####################################################################"
- (ps -elf; date; netstat -a) > $DEST/noise
--$CERTUTIL -R -d $DEST \
-+$CERTUTIL -R -d sql:$DEST \
-             -s "$SERVER_CERTDN" \
-             -o $DEST/tmpcertreq \
-             -g $KEYSIZE \
-@@ -175,7 +174,7 @@ echo "Generating server certificate"
- echo "#####################################################################"
- let CERTSERIAL=CERTSERIAL+1
- echo -e "2\n9\nn\n1\n9\nn\n" | \
--$CERTUTIL -C -d $DEST \
-+$CERTUTIL -C -d sql:$DEST \
-             -c cacert \
-             -i $DEST/tmpcertreq \
-             -o $DEST/tmpcert.der \
-@@ -191,7 +190,7 @@ echo ""
- echo "#####################################################################"
- echo "Importing server certificate into server cert DB"
- echo "#####################################################################"
--$CERTUTIL -A -d $DEST -n Server-Cert \
-+$CERTUTIL -A -d sql:$DEST -n Server-Cert \
-             -t u,u,u \
-             -i $DEST/tmpcert.der \
-             -f $DEST/pw.txt
 @@ -205,8 +204,4 @@ echo "##################################
  rm $DEST/pw.txt
  rm $DEST/noise
diff --git a/debian/rules b/debian/rules
index 7a0cdaf..7b44508 100755
--- a/debian/rules
+++ b/debian/rules
@@ -26,6 +26,9 @@ override_dh_install:
 # too many fedoraisms in the tests to bother
 override_dh_auto_test:
 
+override_dh_apache2:
+       dh_apache2 -e
+
 gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 
's/-.*$$//')
 gentarball:
        git archive --format=tar upstream --prefix=$(SOURCE)-$(UV)/ | xz --best 
> ../$(SOURCE)_$(UV).orig.tar.xz
diff --git a/debian/watch b/debian/watch
index 3e6d5a1..28d189d 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
 #git=git://git.fedorahosted.org/mod_nss.git
 version=3
-http://directory.fedoraproject.org/sources/mod_nss-(.*).tar.gz
+http://fedorahosted.org/released/mod_nss/mod_nss-(.*).tar.gz
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index b2fda6c..3d7c121 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -470,8 +470,8 @@ Example</span><br>
 <br>
 Enables or disables FIPS 140 mode. This replaces the standard
 internal PKCS#11 module with a FIPS-enabled one. It also forces the
-enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the
-FIPS ones. You may still select which ciphers you would like
+enabled protocols to TLSv1.2, TLSv1.1 and TLS v1.0 and disables all ciphers
+but the FIPS ones. You may still select which ciphers you would like
 limited to those that are FIPS-certified. Any non-FIPS that are
 included in the NSSCipherSuite entry are automatically disabled.
 The allowable ciphers are:<br>
@@ -572,7 +572,7 @@ Available ciphers are:<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br>
       </td>
     </tr>
     <tr>
@@ -580,106 +580,106 @@ Available ciphers are:<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_null_md5<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_null_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc2_40_md5</td>
       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_128_md5</td>
       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_128_sha</td>
       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_40_md5</td>
       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza<br>
       </td>
       <td style="vertical-align: 
top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza_rc4_128_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza_null<br>
       </td>
       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fips_des_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fips_3des_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_des_56_sha</td>
       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_56_sha</td>
       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_aes_128_sha<br>
       </td>
       <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_aes_256_sha<br>
       </td>
       <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
   </tbody>
 </table>
@@ -699,127 +699,127 @@ Additionally there are a number of ECC ciphers:<br>
     <tr>
       <td>ecdh_ecdsa_null_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_rc4_128_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_3des_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_aes_128_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_aes_256_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_null_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_rc4_128_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_3des_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_aes_128_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_aes_256_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_null_sha</td>
       <td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_128_sha</td>
       <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_3des_sha</td>
       <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_aes_128_sha</td>
       <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_aes_256_sha</td>
       <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>echde_rsa_null</td>
       <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_rc4_128_sha</td>
       <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_3des_sha</td>
       <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_aes_128_sha</td>
       <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_aes_256_sha</td>
       <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_null_sha</td>
       <td>TLS_ECDH_anon_WITH_NULL_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_rc4_128sha</td>
       <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_3des_sha</td>
       <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_aes_128_sha</td>
       <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_aes_256_sha</td>
       <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1.0/TLSv1.1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
   </tbody>
 </table>
@@ -843,15 +843,16 @@ Options are:<br>
   <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
   <li><code>TLSv1.0</code></li>
   <li><code>TLSv1.1</code></li>
+  <li><code>TLSv1.2</code></li>
   <li><code>All</code></li>
 </ul>
 Note that this differs from mod_ssl in that you can't add or subtract
 protocols.<br>
 <br>
 If no NSSProtocol is specified, mod_nss will default to allowing the use of
-the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the
-minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol
-allowed.
+the TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where TLSv1.0 will be set to
+be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum
+protocol allowed.
 <br>
 If values for NSSProtocol are specified, mod_nss will set both the minimum
 and the maximum allowed protocols based upon these entries allowing for the
@@ -1030,7 +1031,7 @@ syntax is identical to NSSProtocol.<br>
 </code><br>
 <big><big>NSSProxyCipherSuite</big></big><br>
 <br>
-Specifies the SSL ciphers available for proxy connections. They syntax
+Specifies the SSL ciphers available for proxy connections. The syntax
 is identical to NSSCipherSuite.<br>
 <br>
 <span style="font-weight: bold;">Example</span><br>
@@ -1118,7 +1119,7 @@ was compiled against.<br>
     <tr>
       <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
       </code></td>
-      <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br>
+      <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1 or 
TLSv1.2<br>
       </td>
     </tr>
     <tr>
diff --git a/gencert.8 b/gencert.8
index f2017c3..191375a 100644
--- a/gencert.8
+++ b/gencert.8
@@ -26,7 +26,7 @@ A tool used to generate a self\-signed CA as well as server 
and user certificate
 .PP
 This is used to generate a default NSS database for the mod_nss Apache module. 
It does not test to see if an existing database already exists, so use with 
care.
 .PP
-\fBgencert\fP will generate a new NSS database and set an empty database 
password.
+\fBgencert\fP will generate a new NSS database with the password "httptest".
 .PP
 It generates a self\-signed CA with the subject "CN=Certificate Shack, 
O=example.com, C=US"
 .PP
diff --git a/mod_nss.c b/mod_nss.c
index 8ccc604..0f74892 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds[] = {
                 "(`[+-]XXX,...,[+-]XXX' - see manual)")
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable the various SSL protocols"
-                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)")
+                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see 
manual)")
     SSL_CMD_ALL(VerifyClient, TAKE1,
                 "SSL Client Authentication "
                 "(`none', `optional', `require'")
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds[] = {
                 "(`on', `off')")
     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
-               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)")
+               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see 
manual)")
     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "(`XXX:...:XXX' - see manual)")
diff --git a/nss.conf.in b/nss.conf.in
index c941ecf..79f6511 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -118,7 +118,7 @@ NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa
 #   Since all protocol ranges are completely inclusive, and no protocol in the
 #   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
 #   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
-NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 
 #   SSL Certificate Nickname:
 #   The nickname of the RSA server certificate you are going to use.
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 32b095a..d74f002 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -616,13 +616,13 @@ static void nss_init_ctx_protocol(server_rec *s,
                                   apr_pool_t *ptemp,
                                   modnss_ctx_t *mctx)
 {
-    int ssl2, ssl3, tls, tls1_1;
+    int ssl2, ssl3, tls, tls1_1, tls1_2;
     char *protocol_marker = NULL;
     char *lprotocols = NULL;
     SECStatus stat;
     SSLVersionRange enabledVersions;
 
-    ssl2 = ssl3 = tls = tls1_1 = 0;
+    ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
 
     /*
      * Since this routine will be invoked individually for every thread
@@ -640,24 +640,24 @@ static void nss_init_ctx_protocol(server_rec *s,
 
     if (mctx->sc->fips) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-            "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1",
+            "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and 
TLSv1.2",
             protocol_marker);
-        tls = tls1_1 = 1;
+        tls = tls1_1 = tls1_2 = 1;
     } else {
         if (mctx->auth.protocols == NULL) {
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",
+                "%s value not set; using: TLSv1.0, TLSv1.1 and TLSv1.2",
                 protocol_marker);
-            ssl3 = tls = tls1_1 = 1;
+            tls = tls1_1 = tls1_2 = 1;
         } else {
             lprotocols = strdup(mctx->auth.protocols);
             ap_str_tolower(lprotocols);
 
             if (strstr(lprotocols, "all") != NULL) {
 #ifdef WANT_SSL2
-                ssl2 = ssl3 = tls = tls1_1 = 1;
+                ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 1;
 #else
-                ssl3 = tls = tls1_1 = 1;
+                ssl3 = tls = tls1_1 = tls1_2 = 1;
 #endif
             } else {
                 char *protocol_list = NULL;
@@ -702,6 +702,11 @@ static void nss_init_ctx_protocol(server_rec *s,
                                      "%s:  Enabling TLSv1.1",
                                      protocol_marker);
                         tls1_1 = 1;
+                    } else if (strcmp(token, "tlsv1.2") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling TLSv1.2",
+                                     protocol_marker);
+                        tls1_2 = 1;
                     } else {
                         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                                      "%s:  Unknown protocol '%s' not 
supported",
@@ -738,12 +743,12 @@ static void nss_init_ctx_protocol(server_rec *s,
      * cannot be excluded from this range. NSS will automatically negotiate
      * to utilize the strongest acceptable protocol for a connection starting
      * with the maximum specified protocol and downgrading as necessary to the
-     * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+     * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0).
      */
     if (stat == SECSuccess) {
         /* Set minimum protocol version (lowest -> highest)
          *
-         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1
+         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
          */
         if (ssl3 == 1) {
             enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
@@ -760,6 +765,11 @@ static void nss_init_ctx_protocol(server_rec *s,
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "%s:  [TLS 1.1] (minimum)",
                          protocol_marker);
+        } else if (tls1_2 == 1) {
+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.2] (minimum)",
+                         protocol_marker);
         } else {
             /* Set default minimum protocol version to SSL 3.0 */
             enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
@@ -770,9 +780,14 @@ static void nss_init_ctx_protocol(server_rec *s,
 
         /* Set maximum protocol version (highest -> lowest)
          *
-         *     TLS 1.1 -> TLS 1.0 -> SSL 3.0
+         *     TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
          */
-        if (tls1_1 == 1) {
+        if (tls1_2 == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.2] (maximum)",
+                         protocol_marker);
+        } else if (tls1_1 == 1) {
             enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "%s:  [TLS 1.1] (maximum)",
@@ -788,10 +803,10 @@ static void nss_init_ctx_protocol(server_rec *s,
                          "%s:  [SSL 3.0] (maximum)",
                          protocol_marker);
         } else {
-            /* Set default maximum protocol version to TLS 1.1 */
-            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
+            /* Set default maximum protocol version to TLS 1.2 */
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s:  [TLS 1.1] (default maximum)",
+                         "%s:  [TLS 1.2] (default maximum)",
                          protocol_marker);
         }
 
@@ -808,11 +823,7 @@ static void nss_init_ctx_protocol(server_rec *s,
 
     mctx->ssl2 = ssl2;
     mctx->ssl3 = ssl3;
-    if (tls1_1 == 1) {
-        mctx->tls = tls1_1;
-    } else {
-        mctx->tls = tls;
-    }
+    mctx->tls = tls || tls1_1 || tls1_2;
 }
 
 static void nss_init_ctx_session_cache(server_rec *s,
diff --git a/nss_engine_vars.c b/nss_engine_vars.c
index 8ecf43a..15fc9b4 100644
--- a/nss_engine_vars.c
+++ b/nss_engine_vars.c
@@ -192,9 +192,14 @@ char *nss_var_lookup(apr_pool_t *p, server_rec *s, 
conn_rec *c, request_rec *r,
             return othermod_var_lookup(p, s, c, r, var);
         }
 
-        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
-                 && sslconn && sslconn->ssl)
+        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+                 && sslconn && sslconn->ssl) {
             result = nss_var_lookup_ssl(p, c, var+4);
+#ifdef VAR_DEBUG
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                "%s: %s", var, result);
+#endif
+        }
         else if (strcEQ(var, "REMOTE_ADDR"))
             result = c->client_ip;
         else if (strcEQ(var, "HTTPS")) {
@@ -747,6 +752,9 @@ static char *nss_var_lookup_protocol_version(apr_pool_t *p, 
conn_rec *c)
                 case SSL_LIBRARY_VERSION_TLS_1_1:
                     result = "TLSv1.1";
                     break;
+                case SSL_LIBRARY_VERSION_TLS_1_2:
+                    result = "TLSv1.2";
+                    break;
             }
         }
     }
diff --git a/test/README b/test/README
new file mode 100644
index 0000000..bd29b1f
--- /dev/null
+++ b/test/README
@@ -0,0 +1,39 @@
+Overview
+--------
+Some basic Apache tests using a local instance of Apache that goes into
+the work subdirectory.
+
+suite1.tmpl defines the basic configuration for the tests.
+
+This tries to load libmodnss.so from the parent directory so you must do
+a 'make' first before trying to run the tests.
+
+Run the tests
+-------------
+./setup.sh
+nosetests -v test.py
+
+Adding tests
+------------
+
+1. Create a new Location in suite1.tmpl with a local configuration to test
+   against.
+
+2. Add a call to this location in test.py
+
+Here are the things that can be tested for:
+
+expected = HTTP response code or SSLError() exception
+protocol = 
+cipher = OpenSSL cipher name
+
+
+3. If you make a change to the mod_nss code you'll need to either copy
+   the new module to work/httpd/lib or rm -rf work and re-run setup.sh
+   otherwise you'll be testing against old code.
+   
+When testing with NSSRequire I sometimes found it difficult to figure out
+why a request was being rejected. I added a new compile-time define,
+VAR_DEBUG. If this is set then whenever a SSL_ variable is looked up the
+result is logged. This is way too much for a running server but great for
+debugging tests.
diff --git a/test/createinstance.sh b/test/createinstance.sh
index 1eaa644..fac0a7d 100755
--- a/test/createinstance.sh
+++ b/test/createinstance.sh
@@ -13,6 +13,7 @@ mkdir -p $target
 
 cd $target
 mkdir alias
+mkdir bin
 mkdir conf
 mkdir conf.d
 mkdir logs
@@ -24,6 +25,11 @@ mkdir lib
 # Create the content
 mkdir content/rc4_cipher
 mkdir content/acl
+mkdir content/protocolssl2
+mkdir content/protocolssl3
+mkdir content/protocoltls1
+mkdir content/protocoltls11
+mkdir content/protocoltls12
 
 cat > content/index.html << EOF
 <html>
@@ -34,6 +40,11 @@ cp content/index.html content/acl/aclS01.html
 cp content/index.html content/acl/aclS02.html
 cp content/index.html content/acl/aclS03.html
 cp content/index.html content/secret-test.html
+cp content/index.html content/protocolssl2/index.html
+cp content/index.html content/protocolssl3/index.html
+cp content/index.html content/protocoltls1/index.html
+cp content/index.html content/protocoltls11/index.html
+cp content/index.html content/protocoltls12/index.html
 
 ln -s /etc/httpd/modules modules
 
diff --git a/test/setup.sh b/test/setup.sh
index 693d603..32f2b8e 100755
--- a/test/setup.sh
+++ b/test/setup.sh
@@ -20,6 +20,7 @@ fi
 ./createinstance.sh ${test_root}
 
 cp ../.libs/libmodnss.so ${test_root}/lib
+cp ../nss_pcache ${test_root}/bin
 
 ../gencert ${test_root}/alias
 echo internal:httptest > ${test_root}/conf/password.conf
diff --git a/test/suite1.tmpl b/test/suite1.tmpl
index 999c4d7..8c9e7a3 100644
--- a/test/suite1.tmpl
+++ b/test/suite1.tmpl
@@ -1,3 +1,17 @@
+# Global SSL configuration
+NSSPassPhraseDialog  file:$SERVER_ROOT/conf/password.conf
+
+NSSPassPhraseHelper $SERVER_ROOT/bin/nss_pcache
+
+NSSSessionCacheSize 10000
+NSSSessionCacheTimeout 100
+NSSSession3CacheTimeout 86400
+
+Listen 0.0.0.0:$SERVER_PORT
+Listen 0.0.0.0:8001
+
+LogLevel debug
+
 <VirtualHost *:$SERVER_PORT>
 
 NSSEngine on
@@ -51,15 +65,46 @@ NSSUserName SSL_CLIENT_S_DN_UID
 <Location "/secret-test-impossible.html">
     NSSRequire %{SSL_CIPHER_USEKEYSIZE} > 4000
 </Location>
+
+<Location "/protocolssl3">
+    NSSRequire %{SSL_PROTOCOL} eq "SSLv3"
+</Location>
+
+<Location "/protocoltls1">
+    NSSRequire %{SSL_PROTOCOL} eq "TLSv1"
+</Location>
+
+<Location "/protocoltls11">
+    NSSRequire %{SSL_PROTOCOL} eq "TLSv1.1"
+</Location>
+
+<Location "/protocoltls12">
+    NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2"
+</Location>
 </VirtualHost>
 
-# SSL configuration
-NSSPassPhraseDialog  file:$SERVER_ROOT/conf/password.conf
+#
+# For testing protocol handling
+#
+<VirtualHost *:8001>
 
-NSSPassPhraseHelper /usr/sbin/nss_pcache
+NSSEngine on
+NSSFIPS off
+NSSOCSP off
+NSSRenegotiation on
 
-NSSSessionCacheSize 10000
-NSSSessionCacheTimeout 100
-NSSSession3CacheTimeout 86400
+NSSCipherSuite 
+rc4,+rc4export,+rc2,+rc2export,+des,+desede3,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_null_md5,+rsa_des_56_sha,+rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+fips_des_sha,+fips_3des_sha
 
-Listen 0.0.0.0:$SERVER_PORT
+NSSProtocol TLSv1.2
+
+NSSNickname Server-Cert
+
+NSSCertificateDatabase $SERVER_ROOT/alias
+
+NSSVerifyClient none
+
+# A bit redundant since the initial handshake should fail if no TLSv1.2
+<Location "/protocoltls12">
+    NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2"
+</Location>
+</VirtualHost>
diff --git a/test/test.py b/test/test.py
index e7136e6..93e8518 100644
--- a/test/test.py
+++ b/test/test.py
@@ -1,5 +1,6 @@
 from test_config import Declarative, write_template_file, restart_apache
 from test_config import stop_apache
+import ssl
 import requests.exceptions
 
 class test_suite1(Declarative):
@@ -135,4 +136,92 @@ class test_suite1(Declarative):
             expected=403,
         ),
 
+        # Only SSLv3-TLSv1.1 enabled on 8000
+        dict(
+            desc='Requires TLS v1.2, no support',
+            request=('/protocoltls12/index.html', {}),
+            expected=403,
+        ),
+
+        dict(
+            desc='Try SSLv2 on default server',
+            request=('/protocoltls12/index.html',
+                    {'ssl_version': ssl.PROTOCOL_SSLv2}
+            ),
+            expected=requests.exceptions.SSLError(),
+        ),
+
+        dict(
+            desc='Try SSLv23 client on SSLv3 location',
+            request=('/protocolssl3/index.html',
+                    {'ssl_version': ssl.PROTOCOL_SSLv23}
+            ),
+            expected=403, # connects as TLSv1
+        ),
+
+        dict(
+            desc='Try TLSv1 client on SSLv3 location',
+            request=('/protocoltls1/index.html',
+                    {'ssl_version': ssl.PROTOCOL_TLSv1}
+            ),
+            expected=200,
+        ),
+
+        dict(
+            desc='Try TLSv1 client on TLSv1.1 location',
+            request=('/protocoltls11/index.html',
+                    {'ssl_version': ssl.PROTOCOL_TLSv1}
+            ),
+            expected=403,
+        ),
+
+        dict(
+            desc='Try SSLv23 client on TLSv1 location',
+            request=('/protocoltls1/index.html',
+                    {'ssl_version': ssl.PROTOCOL_SSLv23}
+            ),
+            expected=200,
+        ),
+
+        dict(
+            desc='Try SSLv23 client on 1.2-only location',
+            request=('/protocoltls12/index.html',
+                    {'ssl_version': ssl.PROTOCOL_SSLv23}
+            ),
+            expected=403,
+        ),
+
+        dict(
+            desc='Requires TLSv1.2 on VH that provides it',
+            request=('/protocoltls12/index.html', {'port': 8001}),
+            expected=200,
+        ),
+
+        dict(
+            desc='Try SSLv2 client on 1.2-only VH',
+            request=('/protocoltls12/index.html',
+                    {'port': 8001,
+                     'ssl_version': ssl.PROTOCOL_SSLv2}
+            ),
+            expected=requests.exceptions.SSLError(),
+        ),
+
+        dict(
+            desc='Try SSLv3 client on 1.2-only VH',
+            request=('/protocoltls12/index.html',
+                    {'port': 8001,
+                     'ssl_version': ssl.PROTOCOL_SSLv3}
+            ),
+            expected=requests.exceptions.SSLError(),
+        ),
+
+        dict(
+            desc='Try TLSv1 client on 1.2-only VH',
+            request=('/protocoltls12/index.html',
+                    {'port': 8001,
+                     'ssl_version': ssl.PROTOCOL_TLSv1}
+            ),
+            expected=requests.exceptions.SSLError(),
+        ),
+
     ]
diff --git a/test/test_config.py b/test/test_config.py
index 9990a92..838ebd7 100644
--- a/test/test_config.py
+++ b/test/test_config.py
@@ -29,11 +29,11 @@ import test_request
 # Utility functions to assist in creating Apache configuration based
 # on test suite
 
-PORT=8000
+DEF_PORT=8000
 FQDN = socket.gethostname()
 
 default_vars = dict(
-    SERVER_PORT = PORT,
+    SERVER_PORT = DEF_PORT,
     SERVER_NAME = FQDN,
     TEST_ROOT = '%s/work/httpd' % os.getcwd(),
     SERVER_ROOT = '%s/work/httpd' % os.getcwd(),
@@ -82,7 +82,7 @@ def restart_apache():
     p = subprocess.Popen(['./start'],
                          close_fds=True)
     os.chdir(cwd)
-    test_util.wait_for_open_ports(FQDN, PORT)
+    test_util.wait_for_open_ports(FQDN, DEF_PORT)
 
 EXPECTED = """Expected %r to raise %s.
   options = %r
@@ -134,7 +134,8 @@ class Declarative(object):
         session = requests.Session()
         session.mount('https://', test_request.MyAdapter())
         verify = dict(verify = options)
-        request = session.get('https://%s:%d%s' % (FQDN, PORT, uri), **verify)
+        port = options.get('port', DEF_PORT)
+        request = session.get('https://%s:%d%s' % (FQDN, port, uri), **verify)
 
         return request
 
@@ -178,7 +179,7 @@ class Declarative(object):
             client_cipher = request.raw._pool._get_conn().client_cipher
             if protocol != client_cipher[1]:
                 raise AssertionError(
-                    'Expected cipher %s, got %s' % (cipher, client_cipher[1])
+                    'Expected protocol %s, got %s' % (protocol, 
client_cipher[1])
                 )
         if expected != request.status_code:
                 raise AssertionError(
diff --git a/test/test_request.py b/test/test_request.py
index 40d8024..bac2a2d 100644
--- a/test/test_request.py
+++ b/test/test_request.py
@@ -141,7 +141,8 @@ class MyVerifiedHTTPSConnection(HTTPSConnection):
             match_hostname(self.sock.getpeercert(), self.host)
 
     def close(self):
-        self.client_cipher = self.sock.cipher()
+        if self.sock:
+            self.client_cipher = self.sock.cipher()
         HTTPSConnection.close(self)
 
 class MyAdapter(requests.adapters.HTTPAdapter):
@@ -177,7 +178,7 @@ class MyAdapter(requests.adapters.HTTPAdapter):
 s = requests.Session()
 s.mount('https://', MyAdapter())
 try:
-    r = s.get('https://darlene.greyoak.com:8000/', verify={'verify': False, 
'ssl_version': ssl.PROTOCOL_SSLv23, 'ciphers': 'HIGH'})
+    r = s.get('https://test.example.com:8000/', verify={'verify': False, 
'ssl_version': ssl.PROTOCOL_SSLv23, 'ciphers': 'HIGH'})
     cipher = r.raw._pool._get_conn().client_cipher
 except requests.exceptions.SSLError, e:
     print e.message
@@ -185,6 +186,6 @@ else:
     print r.status_code
     print cipher
 
-#request = requests.get('https://darlene.greyoak.com:8000/', verify=False)
+#request = requests.get('https://test.example.com:8000/', verify=False)
 #print request.status_code
 """

Reply via email to