Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-03-29 11:57:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Thu Mar 29 11:57:32 2018 rev:30 rq:592034 version:1.0.17

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2018-03-20 22:00:50.444643599 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2018-03-29 11:57:36.982029928 +0200
@@ -1,0 +2,10 @@
+Tue Mar 27 21:16:15 UTC 2018 - [email protected]
+
+- Update to 1.0.17
+  * Add TLSv1.3 support
+  * Update documentation for TLS 1.3
+  * Add TLS 1.3 support to the cipher tests
+  * PEP-8 fixups
+  * Change the default certificate database format to SQLite.
+
+-------------------------------------------------------------------

Old:
----
  mod_nss-1.0.16.tar.gz

New:
----
  mod_nss-1.0.17.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.aJMz8n/_old  2018-03-29 11:57:37.658005527 +0200
+++ /var/tmp/diff_new_pack.aJMz8n/_new  2018-03-29 11:57:37.658005527 +0200
@@ -25,7 +25,7 @@
 %define    apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %define    apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:           apache2-mod_nss
-Version:        1.0.16
+Version:        1.0.17
 Release:        0
 Summary:        SSL/TLS module for the Apache HTTP server
 License:        Apache-2.0

++++++ mod_nss-1.0.16.tar.gz -> mod_nss-1.0.17.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/ChangeLog new/mod_nss-1.0.17/ChangeLog
--- old/mod_nss-1.0.16/ChangeLog        2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/ChangeLog        2018-03-27 22:40:30.000000000 +0200
@@ -1,3 +1,15 @@
+2018-03-27  Rob Crittenden <[email protected]>
+       * PEP-8 fixups
+       * Add TLS 1.3 support to the cipher tests
+       * Update documentation for TLSv1.3
+       * Become 1.0.17
+
+2018-03-05  Vitezslav Cizek <[email protected]>
+       * Change the default certificate database format to SQLite.
+
+2018-02-16 Christian Heimes <[email protected]>
+       * Add TLSv1.3 support
+
 2018-01-19  Rob Crittenden <[email protected]>
     * Fix some merge issues in the ciphers (that'll teach me to test
          BEFORE making the tag)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/Makefile.am 
new/mod_nss-1.0.17/Makefile.am
--- old/mod_nss-1.0.16/Makefile.am      2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/Makefile.am      2018-03-27 22:40:30.000000000 +0200
@@ -22,7 +22,7 @@
 
 ## Set the includes and libraries needed
 AM_CPPFLAGS = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
-LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4
+LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4 
-lnssutil3
 EXTRA_CPPFLAGS=@extra_cppflags@
 
 install-libLTLIBRARIES: libmodnss.la
@@ -102,8 +102,8 @@
        rm -rf work;    \
        nosetests -v test_cipher.py;    \
        if [ `id -u` != 0 ]; then       \
-       ./setup.sh -s 1;        \
-       nosetests -v test.py;   \
+       ./setup.sh -s 1 dbm:;   \
+       DBPREFIX=dbm: nosetests -v test.py;     \
        sleep 5;        \
        rm -rf work;    \
        ./setup.sh -s 1 sql:;   \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/configure.ac 
new/mod_nss-1.0.17/configure.ac
--- old/mod_nss-1.0.16/configure.ac     2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/configure.ac     2018-03-27 22:40:30.000000000 +0200
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.16])
+AC_INIT([mod_nss],[1.0.17])
 
 m4_include([acinclude.m4])
 
@@ -249,34 +249,53 @@
 AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, 
gcm=$enableval, gcm=no)
 if test "$gcm" = yes; then
    extra_cppflags="$extra_cppflags -DENABLE_GCM"
-   echo "ENABLE_GCM=1" > test/variable.py
+   echo "ENABLE_GCM = 1" > test/variable.py
 else
-   echo "ENABLE_GCM=0" > test/variable.py
+   echo "ENABLE_GCM = 0" > test/variable.py
 fi
 
 AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, 
sha384=$enableval, sha384=no)
 if test "$sha384" = yes; then
    extra_cppflags="$extra_cppflags -DENABLE_SHA384"
-   echo "ENABLE_SHA384=1" >> test/variable.py
+   echo "ENABLE_SHA384 = 1" >> test/variable.py
 else
-   echo "ENABLE_SHA384=0" >> test/variable.py
+   echo "ENABLE_SHA384 = 0" >> test/variable.py
 fi
 
 AX_CHECK_DEFINE(nss3/sslproto.h, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 
chacha20=yes, chacha20=no)
 if test "$chacha20" = yes; then
    extra_cppflags="$extra_cppflags -DENABLE_CHACHA20"
-   echo "ENABLE_CHACHA20=1" >> test/variable.py
+   echo "ENABLE_CHACHA20 = 1" >> test/variable.py
 else
-   echo "ENABLE_CHACHA20=0" >> test/variable.py
+   echo "ENABLE_CHACHA20 = 0" >> test/variable.py
 fi
 
 CPPFLAGS="$CPPFLAGS $nspr_inc"
 AX_CHECK_DEFINE(nss3/ssl.h, SSL_ENABLE_SERVER_DHE, server_dhe=yes, 
server_dhe=no)
 if test "$server_dhe" = yes; then
    extra_cppflags="$extra_cppflags -DENABLE_SERVER_DHE"
-   echo "ENABLE_SERVER_DHE=1" >> test/variable.py
+   echo "ENABLE_SERVER_DHE = 1" >> test/variable.py
 else
-   echo "ENABLE_SERVER_DHE=0" >> test/variable.py
+   echo "ENABLE_SERVER_DHE = 0" >> test/variable.py
+fi
+
+# TLS 1.3 is available since NSS 3.28
+have_tls13=no
+AC_MSG_CHECKING(for TLS 1.3 support)
+AC_RUN_IFELSE([AC_LANG_PROGRAM([
+#include <nss3/nss.h>
+],[
+#if (((NSS_VMAJOR == 3) && (NSS_VMINOR >= 28)) || (NSS_VMAJOR > 3))
+return 1;
+#endif
+])], [have_tls13=no], [have_tls13=yes])
+if test "$have_tls13" = yes; then
+   extra_cppflags="$extra_cppflags -DNSS_SUPPORTS_TLS_1_3"
+   echo "ENABLE_TLS13 = 1" >> test/variable.py
+   AC_MSG_RESULT(yes)
+else
+   echo "ENABLE_TLS13 = 0" >> test/variable.py
+   AC_MSG_RESULT(no)
 fi
 
 # Substitute values
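Review bot: The TLS 1.3 probe treats every failure as "supported", because `AC_RUN_IFELSE` takes its false branch (`have_tls13=yes` here) both when the program returns non-zero and when it fails to compile or link. A missing `<nss3/nss.h>` would therefore define `NSS_SUPPORTS_TLS_1_3`; the visible lines add only `$nspr_inc` to CPPFLAGS, so whether the NSS include path is set at this point cannot be confirmed from the hunk. The macro is also given no cross-compiling action, so the check needs to execute a binary on the build host. A compile-only check with `#error` on old versions keeps the polarity natural and fails closed, as sketched below.

```m4
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
#include <nss3/nss.h>
],[
#if !(((NSS_VMAJOR == 3) && (NSS_VMINOR >= 28)) || (NSS_VMAJOR > 3))
#error NSS is too old for TLS 1.3
#endif
])], [have_tls13=yes], [have_tls13=no])
# … unchanged: the have_tls13 test that sets extra_cppflags and writes ENABLE_TLS13 …
```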
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/docs/mod_nss.html 
new/mod_nss-1.0.17/docs/mod_nss.html
--- old/mod_nss-1.0.16/docs/mod_nss.html        2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/docs/mod_nss.html        2018-03-27 22:40:30.000000000 
+0200
@@ -50,8 +50,7 @@
 Refer to the README file included with the distribution.<br>
 <br>
 To build you'll need <a href="http://www.mozilla.org/projects/nspr/";>NSPR</a>
-4.4.1 or above and <a 
href="http://www.mozilla.org/projects/security/pki/nss/";>NSS</a> 3.9.2
-or above.
+4.4.1 or above and <a 
href="http://www.mozilla.org/projects/security/pki/nss/";>NSS</a> 3.9.2 or 
above. TLS 1.3 support was introduced in NSS 3.28.
 It may work with earlier versions but these are recommended (or
 tested). These can be retrieved from <a 
href="http://www.mozilla.org/";>http://www.mozilla.org/</a>.
 The --with-nspr and --with-nss options require that the package be
@@ -221,17 +220,17 @@
 [ Lots of output removed ]
 </pre>
 You should now have the following files:<br>
-<pre>/etc/httpd/nss/cert8.db
-/etc/httpd/nss/key3.db
-/etc/httpd/nss/secmod.db
+<pre>/etc/httpd/nss/cert9.db
+/etc/httpd/nss/key4.db
+/etc/httpd/nss/pkcs11.txt
 </pre>
 These 3 files make up an NSS certificate database.<br>
 <br>
-If you have a sql: prefix on the path, like sql:/etc/httpd/nss, then it
-will generate an SQLite NSS database consisting of the following files:<br>
-<pre>/etc/httpd/nss/cert9.db
-/etc/httpd/nss/key4.db
-/etc/httpd/nss/pkcs11.txt</pre>
+If you have a dbm: prefix on the path, like dbm:/etc/httpd/nss, then it
+will generate an Berkeley DB NSS database consisting of the following 
files:<br>
+<pre>/etc/httpd/nss/cert8.db
+/etc/httpd/nss/key3.db
+/etc/httpd/nss/secmod.db</pre>
 
 
 <h1><a name="Startup"></a>Server Startup</h1>
@@ -383,10 +382,12 @@
 <font size="+2">NSSCertificateDatabase</font><br>
 <br>
 Specifies the location of the NSS certificate database to be used. An
-NSS certificate database consists of 3 files: cert8.db, key3.db and
-secmod.db. cert8.db stores certificates and Certificate Revocation
-Lists (CRLs), key3.db stores keys and secmod.db stores information
+NSS certificate database consists of 3 files: cert9.db, key4.db and
+pkcs11.txt. cert9.db stores certificates and Certificate Revocation
+Lists (CRLs), key4.db stores keys and pkcs11.txt stores information
 about available PKCS#11 modules.<br>
+Before version 3.35, NSS used a Berkeley DB format by default.
+It consisted of files cert8.db, key3.db and secmod.db.<br>
 <br>
 This directive specifies a path, not a filename. To use a sqlite
 NSS database include the prefix sql: in the path.<br>
@@ -398,16 +399,16 @@
 <br>
 <big><big>NSSDBPrefix</big></big><br>
 <br>
-Normally a certificate database consists of 3 files: cert8.db, key3.db
-and secmod.db. This directive allows you to add a named prefix to the
-filenames of cert8.db and key3.db so you can store multiple databases
+Normally a certificate database consists of 3 files: cert9.db, key4.db
+and pkcs11.txt. This directive allows you to add a named prefix to the
+filenames of cert9.db and key4.db so you can store multiple databases
 in one directory. <br>
 <br>
 <span style="font-weight: bold;">Example</span><br>
 <br>
 <code>NSSDBPrefix my-prefix-</code><br>
 <br>
-You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db<br>
+You would then need: my-prefix-cert9.db, my-prefix-key4.db and secmod.db<br>
 <br>
 In order to work with files with a prefix using the NSS command-line
 tools use the -P flag.<br>
@@ -497,10 +498,10 @@
 <br>
 Enables or disables FIPS 140 mode. This replaces the standard
 internal PKCS#11 module with a FIPS-enabled one. It also forces the
-enabled protocols to TLSv1.2, TLSv1.1 and TLSv1.0 and disables all ciphers
-but the FIPS ones. You may still select which ciphers you would like
-limited to those that are FIPS-certified. Any non-FIPS that are
-included in the NSSCipherSuite entry are automatically disabled.
+enabled protocols to TLSv1.3, TLSv1.2, TLSv1.1 and TLSv1.0 and disables
+all ciphers but the FIPS ones. You may still select which ciphers you
+would like limited to those that are FIPS-certified. Any non-FIPS that
+are included in the NSSCipherSuite entry are automatically disabled.
 The allowable ciphers are (with ecc-enabled set):<br>
 <ul>
   <li>rsa_3des_sha</li>
@@ -756,6 +757,27 @@
   </td>
   <td valign="top">TLSv1.2</td>
 </tr>
+<tr>
+  <td valign="top">aes_128_gcm_sha_256<br>
+  </td>
+  <td valign="top">TLS_AES_128_GCM_SHA256<br>
+  </td>
+  <td valign="top">TLSv1.3</td>
+</tr>
+<tr>
+  <td valign="top">aes_256_gcm_sha_384<br>
+  </td>
+  <td valign="top">TLS_AES_256_GCM_SHA384<br>
+  </td>
+  <td valign="top">TLSv1.3</td>
+</tr>
+<tr>
+  <td valign="top">chacha20_poly1305_sha_256<br>
+  </td>
+  <td valign="top">TLS_CHACHA20_POLY1305_SHA256<br>
+  </td>
+  <td valign="top">TLSv1.3</td>
+</tr>
 
   </tbody>
 </table>
@@ -1017,15 +1039,16 @@
   <li><code>TLSv1.0</code></li>
   <li><code>TLSv1.1</code></li>
   <li><code>TLSv1.2</code></li>
+  <li><code>TLSv1.3</code></li>
   <li><code>All</code></li>
 </ul>
 Note that this differs from mod_ssl in that you can't add or subtract
 protocols.<br>
 <br>
 If no NSSProtocol is specified, mod_nss will default to allowing the use of
-the TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where TLSv1.0 will be set to
-be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum
-protocol allowed.
+the TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 protocols, where TLSv1.0 will be
+set to be the minimum protocol allowed, and TLSv1.3 will be set to be the
+maximum protocol allowed.
 <br>
 If values for NSSProtocol are specified, mod_nss will set both the minimum
 and the maximum allowed protocols based upon these entries allowing for the
@@ -1338,7 +1361,7 @@
     <tr>
       <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
       </code></td>
-      <td style="vertical-align: top;">SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2<br>
+      <td style="vertical-align: top;">SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or 
TLSv1.3<br>
       </td>
     </tr>
     <tr>
@@ -1553,14 +1576,14 @@
 <br>
 
 <h1><a name="Database_Management"></a>Database Management</h1>
-NSS stores it's certificates and keys in a set of files referred to as
-the "certificate database." The files by default (with NSS 3.x) are
-named cert8.db, key3.db and secmod.db. See the NSS documentation at <a 
href="http://www.mozilla.org/projects/security/pki/nss/";>http://www.mozilla.org/projects/security/pki/nss/</a>
+NSS stores its certificates and keys in a set of files referred to as
+the "certificate database." The files by default (with NSS >= 3.35) are
+named cert9.db, key4.db and pkcs11.txt. See the NSS documentation at <a 
href="http://www.mozilla.org/projects/security/pki/nss/";>http://www.mozilla.org/projects/security/pki/nss/</a>
 for more information on these specific files.<p>
-By default the NSS databases use the Berkeley Database format (cert8 and
-key3). To use the sqlite format (cert9 and key4) either include sql: in
-all references to the database (-d sql:/path/to/database) or
-<code>export NSS_DEFAULT_DB_TYPE="sql"</code>.
+Before version 3.35 the NSS databases used the Berkeley Database format by 
default
+(cert8 and key3). To use the old format either include dbm: in
+all references to the database (-d dbm:/path/to/database) or
+<code>export NSS_DEFAULT_DB_TYPE="dbm"</code>.
 </p><p>
 For more details see
 <a 
href="https://wiki.mozilla.org/NSS_Shared_DB";>https://wiki.mozilla.org/NSS_Shared_DB</a><br>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/mod_nss.spec 
new/mod_nss-1.0.17/mod_nss.spec
--- old/mod_nss-1.0.16/mod_nss.spec     2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/mod_nss.spec     2018-03-27 22:40:30.000000000 +0200
@@ -26,7 +26,7 @@
 URL: http://directory.fedora.redhat.com/
 Source: %{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
-BuildPreReq: httpd-devel,apr-devel
+BuildRequires: httpd-devel,apr-devel,nss-devel,flex,byacc
 # Without Autoreq: 0, rpmbuild finds all sorts of crazy
 # dependencies that we don't care about, and refuses to install
 Autoreq: 0
@@ -56,7 +56,7 @@
 
 # configure requires nspr, nss, ldapsdk, adminutil
 # if can't find apxs, use --with-apxs=/path/to/apxs
-./configure --with-apr-config --with-nspr-inc=%{nsprincdir} 
--with-nspr-lib=%{nsprlibdir} --with-nss-inc=%{nssincdir} 
--with-nss-lib=%{nsslibdir}
+./configure --with-apr-config --with-nspr-inc=%{nsprincdir} 
--with-nspr-lib=%{nsprlibdir} --with-nss-inc=%{nssincdir} 
--with-nss-lib=%{nsslibdir} --enable-ecc
 CFLAGS="$flag $mycflags" make
 
 %install
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/nss.conf.in 
new/mod_nss-1.0.17/nss.conf.in
--- old/mod_nss-1.0.16/nss.conf.in      2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/nss.conf.in      2018-03-27 22:40:30.000000000 +0200
@@ -122,14 +122,14 @@
 
 #   Server Certificate Database:
 #   The NSS security database directory that holds the certificates and
-#   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+#   keys. The database consists of 3 files: cert9.db, key4.db and pkcs11.txt
 #   Provide the directory that these files exist.
 NSSCertificateDatabase @apache_conf@
 
 #   Database Prefix:
 #   In order to be able to store multiple NSS databases in one directory
 #   they need unique names. This option sets the database prefix used for
-#   cert8.db and key3.db.
+#   cert9.db and key4.db.
 #NSSDBPrefix my-prefix-
 
 #   Client Authentication (Type):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/nss_engine_cipher.c 
new/mod_nss-1.0.17/nss_engine_cipher.c
--- old/mod_nss-1.0.16/nss_engine_cipher.c      2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/nss_engine_cipher.c      2018-03-27 22:40:30.000000000 
+0200
@@ -123,6 +123,14 @@
     {"ecdhe_ecdsa_chacha20_poly1305_sha_256", 
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "ECDHE-ECDSA-CHACHA20-POLY1305", 
SSL_kEECDH|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 
256},
     {"dhe_rsa_chacha20_poly1305_sha_256", 
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "DHE-RSA-CHACHA20-POLY1305", 
SSL_kDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
 #endif
+#ifdef NSS_SUPPORTS_TLS_1_3
+    /* Special TLS 1.3 cipher suites that really just specify AEAD
+     * TLS 1.3 ciphers don't specify key exchange and authentication.
+     */
+    {"aes_128_gcm_sha_256", TLS_AES_128_GCM_SHA256, "TLS-AES-128-GCM-SHA256", 
SSL_AES128GCM|SSL_AEAD, TLSV1_3, SSL_HIGH, 128, 128, NULL},
+    {"aes_256_gcm_sha_384", TLS_AES_256_GCM_SHA384, "TLS-AES-256-GCM-SHA384", 
SSL_AES256GCM|SSL_AEAD, TLSV1_3, SSL_HIGH, 256, 256, NULL},
+    {"chacha20_poly1305_sha_256", TLS_CHACHA20_POLY1305_SHA256, 
"TLS-CHACHA20-POLY1305_SHA256", SSL_CHACHA20POLY1305|SSL_AEAD, TLSV1_3, 
SSL_HIGH, 256, 256},
+#endif
 };
 
 #define CIPHERNUM sizeof(ciphers_def) / sizeof(cipher_properties)
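Review bot: The three new TLS 1.3 rows are not consistent with each other or with the rows above them: the two AES entries carry a ninth initializer (`NULL`) while the ChaCha20 entry and the existing TLS 1.2 entries have eight. The ChaCha20 alias is also spelled `"TLS-CHACHA20-POLY1305_SHA256"`, with an underscore where the other aliases use hyphens. The `cipher_properties` definition is outside this hunk, so whether the extra `NULL` is an excess initializer or the other rows rely on implicit zero-fill cannot be confirmed here. The alias mismatch matters operationally: an administrator who writes the fully hyphenated name in the cipher list would presumably get no match and the suite would stay disabled without an obvious error. Suggest giving every row the same number of fields and using `"TLS-CHACHA20-POLY1305-SHA256"`.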
@@ -170,11 +178,11 @@
         rv = parse_nss_ciphers(s, ciphers, cipher_list);
     } else {
         rv = parse_openssl_ciphers(s, ciphers, cipher_list);
-        if (rv == 0 && 0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2)) {
+        if (rv == 0 && 0 == countciphers(cipher_list, 
SSLV3|TLSV1|TLSV1_2|TLSV1_3)) {
             rv = parse_nss_ciphers(s, ciphers, cipher_list);
         }
     }
-    if (0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2)) {
+    if (0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2|TLSV1_3)) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                      "no cipher match");
     }
@@ -406,6 +414,8 @@
                     protocol |= TLSV1;
                 } else if (!strcmp(cipher, "TLSv1.2")) {
                     protocol |= TLSV1_2;
+                } else if (!strcmp(cipher, "TLSv1.3")) {
+                    protocol |= TLSV1_3;
                 } else if (!strcmp(cipher, "HIGH")) {
                     strength |= SSL_HIGH;
                 } else if (!strcmp(cipher, "MEDIUM")) {
@@ -493,7 +503,7 @@
             cipher = ciphers;
 
     }
-    if (found && 0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2))
+    if (found && 0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2|TLSV1_3))
         return 1; /* no matching ciphers */
     return 0;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/nss_engine_cipher.h 
new/mod_nss-1.0.17/nss_engine_cipher.h
--- old/mod_nss-1.0.16/nss_engine_cipher.h      2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/nss_engine_cipher.h      2018-03-27 22:40:30.000000000 
+0200
@@ -86,6 +86,7 @@
 #define SSLV3              0x00000002L
 #define TLSV1              SSLV3
 #define TLSV1_2            0x00000004L
+#define TLSV1_3            0x00000005L
 
 /* the table itself is defined in nss_engine_cipher.c */
 #if 0
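Review bot: `TLSV1_3` is given the value `0x00000005L`, which is not a distinct bit: it equals `TLSV1_2 | 0x1`, yet the nss_engine_cipher.c hunks in this commit use it as a flag (`protocol |= TLSV1_3` and `countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2|TLSV1_3)`). Selecting the `TLSv1.3` keyword therefore also sets the TLS 1.2 bit plus bit 0, and any `&` test against `TLSV1_2` will match TLS 1.3 entries, so protocol-based cipher selection can enable or count suites the administrator did not ask for. Bit 0 looks like it belongs to an SSLv2 flag defined above this hunk, but that line is not visible. The next free bit would be `#define TLSV1_3            0x00000008L`, assuming 0x8 is not used elsewhere in the header.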
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/nss_engine_init.c 
new/mod_nss-1.0.17/nss_engine_init.c
--- old/mod_nss-1.0.16/nss_engine_init.c        2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/nss_engine_init.c        2018-03-27 22:40:30.000000000 
+0200
@@ -191,9 +191,9 @@
     }
 
     /* Strip the known prefixes */
-    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
+    if (strncasecmp(mc->pCertificateDatabase, SQLDB, 4) == 0)
         dbdir = (char *)mc->pCertificateDatabase + 4;
-    else if (strncasecmp(mc->pCertificateDatabase, "dbm:", 4) == 0)
+    else if (strncasecmp(mc->pCertificateDatabase, LEGACY, 4) == 0)
         dbdir = (char *)mc->pCertificateDatabase + 4;
     else
         dbdir = (char *)mc->pCertificateDatabase;
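Review bot: The prefix comparison now uses the `SQLDB` and `LEGACY` macros but still hard-codes the length `4` in both the `strncasecmp` call and the `+ 4` pointer offset, so the code is only correct while both macros stay exactly four characters long. The macro definitions are not in this hunk, so their current values cannot be checked here. Deriving the length from the macro keeps the two in step, for example `strncasecmp(mc->pCertificateDatabase, SQLDB, strlen(SQLDB)) == 0` with `dbdir = (char *)mc->pCertificateDatabase + strlen(SQLDB);`. The enclosing function starts and ends outside the hunk.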
@@ -767,6 +767,9 @@
                                   modnss_ctx_t *mctx)
 {
     int ssl3, tls, tls1_1, tls1_2;
+#ifdef  NSS_SUPPORTS_TLS_1_3
+    int tls1_3 = 0;
+#endif
     char *protocol_marker = NULL;
     char *lprotocols = NULL;
     SECStatus stat;
@@ -789,16 +792,27 @@
     }
 
     if (mctx->auth.protocols == NULL) {
+#ifdef  NSS_SUPPORTS_TLS_1_3
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+            "%s value not set; using: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3",
+            protocol_marker);
+        tls = tls1_1 = tls1_2 = tls1_3 = 1;
+#else
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-            "%s value not set; using: TLSv1.0, TLSv1.1 and TLSv1.2",
+            "%s value not set; using: TLSv1.0, TLSv1.1, and TLSv1.2",
             protocol_marker);
         tls = tls1_1 = tls1_2 = 1;
+#endif
     } else {
         lprotocols = strdup(mctx->auth.protocols);
         ap_str_tolower(lprotocols);
 
         if (strstr(lprotocols, "all") != NULL) {
+#ifdef  NSS_SUPPORTS_TLS_1_3
+            ssl3 = tls = tls1_1 = tls1_2 = tls1_3 = 1;
+#else
             ssl3 = tls = tls1_1 = tls1_2 = 1;
+#endif
         } else {
             char *protocol_list = NULL;
             char *saveptr = NULL;
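Review bot: Each TLS 1.3 branch here is a full copy of the TLS 1.2 code wrapped in `#ifdef NSS_SUPPORTS_TLS_1_3 … #else … #endif`, so the default case, the `all` case, the FIPS fallback hunk further down and the final `mctx->tls` assignment now exist twice and must be kept in sync by hand. In the maximum-version hunk, the `if`/`else if` line is the part that differs between the two preprocessor arms, which makes the control flow hard to follow. Declaring `int tls1_3 = 0;` unconditionally would remove most of the duplication, since only the statements that set it need a guard. Only the `SSL_LIBRARY_VERSION_TLS_1_3` uses and the log strings that list the protocols would still need guards. The `#else` arms also change the existing log text (`TLSv1.1 and TLSv1.2` becomes `TLSv1.1, and TLSv1.2`), which is worth a mention in the changelog for anyone matching on those messages. The function body continues outside this hunk.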
@@ -846,6 +860,13 @@
                                  "%s:  Enabling TLSv1.2",
                                  protocol_marker);
                     tls1_2 = 1;
+#ifdef  NSS_SUPPORTS_TLS_1_3
+                } else if (strcmp(token, "tlsv1.3") == 0) {
+                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                 "%s:  Enabling TLSv1.3",
+                                 protocol_marker);
+                    tls1_3 = 1;
+#endif
                 } else {
                     ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                                  "%s:  Unknown protocol '%s' not supported",
@@ -861,12 +882,21 @@
          * if FIPS mode is enabled with no TLS protocols,
          * enable ALL TLS protocols.
          */
+#ifdef  NSS_SUPPORTS_TLS_1_3
+        if ((mctx->sc->fips) && (tls == 0) && (tls1_1 == 0) && (tls1_2 == 0) 
&& (tls1_3 == 0)) {
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                "%s: FIPS mode no valid protocols set, enabling TLSv1.0, 
TLSv1.1, TLSv1.2 and TLSv1.3",
+                protocol_marker);
+            tls = tls1_1 = tls1_2 = tls1_3 = 1;
+        }
+#else
         if ((mctx->sc->fips) && (tls == 0) && (tls1_1 == 0) && (tls1_2 == 0)) {
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                "%s: FIPS mode no valid protocols set, enabling TLSv1.0, 
TLSv1.1 and TLSv1.2",
+                "%s: FIPS mode no valid protocols set, enabling TLSv1.0, 
TLSv1.1, and TLSv1.2",
                 protocol_marker);
             tls = tls1_1 = tls1_2 = 1;
         }
+#endif
     }
 
     stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
@@ -893,7 +923,7 @@
     if (stat == SECSuccess) {
         /* Set minimum protocol version (lowest -> highest)
          *
-         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2
+         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3
          */
         if (ssl3 == 1) {
             enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
@@ -915,6 +945,13 @@
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "%s:  [TLS 1.2] (minimum)",
                          protocol_marker);
+#ifdef  NSS_SUPPORTS_TLS_1_3
+        } else if (tls1_3 == 1) {
+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_3;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.3] (minimum)",
+                         protocol_marker);
+#endif
         } else {
             /* Set default minimum protocol version to SSL 3.0 */
             enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
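Review bot: On a build without `NSS_SUPPORTS_TLS_1_3`, a configuration that requests only `TLSv1.3` appears to fall through to the `else` branch visible here, which sets `enabledVersions.min = SSL_LIBRARY_VERSION_3_0`. This is because the token parser in the earlier hunk only logs "Unknown protocol" at warning level and leaves every protocol flag at zero. What happens to the maximum, and whether the later range call rejects the result, is outside this hunk, so this should be confirmed. If it holds, a server meant to be TLS 1.3-only would start with a much weaker floor than requested. Treating a recognised but unsupported protocol as a configuration error would fail closed: log at `APLOG_ERR` and call `nss_die();` in the parser's non-TLS-1.3 build.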
@@ -925,9 +962,18 @@
 
         /* Set maximum protocol version (highest -> lowest)
          *
-         *     TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
+         *     TLS 1.3 -> TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
          */
+#ifdef  NSS_SUPPORTS_TLS_1_3
+        if (tls1_3 == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_3;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.3] (maximum)",
+                         protocol_marker);
+        } else if (tls1_2 == 1) {
+#else
         if (tls1_2 == 1) {
+#endif
             enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "%s:  [TLS 1.2] (maximum)",
@@ -962,12 +1008,19 @@
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "%s:  SSL/TLS protocol initialization failed.",
                 protocol_marker);
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Enabled versions: min 0x%04x, max 0x%04x",
+                enabledVersions.min, enabledVersions.max);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
     }
 
     mctx->ssl3 = ssl3;
+#ifdef  NSS_SUPPORTS_TLS_1_3
+    mctx->tls = tls || tls1_1 || tls1_2 || tls1_3;
+#else
     mctx->tls = tls || tls1_1 || tls1_2;
+#endif
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
         "%sabling TLS Session Tickets", mctx->sc->session_tickets == PR_TRUE ? 
"En" : "Dis");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/nss_engine_vars.c 
new/mod_nss-1.0.17/nss_engine_vars.c
--- old/mod_nss-1.0.16/nss_engine_vars.c        2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/nss_engine_vars.c        2018-03-27 22:40:30.000000000 
+0200
@@ -776,6 +776,11 @@
                 case SSL_LIBRARY_VERSION_TLS_1_2:
                     result = "TLSv1.2";
                     break;
+#ifdef NSS_SUPPORTS_TLS_1_3
+                case SSL_LIBRARY_VERSION_TLS_1_3:
+                    result = "TLSv1.3";
+                    break;
+#endif
             }
         }
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/msupn.py 
new/mod_nss-1.0.17/test/msupn.py
--- old/mod_nss-1.0.16/test/msupn.py    2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/test/msupn.py    2018-03-27 22:40:30.000000000 +0200
@@ -1,14 +1,17 @@
 from pyasn1.codec.der import encoder
 from pyasn1.type import univ, char, tag
 
+
 def fill_sequence(seq, *vals):
     for i in range(len(vals)):
         seq.setComponentByPosition(i, vals[i])
 
+
 class SequenceImplicitlyTagged0(univ.Sequence):
     tagSet = univ.Sequence.tagSet.tagImplicitly(
         tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
 
+
 class UTF8StringTagged0(char.GeneralString):
     tagSet = char.UTF8String.tagSet.tagExplicitly(
         tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/test.py 
new/mod_nss-1.0.17/test/test.py
--- old/mod_nss-1.0.16/test/test.py     2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/test/test.py     2018-03-27 22:40:30.000000000 +0200
@@ -16,22 +16,19 @@
         # Other older python we use the urllib3 bundled copy
         from urllib3.packages.ssl_match_hostname import CertificateError
 
+
 class test_suite1(Declarative):
     @classmethod
     def setUpClass(cls):
         write_template_file('suite1.tmpl', 'work/httpd/conf/test.conf',
-            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
-             'SNI': 'off',
-             'PRESERVEHOST': 'Off',
-            }
-        )
+                            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
+                             'SNI': 'off',
+                             'PRESERVEHOST': 'Off'})
         # Generate a single VH to do negative SNI testing
         write_template_file('sni.tmpl', 'work/httpd/conf.d/sni1.conf',
-            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
-             'SNINAME': 'www1.example.com',
-             'SNINUM': 1,
-            }
-        )
+                            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
+                             'SNINAME': 'www1.example.com',
+                             'SNINUM': 1})
         restart_apache()
 
     @classmethod
@@ -66,12 +63,12 @@
             cipher='AES128-SHA',
         ),
 
-#        dict(
-#            desc='Default protocol check',
-#            request=('/', {}),
-#            expected=200,
-#            protocol='TLSv1.0',
-#        ),
+        # dict(
+        #     desc='Default protocol check',
+        #     request=('/', {}),
+        #     expected=200,
+        #     protocol='TLSv1.0',
+        # ),
 
         dict(
             desc='client-side cipher check',
@@ -96,8 +93,7 @@
             desc='Basic client auth, valid certificate',
             request=('/acl/aclS01.html', {
                       'key_file': 'work/httpd/alpha.key',
-                      'cert_file': 'work/httpd/alpha.crt',}
-            ),
+                      'cert_file': 'work/httpd/alpha.crt'}),
             expected=200,
         ),
 
@@ -111,8 +107,7 @@
             desc='NSSRequire auth, valid certificate',
             request=('/acl/aclS02.html', {
                       'key_file': 'work/httpd/alpha.key',
-                      'cert_file': 'work/httpd/alpha.crt',}
-            ),
+                      'cert_file': 'work/httpd/alpha.crt'}),
             expected=200,
         ),
 
@@ -120,8 +115,7 @@
             desc='NSSRequire auth, not allowed certificate',
             request=('/acl/aclS02.html', {
                       'key_file': 'work/httpd/beta.key',
-                      'cert_file': 'work/httpd/beta.crt',}
-            ),
+                      'cert_file': 'work/httpd/beta.crt'}),
             expected=403,
         ),
 
@@ -135,8 +129,7 @@
             desc='FakeBasicAuth, valid certificate',
             request=('/acl/aclS03.html', {
                       'key_file': 'work/httpd/alpha.key',
-                      'cert_file': 'work/httpd/alpha.crt',}
-            ),
+                      'cert_file': 'work/httpd/alpha.crt'}),
             expected=200,
         ),
 
@@ -144,8 +137,7 @@
             desc='FakeBasicAuth, not allowed user',
             request=('/acl/aclS03.html', {
                       'key_file': 'work/httpd/beta.key',
-                      'cert_file': 'work/httpd/beta.crt',}
-            ),
+                      'cert_file': 'work/httpd/beta.crt'}),
             expected=401,
         ),
 
@@ -153,8 +145,7 @@
             desc='FakeBasicAuth, certificate with colon',
             request=('/acl/aclS03.html', {
                       'key_file': 'work/httpd/colon.key',
-                      'cert_file': 'work/httpd/colon.crt',}
-            ),
+                      'cert_file': 'work/httpd/colon.crt'}),
             expected=403,
         ),
 
@@ -180,40 +171,36 @@
         dict(
             desc='Try SSLv23 client on SSLv3 location',
             request=('/protocolssl3/index.html',
-                    {'ssl_version': ssl.PROTOCOL_SSLv23}
-            ),
-            expected=403, # connects as TLSv1
+                     {'ssl_version': ssl.PROTOCOL_SSLv23}),
+            expected=403,  # connects as TLSv1
         ),
 
         dict(
             desc='Try TLSv1 client on SSLv3 location',
             request=('/protocoltls1/index.html',
-                    {'ssl_version': ssl.PROTOCOL_TLSv1}
-            ),
+                     {'ssl_version': ssl.PROTOCOL_TLSv1}),
             expected=requests.exceptions.SSLError(),
         ),
 
         dict(
             desc='Try TLSv1 client on TLSv1.1 location',
             request=('/protocoltls11/index.html',
-                    {'ssl_version': ssl.PROTOCOL_TLSv1}
-            ),
+                     {'ssl_version': ssl.PROTOCOL_TLSv1}),
             expected=requests.exceptions.SSLError(),
         ),
 
-#        dict(
-#            desc='Try SSLv23 client on TLSv1 location',
-#            request=('/protocoltls1/index.html',
-#                    {'ssl_version': ssl.PROTOCOL_SSLv23}
-#            ),
-#            expected=200,
-#        ),
+        # dict(
+        #     desc='Try SSLv23 client on TLSv1 location',
+        #     request=('/protocoltls1/index.html',
+        #             {'ssl_version': ssl.PROTOCOL_SSLv23}
+        #     ),
+        #     expected=200,
+        # ),
 
         dict(
             desc='Try SSLv23 client on 1.2-only location',
             request=('/protocoltls12/index.html',
-                    {'ssl_version': ssl.PROTOCOL_SSLv23}
-            ),
+                     {'ssl_version': ssl.PROTOCOL_SSLv23}),
             expected=403,
         ),
 
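Review bot: The commented-out case 'Try SSLv23 client on TLSv1 location' is re-indented here but still gives no reason for being disabled, so a reader cannot tell whether that protocol-negotiation check is obsolete or currently failing. Put a line above it such as `# disabled: <reason>`, or drop the block. Separately, the case described as 'Try TLSv1 client on SSLv3 location' requests `/protocoltls1/index.html`, while the SSLv3 case above it uses `/protocolssl3/index.html`. The server configuration is not visible here, so either the description or the path may be wrong and is worth confirming. The test table starts and ends outside the hunk.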
@@ -226,18 +213,16 @@
         dict(
             desc='Try SSLv3 client on 1.2-only VH',
             request=('/protocoltls12/index.html',
-                    {'port': 8001,
-                     'ssl_version': ssl.PROTOCOL_SSLv3}
-            ),
+                     {'port': 8001,
+                      'ssl_version': ssl.PROTOCOL_SSLv3}),
             expected=requests.exceptions.SSLError(),
         ),
 
         dict(
             desc='Try TLSv1 client on 1.2-only VH',
             request=('/protocoltls12/index.html',
-                    {'port': 8001,
-                     'ssl_version': ssl.PROTOCOL_TLSv1}
-            ),
+                     {'port': 8001,
+                      'ssl_version': ssl.PROTOCOL_TLSv1}),
             expected=requests.exceptions.SSLError(),
         ),
 
@@ -250,8 +235,7 @@
         dict(
             desc='SNI request when SNI is disabled',
             request=('/index.html',
-                    {'host': 'www1.example.com', 'port': 8000}
-            ),
+                     {'host': 'www1.example.com', 'port': 8000}),
             expected=requests.exceptions.SSLError(),
             expected_str='doesn\'t match',
         ),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/test_cipher.py 
new/mod_nss-1.0.17/test/test_cipher.py
--- old/mod_nss-1.0.16/test/test_cipher.py      2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/test/test_cipher.py      2018-03-27 22:40:30.000000000 
+0200
@@ -4,7 +4,9 @@
 from nose.tools import make_decorator
 
 # This file is auto-generated by configure
-from variable import ENABLE_SHA384, ENABLE_GCM, ENABLE_SERVER_DHE, 
ENABLE_CHACHA20
+from variable import (
+    ENABLE_SHA384, ENABLE_GCM, ENABLE_SERVER_DHE,
+    ENABLE_CHACHA20, ENABLE_TLS13)
 
 # Things to be aware of if some tests fail:
 #
@@ -22,49 +24,67 @@
 
 ciphernum = 0
 
-CIPHERS_NOT_IN_NSS = ['ECDH-RSA-AES128-SHA256',
-                      'ECDH-ECDSA-AES128-GCM-SHA256',
-                      'ECDH-ECDSA-AES128-SHA256',
-                      'ECDH-RSA-AES128-GCM-SHA256',
-                      'EXP-DES-CBC-SHA',
-                      'ECDH-RSA-AES256-GCM-SHA384',
-                      'ECDH-ECDSA-AES256-SHA384',
-                      'ECDH-RSA-AES256-SHA384',
-                      'ECDH-ECDSA-AES256-GCM-SHA384',
-                      'EXP-EDH-RSA-DES-CBC-SHA',
-                      'ECDH-ECDSA-AES128-SHA',
-                      'ECDH-RSA-AES128-SHA',
-                      'CAMELLIA256-SHA256',
-                      'CAMELLIA128-SHA256',
-                      'ECDHE-ECDSA-CAMELLIA128-SHA256',
-                      'ECDHE-RSA-CAMELLIA256-SHA384',
-                      'ECDHE-ECDSA-CAMELLIA256-SHA384',
-                      'ECDHE-RSA-CAMELLIA128-SHA256',
-                      'DHE-RSA-CAMELLIA128-SHA256',
-                      'DHE-RSA-CAMELLIA256-SHA256',
+CIPHERS_NOT_IN_NSS = [
+    'ECDH-RSA-AES128-SHA256',
+    'ECDH-ECDSA-AES128-GCM-SHA256',
+    'ECDH-ECDSA-AES128-SHA256',
+    'ECDH-RSA-AES128-GCM-SHA256',
+    'EXP-DES-CBC-SHA',
+    'ECDH-RSA-AES256-GCM-SHA384',
+    'ECDH-ECDSA-AES256-SHA384',
+    'ECDH-RSA-AES256-SHA384',
+    'ECDH-ECDSA-AES256-GCM-SHA384',
+    'EXP-EDH-RSA-DES-CBC-SHA',
+    'ECDH-ECDSA-AES128-SHA',
+    'ECDH-RSA-AES128-SHA',
+    'CAMELLIA256-SHA256',
+    'CAMELLIA128-SHA256',
+    'ECDHE-ECDSA-CAMELLIA128-SHA256',
+    'ECDHE-RSA-CAMELLIA256-SHA384',
+    'ECDHE-ECDSA-CAMELLIA256-SHA384',
+    'ECDHE-RSA-CAMELLIA128-SHA256',
+    'DHE-RSA-CAMELLIA128-SHA256',
+    'DHE-RSA-CAMELLIA256-SHA256',
 ]
 
-CIPHERS_NOT_IN_OPENSSL = ['ECDH-RSA-NULL-SHA',
-                          'ECDH-RSA-AES128-SHA',
-                          'ECDH-RSA-DES-CBC3-SHA',
-                          'ECDH-ECDSA-AES128-SHA',
-                          'ECDH-ECDSA-NULL-SHA',
-                          'ECDH-RSA-AES256-SHA',
-                          'ECDH-ECDSA-DES-CBC3-SHA',
-                          'ECDH-ECDSA-AES256-SHA',
+CIPHERS_NOT_IN_OPENSSL = [
+    'ECDH-RSA-NULL-SHA',
+    'ECDH-RSA-AES128-SHA',
+    'ECDH-RSA-DES-CBC3-SHA',
+    'ECDH-ECDSA-AES128-SHA',
+    'ECDH-ECDSA-NULL-SHA',
+    'ECDH-RSA-AES256-SHA',
+    'ECDH-ECDSA-DES-CBC3-SHA',
+    'ECDH-ECDSA-AES256-SHA',
 ]
 
-OPENSSL_CIPHERS_IGNORE = 
":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA:-SRP:-AESCCM:-AESCCM8"
+OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \
+    ":-SRP:-AESCCM:-AESCCM8"
 
 if ENABLE_SERVER_DHE == 0:
     OPENSSL_CIPHERS_IGNORE += ':-DH'
 
+
 def openssl_CHACHA20():
     """Check to see if CHACHA20 is available in OpenSSL"""
     (out, err, rc) = run([openssl, 'ciphers', 'CHACHA20'])
     return rc == 0
 
+
+def openssl_tls13():
+    """Check to see if TLS 1.3 is available in OpenSSL"""
+    (out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])
+    return rc == 0
+
 OPENSSL_CHACHA20 = openssl_CHACHA20()
+OPENSSL_TLS13 = openssl_tls13()
+
+tls13_ciphers = [
+    'TLS-AES-128-GCM-SHA256',
+    'TLS-AES-256-GCM-SHA384',
+    'TLS-CHACHA20-POLY1305_SHA256',
+]
+
 
 def assert_equal_openssl(ciphers):
     nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"
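Review bot: The third entry of `tls13_ciphers`, `'TLS-CHACHA20-POLY1305_SHA256'`, has an underscore before `SHA256` while the other two entries are hyphenated throughout, which looks like a typo. The skip added in the next hunk is an exact membership test (`c in tls13_ciphers`), unlike the substring test used for CHACHA20. If NSS reports the hyphenated name, that suite is not filtered when OpenSSL has CHACHA20 but no TLS 1.3, and `assert_equal_openssl` fails for a reason unrelated to the server. The NSS cipher table is outside this diff, so confirm the spelling there; if it is hyphenated the line should read `'TLS-CHACHA20-POLY1305-SHA256',`. `assert_equal_openssl` continues outside the hunk.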
@@ -97,10 +117,13 @@
     ossl_list = t
 
     # OpenSSL 1.0.2 doesn't support CHACHA20 but NSS might.
+    # OpenSSL 1.1.0.g doesn't support TLS 1.3 yet but 1.1.1 will.
     n = list()
     for c in nss_list:
         if not OPENSSL_CHACHA20 and ENABLE_CHACHA20 and 'CHACHA20' in c:
             continue
+        if not OPENSSL_TLS13 and ENABLE_TLS13 and c in tls13_ciphers:
+            continue
         if c in CIPHERS_NOT_IN_OPENSSL:
             continue
         n.append(c)
@@ -113,13 +136,16 @@
     else:
         diff = ''
 
-    assert nss_list == ossl_list, '%r != %r. Difference %r' % 
(':'.join(nss_list), ':'.join(ossl_list), diff)
+    assert nss_list == ossl_list, '%r != %r. Difference %r' % (
+        ':'.join(nss_list), ':'.join(ossl_list), diff)
+
 
 def assert_no_NULL(nss_ciphers):
     (nss, err, rc) = run([exe, "--o", nss_ciphers])
     assert rc == 0
     assert('NULL' not in nss)
 
+
 class test_ciphers(object):
     @classmethod
     def setUpClass(cls):
@@ -308,15 +334,18 @@
         assert_no_NULL("DEFAULT:aRSA")
 
     def test_SYSTEM_DEFAULT(self):
-         # I've added in !DHE here which differs from F-23 default
-         
assert_equal_openssl("!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!DHE")
+        # I've added in !DHE here which differs from F-23 default
+        assert_equal_openssl("!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:"
+                             "!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:"
+                             "!IDEA:!DES:!DHE")
 
     def test_cipher_reorder(self):
         # re-ordering not allowed but shouldn't blow up either
         assert_equal_openssl("3DES:AES:+3DES:SHA256")
 
     def test_nss_subtraction(self):
-        (out, err, rc) = run([exe, 
"+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
+        (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,"
+                             "-rsa_rc4_128_md5"])
         assert rc == 0
         assert_equal(out, 'rsa_rc4_128_sha')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/test_config.py 
new/mod_nss-1.0.17/test/test_config.py
--- old/mod_nss-1.0.16/test/test_config.py      2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/test/test_config.py      2018-03-27 22:40:30.000000000 
+0200
@@ -29,17 +29,18 @@
 # Utility functions to assist in creating Apache configuration based
 # on test suite
 
-DEF_PORT=8000
+DEF_PORT = 8000
 FQDN = socket.gethostname()
 
 default_vars = dict(
-    DBPREFIX = '',
-    SERVER_PORT = DEF_PORT,
-    SERVER_NAME = FQDN,
-    TEST_ROOT = '%s/work/httpd' % os.getcwd(),
-    SERVER_ROOT = '%s/work/httpd' % os.getcwd(),
+    DBPREFIX='',
+    SERVER_PORT=DEF_PORT,
+    SERVER_NAME=FQDN,
+    TEST_ROOT='%s/work/httpd' % os.getcwd(),
+    SERVER_ROOT='%s/work/httpd' % os.getcwd(),
 )
 
+
 def template_str(txt, vars):
     val = string.Template(txt).substitute(vars)
 
@@ -51,17 +52,20 @@
 
     return val
 
+
 def template_file(infilename, vars):
     """Read a file and perform template substitutions"""
     with open(infilename) as f:
         return template_str(f.read(), vars)
 
+
 def write_template_file(infilename, outfilename, vars):
     """Read a file and perform template substitutions"""
     replacevars = dict(default_vars.items() + vars.items())
     with open(outfilename, 'w') as f:
         f.write('%s\n' % template_file(infilename, replacevars))
 
+
 def stop_apache():
     """Stop the Apache process"""
     cwd = os.getcwd()
@@ -71,6 +75,7 @@
     p = subprocess.Popen(['./stop'],
                          close_fds=True)
 
+
 def restart_apache():
     """Restart the Apache process"""
     cwd = os.getcwd()
@@ -93,6 +98,7 @@
   options = %r
   %s: %s"""
 
+
 class Declarative(object):
     """A declarative-style test suite
 
@@ -134,7 +140,7 @@
     def make_request(self, uri, options):
         session = requests.Session()
         session.mount('https://', test_request.MyAdapter())
-        verify = dict(verify = options)
+        verify = dict(verify=options)
         port = options.get('port', DEF_PORT)
         host = options.get('host', FQDN)
         request = session.get('https://%s:%d%s' % (host, port, uri), **verify)
@@ -145,7 +151,7 @@
               expected_str=None, content=None):
         # TODO: need way to set auth, etc.
         (uri, options) = request
-        if not 'verify' in options:
+        if 'verify' not in options:
             options['verify'] = 'work/httpd/alias/ca.pem'
         if isinstance(expected, Exception):
             self.check_exception(nice, uri, options, expected, expected_str)
@@ -183,7 +189,7 @@
         request = self.make_request(uri, options)
         has_sni = options.get('sni', False)
 
-        if content and not content in request.content:
+        if content and content not in request.content:
                 raise AssertionError(
                     'Expected %s not in %s' % (content, request.content)
                 )
@@ -201,9 +207,11 @@
                 raise AssertionError('Cannot do protocol tests in SNI')
             if protocol != client_cipher[1]:
                 raise AssertionError(
-                    'Expected protocol %s, got %s' % (protocol, 
client_cipher[1])
+                    'Expected protocol %s, got %s' %
+                    (protocol, client_cipher[1])
                 )
         if expected != request.status_code:
                 raise AssertionError(
-                    'Expected status %s, got %s' % (expected, 
request.status_code)
+                    'Expected status %s, got %s' %
+                    (expected, request.status_code)
                 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/test_request.py 
new/mod_nss-1.0.17/test/test_request.py
--- old/mod_nss-1.0.16/test/test_request.py     2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/test/test_request.py     2018-03-27 22:40:30.000000000 
+0200
@@ -9,20 +9,26 @@
 from requests.packages.urllib3.util import get_host
 from requests.packages.urllib3.util.timeout import Timeout
 from requests.packages.urllib3.contrib import pyopenssl
-from requests.packages.urllib3.connectionpool import HTTPConnectionPool, 
HTTPSConnectionPool, VerifiedHTTPSConnection 
+from requests.packages.urllib3.connectionpool import (
+    HTTPConnectionPool, HTTPSConnectionPool, VerifiedHTTPSConnection)
 
 try:
-    from requests.packages.urllib3.contrib.pyopenssl import 
DEFAULT_SSL_CIPHER_LIST
+    from requests.packages.urllib3.contrib.pyopenssl import (
+        DEFAULT_SSL_CIPHER_LIST)
 except ImportError:
     try:
         from urllib3.util.ssl_ import DEFAULT_CIPHERS
         DEFAULT_SSL_CIPHER_LIST = DEFAULT_CIPHERS
     except ImportError:
-        DEFAULT_SSL_CIPHER_LIST = 
'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5'
+        DEFAULT_SSL_CIPHER_LIST = (
+            'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
+            'TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:'
+            'DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:'
+            'RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5')
 
 # Don't bend over backwards for ssl support, assume it is there.
 import ssl
-try: # Python 3
+try:  # Python 3
     from http.client import HTTPConnection, HTTPException
     from http.client import HTTP_PORT, HTTPS_PORT
     from http.client import HTTPSConnection
@@ -37,10 +43,12 @@
 except ImportError:
     try:
         # Older python where the backport from pypi is installed
-        from backports.ssl_match_hostname import match_hostname, 
CertificateError
+        from backports.ssl_match_hostname import (
+            match_hostname, CertificateError)
     except ImportError:
         # Other older python we use the urllib3 bundled copy
-               from urllib3.packages.ssl_match_hostname import match_hostname, 
CertificateError
+        from urllib3.packages.ssl_match_hostname import (
+            match_hostname, CertificateError)
 
 SAVE_DEFAULT_SSL_CIPHER_LIST = DEFAULT_SSL_CIPHER_LIST
 
@@ -73,12 +81,16 @@
     else:
         return HTTPConnectionPool(host, port=port, **kw)
 
+
 class MyHTTPSConnectionPool(HTTPSConnectionPool):
     def __init__(self, host, port=None,
                  strict=False, timeout=Timeout.DEFAULT_TIMEOUT, maxsize=1,
                  block=False, headers=None,
                  key_file=None, cert_file=None,
-                 cert_reqs='CERT_REQUIRED', 
ca_certs='/etc/ssl/certs/ca-certificates.crt', ssl_version=ssl.PROTOCOL_SSLv23, 
ciphers=None):
+                 cert_reqs='CERT_REQUIRED',
+                 ca_certs='/etc/ssl/certs/ca-certificates.crt',
+                 ssl_version=ssl.PROTOCOL_SSLv23,
+                 ciphers=None):
 
         super(HTTPSConnectionPool, self).__init__(host, port,
                                                   strict, timeout, maxsize,
@@ -100,12 +112,12 @@
         log.info("Starting new HTTPS connection (%d): %s"
                  % (self.num_connections, self.host))
 
-        #if not ssl: # Platform-specific: Python compiled without +ssl
-        #    if not HTTPSConnection or HTTPSConnection is object:
-        #        raise SSLError("Can't connect to HTTPS URL because the SSL "
-        #                       "module is not available.")
+        # if not ssl: # Platform-specific: Python compiled without +ssl
+        #     if not HTTPSConnection or HTTPSConnection is object:
+        #         raise SSLError("Can't connect to HTTPS URL because the SSL "
+        #                        "module is not available.")
 
-        #    return HTTPSConnection(host=self.host, port=self.port)
+        #     return HTTPSConnection(host=self.host, port=self.port)
 
         connection = MyVerifiedHTTPSConnection(host=self.host, port=self.port)
         connection.sni = self.sni
@@ -115,6 +127,7 @@
         connection.set_ciphers(self.ciphers)
         return connection
 
+
 class MyVerifiedHTTPSConnection(VerifiedHTTPSConnection):
     """
     Based on httplib.HTTPSConnection but wraps the socket with
@@ -123,7 +136,7 @@
     cert_reqs = None
     ca_certs = None
     client_cipher = None
-    is_verified = True # squelch warning
+    is_verified = True  # squelch warning
     sni = False
     assert_hostname = None
     assert_fingerprint = None
@@ -174,6 +187,7 @@
                 self.client_cipher = self.sock.cipher()
         super(MyVerifiedHTTPSConnection, self).close()
 
+
 class MyAdapter(requests.adapters.HTTPAdapter):
 
     def get_connection(self, url, proxies=None):
@@ -201,14 +215,17 @@
             if 'key_file' in verify:
                 conn.key_file = verify['key_file']
             conn.sni = verify.get('sni', False)
-        else: # huh? Do nothing
+        else:  # huh? Do nothing
             pass
 
 """
 s = requests.Session()
 s.mount('https://', MyAdapter())
 try:
-    r = s.get('https://test.example.com:8000/', verify={'verify': False, 
'ssl_version': ssl.PROTOCOL_SSLv23, 'ciphers': 'HIGH'})
+    r = s.get('https://test.example.com:8000/',
+              verify={'verify': False,
+              'ssl_version': ssl.PROTOCOL_SSLv23,
+              'ciphers': 'HIGH'})
     cipher = r.raw._pool._get_conn().client_cipher
 except requests.exceptions.SSLError, e:
     print e.message
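Review bot: In the re-wrapped usage example the continuation lines `'ssl_version': ssl.PROTOCOL_SSLv23,` and `'ciphers': 'HIGH'})` are aligned under `verify=` rather than under the first dict key, so they read like separate keyword arguments. Indent them one column past the `{`. The example also passes `'verify': False`, whereas the suite itself defaults to `'work/httpd/alias/ca.pem'` in test_config.py. A line such as `# verification is off for illustration only; the tests verify against work/httpd/alias/ca.pem` would keep the sample from being copied as is. The string literal continues outside the hunk.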
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/test_util.py 
new/mod_nss-1.0.17/test/test_util.py
--- old/mod_nss-1.0.16/test/test_util.py        2018-01-19 21:44:16.000000000 
+0100
+++ new/mod_nss-1.0.17/test/test_util.py        2018-03-27 22:40:30.000000000 
+0200
@@ -2,7 +2,9 @@
 import time
 import subprocess
 
-def host_port_open(host, port, socket_type=socket.SOCK_STREAM, 
socket_timeout=None):
+
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
+                   socket_timeout=None):
     for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
         af, socktype, proto, canonname, sa = res
         try:
@@ -30,6 +32,7 @@
 
     return False
 
+
 def wait_for_open_ports(host, ports, timeout=0):
     """
     Wait until the specified port(s) on the remote host are open. Timeout
@@ -47,13 +50,15 @@
 
             if port_open:
                 break
-            if timeout and time.time() > op_timeout: # timeout exceeded
+            if timeout and time.time() > op_timeout:  # timeout exceeded
                 raise socket.timeout()
             time.sleep(1)
 
+
 def shell_quote(string):
     return "'" + string.replace("'", "'\\''") + "'"
 
+
 def run(args):
     """
     Execute a command and return stdin, stdout and the process return code.
@@ -71,7 +76,7 @@
     try:
         p = subprocess.Popen(args, stdout=p_out, stderr=p_err,
                              close_fds=True)
-        stdout,stderr = p.communicate(None)
+        stdout, stderr = p.communicate(None)
     except KeyboardInterrupt:
         p.wait()
         raise
@@ -82,7 +87,7 @@
 def assert_equal(got, expected):
     if got.strip() != expected.strip():
         raise AssertionError(
-            "assert_deepequal: expected != got. " \
+            "assert_deepequal: expected != got. "
             "expected = %r got = %r" %
             (expected, got)
         )
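Review bot: The message raised by `assert_equal` still begins with `assert_deepequal`, so a failing comparison names a function that is not the one raising. While this literal is being touched, change it to `"assert_equal: expected != got. "`. Whether an `assert_deepequal` exists elsewhere in the file cannot be seen from this hunk.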
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/test/testsni.py 
new/mod_nss-1.0.17/test/testsni.py
--- old/mod_nss-1.0.16/test/testsni.py  2018-01-19 21:44:16.000000000 +0100
+++ new/mod_nss-1.0.17/test/testsni.py  2018-03-27 22:40:30.000000000 +0200
@@ -4,22 +4,19 @@
 import requests.exceptions
 import os
 
+
 class test_suite1(Declarative):
     @classmethod
     def setUpClass(cls):
         write_template_file('suite1.tmpl', 'work/httpd/conf/test.conf',
-            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
-             'SNI': 'on',
-             'PRESERVEHOST': 'Off',
-            }
-        )
-        for i in range(1,26):
+                            {'DBPREFIX': os.environ.get('DBPREFIX', ''),
+                             'SNI': 'on',
+                             'PRESERVEHOST': 'Off'})
+        for i in range(1, 26):
             write_template_file('sni.tmpl', 'work/httpd/conf.d/sni%d.conf' % i,
-                {'DBPREFIX': os.environ.get('DBPREFIX', ''),
-                 'SNINAME': 'www%d.example.com' % i,
-                 'SNINUM': i,
-                }
-            )
+                                {'DBPREFIX': os.environ.get('DBPREFIX', ''),
+                                 'SNINAME': 'www%d.example.com' % i,
+                                 'SNINUM': i})
         restart_apache()
 
     @classmethod
@@ -81,10 +78,9 @@
             request=('/acl/aclS01.html', {
                       'host': 'www10.example.com', 'sni': True,
                       'key_file': 'work/httpd/alpha.key',
-                      'cert_file': 'work/httpd/alpha.crt',}
-            ),
+                      'cert_file': 'work/httpd/alpha.crt'}),
             expected=200,
-            content='sni10', 
+            content='sni10',
         ),
 
         dict(

