Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-03-31 13:03:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-01-23 01:16:32.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2016-03-31 13:03:47.000000000 +0200
@@ -1,0 +2,68 @@
+Thu Mar 17 16:27:13 UTC 2016 - [email protected]
+
+- use a whitelist approach for keeping directives in the migration
+  script (bsc#961907)
+  * modify mod_nss_migrate.pl
+
+-------------------------------------------------------------------
+Wed Mar 16 14:45:24 UTC 2016 - [email protected]
+
+- fix test: add NSSPassPhraseDialog, point it to plain file
+
+-------------------------------------------------------------------
+Mon Mar 14 12:27:37 UTC 2016 - [email protected]
+
+- update to 1.0.13
+  Update default ciphers to something more modern and secure
+  Check for host and netstat commands in gencert before trying to use them
+  Add server support for DHE ciphers
+  Extract SAN from server/client certificates into env
+  Fix memory leaks and other coding issues caught by clang analyzer
+  Add support for Server Name Indication (SNI) (#1010751)
+  Add support for SNI for reverse proxy connections
+  Add RenegBufferSize? option
+  Add support for TLS Session Tickets (RFC 5077)
+  Fix logical AND support in OpenSSL cipher compatibility
+  Correctly handle disabled ciphers (CVE-2015-5244)
+  Implement a slew more OpenSSL cipher macros
+  Fix a number of illegal memory accesses and memory leaks
+  Support for SHA384 ciphers if they are available in NSS
+  Add compatibility for mod_ssl-style cipher definitions (#862938)
+  Add TLSv1.2-specific ciphers
+  Completely remove support for SSLv2
+  Add support for sqlite NSS databases (#1057650)
+  Compare subject CN and VS hostname during server start up
+  Add support for enabling TLS v1.2
+  Don't enable SSL 3 by default (CVE-2014-3566)
+  Fix CVE-2013-4566
+  Move nss_pcache to /usr/libexec
+  Support httpd 2.4+
+- drop almost all our patches (upstream)
+  * 0001-SNI-check-with-NameVirtualHosts.patch
+  * mod_nss-CVE-2013-4566-NSSVerifyClient.diff
+  * mod_nss-PK11_ListCerts_2.patch
+  * mod_nss-add_support_for_enabling_TLS_v1.2.patch
+  * mod_nss-array_overrun.patch
+  * mod_nss-cipherlist_update_for_tls12-doc.diff
+  * mod_nss-cipherlist_update_for_tls12.diff
+  * mod_nss-clientauth.patch
+  * mod_nss-compare_subject_CN_and_VS_hostname.patch
+  * mod_nss-gencert.patch
+  * mod_nss-httpd24.patch
+  * mod_nss-lockpcache.patch
+  * mod_nss-negotiate.patch
+  * mod_nss-no_shutdown_if_not_init_2.patch
+  * mod_nss-overlapping_memcpy.patch
+  * mod_nss-pcachesignal.h
+  * mod_nss-proxyvariables.patch
+  * mod_nss-reseterror.patch
+  * mod_nss-reverse_proxy_send_SNI.patch
+  * mod_nss-reverseproxy.patch
+  * mod_nss-sslmultiproxy.patch
+  * mod_nss-tlsv1_1.patch
+  * mod_nss-wouldblock.patch
+  * update-ciphers.patch
+- add automake and libtool to BuildRequires
+- temporarily comment out %check
+
+-------------------------------------------------------------------

Old:
----
  0001-SNI-check-with-NameVirtualHosts.patch
  mod_nss-1.0.8.tar.gz
  mod_nss-CVE-2013-4566-NSSVerifyClient.diff
  mod_nss-PK11_ListCerts_2.patch
  mod_nss-add_support_for_enabling_TLS_v1.2.patch
  mod_nss-array_overrun.patch
  mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  mod_nss-clientauth.patch
  mod_nss-compare_subject_CN_and_VS_hostname.patch
  mod_nss-gencert.patch
  mod_nss-httpd24.patch
  mod_nss-lockpcache.patch
  mod_nss-negotiate.patch
  mod_nss-no_shutdown_if_not_init_2.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-pcachesignal.h
  mod_nss-proxyvariables.patch
  mod_nss-reseterror.patch
  mod_nss-reverse_proxy_send_SNI.patch
  mod_nss-reverseproxy.patch
  mod_nss-sslmultiproxy.patch
  mod_nss-tlsv1_1.patch
  mod_nss-wouldblock.patch
  update-ciphers.patch

New:
----
  mod_nss-1.0.13.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old  2016-03-31 13:03:48.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new  2016-03-31 13:03:48.000000000 +0200
@@ -20,7 +20,7 @@
 Summary:        SSL/TLS module for the Apache HTTP server
 License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
-Version:        1.0.8
+Version:        1.0.13
 Release:        0.4.8
 Url:            https://fedorahosted.org/mod_nss
 Source:         
https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
@@ -38,6 +38,7 @@
 PreReq:         mozilla-nss-tools
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
+BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  curl
 BuildRequires:  findutils
@@ -45,43 +46,13 @@
 BuildRequires:  gcc-c++
 BuildRequires:  libapr-util1-devel
 BuildRequires:  libapr1-devel
+BuildRequires:  libtool
 BuildRequires:  mozilla-nspr-devel >= 4.6.3
 BuildRequires:  mozilla-nss-devel >= 3.15.1
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig
-# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
-# Fri Nov  8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now 
scratch.
-#Patch1:         mod_nss-conf.patch
-Patch2:         mod_nss-gencert.patch
-Patch3:         mod_nss-wouldblock.patch
-Patch4:         mod_nss-negotiate.patch
-Patch5:         mod_nss-reverseproxy.patch
-Patch6:         mod_nss-pcachesignal.h
-Patch7:         mod_nss-reseterror.patch
-Patch8:         mod_nss-lockpcache.patch
-# Fix build with apache 2.4
-Patch9:         mod_nss-httpd24.patch
-
-Patch10:        mod_nss-proxyvariables.patch
-Patch11:        mod_nss-tlsv1_1.patch
-Patch12:        mod_nss-array_overrun.patch
-Patch13:        mod_nss-clientauth.patch
-Patch14:        mod_nss-no_shutdown_if_not_init_2.patch
-Patch15:        mod_nss-PK11_ListCerts_2.patch
-Patch16:        mod_nss-sslmultiproxy.patch
-Patch17:        mod_nss-overlapping_memcpy.patch
-Patch18:        mod_nss-CVE-2013-4566-NSSVerifyClient.diff
-Patch19:        mod_nss-cipherlist_update_for_tls12.diff
-Patch20:        mod_nss-cipherlist_update_for_tls12-doc.diff
+
 Patch23:        mod_nss-bnc863518-reopen_dev_tty.diff
-# PATCH-FIX-UPSTREAM bnc#897712 [email protected] -- check for the 
misconfiguration of certificate's CN and virtual name
-Patch24:        mod_nss-compare_subject_CN_and_VS_hostname.patch
-# PATCH-FIX-UPSTREAM bnc#902068 [email protected] -- small fixes for TLS-v1.2
-Patch25:        mod_nss-add_support_for_enabling_TLS_v1.2.patch
-# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 [email protected] -- add 
Server Name Indication support
-Patch26:        0001-SNI-check-with-NameVirtualHosts.patch
-Patch27:        update-ciphers.patch
-Patch28:        mod_nss-reverse_proxy_send_SNI.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
@@ -101,36 +72,7 @@
 
 %prep
 %setup -q -n mod_nss-%{version}
-##%patch1 -p1 -b .conf.rpmpatch
-%patch2 -p1 -b .gencert.rpmpatch
-%patch3 -p1 -b .wouldblock.rpmpatch
-%patch4 -p1 -b .negotiate.rpmpatch
-%patch5 -p1 -b .reverseproxy.rpmpatch
-%patch6 -p1 -b .pcachesignal.h.rpmpatch
-%patch7 -p1 -b .reseterror.rpmpatch
-%patch8 -p1 -b .lockpcache.rpmpatch
-%patch10 -p1 -b .proxyvariables.rpmpatch
-%patch11 -p1 -b .tlsv1_1.rpmpatch
-%patch12 -p1 -b .array_overrun.rpmpatch
-%patch13 -p1 -b .clientauth.rpmpatch
-%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
-%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
-%patch16 -p1 -b .sslmultiproxy.rpmpatch
-%patch17 -p1 -b .overlapping_memcpy.rpmpatch
-%patch18 -p0 -b .CVE-2013-4566.rpmpatch
-%patch19 -p0 -b .ciphers.rpmpatch
-%patch20 -p0 -b .ciphers.doc.rpmpatch
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
-%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
-%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
-%patch26 -p1 -b .SNI_support.rpmpatch
-%patch27 -p1 -b .update-ciphers.rpmpatch
-%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
-
-# keep this last, otherwise we get fuzzyness from above
-%if %{apache_branch} >= 204
-%patch9 -p1 -b .http24
-%endif
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -150,7 +92,7 @@
 cp -a %{SOURCE1} ./nss.conf.in
 cp -a %{SOURCE4} .
 chmod 644 ./nss.conf.in
-#autoreconf -fvi
+autoreconf -fvi
 %configure \
     --with-nss-lib=$NSS_LIB_DIR \
     --with-nss-inc=$NSS_INCLUDE_DIR \
@@ -193,11 +135,18 @@
 %check
 set +x
 mkdir -p %{apache_test_module_dir}
+# create password file including internal token to suppress 
+# apache 'builtin dialog', see NSSPassPhraseDialog below
+# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
+cat << EOF > %{apache_test_module_dir}/password.conf
+internal:httptest
+EOF
 # create test configuration
 cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
 NSSEngine on
 NSSNickname Server-Cert
 NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
+NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
 NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
 NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
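Review bot: The test configuration still points the helper at `NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache` (an unchanged context line in this hunk), while the changelog in this same submission records that 1.0.13 moved nss_pcache to /usr/libexec and the migration script in this diff now emits `/usr/libexec/nss_pcache`. Unless %install relocates the binary (not visible on this page), %check will not find the helper; `NSSPassPhraseHelper %{buildroot}/usr/libexec/nss_pcache` keeps the test consistent with the rest of the update. The new password.conf stores the token PIN in clear text, which is fine for a throwaway build-time database but deserves a word in the comment above the heredoc, e.g. `# build-time test database only; the PIN is not secret`, so the snippet is not copied as-is into a real nss.conf. The changelog also says %check is temporarily commented out, but nothing in this hunk does that — presumably it happens elsewhere in the spec.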

++++++ mod_nss-1.0.8.tar.gz -> mod_nss-1.0.13.tar.gz ++++++
++++ 51602 lines of diff (skipped)

++++++ mod_nss-bnc863518-reopen_dev_tty.diff ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old  2016-03-31 13:03:49.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new  2016-03-31 13:03:49.000000000 +0200
@@ -1,54 +1,8 @@
-diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_pphrase.c ./nss_engine_pphrase.c
---- ../mod_nss-1.0.8-o/nss_engine_pphrase.c    2014-07-24 12:23:30.000000000 
+0200
-+++ ./nss_engine_pphrase.c     2014-07-24 13:54:23.000000000 +0200
-@@ -181,199 +181,218 @@
-  * that may be done.
-  */ 
- static PRBool nss_check_password(unsigned char *cp)
- {
-     int len;
-     unsigned char *end, ch;
- 
-     len = strlen((char *)cp);
-     if (len < 8) {
-             return PR_TRUE;
-     }
-     end = cp + len;
-     while (cp < end) {
-         ch = *cp++;
-         if (!((ch >= 'A') && (ch <= 'Z')) &&
-             !((ch >= 'a') && (ch <= 'z'))) {
-             /* pass phrase has at least one non alphabetic in it */
-             return PR_TRUE;
-         }
-     }
-     return PR_TRUE;
- }
- 
- /*
-  * Password callback so the user is not prompted to enter the password
-  * after the server starts.
-  */
- static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg)
- {
-    return NULL;
- }
- 
- /*
-  * Password callback to prompt the user for a password. This requires
-  * twiddling with the tty. Alternatively, if the file password.conf
-  * exists then it may be used to store the token password(s).
-  */
- static char *nss_get_password(FILE *input, FILE *output,
-                                        PK11SlotInfo *slot,
-                                        PRBool (*ok)(unsigned char *),
-                                        pphrase_arg_t *parg)
- {
-     char *pwdstr = NULL;
-     char *token_name = NULL;
-     int tmp;
-     FILE *pwd_fileptr;
-     char *ptr;
+Index: nss_engine_pphrase.c
+===================================================================
+--- nss_engine_pphrase.c.orig  2016-03-14 12:33:49.139529734 +0100
++++ nss_engine_pphrase.c       2016-03-14 12:40:42.603094487 +0100
+@@ -228,6 +228,7 @@ static char *nss_get_password(FILE *inpu
      char line[1024];
      unsigned char phrase[200];
      int infd = fileno(input);
@@ -56,103 +10,10 @@
      int isTTY = isatty(infd);
  
      token_name = PK11_GetTokenName(slot);
- 
-     if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE ||
-         parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
-         /* Try to get the passwords from the password file if it exists.
-          * THIS IS UNSAFE and is provided for convenience only. Without this
-          * capability the server would have to be started in foreground mode.
-          */
-         if ((*parg->mc->pphrase_dialog_path != '\0') &&
-            ((pwd_fileptr = fopen(parg->mc->pphrase_dialog_path, "r")) != 
NULL)) {
-             while(fgets(line, 1024, pwd_fileptr)) {
-                 if (PL_strstr(line, token_name) == line) {
-                     tmp = PL_strlen(line) - 1;
-                     while((line[tmp] == ' ') || (line[tmp] == '\n'))
-                         tmp--;
-                     line[tmp+1] = '\0';
-                     ptr = PL_strchr(line, ':');
-                     if (ptr == NULL) {
-                         ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                            "Malformed password entry for token %s. Format 
should be token:password", token_name);
-                         continue;
-                     }
-                     for(tmp=1; ptr[tmp] == ' '; tmp++) {}
-                     pwdstr = strdup(&(ptr[tmp]));
-                 }
-             }
-             fclose(pwd_fileptr);
-         } else {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                  "Unable to open password file %s", 
parg->mc->pphrase_dialog_path);
-             nss_die();
-         }
-     }
- 
-     /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found
-      * in the password file.
-      */
-     if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) &&
-         (pwdstr == NULL)) {
-         return NULL;
-     }
- 
-     /* This purposely comes after the file check because that is more
-      * authoritative.
-      */
-     if (parg->mc->nInitCount > 1) {
-         char buf[1024];
-         apr_status_t rv;
-         apr_size_t nBytes = 1024;
-         struct sembuf sb;
- 
-         /* lock the pipe */
-         sb.sem_num = 0;
-         sb.sem_op = -1;
-         sb.sem_flg = SEM_UNDO;
-         if (semop(parg->mc->semid, &sb, 1) == -1) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "Unable to reserve semaphore resource");
-         }
- 
-         snprintf(buf, 1024, "RETR\t%s", token_name);
-         rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
-         if (rv != APR_SUCCESS) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "Unable to write to pin store for slot: %s APR err: %d",  
PK11_GetTokenName(slot), rv);
-             nss_die();
-         }
- 
-         /* The helper just returns a token pw or "", so we don't have much
-          * to check for.
-          */
-         memset(buf, 0, sizeof(buf));
-         rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
-         sb.sem_op = 1;
-         if (semop(parg->mc->semid, &sb, 1) == -1) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "Unable to free semaphore resource");
-             /* perror("semop free resource id"); */
-         }
- 
-         if (rv != APR_SUCCESS) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "Unable to read from pin store for slot: %s APR err: %d",  
PK11_GetTokenName(slot), rv);
-             nss_die();
-         }
- 
-         /* Just return what we got. If we got this far and we don't have a 
-          * PIN then I/O is already shut down, so we can't do anything really
-          * clever.
-          */
-         pwdstr = strdup(buf);
-     }
- 
-     /* If we got a password we're done */ 
+@@ -327,6 +328,24 @@ static char *nss_get_password(FILE *inpu
      if (pwdstr)
          return pwdstr;
--    
-+
+ 
 +    /* It happens that stdin is not opened with O_RDONLY. Better make sure
 +     * it is and re-open /dev/tty.
 +     */
@@ -174,50 +35,3 @@
      for (;;) {
          /* Prompt for password */
          if (isTTY) {
-             if (parg->retryCount > 0) {
-                 fprintf(output, "Password incorrect. Please try again.\n");
-             }
-             fprintf(output, "%s", prompt);
-             echoOff(infd);
-         }
-         fgets((char*) phrase, sizeof(phrase), input);
-         if (isTTY) {
-             fprintf(output, "\n");
-             echoOn(infd);
-         }
-         /* stomp on newline */ 
-         phrase[strlen((char*)phrase)-1] = 0;
- 
-         /* Validate password */
-         if (!(*ok)(phrase)) {
-             /* Not weird enough */
-             if (!isTTY) return 0;
-             fprintf(output, "Password must be at least 8 characters long with 
one or more\n");
-             fprintf(output, "non-alphabetic characters\n");
-             continue; 
-         }
-         if (PK11_IsFIPS() && strlen(phrase) == 0) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                 "The FIPS security policy requires that a password be set.");
-             nss_die();
-         } else
-             return (char*) PORT_Strdup((char*)phrase);
-     }
- }
- 
- /*
-  * Turn the echoing off on a tty.
-  */
- static void echoOff(int fd)
- {
-     if (isatty(fd)) {
-         struct termios tio;
-         tcgetattr(fd, &tio);
-         tio.c_lflag &= ~ECHO;
-         tcsetattr(fd, TCSAFLUSH, &tio);
-     }
- }
- 
- /*
-  * Turn the echoing on on a tty.
-  */

++++++ mod_nss_migrate.pl ++++++
--- /var/tmp/diff_new_pack.ZpLJKc/_old  2016-03-31 13:03:49.000000000 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new  2016-03-31 13:03:49.000000000 +0200
@@ -6,7 +6,7 @@
 use Getopt::Std;
 
 BEGIN {
-#   $NSSDir = cwd();
+   #$NSSDir = cwd();
    $NSSDir = "/etc/apache2/mod_nss.d";
 
    $SSLCACertificatePath = "";
@@ -18,21 +18,34 @@
    $passphrase = 0;
 }
 
-%skip = ( "SSLRandomSeed" => "",
-          "SSLSessionCache" => "",
-          "SSLMutex" => "",
-          "SSLCertificateChainFile" => "",
-          "SSLVerifyDepth" => "" ,
-          "SSLCryptoDevice" => "" ,
-          "LoadModule" => "" ,
-         );
+# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
+%keep = ( "SSLCipherSuite" => "",
+          "SSLEngine" => "",
+          "SSLFIPS" => "",
+          "SSLOptions" => "",
+          "SSLPassPhraseDialog" => "",
+          "SSLProtocol" => "",
+          "SSLProxyCipherSuite" => "",
+          "SSLProxyEngine" => "",
+          "SSLProxyCheckPeerCN" => "",
+          "SSLProxyProtocol" => "",
+          "SSLRandomSeed" => "",
+          "SSLRenegBufferSize" => "",
+          "SSLRequire" => "",
+          "SSLRequireSSL" => "",
+          "SSLSessionCacheTimeout" => "",
+          "SSLSessionTickets" => "",
+          "SSLStrictSNIVHostCheck" => "",
+          "SSLUserName" => "",
+          "SSLVerifyClient" => "",
+);
 
-%insert =  ( "NSSSessionCacheTimeout", "NSSSessionCacheSize 
10000\nNSSSession3CacheTimeout 86400\n",);
+%insert =  ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 
10000\nNSSSession3CacheTimeout 86400\n",);
 
 getopts('chr:w:' , \%opt );
 
 sub usage() {
-    print STDERR "Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w 
<mod_nss output file>\n";
+    print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss 
output file>\n";
     print STDERR "\t-c converts the certificates\n";
     print STDERR "This conversion script is not aware of apache's 
configuration blocks\n";
     print STDERR "and nestable conditional directives. Please check the output 
of the\n";
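Review bot: The usage text now says `migrate.pl` while the file this diff belongs to is `mod_nss_migrate.pl` (the removed line named it `mod_nss_migrate.pl`, and the old banner in the next hunk named `/usr/sbin/mod_nss_migrate.pl`); the same rename appears in the `print NSS "## This is a conversion ..."` line of the next hunk. Unless the script is being renamed in the package, which nothing on this page shows, keep `print STDERR "Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";` or build the message from `$0` so it follows the installed name. Separately, `SSLSessionCacheTimeout` is listed in both `%keep` and `%insert`; the `%insert` check runs first in the loop and ends the iteration, so the `%keep` entry for it is never consulted — either drop it from `%keep` or add a one-line comment saying `%insert` takes precedence.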
@@ -40,27 +53,22 @@
     exit();
 }
 
-usage() if ( $opt{h} || !$opt{r} || !$opt{w} ) ;
-
-
+usage() if ($opt{h} || !$opt{r} || !$opt{w});
 
 print STDERR "input: $opt{r} output: $opt{w}\n";
 
 open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
 open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
 
-
-print NSS "## This is a conversion of mod_ssl specific options by 
/usr/sbin/mod_nss_migrate.pl\n";
+print NSS "## This is a conversion of mod_ssl specific options by 
migrate.pl\n";
 print NSS "## Most of the comments in the original .conf file have been 
omitted here, as\n";
 print NSS "## the comments may not be valid for mod_nss, too.\n";
 print NSS "## \n";
 print NSS "## Please read through this configuration and verify the individual 
options!\n\n";
 
-
 while (<SSL>) {
     my $comment = 0;
 
-
     # write through even if in comment before comments are stripped below.
     if(/(ServerName|ServerAlias)/) {
        print NSS $_;
@@ -68,9 +76,8 @@
     }
 
     # skip blank lines and comments
-    if (/^#/ || /^\s*#/ || /^\s*$/) {
-# do not copy them; they may not be useful anyway.
-#        print NSS $_;
+    if (/^\s*#/ || /^\s*$/) {
+        print NSS $_;
         next;
     }
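Review bot: The new `print NSS $_;` for comment and blank lines contradicts the banner the script writes a few lines earlier (`## Most of the comments in the original .conf file have been omitted here, as` / `## the comments may not be valid for mod_nss, too.`), which now describes the old behaviour. Either drop those two banner lines or reword them, e.g. `## Comments from the original .conf file are copied verbatim and may not apply to mod_nss.`. The comment above this branch, `# skip blank lines and comments`, also no longer matches the code; `# copy blank lines and comments through unchanged` does. Note that a commented-out mod_ssl directive in the input now reaches the output verbatim (with its SSL* name, not NSS*), which the removed code deliberately avoided. The enclosing `while (<SSL>)` loop starts and ends outside this hunk.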
 
@@ -93,19 +100,15 @@
         next;
     }
 
-    if ($stmt eq "SSLCipherSuite") {
-       print NSS "## original SSLCipherSuite config line: $_";
-       print NSS "NSSCipherSuite ", get_ciphers($val), "\n\n";
-       next;
-    } elsif ($stmt eq "SSLEngine" ) {
-       print NSS "##$_";
-       print NSS "NSSEngine $value\n\n";
-       next;
-    } elsif ($stmt eq "SSLProtocol" ) {
+    # we support OpenSSL cipher strings now, keeping the string as is
+    #if ($stmt eq "SSLCipherSuite") {
+       #print NSS "NSSCipherSuite ", get_ciphers($val), "\n";
+       #print NSS "NSSProtocol SSLv3,TLSv1\n";
+       #$comment = 1;
+    if ($stmt eq "SSLProtocol" ) {
        print NSS "## we ignore the arguments to SSLProtocol. The original 
value was:\n";
        print NSS "##$_";
        print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
-       print NSS "## You may also specify SSLv3 at the beginning of the range. 
Not done here:\n";
        print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
        next;
     } elsif ($stmt eq "SSLCACertificatePath") {
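Review bot: The commented-out SSLCipherSuite branch (the five `#` lines above `if ($stmt eq "SSLProtocol" )`) is dead code that should be deleted rather than kept as comments, since the directive is now passed through by the `%keep` whitelist and renamed to NSSCipherSuite. With it gone, `get_ciphers` (defined later in this file) has no remaining caller; remove it as well, or keep it with a comment saying why it stays. The one-line comment that remains, `# we support OpenSSL cipher strings now, keeping the string as is`, would be clearer as `# mod_nss 1.0.13 accepts mod_ssl-style cipher strings, so SSLCipherSuite is passed through by the %keep list below`. The enclosing `while (<SSL>)` loop starts and ends outside this hunk.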
@@ -129,27 +132,29 @@
        $SSLCARevocationFile = $value;
        $comment = 1;
     } elsif ($stmt eq "SSLPassPhraseDialog") {
-       print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
+       print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
        $passphrase = 1;
        $comment = 1;
     }
 
-    if (exists($skip{$stmt})) {
-        print NSS "# Skipping, not applicable in mod_nss\n";
-        print NSS "##$_";
-        next;
-    }
-
-    # Fix up any remaining directive names
-    s/SSL/NSS/;
-
 
     if (exists($insert{$stmt})) {
-        print NSS "$_";
+        #print NSS "$_";
         print NSS $insert{$stmt};
         next;
     }
 
+    if (m/^\s*SSL/) {
+        if (!exists($keep{$stmt})) {
+            print NSS "# Skipping, not applicable in mod_nss\n";
+            print NSS "##$_";
+            next;
+        } else {
+            # Fix up any remaining directive names
+            s/^(\s*)SSL/\1NSS/;
+        }
+    }
+
     # Fall-through to print whatever is left
     if ($comment) {
         print NSS "##$_";
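Review bot: The new whitelist block at the end of this hunk also catches directives the preceding `elsif` chain has already consumed: `SSLCARevocationFile` (visible here) and, presumably, the other handlers in the same chain that set `$comment = 1` without `next` are not in `%keep`, so they are now written out as `# Skipping, not applicable in mod_nss` even though the script acted on them, and the `if ($comment)` fall-through below becomes unreachable for them. Guarding the block with the flag, `if (!$comment && !exists($keep{$stmt})) {`, restores the old output (`##` prefix) for handled directives. In `s/^(\s*)SSL/\1NSS/;`, `\1` on the replacement side is the sed form that perl only tolerates (it warns under `use warnings`); write `s/^(\s*)SSL/$1NSS/;`. The enclosing `while (<SSL>)` loop starts and ends outside this hunk.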
@@ -157,11 +162,11 @@
     } else {
         print NSS $_;
     }
-
 }
 
 if ($passphrase == 0) {
-    print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
+    # NOTE:  Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'.
+    print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
 }
 
 close(NSS);
@@ -179,15 +184,15 @@
     if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
         my $subject = get_cert_subject($SSLCertificateFile);
         print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
-        run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey 
$SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo 
");
-        run_command("pk12util -i server.p12 -d $NSSDir -W foo ");
+        run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey 
$SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout 
pass:foo");
+        run_command("pk12util -i server.p12 -d $NSSDir -W foo");
     }
 
     if ($SSLCACertificateFile ne "") {
         my $subject = get_cert_subject($SSLCACertificateFile);
         if ($subject ne "") {
             print STDERR "Importing CA certificate $subject\n";
-            run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a 
-i $SSLCACertificateFile ");
+            run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a 
-i $SSLCACertificateFile");
         }
     }
 
@@ -202,7 +207,7 @@
                 my $subject = get_cert_subject("$SSLCACertificatePath/$file");
                 if ($subject ne "") {
                     print STDERR "Importing CA certificate $subject\n";
-                    run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d 
$NSSDir -a -i $SSLCACertificatePath/$file  ");
+                    run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d 
$NSSDir -a -i $SSLCACertificatePath/$file");
                 }
             }
         }
@@ -258,7 +263,7 @@
     my $str = shift;
 
     %cipher_list = (
-        "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:", 
+        "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
         "rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:",
         "rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:",
         "rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:",
@@ -281,21 +286,21 @@
     for ($i = 0; $i < $NUM_CIPHERS; $i++) {
         $selected[$i] = 0;
     }
-    
+
     # Don't need to worry about the ordering properties of "+" because
     # NSS always chooses the "best" cipher anyway. You can't specify
     # preferred order.
-    
+
     # -1: this cipher is completely out
     #  0: this cipher is currently unselected, but maybe added later
     #  1: this cipher is selected
-    
+
     @s = split(/:/, $str);
-    
+
     for ($i = 0; $i <= $#s; $i++) {
         $j = 0;
         $val = 1;
-    
+
         # ! means this cipher is disabled forever
         if ($s[$i] =~ /^!/) {
             $val = -1;
@@ -306,10 +311,10 @@
         } elsif ($s[$i] =~ /^+/) {
             ($s[$i] =~ s/^+//);
         }
-    
+
         for $cipher (sort keys %cipher_list) {
             $match = 0;
-    
+
             # For embedded + we do an AND for all options
             if ($s[$i] =~ m/(\w+\+)+/) {
                 @sub = split(/^\+/, $s[$i]);
@@ -324,22 +329,22 @@
                     $match = 1;
                 }
             }
-    
+
             if ($match && $selected[$j] != -1) {
                 $selected[$j] = $val;
             }
             $j++;
         }
     }
-    
+
     # NSS doesn't honor the order of a cipher list, it uses the "strongest"
     # cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and
     # the NSS ciphers not available in OpenSSL.
     $str = "SSLv2:SSLv3";
     @s = split(/:/, $str);
-    
+
     $ciphersuite = "";
-    
+
     for ($i = 0; $i <= $#s; $i++) {
         $j = 0;
         for $cipher (sort keys %cipher_list) {
@@ -354,9 +359,9 @@
             $j++;
         }
     }
-    
+
     $ciphersuite .= 
"-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha";
-    
+
     return $ciphersuite;
 }
 
@@ -385,7 +390,7 @@
 sub run_command {
     my @args = shift;
     my $status = 0;
-    
+
     $status = 0xffff & system(@args);
 
     return if ($status == 0);

