pax_global_header 0000666 0000000 0000000 00000000064 12704231257 0014515 g ustar 00root root 0000000 0000000 52 comment=fe74ab673869dfcf6a8b9163b78f96af7e17cf09
mod_nss-1.0.14/ 0000775 0000000 0000000 00000000000 12704231257 0013242 5 ustar 00root root 0000000 0000000 mod_nss-1.0.14/.gitignore 0000664 0000000 0000000 00000000467 12704231257 0015241 0 ustar 00root root 0000000 0000000 configure
config.h
config.h.in
Makefile
Makefile.in
.deps/
.libs/
*.la
*.lo
*.o
version.m4
aclocal.m4
autom4te.cache/
config.guess
config.log
config.status
config.sub
depcomp
install-sh
ltmain.sh
missing
ylwrap
libtool
# Python compilation
*.pyc
py-compile
# Generated files
gencert
nss.conf
test/variable.py
mod_nss-1.0.14/AUTHORS 0000664 0000000 0000000 00000000434 12704231257 0014313 0 ustar 00root root 0000000 0000000 The following people have contributed to mod_nss, in alphabetical order:
Vitezslav Cizek
Rob Crittenden
Wolter Eldering
Kai Engert
Oden Eriksson
Matthew Harmsen
Noriko Hosoi
Christian Heimes
Tomas Hoger
Jack Magne
Rich Megginson
Robert Relyea
Joshua Roys
Stanislav Tokos
Ulf Weltman
mod_nss-1.0.14/COPYING 0000664 0000000 0000000 00000000000 12704231257 0014263 0 ustar 00root root 0000000 0000000 mod_nss-1.0.14/ChangeLog 0000664 0000000 0000000 00000031430 12704231257 0015015 0 ustar 00root root 0000000 0000000 2016-04-15 Rob Crittenden
* Become 1.0.14
2016-03-31 Rob Crittenden
* Created valgrind suppression files to ease debugging
2016-03-30 Rob Crittenden
* Implement SSL_PPTYPE_FILTER to call executables to get
the key password pins. Can be used to prompt with systemd.
2016-03-30 Vitezslav Cizek
* Improvements to migrate.pl
2016-03-17 Rob Crittenden
* OpenSSL ciphers stopped parsing at +, CVE-2016-3099
2016-03-04 Rob Crittenden
* Fix a number of issues discovered by clang-analyzer
* Become 1.0.13
2016-03-02 Rob Crittenden
* Extract SAN from server/client certificates into env
* Fix memory leak when renegotiating a cipher
2016-02-29 Rob Crittenden
* Fix test for DH cipher directive
* Check for test and netstat before trying to use them
* Don't ignore NSSProtocol when NSSFIPS is enabled
Based on patch by Matthew Harmsen
2016-02-24 Rob Crittenden
* Use proper shell syntax to avoid creating /0
2016-02-15 Rob Crittenden
* tests: Centralize the openssl ciphers flags when comparing
2016-02-10 Rob Crittenden
* Basic test case for DHE cipher negotiation
2016-02-09 Rob Crittenden
* Remove -DH from test strings, duplicate test, fix test
2016-02-08 Christian Heimes
* Add server support for DHE ciphers.
Similar patch was provided by Vitezslav Cizek
Heavily modified by Rob Crittenden
2016-01-18 Rob Crittenden
* Drop the check that NSSProxyNickname be required
* Add basic reverse proxy test case
2016-01-14 Rob Crittenden
* Don't send SSL alert on SNI lookup failure
* Fail for colons in credentials with FakeBasicAuth
* Always call SSL_ShutdownServerSessionIDCache() in ModuleKill
2015-11-18 Rob Crittenden
* Document some python dependencies needed by make check
* Add cipher test for ECDH+aRSA
* Quote gcm and sha384 config values when comparing them
2015-10-02 Rob Crittenden
* Integrate patch from Stanislav Tokos to set the SNI hostname
on reverse proxy requests.
* Cleanup a bunch of trailing whitespace spread across all the
source files.
* Become 1.0.12
2015-10-01 Rob Crittenden
* Add compatibility for Apache 2.2 and older versions of NSS.
Tested on RHEL 6.5.
* Replace some PR_Free calls with more correct PORT_Free.
* Initialize session_tickets as FALSE instead of UNSET.
* Modernize the autotools configuration, generate config.h
* Get the version from config.h to get the proper mod_nss version
for reporting at runtime. It previously displayed the version
of Apache where the mod_nss version should have gone.
2015-09-25 Rob Crittenden
* Add support for SNI
* Display hints if there are issues initializing NSS
2015-09-24 Rob Crittenden
* Fix bad memory access and memory leak in CGI variables
* Add optional support for some SHA384 ciphers
* Add the SECURE_RENEG environment variable
2015-09-21 Rob Crittenden
* Fix a bunch of issues related to OpenSSL cipher parsing
2015-08-27 Rob Crittenden
* Fix a bunch of compiler warnings
* Permanently disabled openssl ciphers could be enabled (CVE-2015-5244)
2015-07-28 Matthew Harmsen
* Add 'v' to refererences of protocols (e.g. SSLv3) (#1066236)
2015-07-27 Rob Crittenden
* Add RenegBufferSize option (#1214366)
* Add support for TLS Session Tickets (RFC 5077)
* Fix logical AND support in OpenSSL cipher compatibility (CVE-2015-3276)
2014-12-10 Rob Crittenden
* Become 1.0.11
2014-11-12 Rob Crittenden
* Add compatability for mod_ssl-style cipher definitions (#862938)
* Add Camelia ciphers
* Remove Fortezza ciphers
* Add TLSv1.2-specific ciphers
2014-11-12 Rob Crittenden
* Initialize ciphers to all disabled before renegotiation
(#1165408)
2014-11-06 Rob Crittenden
* Completely remove support for SSLv2
2014-10-28 Rob Crittenden
* Add support for sqlite NSS databases (#1057650)
2014-10-22 Stanislav Tokos
* Compare subject CN and VS hostname during server start up
2014-10-16 Rob Crittenden
* Add support for enabling TLS v1.2
* Don't enable SSL 3 by default (CVE-2014-3566)
* Improve protocol testing
2014-02-20 Rob Crittenden
* Sync with Fedora builds which were basicaly the defacto upstream.
* Add nss_pcache man page
* Fix CVE-2013-4566
* Move nss_pcache to /usr/libexec
* Fix argument handling in nss_pcache
* Support httpd 2.4+
2013-10-11 Tomas Hoger
* Documentation formatting fixes
2013-10-11 Rob Crittenden
* Only clear the SSL Session Cache when shutting the server down.
2013-10-11 Matthew Harmsen
* Add support for TLS v1.1
2013-07-02 Matthew Harmsen
* Add man page for nss_pcache, update man page for gencert
2011-10-09 Rob Crittenden
* Fix static array overrun when generating arg list for nss_pcache
2011-06-14 Rob Crittenden
* Always copy in client certificate and fix FakeBasicAuth
* When NSSOptions +FakeBasicAuth is set for a directory, and a
certificate is not provided with which the BasicAuth can be Faked,
and the client provides an Authorization header, the FakeBasicAuth
code in mod_nss may not properly reject an attempt to spoof.
* No need to shut things down if NSS isn't initialized.
2011-03-02 Rob Crittenden
* Add semaphore lock around retrieving token PINs to avoid overruns.
2011-02-03 Rob Crittenden
* Add man page for gencert
2011-01-12 Rob Crittenden
* Don't use memcpy as it may operate on overlapping memory (#669118)
Patch ported from mod_ssl by Stephen Gallagher
2010-09-22 Rob Crittenden
* Only call PK11_ListCerts once and pass it when configuring each
virtual server. This saves considerable time when there are a lot
of certificates and/or virtual servers. (#635324)
* Change enforce so that we only check the validity of the certificate
if enforcecerts is enabled (the default).
Patch contributed by Wolter Eldering
2010-09-17 Rob Crittenden
* Fix endless read loop in some situations when handling POST data
(#620856)
This was discovered in the dogtag TPS subsystem. I haven't been able
to duplicate it outside of that but it is trivial inside. This seems
to fix it and brings the code closer to what mod_ssl does here as well.
2010-05-14 Rob Crittenden
* Ignore SIGHUP in nss_pcache (#591889).
Contributed by Joshua Roys
2010-05-13 Rob Crittenden
* Compare CN value of remote host with requested host in reverse proxy.
* Add configuration option to disable this, defaulting to on. (#591224)
Based on patch from Joshua Roys
2010-03-22 Rob Crittenden
* Update list of errors we translate
2010-03-02 Rob Crittenden
* Add controls for managing SSL renegotiation
NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert
2008-07-21 Rob Crittenden
* mod_nss 1.0.8
2008-07-02 Rob Crittenden
* Don't allow blank passwords if FIPS is enabled. This is not
allowed by the NSS FIPS 140-2 security policy.
2008-05-16 Rob Crittenden
* No need to link with softokn3
* Fix FIPS mode
* There seem to be a problem in NSS_Shutdown() that makes subsequent
logins appear to succeed but they actually are skipped causing keys
and certs to not be available.
* Also switch an error message to a warning related to FIPS ciphers.
2008-05-09 Rob Crittenden
* NSS has been modified to not allow a fork after an NSS_Init() in the
soft token. It apparently always did this for hardware tokens as it is
part of the PKCS#11 spec.
* This moves the initialization code into the child process init
function.
2008-01-03 Rob Crittenden
* See if the certificate has a version before trying to decode it into
a CGI variable.
2007-10-18 Rob Crittenden
* If mod_ssl isn't loaded then register the hooks to mod_proxy so we
can do at least secure proxy in front of an unsecure host.
2007-06-07 Rob Crittenden
* The error message was wrong if NSSPassPhraseHelper pointed to a
non-existant file.
* Don't require a password file AND NSSPassPhraseHelper. Only
the helper is required.
2007-06-01 Rob Crittenden
* mod_nss 1.0.7
* Stop processing tokens when a login fails so we can correctly
report the failure.
* Fix an off-by-one error in nss_pcache that prevented 1 character
passwords (not a huge problem but a bug none-the-less).
* Bring in some updates based on diffs from 2.0.59 to 2.2.4
* Do explicit TRUE/FALSE tests with sc->enabled to see if SSL is
enabled.
* Don't depend on the fact that TRUE == 1
* Remove some dead code
* Minor update to the buffer code that buffers POST data during a
renegotation
* Optimize setting environment variables by using a switch statement.
* Fix typo in cipher echde_rsa_null (transposed h and d).
* The way I was using to detect the model being used was incorrect. Now
use the # of threads available. Guaranteed to be 0 for prefork and > 0
for worker (threaded)
2006-10-27 Rob Crittenden
* mod_nss 1.0.6
* If NSSEngine is off then simply don't initialize NSS at all.
* Add support for setting a default OCSP responder.
2006-10-17 Rob Crittenden
* mod_nss 1.0.5
* Fix for a minor problem introduced with 1.0.4. NSS_Shutdown() was being
called during module unload even if SSL wasn't enabled causing an error
to display in the log.
2006-10-11 Rob Crittenden
* mod_nss 1.0.4
* Merged in some changes from mod_ssl:
* new env variables SSL_{SERVER,CLIENT}_V_REMAIN that contains number
of days until certificate expires
* Attempt to buffer POST data in a SSL renegotiation.
* And some changes specific to mod_nss:
* Better way to distinguish Apache 2.0.x versus Apache 2.2.x. The old
way broke when 2.0.56 was introduced.
* Fix crash bug if the stored token password doesn't match the
database password
* Add new NSSPassPhraseDialog method, defer, where only the tokens
that are found in the file pointed to by this directive are
initialized.
* Fix race condition in initializing the NSS session cache that could
cause a core on startup.
* Update nss.conf.in to contain LogLevel and its own log files
* A missing initialization when built with ECC support that could
cause the server to not start
2006-06-21 Rob Crittenden
* mod_nss 1.0.3
* Final ECC support
* Compiles on Solaris with the Forte Workshop compiler (tested with 6.2
and 11).
* A number of compilation warnings were addressed
* gencert now uses bash instead of ksh
2006-03-02 Rob Crittenden
* Experimental Eliptical Curve Cryptopgraphy (ECC) added. Requires a
version of NSS also build with ECC support. Available in the CVS tip.
2006-01-31 Rob Crittenden
* mod_nss 1.0.2
* Add support for Apache 2.2 (contributed by Oden Eriksson)
2006-09-20 Rob Crittenden
* mod_nss 1.0.0
* Support for SSLv2, SSLv3, TLSv1
* OCSP and CRLs
* Client certificate authentication
* Can run concurrently with mod_ssl
mod_nss-1.0.14/INSTALL 0000664 0000000 0000000 00000036600 12704231257 0014300 0 ustar 00root root 0000000 0000000 Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2011 Free Software Foundation,
Inc.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
Basic Installation
==================
Briefly, the shell commands `./configure; make; make install' should
configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf bug. Until the bug is fixed you can use this workaround:
CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
mod_nss-1.0.14/LICENSE 0000664 0000000 0000000 00000026135 12704231257 0014256 0 ustar 00root root 0000000 0000000 Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
mod_nss-1.0.14/Makefile.am 0000664 0000000 0000000 00000007413 12704231257 0015303 0 ustar 00root root 0000000 0000000 ## This is the shared library to be built
lib_LTLIBRARIES = libmodnss.la
bin_PROGRAMS = nss_pcache test_cipher
nss_pcache_SOURCES = nss_pcache.c
test_cipher_SOURCES = test_cipher.c nss_engine_cipher.c
test_cipher_CFLAGS = $(AM_CFLAGS) $(CFLAGS) $(EXTRA_CPPFLAGS)
man8_MANS = \
gencert.8 \
nss_pcache.8 \
$(NULL)
install-data-hook:
@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
## Define the source file for the module
libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c nss_engine_cipher.c
libmodnss_la_LDFLAGS = -module -avoid-version
## Set the includes and libraries needed
AM_CPPFLAGS = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4
EXTRA_CPPFLAGS=@extra_cppflags@
install-libLTLIBRARIES: libmodnss.la
@APXS@ -i -a -n nss libmodnss.la
if [ -d @apache_conf@/../conf.d ]; then \
if [ ! -f @apache_conf@/../conf.d/nss.conf ]; then \
$(INSTALL_DATA) nss.conf @apache_conf@/../conf.d/nss.conf; \
fi \
else \
if [ ! -f @apache_conf@/nss.conf ]; then \
$(INSTALL_DATA) nss.conf @apache_conf@/nss.conf; \
fi \
fi
if [ -d @apache_conf@/../conf.d ]; then \
if [ -f @apache_conf@/../conf.d/ssl.conf ]; then \
mv @apache_conf@/../conf.d/ssl.conf @apache_conf@/../conf.d/ssl.conf.old; \
fi \
else \
if [ -f @apache_conf@/ssl.conf ]; then \
mv @apache_conf@/ssl.conf @apache_conf@/ssl.conf.old; \
fi \
fi
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
$(mkinstalldirs) $(apache_bin)
@list='$(bin_PROGRAMS)'; for p in $$list; do \
if test -f $$p; then \
echo " $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(apache_bin)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
$(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(apache_bin)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
else :; fi; \
done
@echo ""
@echo "********************** NOTE **************************"
@echo "To create a certificate database with a self-signed"
@echo "certificate, use the gencert program that comes with"
@echo "mod_nss."
@echo "********************** NOTE **************************"
@echo ""
nss_expr_scan.c: nss_expr_scan.l nss_expr_parse.h
$(LEX) -Pnss_expr_yy -s -B nss_expr_scan.l
sed -e '/$$Header:/d' nss_expr_scan.c && rm -f lex.nss_expr_yy.c
nss_expr_parse.c nss_expr_parse.h: nss_expr_parse.y
$(YACC) -d nss_expr_parse.y
sed -e 's;yy;nss_expr_yy;g' \
-e '/#if defined(c_plusplus) || defined(__cplusplus)/,/#endif/d' \
nss_expr_parse.c && rm -f y.tab.c
sed -e 's;yy;nss_expr_yy;g' \
nss_expr_parse.h && rm -f y.tab.h
LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS) $(EXTRA_CPPFLAGS)
LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
MAINTAINERCLEANFILES = \
*~ \
Makefile.in \
aclocal.m4 \
config.guess \
config.sub \
configure \
depcomp \
install-sh \
ltmain.sh \
missing \
ylwrap
EXTRA_DIST = *.h *.8 LICENSE test docs
check:
cd test; \
rm -rf work; \
nosetests -v test_cipher.py; \
if [ `id -u` != 0 ]; then \
./setup.sh -s 1; \
nosetests -v test.py; \
sleep 5; \
rm -rf work; \
./setup.sh -s 1 sql:; \
DBPREFIX=sql: nosetests -v test.py; \
cd ..; \
else \
echo "Skipping live tests as they cannot be run as root"; \
fi
checksni:
cd test; \
rm -rf work; \
./setup.sh -s 25; \
nosetests -v testsni.py; \
cd ..
.PHONY: all test clean
mod_nss-1.0.14/NEWS 0000664 0000000 0000000 00000000000 12704231257 0013727 0 ustar 00root root 0000000 0000000 mod_nss-1.0.14/NOTICE 0000664 0000000 0000000 00000001371 12704231257 0014150 0 ustar 00root root 0000000 0000000 This product includes software developed by
The Apache Software Foundation (http://www.apache.org/).
Portions of this software were developed at the National Center
for Supercomputing Applications (NCSA) at the University of
Illinois at Urbana-Champaign.
This software contains code derived from the RSA Data Security
Inc. MD5 Message-Digest Algorithm, including various
modifications by Spyglass Inc., Carnegie Mellon University, and
Bell Communications Research, Inc (Bellcore).
Regular expression support is provided by the PCRE library package,
which is open source software, written by Philip Hazel, and copyright
by the University of Cambridge, England. The original software is
available from
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
mod_nss-1.0.14/README 0000664 0000000 0000000 00000012760 12704231257 0014130 0 ustar 00root root 0000000 0000000 SYNOPSIS
This Apache module provides strong cryptography for the Apache 2.4 webserver
via the Secure Sockets Layer (v3) and Transport Layer Security (TLS
v1) protocols by the help of the SSL/TLS implementation library NSS
This module is based heavily on the mod_ssl package. In fact, it's more
a conversion than anything else.
BUILDING
To build this you'll need NSPR 4.9.+ and NSS 3.14.+. It may work with earlier
versions but these are recommended (or tested). These can be retrieved from
http://www.mozilla.org/. The --with-nspr and --with-nss tags require that
the package be installed in the same parent directory (e.g. /opt/nspr,
/usr/local/nspr, etc). It will look in this parent for include/, lib/, etc.
If --with-nss or --with-nspr are not passed configure will look for the
mozilla-[nss|nspr]-devel packages and use the libraries with that if found.
It is strongly recommended that the mozilla.org version be used instead.
Build and install those packages somewhere then configure the module with
something like:
% autoreconf -ivf
% ./configure --with-apxs[=/path/to/apxs/] --with-nspr=/path/to/nspr/ --with-nss=/path/to/nss/
% gmake all install
You only need to use =/path/to/apxs if apxs isn't in your path or if you
want to install into a specific Apache installation.
This will install a sample configuration file nss.conf. You'll need to do
some hand-editing as well to tell Apache to read this file.
To httpd.conf add (anywhere is fine):
Include conf/nss.conf
You'll need to change the default ports in nss.conf from 443 to
something else if you aren't starting the server as root.
CONFIGURING NSS
You'll need to create an NSS database and get a server certificate installed.
A script, gencerts, is included to help get things going with a self-signed
certificate. This is a *BAD* idea and you shouldn't use this. It is for
demonstration purposes only. As a matter of policy, users should not get
used to accepting a SSL certifiate signed by an unknown or untrusted
issuer.
The result of the gencert script is an NSS database that contains a
self-signed CA, a server certificate (nickname Server-Cert) and a
client certificate (alpha). The client certificate is generated to make
testing client authentication simpler.
You can store the token passwords in a file so you aren't prompted during
startup (so you can do unattended starts, for example). To do this, set
the file that will store the token passwords in the NSSPassPhraseDialog
attribute in nss.conf ala:
NSSPassPhraseDialog file:/path/to/password.conf
The format of the file for a non-hardware token is tokenname:password.
A sample for the internal software token is like:
internal:netscape
BUILT-IN ROOT CAs
NSS provides a list of built-in CA's (VeriSign, Thawte, etc). This takes the
form of a shared library, libnssckbi.so. If this library is placed in the
same directory as the certificate database then it will be loaded
automatically when the server starts.
DOCUMENTATION
See docs/mod_nss.html for additional information.
For NSS documentation, see http://www.mozilla.org/projects/security/pki/nss/
REQUESTING A CERTIFICATE
You can use the provided gencert utility as a template for generating a
CA and a sample user and server certificate. Alterntaively, the NSS
command-line tools may be used to generate a certificate request
suitable for submission to a local CA or a commerical CA like Verisign,
and install the issued certificate into your local database. A sample
request may look something like this. This assumes that your certificate
database directory (NSSCertificateDatabase) is set to /etc/httpd/alias
Step 1 Create the database. This assumes you want your certificate database
in /etc/httpd/alias
% cd /etc/httpd
% mkdir alias
% cd alias
% certutil -N -d .
Step 2 Generate a PKCS#10 certificate request
% certutil -R -d . -s "CN=test.example.com, O=Example, c=US" -o certreq.txt -a
The file certreq.txt contains an ASCII representation of the certificate
request and may be submitted to a CA for approval.
Step 3 The CA has issued your certificate. In this example, you have the
PKCS#7 (ASCII) copy in the file cert.txt. You have a copy of the CA
certificate chain in ca.txt.
% certutil -A -d . -n Server-Cert -t "u,u,u" -a < cert.txt
% certutil -A -d . -n "My CA" -t "CTu,CTu,CTu" -a < ca.txt
Step 4 Verify that the certificate and CA are installed correctly
% certutil -V -u V -d . -n Server-Cert
TESTING
A few simple scripts are provided to stand up an in-tree Apache instance
against which some basic tests can be run to validate that the in-tree
library works.
The following dependencies are needed to run the tests:
python-nose
python-requests
python-ndg_httpsclient
From the source tree run:
% make check
The tests are run twice. Once with the old-style database and once
using the sqlite database format. See
https://wiki.mozilla.org/NSS_Shared_DB
This is controlled by the environment variable DBPREFIX which needs
to be set to sql: when using the newer format for the tests.
A test for the OpenSSL-compatibility is also executed. It tries to
compare the output of `openssl ciphers ` with the
equivalent from mod_nss. This may vary by release of OpenSSL and
what ciphers are available in NSS.
The test suite requires python >= 2.7.10 and
python-requests > 2.7.0.
There is a very small SNI suite included as well. To run it you
need to add www[1..25].example.com to your /etc/hosts pointing
to your IP address. Then run:
% make checksni
mod_nss-1.0.14/TODO 0000664 0000000 0000000 00000000133 12704231257 0013727 0 ustar 00root root 0000000 0000000 - Once NSS fully supports the SNI TLS extension, add that.
- Add support for OCSP stapling
mod_nss-1.0.14/acinclude.m4 0000664 0000000 0000000 00000006614 12704231257 0015442 0 ustar 00root root 0000000 0000000 # ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_check_define.html
# ===========================================================================
#
# SYNOPSIS
#
# AC_CHECK_DEFINE([symbol], [ACTION-IF-FOUND], [ACTION-IF-NOT])
# AX_CHECK_DEFINE([includes],[symbol], [ACTION-IF-FOUND], [ACTION-IF-NOT])
#
# DESCRIPTION
#
# Complements AC_CHECK_FUNC but it does not check for a function but for a
# define to exist. Consider a usage like:
#
# AC_CHECK_DEFINE(__STRICT_ANSI__, CFLAGS="$CFLAGS -D_XOPEN_SOURCE=500")
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see .
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 8
AU_ALIAS([AC_CHECK_DEFINED], [AC_CHECK_DEFINE])
AC_DEFUN([AC_CHECK_DEFINE],[
AS_VAR_PUSHDEF([ac_var],[ac_cv_defined_$1])dnl
AC_CACHE_CHECK([for $1 defined], ac_var,
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[
#ifdef $1
int ok;
#else
choke me
#endif
]])],[AS_VAR_SET(ac_var, yes)],[AS_VAR_SET(ac_var, no)]))
AS_IF([test AS_VAR_GET(ac_var) != "no"], [$2], [$3])dnl
AS_VAR_POPDEF([ac_var])dnl
])
AU_ALIAS([AX_CHECK_DEFINED], [AX_CHECK_DEFINE])
AC_DEFUN([AX_CHECK_DEFINE],[
AS_VAR_PUSHDEF([ac_var],[ac_cv_defined_$2_$1])dnl
AC_CACHE_CHECK([for $2 defined in $1], ac_var,
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <$1>]], [[
#ifdef $2
int ok;
#else
choke me
#endif
]])],[AS_VAR_SET(ac_var, yes)],[AS_VAR_SET(ac_var, no)]))
AS_IF([test AS_VAR_GET(ac_var) != "no"], [$3], [$4])dnl
AS_VAR_POPDEF([ac_var])dnl
])
AC_DEFUN([AX_CHECK_FUNC],
[AS_VAR_PUSHDEF([ac_var], [ac_cv_func_$2])dnl
AC_CACHE_CHECK([for $2], ac_var,
dnl AC_LANG_FUNC_LINK_TRY
[AC_LINK_IFELSE([AC_LANG_PROGRAM([$1
#undef $2
char $2 ();],[
char (*f) () = $2;
return f != $2; ])],
[AS_VAR_SET(ac_var, yes)],
[AS_VAR_SET(ac_var, no)])])
AS_IF([test AS_VAR_GET(ac_var) = yes], [$3], [$4])dnl
AS_VAR_POPDEF([ac_var])dnl
])# AC_CHECK_FUNC
mod_nss-1.0.14/configure.ac 0000664 0000000 0000000 00000016273 12704231257 0015541 0 ustar 00root root 0000000 0000000 # Required initializer
AC_INIT([mod_nss],[1.0.14])
m4_include([acinclude.m4])
# Automake initialization
AM_INIT_AUTOMAKE
# Add a test for a compiler.
AC_PROG_CC
AM_PROG_CC_C_O
AM_PROG_LIBTOOL
AC_CONFIG_HEADERS([config.h])
# Check for header files
AC_HEADER_STDC
AC_CHECK_HEADERS( \
unistd.h
)
# Check for typedefs, structures, and compiler characteristics.
AC_C_CONST
# Find lex and yacc (or flex and bison)
AC_PROG_YACC
AC_PROG_LEX
AC_DECL_YYTEXT
AC_MSG_CHECKING(for ECC)
AC_ARG_ENABLE(ecc,
[ --enable-ecc enable Elliptical Curve Cyptography (default=no)],
ecc=$enableval, ecc=no)
if test $ecc = yes; then
AC_MSG_RESULT(yes)
extra_cppflags="$extra_cppflags -DNSS_ENABLE_ECC"
else
AC_MSG_RESULT(no)
fi
#AM_CONDITIONAL(ECC, test x$ecc = xyes)
AC_CHECKING(for apr-config)
# check for --with-apr-config
AC_MSG_CHECKING(for --with-apr-config)
AC_ARG_WITH(apr-config, [ --with-apr-config Use apr-config to determine the APR directory],
[
if test -x "$withval"
then
AC_MSG_RESULT([using $withval])
APR_CONFIG=$withval
fi
],
AC_MSG_RESULT(no))
if test -z "$APR_CONFIG" ; then
AC_MSG_CHECKING(for apr-1-config and apr-config)
AC_PATH_PROGS(APR_CONFIG, apr-1-config apr-config, NO_APR_CONFIG, [$PATH:/usr/local/apache/sbin:/usr/sbin])
fi
if test -n "$APR_CONFIG"; then
AC_MSG_RESULT([using $APR_CONFIG. Use --with-apr-config to specify another.])
apr_inc=`$APR_CONFIG --includes`
else
AC_MSG_ERROR([neither apr-config nor apr-1-config were not found. use --with-apr-config to specify it.])
fi
AC_CHECKING(for apxs)
# check for --with-apxs
AC_MSG_CHECKING(for --with-apxs)
AC_ARG_WITH(apxs, [ --with-apxs=PATH Path to apxs],
[
if test -x "$withval"
then
AC_MSG_RESULT([using $withval])
APXS=$withval
else
echo
AC_MSG_ERROR([$withval not found or not executable])
fi
],
AC_MSG_RESULT(no))
# if no apxs found yet, check /usr/local/apache/sbin
# since it's the default Apache location
if test -z "$APXS"; then
AC_MSG_CHECKING(for apxs in /usr/local/apache/sbin and /usr/sbin)
AC_PATH_PROG(APXS, apxs, NO_APXS, [/usr/local/apache/sbin:/usr/sbin:$PATH])
if test -x $APXS; then
AC_MSG_RESULT([found $APXS. Use --with-apxs to specify another.])
else
AC_MSG_RESULT(no)
fi
fi
# and finally
if test -z "$APXS"; then
AC_MSG_ERROR([apxs was not found. use --with-apxs to specify it.])
fi
# Get some variables we need for Makefile.in
apache_inc=`$APXS -q INCLUDEDIR`
apache_conf=`$APXS -q SYSCONFDIR`
apache_prefix=`$APXS -q PREFIX`
apache_bin=`$APXS -q SBINDIR`
extra_cppflags="$extra_cppflags `$APXS -q EXTRA_CPPFLAGS`"
if ! test -f "$apache_inc/apr.h"; then
if test -z "$apr_inc"; then
AC_MSG_ERROR([apr.h is not in your Apache include dir as reported by apxs. Use --with-apr-config to have apr-config tell us where to find it.])
fi
fi
AC_CHECKING(for NSPR)
# check for --with-nspr
AC_MSG_CHECKING(for --with-nspr)
AC_ARG_WITH(nspr, [ --with-nspr=PATH Netscape Portable Runtime (NSPR) directory],
[
if test -e "$withval"/include/nspr.h -a -d "$withval"/lib
then
AC_MSG_RESULT([using $withval])
NSPRDIR=$withval
nspr_inc="-I$NSPRDIR/include"
nspr_lib="-L$NSPRDIR/lib"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# check for --with-nspr-inc
AC_MSG_CHECKING(for --with-nspr-inc)
AC_ARG_WITH(nspr-inc, [ --with-nspr-inc=PATH Netscape Portable Runtime (NSPR) include file directory],
[
if test -e "$withval"/nspr.h
then
AC_MSG_RESULT([using $withval])
nspr_inc="-I$withval"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# check for --with-nspr-lib
AC_MSG_CHECKING(for --with-nspr-lib)
AC_ARG_WITH(nspr-lib, [ --with-nspr-lib=PATH Netscape Portable Runtime (NSPR) library directory],
[
if test -d "$withval"
then
AC_MSG_RESULT([using $withval])
nspr_lib="-L$withval"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# if NSPR is not found yet, try pkg-config
# last resort
if test -z "$nspr_inc" -o -z "$nspr_lib"; then
AC_MSG_CHECKING(for nspr with pkg-config)
AC_PATH_PROG(PKG_CONFIG, pkg-config)
if test -n "$PKG_CONFIG"; then
if $PKG_CONFIG --exists nspr; then
nspr_inc=`$PKG_CONFIG --cflags-only-I nspr`
nspr_lib=`$PKG_CONFIG --libs-only-L nspr`
else
AC_MSG_ERROR([NSPR not found, specify with --with-nspr.])
fi
fi
fi
AC_CHECKING(for NSS)
# check for --with-nss
AC_MSG_CHECKING(for --with-nss)
AC_ARG_WITH(nss, [ --with-nss=PATH Network Security Services (NSS) directory],
[
if test -e "$withval"/include/nss.h -a -d "$withval"/lib
then
AC_MSG_RESULT([using $withval])
NSSDIR=$withval
nss_inc="-I$NSSDIR/include"
nss_lib="-L$NSSDIR/lib"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# check for --with-nss-inc
AC_MSG_CHECKING(for --with-nss-inc)
AC_ARG_WITH(nss-inc, [ --with-nss-inc=PATH Network Security Services (NSS) include directory],
[
if test -e "$withval"/nss.h
then
AC_MSG_RESULT([using $withval])
nss_inc="-I$withval"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# check for --with-nss-lib
AC_MSG_CHECKING(for --with-nss-lib)
AC_ARG_WITH(nss-lib, [ --with-nss-lib=PATH Network Security Services (NSS) library directory],
[
if test -d "$withval"
then
AC_MSG_RESULT([using $withval])
nss_lib="-L$withval"
else
echo
AC_MSG_ERROR([$withval not found])
fi
],
AC_MSG_RESULT(no))
# if NSS is not found yet, try pkg-config
# last resort
if test -z "$nss_inc" -o -z "$nss_lib"; then
AC_MSG_CHECKING(for nss with pkg-config)
AC_PATH_PROG(PKG_CONFIG, pkg-config)
if test -n "$PKG_CONFIG"; then
if $PKG_CONFIG --exists nss; then
nss_inc=`$PKG_CONFIG --cflags-only-I nss`
nss_lib=`$PKG_CONFIG --libs-only-L nss`
else
AC_MSG_ERROR([NSS not found, specify with --with-nss.])
fi
fi
fi
nspr_dir=`echo "$nspr_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'`
nss_dir=`echo "$nss_lib" | sed 's/\/lib[[/]]*$//' | sed 's/-L//'`
AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, gcm=$enableval, gcm=no)
if test "$gcm" = yes; then
extra_cppflags="$extra_cppflags -DENABLE_GCM"
echo "ENABLE_GCM=1" > test/variable.py
else
echo "ENABLE_GCM=0" > test/variable.py
fi
AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, sha384=$enableval, sha384=no)
if test "$sha384" = yes; then
extra_cppflags="$extra_cppflags -DENABLE_SHA384"
echo "ENABLE_SHA384=1" >> test/variable.py
else
echo "ENABLE_SHA384=0" >> test/variable.py
fi
CPPFLAGS="$CPPFLAGS $nspr_inc"
AX_CHECK_DEFINE(nss3/ssl.h, SSL_ENABLE_SERVER_DHE, server_dhe=yes, server_dhe=no)
if test "$server_dhe" = yes; then
extra_cppflags="$extra_cppflags -DENABLE_SERVER_DHE"
echo "ENABLE_SERVER_DHE=1" >> test/variable.py
else
echo "ENABLE_SERVER_DHE=0" >> test/variable.py
fi
# Substitute values
AC_SUBST(APXS)
AC_SUBST(apr_inc)
AC_SUBST(apache_inc)
AC_SUBST(apache_conf)
AC_SUBST(apache_prefix)
AC_SUBST(apache_bin)
AC_SUBST(nspr_inc)
AC_SUBST(nspr_lib)
AC_SUBST(nss_inc)
AC_SUBST(nss_lib)
AC_SUBST(nspr_dir)
AC_SUBST(nss_dir)
AC_SUBST(extra_cppflags)
# Write config.status and the Makefile
AC_OUTPUT(Makefile nss.conf gencert)
chmod +x gencert
mod_nss-1.0.14/docs/ 0000775 0000000 0000000 00000000000 12704231257 0014172 5 ustar 00root root 0000000 0000000 mod_nss-1.0.14/docs/mod_nss.html 0000664 0000000 0000000 00000212306 12704231257 0016526 0 ustar 00root root 0000000 0000000
mod_nss
mod_nss
Table of Contents
Introduction
Building
Installation
Certificate Generation
Server Startup
Migration
Configuration Directives
Environment Variables
Database Management
Why is SSLv2 disabled?
Frequently Asked Questions
Sample Use Cases
Introduction
The mod_ssl package was
created in April 1998 by Ralf S.
Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It is licensed under
the Apache 2.0
license.
mod_nss is based directly on the mod_ssl package from Apache
2.0.54. It is a conversion from using OpenSSL calls to using
NSS
calls instead.
Building
Refer to the README file included with the distribution.
To build you'll need NSPR
4.4.1 or above and NSS 3.9.2
or above.
It may work with earlier versions but these are recommended (or
tested). These can be retrieved from http://www.mozilla.org/.
The --with-nspr and --with-nss options require that the package be
installed in the same parent directory (e.g. /opt/nspr,
/usr/local/nspr, etc). It will look in this parent for include/ and
lib/, etc.
To build with ECC support you need NSPR 4.6.2 or higher
and NSS
3.11.2 or higher.
You will also need the NSS and NSPR directories in
your library search
path (either /etc/ld.so.conf or LD_LIBRARY_PATH) to link and run the
module.
Run the configure script. The following mod_nss-specific options are
available:
Option
|
Description
|
--with-nss=[PATH]
|
The file system path to the NSS
installation. The assumption is that this has the layout of: PATH/lib,
PATH/include, etc.
|
--with-nss-inc=PATH
|
The file system path to the NSS
include directory (e.g. /usr/local/include/nss3)
|
--with-nss-lib=PATH
|
The file system path to the NSS
lib directory (e.g. /usr/local/lib)
|
--with-nspr=[PATH]
|
The file system path of the NSPR
installation. The assumption is that this has the layout of: PATH/lib,
PATH/include, etc. |
--with-nspr-inc=PATH
|
The file system path to the NSPR
include directory (e.g. /usr/local/include/nspr4)
|
--with-nspr-lib=PATH
|
The file system path to the NSPR
lib directory (e.g. /usr/local/lib)
|
--with-apxs=[PATH]
|
The location of the apxs binary
of the Apache you want to install the module into.
|
--with-apr-config=[PATH] |
The location of apr-config which
tells us where the APR include files and libraries are located
|
--enable-ecc
|
Enable Elliptical Curve
Cryptography. Disabled by default.
|
If --with-nss or --with-nspr are not passed configure will look
for the [nss|nspr]-devel packages and use the libraries with
that if found.
It is strongly recommended that the mozilla.org version be used.
Build and install those packages somewhere then configure the
module with something like:
% ./configure --with-apxs=/path/to/apxs/
--with-nspr=/path/to/nspr/ --with-nss=/path/to/nss/
% gmake
This will create a sample configuration file nss.conf
.
By default
this is installed during the installation process.
Installation
The make install target uses apxs to install the module into Apache.
This automatically copies the mod_nss shared library to the appropriate
location and updates Apache's httpd.conf so that the module will be
loaded during the next restart.
It also tries to rename ssl.conf
to ssl.conf.old
.
The assumption is that mod_nss is replacing mod_ssl. They can co-exist
as long as they are listening on separate ports.
The mod_nss configuration file, nss.conf
, is copied into
the Apache
configuration directory (as reported by apxs). You may need to make a
manual change to httpd.conf to load this file. If you have a Red
Hat-style Apache installation with a conf.d just move nss.conf there.
It will be automatically loaded. Otherwise you will need to add the
following line to httpd.conf (location relative to httpd.conf):
Include conf/nss.conf
This has Apache load the mod_nss configuration file, nss.conf
.
It is here that you will setup your VirtualServer entries to and
configure your SSL servers. If you have a certificate with Subject
Alternative Names then you can configure separate VirtualServer entries
for eacon one.
Certificate Generation
A ksh script, gencert
, is included to automatically
generate a self-signed CA plus one server certificate. This is fine for
testing purposes but it is strongly recommended that a real server
certificate be obtained from a real CA before moving a mod_nss server
into production. Users should be expected to cancel any request to a
secure server signed by an unknown issuer.
gencert
takes one argument, the path to the location of
the certificate database. A fair amount of output is generated so you
can follow what is going on. For the most part most don't need to
bother with the details.
The certificate database password is httptest.
A sample run is:
# mkdir /etc/httpd/nss
# ./gencert /etc/httpd/nss
#####################################################################
Generating new server certificate and key database. The password
is httptest
#####################################################################
#####################################################################
Generating self-signed client CA certificate
#####################################################################
Generating key. This may take a few moments...
[ Lots of output removed ]
You should now have the following files:
/etc/httpd/nss/cert8.db
/etc/httpd/nss/key3.db
/etc/httpd/nss/secmod.db
These 3 files make up an NSS certificate database.
If you have a sql: prefix on the path, like sql:/etc/httpd/nss, then it
will generate an SQLite NSS database consisting of the following files:
/etc/httpd/nss/cert9.db
/etc/httpd/nss/key4.db
/etc/httpd/nss/pkcs11.txt
Server Startup
Starting a mod_nss server is no different than starting a mod_ssl
server. You will need to authenticate yourself to the security token
(e.g. enter the key password). The sample nss.conf is not included in
an <IfDefine SSL>
so you do not need to use the
startssl argument with apachectl
.
A sample startup might look like:
% apachectl start
Please enter password for "internal" token:
If you have additional hardware tokens you will be prompted for each
token password.
All other output will be written to the Apache log files.
To avoid being prompted for a startup password you can either:
- Use a password file that contains your token passwords. See
NSSPassPhraseDialog for details.
- Exec a program which provides the token password (either by
asking the user or other means.
- Change the internal token password to a blank with:
% modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"
Enter the old password then press Enter twice for the new password to
blank it out.
Migration
A perl script, migrate.pl
, is included to help migrate an
existing mod_ssl configuration to work with mod_nss. There is one
optional argument, -c, that will try to convert your existing server
and CA certificates plus any certificate revocation lists (CRLs) into
an NSS certificate database.
The migration script assumes that you are migrating from ssl.conf to
nss.conf. The original file is not changed. All comments, spacing and
other directives are maintained so if there is no ssl.conf it is
possible to migrate httpd.conf to use mod_nss. Simply copy httpd.conf
to ssl.conf, run the update, then copy nss.conf to httpd.conf (after
making a backup, of couse). This multi-step process gives you a chance
to verify that the migration was successful.
Configuration Directives
The following mod_ssl Directives are not applicable to mod_nss:
- SSLSessionCache
- SSLMutex
- SSLCertificateChainFile
- SSLCARevocationPath
- SSLCARevocationFile
- SSLVerifyDepth
- SSLCryptoDevice
NSSPassPhraseDialog
Authentication is required in order to use the private key in an NSS
certificate database. The method of this authentication is specified
with the NSSPassPhraseDialog directive. This directive takes one
argument specifying the method of authentication:
The user will be prompted to enter the
token password for each cryptographic device. This works seemlessly
with any hardware tokens used. The default "device" is the internal
token provided by the NSS Certificate database itself.
The token password(s) may be stored in
an ASCII text file which is read during startup so the server can start
without user intervention. The format of this file is:
token:password
An example for the internal token is:
internal:secret12
The listed program will be executed.
The only argument is the NSS token name to be authenticated.
The return value of the program is ignored. Only what is printed on
stdout is passed along as the password.
A trivial example script is:
#!/bin/sh
echo "secret123"
To prompt using systemd (as root):
#!/bin/sh
exec /bin/systemd-ask-password "Enter SSL pass phrase for $1: "
Example
NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/httpd/alias/password.conf
NSSPassPhraseDialog exec:/usr/libexec/httpd/httpd-ssl-pass-dialog
NSSPassPhraseHelper
When Apache starts it loads and unloads any modules that aren't
built-in twice. It loads them once so it can verify that the
configuration is ok and then it unloads them and re-loads them again
when the server is actually ready to receive connections. After the
first module load Apache closes access to the terminal so there is no
way to prompt for the NSS token passwords (it would also be annoying to
have to authenticate twice). Because the module is loaded and unloaded
the NSS certificate database needs to be loaded and unloaded as well,
causing any pins entered during the first load to be lost and causing
the server to be unstartable.
The solution is the PassPhraseHelper. This is a stand-alone program
that also opens the NSS certificate database and stores a copy of the
encrypted token password entered during the first load of the NSS
module. When mod_nss needs to open the certificate database during
subsequent reloads it queries the PassPhraseHelper for the token
password.
Example
NSSPassPhraseHelper /path/to/nss_pcache
NSSCertificateDatabase
Specifies the location of the NSS certificate database to be used. An
NSS certificate database consists of 3 files: cert8.db, key3.db and
secmod.db. cert8.db stores certificates and Certificate Revocation
Lists (CRLs), key3.db stores keys and secmod.db stores information
about available PKCS#11 modules.
This directive specifies a path, not a filename. To use a sqlite
NSS database include the prefix sql: in the path.
Example
NSSCertificateDatabase /etc/httpd/conf/nss
NSSCertificateDatabase sql:/etc/httpd/conf/nss
NSSDBPrefix
Normally a certificate database consists of 3 files: cert8.db, key3.db
and secmod.db. This directive allows you to add a named prefix to the
filenames of cert8.db and key3.db so you can store multiple databases
in one directory.
Example
NSSDBPrefix my-prefix-
You would then need: my-prefix-cert8.db, my-prefix-key3.db and secmod.db
In order to work with files with a prefix using the NSS command-line
tools use the -P flag.
NSSSessionCacheSize
Specifies the number of SSL sessions that can be cached.
There is no upper limit.
The default value is 10000.
Example
NSSSessionCacheSize 10000
NSSSessionCacheTimeout
Deprecated.
NSSSession3CacheTimeout
Specifies the number of seconds SSLv3 sessions are cached.
The valid range is 5 - 86400 seconds. A setting outside the valid
range is silently constrained.
The default value is 86400 (24 hours).
Example
NSSSession3CacheTimeout 86400
NSSRandomSeed
Configures sources to seed the NSS Random Number Generator (RNG) at
startup. Currently this only supports seeding the RNG at startup.
The following sources are available:
builtin
: Combines the current system time, the
current process id
and a randomly choosen 128-byte extract of the process stack. This is
not a particularly strong source of entropy.
file:/path/to/source
: Reads from the specified file.
If the number of bytes to read is specified it just reads that amount.
Be aware that some operating systems block on /dev/random if not enough
entropy is available. This means that the server will wait until that
data is available to continue startup. These systems generally offer a
non-blocking device as well, /dev/urandom.
exec:/path/to/program
: Executes the given program and takes
the stdout of it as the entropy. If the bytes argument is included it
reads that many bytes, otherwise it reads until the program exits.
Example
NSSRandomSeed startup builtin
NSSRandomSeed startup /dev/urandom 512
NSSRandomSeed startup /usr/bin/makerandom
NSSSkipPermissionCheck
The NSS database will be checked to ensure that the user configured
to run Apache as has owner or group read access to the database
configured in NSSCertificateDatabase
. This check
can be disabled by setting NSSSkipPermissionCheck
to on
. The default is off
Example
NSSSkipPermissionCheck on
NSSEngine
Enables or disables the SSL protocol. This is usually used within a
VirtualHost tag to enable SSL for a particular virtual host.
SSL is disabled by default.
Example
NSSEngine on
NSSFIPS
Enables or disables FIPS 140 mode. This replaces the standard
internal PKCS#11 module with a FIPS-enabled one. It also forces the
enabled protocols to TLSv1.2, TLSv1.1 and TLSv1.0 and disables all ciphers
but the FIPS ones. You may still select which ciphers you would like
limited to those that are FIPS-certified. Any non-FIPS that are
included in the NSSCipherSuite entry are automatically disabled.
The allowable ciphers are (with ecc-enabled set):
- rsa_3des_sha
- rsa_aes_128_sha
- rsa_aes_256_sha
- aes_128_sha_256
- aes_256_sha_256
- rsa_aes_128_gcm_sha_256
- fips_3des_sha
- ecdh_ecdsa_3des_sha
- ecdh_ecdsa_aes_128_sha
- ecdh_ecdsa_aes_256_sha
- ecdhe_ecdsa_3des_sha
- ecdhe_ecdsa_aes_128_sha
- ecdhe_ecdsa_aes_256_sha
- ecdh_rsa_3des_sha
- ecdh_rsa_aes_128_sha
- ecdh_rsa_aes_256_sha
- ecdhe_rsa_3des_sha
- ecdhe_rsa_aes_128_sha
- ecdhe_rsa_aes_256_sha
- ecdhe_ecdsa_aes_128_sha_256
- ecdhe_rsa_aes_128_sha_256
- ecdhe_ecdsa_aes_128_gcm_sha_256
- ecdhe_rsa_aes_128_gcm_sha_256
FIPS is disabled by default.
Example
NSSFIPS on
NSSOCSP
Enables or disables OCSP
(Online Certificate Status Protocol). This allows the server to check
the validity of a client certificate before accepting it.
OCSP is disabled by default.
Example
NSSOCSP on
NSSCipherSuite
There are two options for configuring the available ciphers. mod_nss
provides its own cipher list, a space-separated list of the SSL ciphers
used, with the prefix +
to enable or -
to disable, using the Cipher Name value in the tables below.
Alternatively the mod_nss-style cipher definitions may be used, http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.
The support options are: ALL, COMPLEMENTOFALL, DEFAULT, RSA, EDH, NULL,
eNULL, AES, 3DES, DES, RC4, MD5, SHA, SHA1, SHA256, SSLv3, TLSv1,
TLSv12, HIGH, MEDIUM, LOW, EXPORT, EXPORT40 and EXPORT56.
If a cipher string value contains a colon it is considered a mod_ssl-style cipher string.
If a cipher string value contains a comma it is considered a mod_nss-style cipher string.
If it contains neither then mod_nss first tries to apply OpenSSL ciphers then NSS ciphers.
All ciphers are disabled by default.
Available RSA ciphers are:
Cipher Name
|
NSS Cipher definition
|
Protocol
|
rsa_3des_sha
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2
|
rsa_des_sha
|
TLS_RSA_WITH_DES_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_null_md5
|
TLS_RSA_WITH_NULL_MD5
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_null_sha
|
TLS_RSA_WITH_NULL_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_rc2_40_md5 |
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_rc4_128_md5 |
TLS_RSA_WITH_RC4_128_MD5
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_rc4_128_sha |
TLS_RSA_WITH_RC4_128_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_rc4_40_md5 |
TLS_RSA_EXPORT_WITH_RC4_40_MD5
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
fips_des_sha
|
SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
fips_3des_sha
|
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_des_56_sha |
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_rc4_56_sha |
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_aes_128_sha
|
TLS_RSA_WITH_AES_128_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
rsa_aes_256_sha
|
TLS_RSA_WITH_AES_256_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
camelia_128_sha
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
camelia_256_sha
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 |
null_sha_256
|
TLS_RSA_WITH_NULL_SHA256
|
TLSv1.2
|
aes_128_sha_256
|
TLS_RSA_WITH_AES_128_CBC_SHA256
|
TLSv1.2 |
aes_256_sha_256
|
TLS_RSA_WITH_AES_256_CBC_SHA256
|
TLSv1.2 |
rsa_aes_128_gcm_sha_256
|
TLS_RSA_WITH_AES_128_GCM_SHA256
|
TLSv1.2 |
The available server-side DHE ciphers are:
Cipher Name
| NSS Cipher definition
| Protocol
|
dhe_rsa_des_sha
| TLS_DHE_RSA_WITH_DES_CBC_SHA
| SSLv3/TLSv1.0/TLSv1.1/TLSv1.2
|
dhe_rsa_3des_sha
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLSv1.0/TLSv1.1/TLSv1.2 |
dhe_rsa_aes_128_sha
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLSv1.0/TLSv1.1/TLSv1.2 |
dhe_rsa_aes_256_sha
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLSv1.0/TLSv1.1/TLSv1.2 |
dhe_rsa_camellia_128_sha
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
| TLSv1.0/TLSv1.1/TLSv1.2 |
dhe_rsa_camellia_256_sha
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| TLSv1.0/TLSv1.1/TLSv1.2 |
dhe_rsa_aes_128_sha256
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLSv1.2 |
dhe_rsa_aes_256_sha256
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
TLSv1.2 |
dhe_rsa_aes_128_gcm_sha_256
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
TLSv1.2 |
Additionally there are a number of ECC ciphers:
Cipher Name
|
NSS Cipher Definition
|
Protocol
|
ecdh_ecdsa_null_sha |
TLS_ECDH_ECDSA_WITH_NULL_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_ecdsa_rc4_128_sha |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_ecdsa_3des_sha |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_ecdsa_aes_128_sha |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_ecdsa_aes_256_sha |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_null_sha |
TLS_ECDHE_ECDSA_WITH_NULL_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_rc4_128_sha |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_3des_sha |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_aes_128_sha |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_aes_256_sha |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_rsa_null_sha |
TLS_ECDH_RSA_WITH_NULL_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_rsa_128_sha |
TLS_ECDH_RSA_WITH_RC4_128_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_rsa_3des_sha |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_rsa_aes_128_sha |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_rsa_aes_256_sha |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
echde_rsa_null |
TLS_ECDHE_RSA_WITH_NULL_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_rsa_rc4_128_sha |
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_rsa_3des_sha |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_rsa_aes_128_sha |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_rsa_aes_256_sha |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_anon_null_sha |
TLS_ECDH_anon_WITH_NULL_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_anon_rc4_128sha |
TLS_ECDH_anon_WITH_RC4_128_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_anon_3des_sha |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_anon_aes_128_sha |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdh_anon_aes_256_sha |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA |
TLSv1.0/TLSv1.1/TLSv1.2 |
ecdhe_ecdsa_aes_128_sha_256
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
TLSv1.2 |
ecdhe_rsa_aes_128_sha_256
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
TLSv1.2 |
ecdhe_ecdsa_aes_128_gcm_sha_256
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
TLSv1.2 |
ecdhe_rsa_aes_128_gcm_sha_256
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
TLSv1.2 |
Example
NSSCipherSuite
+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fips_des_sha, +fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
NSSCipherSuite ALL
NSSCipherSuite
rsa_3des_sha
NSSCipherSuite RC4-SHA
NSSProtocol
A comma-separated string that lists the basic protocols that the server
can use (and clients may connect with). It doesn't enable a cipher
specifically but allows ciphers for that protocol to be used at all.
Options are:
SSLv3
TLSv1 (legacy only; replaced by TLSv1.0)
TLSv1.0
TLSv1.1
TLSv1.2
All
Note that this differs from mod_ssl in that you can't add or subtract
protocols.
If no NSSProtocol is specified, mod_nss will default to allowing the use of
the TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where TLSv1.0 will be set to
be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum
protocol allowed.
If values for NSSProtocol are specified, mod_nss will set both the minimum
and the maximum allowed protocols based upon these entries allowing for the
inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1
are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes
protocol ranges to accept all protocols inclusively
(TLSv1.1 -> TLSv1.0 -> SSLv3.0), and does not allow exclusion of any protocols
in the middle of a range (e. g. - TLSv1.0).
Finally, NSS will always automatically negotiate the use of the strongest
possible protocol that has been specified which is acceptable to both sides of
a given connection.
SSLv2 is not supported by default at this time.
Example
NSSProtocol SSLv3,TLSv1.0,TLSv1.1
NSSNickname
Specify the nickname to be used for this the server certificate.
Certificates stored in an NSS database are referred to using nicknames
which makes accessing a specific certificate much easier. It is also
possible to specify the certificate DN but it is easier to use a
nickname. If the nickname includes spaces then the value needs to
be enclosed in double quotes.
Example
NSSNickname Server-Cert
NSSNickname "This contains a space"
NOTE: There is nothing magical about the string "Server-Cert." A
nickname can be anything. Historically this was Server-Cert in the
Netscape server products that used NSS.
NSSECCNickname
Similar to NSSNickname but designed for use with ECC certificates. This
allows you to have both an RSA certificate and an ECC certificate
available on the same listening port. This allows newer clients that
support ECC to connect with those ciphers but also allows older clients
to connect with an RSA cipher.
Example
NSSNickname Server-Cert-ECC
NSSEnforceValidCerts
By default mod_nss will not start up if the server
certificate is not valid. This means that if the certificate has
expired or is signed by a CA that is not trusted in the NSS certificate
database the server will not start. If you would like the server to
start anyway you can add this directive to nss.conf and the server will
start with just a warning. Not enforcing a valid server certificate is
not recommended.
Example
NSSEnforceValidCerts on
NSSVerifyClient
Determines whether Client Certificate
Authentication will be requested or required. This may be set in a
per-server or per-directory context. At the server level the
certificate is requested during the initial SSL handshake. In the
per-directry context an SSL renogitation is required and a certificate
requested from the client.
Available options are:
none
: no client certificate
is required or requested
optional
: a client
certificate is requested but if one is not available, the connection
may continue.
require
: a valid client
certificate is required for the connection to continue.
The mod_ssl option option_no_ca
is not supported.
There is no NSSVerifyDepth
directive. NSS always verifies
the entire certificate chain.
Example
NSSVerifyClient require
NSSSessionTickets
Enables or disables support for TLS Session tickets (RFC 5077).
The default is off.
Example
NSSSessionTickets on
NSSUserName
Defines the field in the client certificate which will set the user
field in the request. The option FakeBasicAuth (see NSSOptions) must
also be set for this to work.
Example
NSSUserName SSL_CLIENT_S_DN_UID
NSSOptions
Control various options in a per-server or per-directory context.
- FakeBasicAuth: When this option is enabled and NSSUserName is set
then the certificate attribute defined in NSSUserName is used to
populate the value of r->user in the Apache request object. This
equates to the environmant variable REMOTE_USER.
- StdEnvVars: A standard set of SSL environment variables is
created.
- CompatEnvVars: A no-op. In previous versions of mod_ssl this
would set additional environment variables for backwards compatibility
with older Apache SSL implementations.
- ExportCertData: Several additional environment variables are
created,
SSL_CLIENT_CERT
, SSL_CLIENT_CERT_CHAIN[0..n]
and
SSL_SERVER_CERT
. This provides additional
certificate information on the client and server to the environment,
plus every CA certificate in the client certificate.
- StrictRequire: Absolutely forces the connection to be forbidden
when NSSRequireSSL or NSSRequire aren't met.
- OptRenegotiate: Allows the SSL connection to be renegotiated
using a different configuration. This is designed for a per-directory
and is relatively expensive to do. For example, it can be used to force
very strong ciphers in particular directories.
All options are disabled by default.
Example:
NSSOptions +FakeBasicAuth
<Files ~ "\.(cgi|shtml)$">
NSSOptions +StdEnvVars
<Files>
NSSRequireSSL
The request is forbidden unless the connection is using SSL. Only
available in a per-directory context. This takes no arguments.
Example
NSSRequireSSL
NSSRequire
Provides a regular expression-based access-control mechanism. Access
may be restricted (or allowed) based on any number of variables such as
components of the client certificate, the remote IP address, etc.
Example
NSSRequire
NSSRenegBufferSize
Configure the amount of memory that will be used for buffering the
request body if a per-location SSL renegotiation is required due
to changed access control requirements. The value is in bytes.
The default is 128K.
If set to 0 then no buffering is done.
Example
NSSRenegBufferSize 262144
NSSSNI
Enables or disables Server Name Identification (SNI) extension check for
TLS. This option is enabled by default. To disable SNI, set this to off
in the default name-based VirtualHost.
Example
NSSSNI off
NSSStrictSNIVHostCheck
Configures whether a non-SNI client is allowed to access a name-based
VirtualHost. If set to on in the default name-based VirtualHost
then clients that are SNI unaware cannot access any virtual host. If set
to on in any other VirtualHost then SNI unaware clients cannot access
this particular virtual host.
Example
NSSStrictSNIVHostCheck off
NSSProxyEngine
Enables or disables mod_nss HTTPS support for mod_proxy.
Example
NSSProxyEngine on
NSSProxyProtocol
Specifies the SSL protocols that may be used in proxy connections. The
syntax is identical to NSSProtocol.
Example
NSSProxyProtocol SSLv3
NSSProxyCipherSuite
Specifies the SSL ciphers available for proxy connections. The syntax
is identical to NSSCipherSuite.
Example
NSSProxyCipherSuite
+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
NSSProxyNickname
The nickname of the client certificate to send if the remote server
requests client authentication.
Example
NSSProxyNickname beta
NSSProxyCheckPeerCN
Compare the CN value of the peer certificate with the hostname being
requested. If this is set to on, the default, then the request will
fail if they do not match. If this is set to off then this comparison
is not done. Note that this test is your only protection against a
man-in-the-middle attack so leaving this as on is strongly recommended.
Example
NSSProxyCheckPeerCN on
Environment Variables
Quite a few environment variables (for CGI and SSI) may be set
depending on the NSSOptions configuration. It can be expensive to set
these so it is recommended that they only be set when they will be used
(e.g. don't set them on a per-server basis). Here is a list of the
variables along with the option used to set them.
Always Set
Name
|
Description
|
HTTPS
|
Set to "on" if HTTPS is being
used
|
+StdEnvVars
Name
|
Description
|
SSL_VERSION_INTERFACE
|
The version of mod_nss the
server is running
|
SSL_VERSION_LIBRARY
|
The version of NSS that mod_nss
was compiled against.
|
SSL_PROTOCOL
|
SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2
|
SSL_CIPHER
|
The cipher the connection is
using
|
SSL_CIPHER_EXPORT
|
true if the cipher is an export
cipher, false otherwise
|
SSL_CIPHER_USEKEYSIZE
|
Number if bits the cipher is
using
|
SSL_CIPHER_ALGKEYSIZE
|
Max number of bits possible in
the cipher
|
SSL_CLIENT_VERIFY
|
NONE if no client auth, SUCCESS
or FAILED if SSLVerifyCert is set
|
SSL_CLIENT_V_START
|
Client certificate validity
start time
|
SSL_CLIENT_V_END
|
Client certificate validity end
time |
SSL_CLIENT_V_REMAIN
|
Number of days that the
certificate is valid
|
SSL_CLIENT_M_VERSION
|
X.509 version of the client
certificate
|
SSL_CLIENT_M_SERIAL
|
Serial number of the client
certificate
|
SSL_CLIENT_A_KEY |
Algorithm used for client key
|
SSL_CLIENT_A_SIG |
Algorithm used for the signature
of the client key |
SSL_CLIENT_S_DN |
Distinguished Name (DN) of the
client certificate |
SSL_CLIENT_S_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email]
|
Components of the client
certificate. Only those that exist in the certificate are created.
|
SSL_CLIENT_SAN_[DNS, IPAddr, Email, OTHER_msUPN]_[0..n]
|
A subset of Subject Alternate Names. Each entry is appended with a unique sequential number.
|
SSL_CLIENT_I_DN
|
Distinguished Name (DN) of the
client certificate issuer
|
SSL_CLIENT_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the client issuer
certificate. Only those that exist in the certificate are created |
SSL_SERVER_DN
|
Distinguished Name (DN) of the
server certificate
|
SSL_SERVER_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the server
certificate. Only those that exist in the certificate are created |
SSL_SERVER_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] |
Components of the server issuer
certificate. Only those that exist in the certificate are created |
SSL_SERVER_M_VERSION
|
X.509 version of the server
certificate |
SSL_SERVER_M_SERIAL
|
Serial number of the server
certificate |
SSL_SERVER_V_START
|
Server certificate validity
start time |
SSL_SERVER_V_END
|
Server certificate validity end
time |
SSL_SERVER_A_KEY
|
Algorithm used for server key |
SSL_SERVER_A_SIG
|
Algorithm used for the signature
of the server key |
SSL_SESSION_ID
|
SSL Session ID
|
SSL_SERVER_SAN_[DNS, IPAddr, Email, OTHER_msUPN]_[0..n]
|
A subset of Subject Alternate Names. Each entry is appended with a unique sequential number.
|
+ExportCertData
Name
|
Description
|
SSL_SERVER_CERT
|
The server certificate in PEM
format.
|
SSL_CLIENT_CERT
|
The client certificate in PEM
format (if available)
|
SSL_CLIENT_CERT_CHAIN_[0..n]
|
Each certificate in the client
certificate chain in PEM format (including the client certificate
itself).
|
Database Management
NSS stores it's certificates and keys in a set of files referred to as
the "certificate database." The files by default (with NSS 3.x) are
named cert8.db, key3.db and secmod.db. See the NSS documentation at http://www.mozilla.org/projects/security/pki/nss/
for more information on these specific files.
By default the NSS databases use the Berkeley Database format (cert8 and
key3). To use the sqlite format (cert9 and key4) either include sql: in
all references to the database (-d sql:/path/to/database) or
export NSS_DEFAULT_DB_TYPE="sql"
.
For more details see
https://wiki.mozilla.org/NSS_Shared_DB
The NSS database also stores any Certificate Revocation Lists (CRLs).
Several NSS tools are available for managing certificates, keys,
PKCS#11 modules and CRLs. These come with the NSS distribution. Here is
a brief overview:
Tool
|
Description
|
certutil
|
Generate Certificate Signing
Requests, install certificates and manage certificate trust flags.
|
crlutil
|
Manage certificate revocation
lists (CRLs). |
modutil
|
Manage the database of PKCS11
modules (secmod.db). Add modules and modify the properties of
existing modules (such as whether a module is the default provider of
some crypto service). |
pk12util |
Import and export keys and
certificates in PKCS12 format. |
Here are some quick, useful commands. This assumes that the NSPR and
NSS libraries are in your LD_LIBRARY_PATH. Certificates may be referred
to by either their DN or by a short nickname that is assigned when the
certificate is added to the database. The nickname is the preferred
method of referring to certificates. All of these commands use the -d
option to specify the database location. The default is ~/.netscape and
is probably not what you want.
Description
|
Command
|
Create a Database
|
certutil -N -d [path]
|
List all Certificates
|
certutil -L -d [path]
|
Extract a cert (Server-Cert) in
ASCII
|
certutil -L -n Server-Cert -d
[path] -a
|
Extract a cert and key
(Server-Cert) in PKCS#12
|
pk12util -o server.p12 -n
Server-Cert -d [path]
|
Import a cert and key
(Import-Me) from PKCS#12
|
pk12util -i server.p12 -n
Import-Me -d [path]
|
Importing OpenSSL Certificates
If you have existing OpenSSL certificates you can import them into an
NSS certificate database.
To import a server certificate (nickname Server-Cert):
% openssl pkcs12 -export -in /path/to/certificate -inkey
/path/to/keyfile -out server.p12 -name "Server-Cert" -passout pass:foo
% pk12util -i server.p12 -d [path] -W foo
To import a CA certificate:
% certutil -A -n "myca" -t "CT,," -d [path] -a -i
/path/to/cacertificate
To import a CRL:
% openssl crl -in /path/to/crlfile -out /tmp/crl.tmp -inform PEM
-outform DER
% crlutil -I -t 1 -d [path] -i /tmp/crl.tmp
To verify that your server certificate was imported properly, you can
have NSS validate it:
% certutil -V -n Server-Cert -u V -d .
certutil: certificate is valid
Why is SSLv2 disabled?
All major browsers (Firefox, Internet Explorer, Mozilla, Netscape, Opera, and
Safari) support SSLv3 and TLS so there is no need for a web server to support
SSLv2. There are some known attacks against SSLv2 that are handled by
SSLv3/TLS. SSLv2 also doesn't support useful features like client
authentication.
Frequently Asked Questions
Q. Does mod_nss support mod_proxy?
A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
provides a single interface for SSL providers and mod_nss defers to
mod_ssl if it is loaded.
Sample Use Cases
I. Restart Apache using the NSS Internal Software Token
1. Become the root user.
2. Install mod_nss.
3. This use case will utilize the NSS security databases created during installation of mod_nss:
# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
alpha u,pu,u
NOTE: |
For actual deployments, the administrator should setup
their own NSS security databases (e. g. - replace the default mod_nss
NSS security databases located in /etc/httpd/alias ), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |
4. Use certutil
to apply a password to the NSS security databases configured in step 3 above:
# certutil -W -d /etc/httpd/alias
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
5. Configure mod_nss to use the NSS internal software token:
Edit /etc/httpd/conf.d/nss.conf
:
Replace:
NSSPassPhraseDialog builtin
with:
NSSPassPhraseDialog file:/etc/httpd/password.conf
NOTE: |
Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin
parameter must be changed to point to a file URL in order to allow
mod_nss to work with the Apache web server. This is because the mod_nss
test for issuing the password prompt Please enter password for "internal" token: on the command line is only displayed when the command isatty(fileno(stdin))
is set to 'true', and when the command is entered from this type of
invocation the value is 'false'. In order to see the prompt, one can
set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |
If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the NSSNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the NSSECCNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
NSSECCNickname Server-Cert
Make certain that the NSSCertificateDatabase
parameter is uncommented and points to the NSS security databases directory configured in step 3 above:
NSSCertificateDatabase /etc/httpd/alias
Create the /etc/httpd/password.conf
file:
Add:
Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.
Apply the appropriate ownership and permissions to the /etc/httpd/password.conf
file:
# chgrp apache /etc/httpd/password.conf
# chmod 640 /etc/httpd/password.conf
# ls -l /etc/httpd/password.conf
-rw-r-----. 1 root apache 18 Nov 27 14:05 /etc/httpd/password.conf
6. Restart the Apache server:
# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
# service httpd status
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Wed 2013-11-27 15:25:48 PST; 1min 11s ago
Process: 20804 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 20807 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: name=systemd:/system/httpd.service
|_____20807 /usr/sbin/httpd -DFOREGROUND
|_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
|_____20809 /usr/sbin/httpd -DFOREGROUND
|_____20810 /usr/sbin/httpd -DFOREGROUND
|_____20811 /usr/sbin/httpd -DFOREGROUND
|_____20812 /usr/sbin/httpd -DFOREGROUND
|_____20813 /usr/sbin/httpd -DFOREGROUND
Nov 27 15:25:48 server.example.com systemd[1]: Started The Apache HTTP Server.
II. Restart Apache using the NSS FIPS Software Token
1. Become the root user.
2. Install mod_nss.
3. This use case will utilize the NSS security databases created during installation of mod_nss:
# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
alpha u,pu,u
NOTE: |
For actual deployments, the administrator should setup
their own NSS security databases (e. g. - replace the default mod_nss
NSS security databases located in /etc/httpd/alias ), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |
4. Use certutil
to apply a password to the NSS security databases configured in step 3 above:
# certutil -W -d /etc/httpd/alias
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
5. Configure mod_nss to use the NSS FIPS software token:
Edit /etc/httpd/conf.d/nss.conf
:
Replace:
NSSPassPhraseDialog builtin
with:
NSSPassPhraseDialog file:/etc/httpd/password.conf
NOTE: |
Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin
parameter must be changed to point to a file URL in order to allow
mod_nss to work with the Apache web server. This is because the mod_nss
test for issuing the password prompt Please enter password for "NSS FIPS 140-2 Certificate DB" token: on the command line is only displayed when the command isatty(fileno(stdin))
is set to 'true', and when the command is entered from this type of
invocation the value is 'false'. In order to see the prompt, one can
set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |
To enable FIPS mode for mod_nss, add the following parameter:
after the line marked:
If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the NSSNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the NSSECCNickname
parameter is uncommented and matches the nickname displayed in step 3 above:
NSSECCNickname Server-Cert
Make certain that the NSSCertificateDatabase
parameter is uncommented and points to the NSS security databases directory configured in step 3 above:
NSSCertificateDatabase /etc/httpd/alias
Create the /etc/httpd/password.conf
file:
Add:
NSS FIPS 140-2 Certificate DB:<password>
Replacing '<password>' with the password that was applied to the NSS security databases in step 4 above.
IMPORTANT: |
Notice that since the NSS FIPS software token is being used, the contents of the /etc/httpd/password.conf file references the password for the NSS FIPS software token (NSS FIPS 140-2 Certificate DB:<password> ) rather than the NSS internal software token (internal:<password> ). |
Apply the appropriate ownership and permissions to the /etc/httpd/password.conf
file:
# chgrp apache /etc/httpd/password.conf
# chmod 640 /etc/httpd/password.conf
# ls -l /etc/httpd/password.conf
-rw-r-----. 1 root apache 39 Nov 27 15:48 /etc/httpd/password.conf
6. Restart the Apache server:
# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
# service httpd status
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Wed 2013-11-27 16:26:07 PST; 4s ago
Process: 21296 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 21299 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: name=systemd:/system/httpd.service
|_____21299 /usr/sbin/httpd -DFOREGROUND
|_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
|_____21340 /usr/sbin/httpd -DFOREGROUND
|_____21341 /usr/sbin/httpd -DFOREGROUND
|_____21342 /usr/sbin/httpd -DFOREGROUND
Nov 27 16:26:07 server.example.com systemd[1]: Started The Apache HTTP Server.
mod_nss-1.0.14/gencert.8 0000664 0000000 0000000 00000004540 12704231257 0014765 0 ustar 00root root 0000000 0000000 .\" A man page for gencert
.\"
.\" Licensed under the Apache License, Version 2.0 (the "License");
.\" you may not use this file except in compliance with the License.
.\" You may obtain a copy of the License at
.\"
.\" http://www.apache.org/licenses/LICENSE-2.0
.\"
.\" Unless required by applicable law or agreed to in writing, software
.\" distributed under the License is distributed on an "AS IS" BASIS,
.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
.\" See the License for the specific language governing permissions and
.\" limitations under the License.
.\"
.\" Author: Rob Crittenden
.\"
.TH "gencert" "8" "Jul 1 2013" "Rob Crittenden" ""
.SH "NAME"
gencert \- Generate a test NSS database for mod_nss
.SH "SYNOPSIS"
gencert
.SH "DESCRIPTION"
A tool used to generate a self\-signed CA as well as server and user certificates for mod_nss testing.
.PP
This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists, so use with care.
.PP
\fBgencert\fP will generate a new NSS database with the password "httptest".
.PP
It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US"
.PP
It also generates a certificate suitable for servers with the subject "CN=, O=example.com, C=US", and a user certificate with the subject "E=alpha@, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US".
.PP
The nicknames it uses are:
.IP
.TS
tab(;);
ll,ll.
CA:;cacert
Server certificate:;Server\-Cert
User cert:;alpha
.TE
.SH OPTIONS
.TP
.B
Specifies the destination directory where the NSS databases will be created.
.SH BUGS
Report bugs to http://bugzilla.redhat.com.
.SH AUTHORS
Rob Crittenden .
.SH COPYRIGHT
Copyright (c) 2011 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0.
.PP
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
mod_nss-1.0.14/gencert.in 0000775 0000000 0000000 00000023676 12704231257 0015242 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Copyright 2001-2004 The Apache Software Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# $Header$
#
# gencert - generate new CA, server and user certificates for NSS testing.
#
CERTUTIL=/usr/bin/certutil
# Note: In order for the client tests that ship with this module to work
# properly with this test certificate you need to ensure that the domain of
# the server is the same as your domain. Otherwise you will get an error message
# like -12776 (requested domain name does not match the server's certificate).
getFQDN() {
max=0
maxhost=
OS=`uname -s`
if [ $OS == "SunOS" ]; then
if [ -x /usr/lib/mail/sh/check-hostname ]; then
maxhost=`/usr/lib/mail/sh/check-hostname | awk 'BEGIN { FS=" " } { if ($3 == "OK:") { print $7 } }'`
fi
echo $maxhost
return
fi
defhost=`hostname`
if [ -e /usr/bin/host -o -e /bin/host ]; then
hosthost=`host $defhost | grep -v "not found" | awk '{print $1}'`
else
hosthost=''
fi
for host in $defhost $hosthost `hostname -f` `hostname -a` ; do
len=`echo $host | wc -c`
if [ $len -gt $max ]; then
max=$len
maxhost=$host
fi
done
echo $maxhost
}
FQDN=`getFQDN`
if [ "x${FQDN}" = "x" ]; then
FQDN=localhost.localdomain
fi
CA_CERTDN="CN=Certificate Shack, O=example.com, C=US"
SERVER_CERTDN="CN=${FQDN}, O=example.com, C=US"
ALPHA_CERTDN="E=alpha@${FQDN}, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US"
BETA_CERTDN="E=beta@${FQDN}, CN=Anna Beta, UID=beta, OU=People, O=example.com, C=US"
COLON_CERTDN="E=colon:user@${FQDN}, CN=Colon User, UID=colon, OU=People, O=example.com, C=US"
# size of the keys
KEYSIZE=2048
# validity of the certs in months
VALIDITY=48
# starting point of serial numbers. 1 is the CA, 2 is the client cert "alpha"
# 3 is the server cert "Server-Cert".
CERTSERIAL=0
if [ $# -lt 1 ]
then
echo "usage: $0 " 1>&2
exit 1
fi
DEST=`echo $1 | cut -d: -f2`
if [ ! -d $DEST -o ! -w $DEST ]
then
echo "ERROR: $1 must be writable directory." 1>&2
exit 1
fi
DBDIR=$1
shift
TEST=0
SNI=0
while [[ $# -ge 1 ]]
do
key="$1"
case $key in
-s|--sni)
SNI="$2"
shift
;;
-t|--test)
TEST=1
;;
*)
echo "Unknown option $1"
exit 1
;;
esac
shift
done
echo "TEST = $TEST"
echo "SNI = $SNI"
echo "httptest" > $DEST/pw.txt
function generate_server_sni_cert {
hostname=$1
local SERVER_DN="CN=${hostname}, O=SNI, O=example.com, C=US"
local NICKNAME="Server-Cert-${hostname}"
echo ""
echo "#####################################################################"
echo "Generating $NICKNAME server certificate request"
echo "#####################################################################"
if [ -e /dev/urandom ]; then
(ps -elf; date; dd if=/dev/urandom count=1 bs=1024 2>/dev/null| tr -dc 'a-zA-Z0-9') > $DEST/noise
else
(ps -elf; date; dd if=/dev/random count=1 bs=128 2>/dev/null| tr -dc 'a-zA-Z0-9') > $DEST/noise
fi
$CERTUTIL -R -d $DBDIR \
-s "$SERVER_DN" \
-o $DEST/tmpcertreq \
-g $KEYSIZE \
-z $DEST/noise \
-f $DEST/pw.txt
echo ""
echo "#####################################################################"
echo "Generating $NICKNAME server certificate"
echo "#####################################################################"
let CERTSERIAL=CERTSERIAL+1
echo -e "2\n9\nn\n1\n9\nn\n" | \
$CERTUTIL -C -d $DBDIR \
-c cacert \
-i $DEST/tmpcertreq \
-o $DEST/tmpcert.der \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-1 \
-5 \
-8 $hostname
rm $DEST/tmpcertreq
echo ""
echo "#####################################################################"
echo "Importing $NICKNAME certificate into server cert DB"
echo "#####################################################################"
$CERTUTIL -A -d $DBDIR -n $NICKNAME \
-t u,u,u \
-i $DEST/tmpcert.der \
-f $DEST/pw.txt
rm $DEST/tmpcert.der
}
echo ""
echo "#####################################################################"
echo "Generating new server certificate and key database. The password"
echo "is httptest"
echo "#####################################################################"
$CERTUTIL -N -d $DBDIR -f $DEST/pw.txt
echo ""
echo "#####################################################################"
echo "Generating self-signed client CA certificate"
echo "#####################################################################"
(ps -elf; date; netstat -a) > $DEST/noise
let CERTSERIAL=CERTSERIAL+1
# 5 9 n -> Cert signing key
# y 10 y -> basic constraints: CA cert
# 5 6 7 9 n -> SSL, S/MIME, Object signing CA
echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | \
$CERTUTIL -S -d $DBDIR -n cacert \
-s "$CA_CERTDN" \
-x \
-t CTu,CTu,CTu \
-g $KEYSIZE \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-z $DEST/noise \
-2 \
-1 \
echo ""
echo "#####################################################################"
echo "Generating user certificate for \"alpha\"."
echo "#####################################################################"
(ps -elf; date; netstat -a) > $DEST/noise
let CERTSERIAL=CERTSERIAL+1
# 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
# 0 9 n -> SSL Client
echo -e "0\n2\n9\nn\n0\n9\nn\n" | \
$CERTUTIL -S -d $DBDIR -n alpha \
-s "$ALPHA_CERTDN" \
-c cacert \
-t u,pu,u \
-g $KEYSIZE \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-z $DEST/noise \
-1 \
-5 \
-7 alpha@${FQDN}
echo ""
echo "#####################################################################"
echo "Generating user certificate for \"beta\"."
echo "#####################################################################"
(ps -elf; date; netstat -a) > $DEST/noise
let CERTSERIAL=CERTSERIAL+1
# 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
# 0 9 n -> SSL Client
echo -e "0\n2\n9\nn\n0\n9\nn\n" | \
$CERTUTIL -S -d $DBDIR -n beta \
-s "$BETA_CERTDN" \
-c cacert \
-t u,pu,u \
-g $KEYSIZE \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-z $DEST/noise \
-1 \
-5 \
-7 beta@${FQDN}
if [ $TEST == 1 ]; then
echo ""
echo "#####################################################################"
echo "Generating user certificate for \"colon\"."
echo "#####################################################################"
(ps -elf; date; netstat -a) > $DEST/noise
let CERTSERIAL=CERTSERIAL+1
# 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
# 0 9 n -> SSL Client
echo -e "0\n2\n9\nn\n0\n9\nn\n" | \
$CERTUTIL -S -d $DBDIR -n colon \
-s "$COLON_CERTDN" \
-c cacert \
-t u,pu,u \
-g $KEYSIZE \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-z $DEST/noise \
-1 \
-5
fi
echo ""
echo "#####################################################################"
echo "Generating server certificate request"
echo ""
echo "#####################################################################"
echo "Generating server certificate request"
echo "#####################################################################"
(ps -elf; date; netstat -a) > $DEST/noise
$CERTUTIL -R -d $DBDIR \
-s "$SERVER_CERTDN" \
-o $DEST/tmpcertreq \
-g $KEYSIZE \
-z $DEST/noise \
-f $DEST/pw.txt
echo ""
echo "#####################################################################"
echo "Generating server certificate"
echo "#####################################################################"
let CERTSERIAL=CERTSERIAL+1
echo -e "2\n9\nn\n1\n9\nn\n" | \
$CERTUTIL -C -d $DBDIR \
-c cacert \
-i $DEST/tmpcertreq \
-o $DEST/tmpcert.der \
-m $CERTSERIAL \
-v $VALIDITY \
-f $DEST/pw.txt \
-1 \
-5 \
-8 $FQDN
rm $DEST/tmpcertreq
echo ""
echo "#####################################################################"
echo "Importing server certificate into server cert DB"
echo "#####################################################################"
$CERTUTIL -A -d $DBDIR -n Server-Cert \
-t u,u,u \
-i $DEST/tmpcert.der \
-f $DEST/pw.txt
rm $DEST/tmpcert.der
if [ $SNI -gt 0 ]; then
SNI=`expr $SNI + 1`
count=1
while test $count -lt $SNI ; do
generate_server_sni_cert www$count.example.com
count=`expr $count + 1`
done
fi
echo ""
echo "#####################################################################"
echo "Cleaning up"
echo "#####################################################################"
rm $DEST/pw.txt
rm $DEST/noise
echo ""
echo "The database password is httptest"
echo ""
exit 0
mod_nss-1.0.14/makerpm.sh 0000775 0000000 0000000 00000003542 12704231257 0015241 0 ustar 00root root 0000000 0000000 #!/bin/sh -xv
# This script provides an example of how to build the various flavors
# of the mod_nss rpm. If you don't have a source tarball, you
# can create one from checking out the source tree (which you presumably
# have if you have checked out this script) and putting it in
# SOURCES/mod_nss-1.0.tar.gz. The things you need to define below
# are:
# RPM_PLATFORM - one of RHEL3, RHEL4, FC3, FC4, etc. - should correspond
# to our internal build platform naming convention
# FLAVOR - use dbg for debug builds and opt for optimized builds
# NSPRDIR - directory holding NSPR include and lib directories
# NSSDIR - directory holding NSS include and lib directories
mkdirs() {
for d in "$@" ; do
if [ -d $d ]; then
mv $d $d.deleted
rm -rf $d.deleted &
fi
mkdir -p $d
done
}
mkdirs SOURCES BUILD SRPMS RPMS
cd SOURCES
cvs -d $FEDCVSROOT co -d mod_nss-1.0 mod_nss
tar cf - mod_nss-1.0 | gzip > mod_nss-1.0.tar.gz
rm -rf mod_nss-1.0
cd ..
# define PLATFORM to be RHEL3, RHEL4, FC3, FC4, etc.
RPM_PLATFORM=RHEL4
# define FLAVOR to be dbg or opt for debug or optimized build
FLAVOR=dbg
# root dir for RPM built and temp files
ABS_TOPDIR=`pwd`
arch=`uname -i`
#mkdirs RPMS/$arch
# now define the locations of our components
NSPRDIR=/share/builds/components/nspr/v4.4.1/RHEL4_x86_gcc3_DBG.OBJ
NSSDIR=/share/builds/components/nss/NSS_3_9_3_RTM/RHEL4_x86_gcc3_DBG.OBJ
rpmbuild --define "_topdir $ABS_TOPDIR" --define "_sourcedir $ABS_TOPDIR/SOURCES" --define "_rpmdir $ABS_TOPDIR/RPMS" --define "_srcrpmdir $ABS_TOPDIR/SRPMS" --define "ARCH $arch" --define "flavor $FLAVOR" --define "platform $RPM_PLATFORM" --define "nsprincdir $NSPRDIR/include" --define "nsprlibdir $NSPRDIR/lib" --define "nssincdir $NSSDIR/include" --define "nsslibdir $NSSDIR/lib" --nodeps -ba mod_nss.spec
mod_nss-1.0.14/migrate.pl 0000775 0000000 0000000 00000023515 12704231257 0015240 0 ustar 00root root 0000000 0000000 #!/usr/bin/perl
#
# Migrate configuration from OpenSSL to NSS
use Cwd;
use Getopt::Std;
BEGIN {
$NSSDir = cwd();
$SSLCACertificatePath = "";
$SSLCACertificateFile = "";
$SSLCertificateFile = "";
$SSLCARevocationPath = "";
$SSLCARevocationFile = "";
$SSLCertificateKeyFile = "";
$passphrase = 0;
}
# these directives are common for mod_ssl 2.4.18 and mod_nss 1.0.13
%keep = ( "SSLCipherSuite" => "",
"SSLEngine" => "",
"SSLOptions" => "",
"SSLPassPhraseDialog" => "",
"SSLProtocol" => "",
"SSLProxyCipherSuite" => "",
"SSLProxyEngine" => "",
"SSLProxyCheckPeerCN" => "",
"SSLProxyProtocol" => "",
"SSLRandomSeed" => "",
"SSLRenegBufferSize" => "",
"SSLRequire" => "",
"SSLRequireSSL" => "",
"SSLSessionCacheTimeout" => "",
"SSLSessionTickets" => "",
"SSLStrictSNIVHostCheck" => "",
"SSLUserName" => "",
"SSLVerifyClient" => "",
);
%insert = ( "SSLSessionCacheTimeout", "NSSSessionCacheSize 10000\nNSSSession3CacheTimeout 86400\n",);
getopts('chr:w:' , \%opt );
sub usage() {
print STDERR "Usage: migrate.pl [-c] -r -w \n";
print STDERR "\t-c converts the certificates\n";
print STDERR "\t-r path to mod_ssl configuration file\n";
print STDERR "\t-w path to new mod_nss configuration file\n";
print STDERR "\n";
print STDERR "This conversion script is not aware of apache's configuration blocks\n";
print STDERR "and nestable conditional directives. Please check the output of the\n";
print STDERR "conversion and adjust manually if necessary!\n";
exit();
}
usage() if ($opt{h} || !$opt{r} || !$opt{w});
print STDERR "input: $opt{r}\noutput: $opt{w}\n";
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
print NSS "## This is a conversion of mod_ssl specific options by migrate.pl\n";
print NSS "## \n";
print NSS "## Please read through this configuration and verify the individual options!\n\n";
while () {
my $comment = 0;
# write through even if in comment before comments are stripped below.
if(/(ServerName|ServerAlias)/) {
print NSS $_;
next;
}
# skip blank lines and comments
if (/^\s*#/ || /^\s*$/) {
print NSS $_;
next;
}
s/mod_ssl\.c/mod_nss.c/;
# write through nestable apache configuration block directives:
if (/^ || /^\s) {
print NSS $_;
next;
}
m/(\w+)\s+(.+)/;
$stmt = $1;
$value = $2;
# Handle the special cases
if ($stmt eq "SSLVerifyClient" && $value eq "optional_no_ca") {
print NSS "# Replaced optional_no_ca with optional\n";
print NSS "SSLVerifyClient optional\n";
next;
}
if ($stmt eq "SSLRandomSeed" && $value eq "connect builtin") {
print NSS "## mod_nss doesn't do per-connection random seeding\n";
print NSS "##$_";
next;
}
# we support OpenSSL cipher strings now, keeping the string as is
# unless using system-wide crypto policy
if (($stmt eq "SSLCipherSuite" || $stmt eq "SSLProxyCipherSuite") &&
$value eq "PROFILE=SYSTEM") {
my $fname = "/etc/crypto-policies/back-ends/openssl.config";
open (my $fh, "<", $fname) or die "Unable to open $fname: $!.\n";
my $ciphers = <$fh>;
close($fh);
(my $newstmt = $stmt) =~ s/SSL/NSS/;
print NSS $newstmt, " ", $ciphers, "\n";
next;
}
if ($stmt eq "SSLProtocol" ) {
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
print NSS "##$_";
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
print NSS "NSSProtocol TLSv1.0,TLSv1.2\n\n";
next;
} elsif ($stmt eq "SSLProxyProtocol" ) {
print NSS "## we ignore the arguments to SSLProxyProtocol. The original value was:\n";
print NSS "##$_";
print NSS "## The following is a _range_ from TLSv1.0 to TLSv1.2.\n";
print NSS "NSSProxyProtocol TLSv1.0,TLSv1.2\n\n";
next;
} elsif ($stmt eq "SSLCACertificatePath") {
$SSLCACertificatePath = $value;
$comment = 1;
} elsif ($stmt eq "SSLCACertificateFile") {
$SSLCACertificateFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCertificateFile") {
print NSS "NSSCertificateDatabase $NSSDir\n";
print NSS "NSSNickName Server-Cert\n";
$SSLCertificateFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCertificateKeyFile") {
$SSLCertificateKeyFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLCARevocationPath") {
$SSLCARevocationPath = $value;
$comment = 1;
} elsif ($stmt eq "SSLCARevocationFile") {
$SSLCARevocationFile = $value;
$comment = 1;
} elsif ($stmt eq "SSLPassPhraseDialog") {
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
$passphrase = 1;
$comment = 1;
}
if (exists($insert{$stmt})) {
#print NSS "$_";
print NSS $insert{$stmt};
next;
}
if (m/^\s*SSL/) {
if (!exists($keep{$stmt})) {
print NSS "# Skipping, not applicable in mod_nss\n";
print NSS "##$_";
next;
} else {
# Fix up any remaining directive names
s/^(\s*)SSL/\1NSS/;
}
}
# Fall-through to print whatever is left
if ($comment) {
print NSS "##$_";
$comment = 0;
} else {
print NSS $_;
}
}
if ($passphrase == 0) {
# NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.9'.
print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
}
close(NSS);
close(SSL);
#
# Create NSS certificate database and import any existing certificates
#
if ($opt{c}) {
print STDERR "Creating NSS certificate database.\n";
run_command("certutil -N -d $NSSDir");
# Convert the certificate into pkcs12 format
if ($SSLCertificateFile ne "" && $SSLCertificateKeyFile ne "") {
my $subject = get_cert_subject($SSLCertificateFile);
print STDERR "Importing certificate $subject as \"Server-Cert\".\n";
run_command("openssl pkcs12 -export -in $SSLCertificateFile -inkey $SSLCertificateKeyFile -out server.p12 -name \"Server-Cert\" -passout pass:foo");
run_command("pk12util -i server.p12 -d $NSSDir -W foo");
}
if ($SSLCACertificateFile ne "") {
my $subject = get_cert_subject($SSLCACertificateFile);
if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificateFile");
}
}
if ($SSLCACertificatePath ne "") {
opendir(DIR, $SSLCACertificatePath) or die "can't opendir $SSLCACertificatePath: $!";
while (defined($file = readdir(DIR))) {
next if -d $file;
# we can operate directly on the hash files so don't have to worry
# about any SKIPME's.
if ($file =~ /hash.*/) {
my $subject = get_cert_subject("$SSLCACertificatePath/$file");
if ($subject ne "") {
print STDERR "Importing CA certificate $subject\n";
run_command("certutil -A -n \"$subject\" -t \"CT,,\" -d $NSSDir -a -i $SSLCACertificatePath/$file");
}
}
}
closedir(DIR);
}
if ($SSLCARevocationFile ne "") {
print STDERR "Importing CRL file $CARevocationFile\n";
# Convert to DER format
run_command("openssl crl -in $SSLCARevocationFile -out /root/crl.tmp -inform PEM -outform DER");
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
unlink("/root/crl.tmp");
}
if ($SSLCARevocationPath ne "") {
opendir(DIR, $SSLCARevocationPath) or die "can't opendir $SSLCARevocationPath: $!";
while (defined($file = readdir(DIR))) {
next if -d $file;
# we can operate directly on the hash files so don't have to worry
# about any SKIPME's.
if ($file =~ /hash.*/) {
my $subject = get_cert_subject("$SSLCARevocationPath/$file");
if ($subject ne "") {
print STDERR "Importing CRL file $file\n";
# Convert to DER format
run_command("openssl crl -in $SSLCARevocationPath/$file -out /root/crl.tmp -inform PEM -outform DER");
run_command("crlutil -I -t 1 -d $NSSDir -i /root/crl.tmp");
unlink("/root/crl.tmp");
}
}
}
closedir(DIR);
}
}
print STDERR "\nConversion complete.\n\n";
print STDERR "The output file should contain a valid mod_nss configuration\n";
print STDERR "based on the mod_ssl directives from the input file.\n\n";
print STDERR "Do not forget to rename the mod_ssl based apache config file\n";
print STDERR "to a name that does not end in .conf\n\n";
print STDERR "Restart apache and check the server error logs for problems.\n";
exit(0);
# Given the filename of a PEM file, use openssl to fetch the certificate
# subject
sub get_cert_subject {
my $file = shift;
my $subject = "";
return "" if ! -T $file;
$subject = `openssl x509 -subject < $file | head -1`;
$subject =~ s/subject= \///; # Remove leading subject= \
$subject =~ s/\//,/g; # Replace / with , as separator
$subject =~ s/Email=.*(,){0,1}//; # Remove Email attribute
$subject =~ s/,$//; # Remove any trailing commas
chomp($subject);
return $subject;
}
#
# Wrapper around the system() command
sub run_command {
my @args = shift;
my $status = 0;
$status = 0xffff & system(@args);
return if ($status == 0);
print STDERR "Command '@args' failed: $!\n";
exit;
}
mod_nss-1.0.14/mod_nss.c 0000664 0000000 0000000 00000042532 12704231257 0015056 0 ustar 00root root 0000000 0000000 /* Copyright 2001-2004 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mod_nss.h"
#include
#include "sslerr.h"
/*
* the table of configuration directives we provide
*/
#define SSL_CMD_ALL(name, args, desc) \
AP_INIT_##args("NSS"#name, nss_cmd_NSS##name, \
NULL, RSRC_CONF|OR_AUTHCFG, desc),
#define SSL_CMD_SRV(name, args, desc) \
AP_INIT_##args("NSS"#name, nss_cmd_NSS##name, \
NULL, RSRC_CONF, desc),
#define SSL_CMD_DIR(name, type, args, desc) \
AP_INIT_##args("NSS"#name, nss_cmd_NSS##name, \
NULL, OR_##type, desc),
#define AP_END_CMD { NULL }
static const command_rec nss_config_cmds[] = {
/*
* Global (main-server) context configuration directives
*/
SSL_CMD_SRV(CertificateDatabase, TAKE1,
"SSL Server Certificate database "
"(`/path/to/file'")
SSL_CMD_SRV(DBPrefix, TAKE1,
"NSS Database prefix (optional) "
"(`my-prefix-'")
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL 2 Session Cache object lifetime "
"(`N' - number of seconds)")
SSL_CMD_SRV(Session3CacheTimeout, TAKE1,
"SSL 3/TLS Session Cache object lifetime "
"(`N' - number of seconds)")
SSL_CMD_SRV(SessionCacheSize, TAKE1,
"SSL Session Cache size "
"(`N' - number of entries)")
SSL_CMD_SRV(SkipPermissionCheck, FLAG,
"Skip checking the NSS database read permissions"
"(`on', `off')")
SSL_CMD_SRV(PassPhraseDialog, TAKE1,
"SSL dialog mechanism for the pass phrase query "
"(`builtin', `file:/path/to/file`")
SSL_CMD_SRV(PassPhraseHelper, TAKE1,
"Process to securely store SSL tokens to handle restarts "
"(`/path/to/file`")
SSL_CMD_SRV(OCSP, FLAG,
"OCSP (Online Certificate Status Protocol)"
"(`on', `off')")
SSL_CMD_SRV(OCSPDefaultResponder, FLAG,
"Use a default OCSP Responder"
"(`on', `off')")
SSL_CMD_SRV(OCSPDefaultURL, TAKE1,
"The URL of the OCSP default responder"
"(`http://example.com:80/ocsp")
SSL_CMD_SRV(OCSPDefaultName, TAKE1,
"The nickname of the certificate to trust to sign the OCSP responses."
"(`OCSP_Cert`")
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"(`startup builtin|file:/path|exec:/path [bytes]')")
/*
* Per-server context configuration directives
*/
SSL_CMD_SRV(Engine, FLAG,
"SSL switch for the protocol engine "
"(`on', `off')")
SSL_CMD_SRV(FIPS, FLAG,
"FIPS 140-1 mode "
"(`on', `off')")
SSL_CMD_SRV(SNI, FLAG,
"SNI"
"(`on', `off')")
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
"Strict SNI virtual host checking")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable "
"(`[+-]XXX,...,[+-]XXX' - see manual)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable the various SSL protocols"
"(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client Authentication "
"(`none', `optional', `require'")
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
#ifdef SSL_ENABLE_RENEGOTIATION
SSL_CMD_SRV(Renegotiation, FLAG,
"Enable SSL Renegotiation (default off) "
"(`on', `off')")
SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
"If Rengotiation is allowed, require safe negotiation (default off) "
"(`on', `off')")
#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
"(`Server-Cert'")
#endif
SSL_CMD_SRV(EnforceValidCerts, FLAG,
"Require a valid, trust, non-expired server certificate (default on)"
"(`on', `off'")
SSL_CMD_SRV(SessionTickets, FLAG,
"Enable or disable TLS session tickets"
"(`on', `off')")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
/*
* Per-directory context configuration directives
*/
SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
"Set one or more options to configure the SSL engine"
"(`[+-]option[=value] ...' - see manual)")
SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
"Require the SSL protocol for the per-directory context "
"(no arguments)")
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
"Configure the amount of memory that will be used for buffering the "
"request body if a per-location SSL renegotiation is required due to "
"changed access control requirements")
/*
* Proxy configuration for remote SSL connections
*/
SSL_CMD_SRV(ProxyEngine, FLAG,
"SSL switch for the proxy protocol engine "
"(`on', `off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
"(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"(`XXX:...:XXX' - see manual)")
SSL_CMD_SRV(ProxyNickname, TAKE1,
"SSL Proxy: client certificate Nickname to be for proxy connections "
"(`nickname')")
SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
"SSL Proxy: check the peers certificate CN")
#ifdef IGNORE
/* Deprecated directives. */
AP_INIT_RAW_ARGS("NSSLog", ap_set_deprecated, NULL, OR_ALL,
"SSLLog directive is no longer supported - use ErrorLog."),
AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
#endif
AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
"Apache user. Comes from httpd.conf."),
AP_END_CMD
};
/*
* the various processing hooks
*/
static int nss_hook_pre_config(apr_pool_t *pconf,
apr_pool_t *plog,
apr_pool_t *ptemp)
{
/* Register us to handle mod_log_config %c/%x variables */
nss_var_log_config_register(pconf);
return OK;
}
static SSLConnRec *nss_init_connection_ctx(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
return sslconn;
}
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
sslconn->is_proxy = 0;
sslconn->disabled = 0;
sslconn->non_nss_request = 0;
sslconn->ssl = NULL;
myConnConfigSet(c, sslconn);
return sslconn;
}
static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
int nss_proxy_enable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn = nss_init_connection_ctx(c);
if (!sc->proxy_enabled) {
if (othermod_proxy_enable) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
"mod_nss proxy not configured, passing through to mod_ssl module");
return othermod_proxy_enable(c);
}
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"SSL Proxy requested for %s but not enabled "
"[Hint: NSSProxyEngine]", sc->vhost_id);
return 0;
}
sslconn->is_proxy = 1;
sslconn->disabled = 0;
return 1;
}
static int ssl_proxy_enable(conn_rec *c) {
return nss_proxy_enable(c);
}
int nss_engine_disable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn;
if (othermod_engine_disable) {
othermod_engine_disable(c);
}
if (sc->enabled == FALSE) {
return 0;
}
sslconn = nss_init_connection_ctx(c);
sslconn->disabled = 1;
return 1;
}
static int ssl_engine_disable(conn_rec *c) {
return nss_engine_disable(c);
}
/* Callback for an incoming certificate that is not valid */
SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
{
conn_rec *c = (conn_rec *)arg;
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
PRErrorCode err = PR_GetError();
SECStatus rv = SECFailure;
CERTCertificate *peerCert = SSL_PeerCertificate(socket);
const char *hostname_note;
switch (err) {
case SSL_ERROR_BAD_CERT_DOMAIN:
if (sc->proxy_ssl_check_peer_cn == TRUE) {
if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
apr_table_unset(c->notes, "proxy-request-hostname");
rv = CERT_VerifyCertName(peerCert, hostname_note);
if (rv != SECSuccess) {
char *remote = CERT_GetCommonName(&peerCert->subject);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"SSL Proxy: Possible man-in-the-middle attack. The remote server is %s, we expected %s", remote, hostname_note);
PORT_Free(remote);
}
} else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
}
} else {
rv = SECSuccess;
}
break;
default:
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Bad remote server certificate: %d", err);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
break;
}
return rv;
}
/* Callback to pull the client certificate upon server request */
static SECStatus NSSGetClientAuthData(void *arg, PRFileDesc *socket,
CERTDistNames *caNames,
CERTCertificate **pRetCert,/*return */
SECKEYPrivateKey **pRetKey)
{
CERTCertificate * cert;
SECKEYPrivateKey * privKey;
void * proto_win = NULL;
SECStatus rv = SECFailure;
char * localNickName = (char *)arg;
proto_win = SSL_RevealPinArg(socket);
if (localNickName) {
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
localNickName, certUsageSSLClient,
PR_FALSE, proto_win);
if (cert) {
privKey = PK11_FindKeyByAnyCert(cert, proto_win);
if (privKey) {
rv = SECSuccess;
} else {
CERT_DestroyCertificate(cert);
}
}
if (rv == SECSuccess) {
*pRetCert = cert;
*pRetKey = privKey;
}
}
return rv;
}
static int nss_hook_pre_connection(conn_rec *c, void *csd)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
PRFileDesc *ssl;
SSLConnRec *sslconn = myConnConfig(c);
modnss_ctx_t *mctx;
/*
* Immediately stop processing if SSL is disabled for this connection
*/
if (!(sc && (sc->enabled ||
(sslconn && sslconn->is_proxy))))
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) {
sslconn = nss_init_connection_ctx(c);
}
if (sslconn->disabled) {
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
#if AP_SERVER_MINORVERSION_NUMBER <= 2
c->remote_ip ? c->remote_ip : "unknown");
#else
c->client_ip ? c->client_ip : "unknown");
#endif
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
ssl = nss_io_new_fd();
ssl = SSL_ImportFD(mctx->model, ssl);
if (!(ssl)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"Unable to create a new SSL connection from the SSL "
"context");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
return DECLINED; /* XXX */
}
sslconn->ssl = ssl;
sslconn->client_socket = csd;
nss_io_filter_init(c, ssl);
SSL_ResetHandshake(ssl, mctx->as_server);
/* If we are doing a client connection, set our own bad certificate
* handler and register the nickname we want to use in case client
* authentication is requested.
*/
if (!mctx->as_server) {
if (SSL_BadCertHook(ssl, (SSLBadCertHandler) NSSBadCertHandler, c) != SECSuccess)
{
/* errors are reported in the certificate handler */
return DECLINED;
}
if (mctx->nickname) {
if (SSL_GetClientAuthDataHook(ssl, NSSGetClientAuthData,
(void*)mctx->nickname) != SECSuccess)
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"Unable to register client authentication callback");
return DECLINED;
}
}
}
return APR_SUCCESS;
}
static const char *nss_hook_http_scheme(const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == FALSE) {
return NULL;
}
return "https";
}
static apr_port_t nss_hook_default_port(const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == FALSE) {
return 0;
}
return 443;
}
/*
* the module registration phase
*/
static void nss_register_hooks(apr_pool_t *p)
{
/* nss_hook_ReadReq needs to use the BrowserMatch settings so must
* run after mod_setenvif's post_read_request hook. */
static const char *pre_prr[] = { "mod_setenvif.c", NULL };
nss_io_filter_register(p);
ap_hook_pre_connection(nss_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_config (nss_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
#if AP_SERVER_MINORVERSION_NUMBER < 2 /* See comment in mod_nss.h */
ap_hook_http_method (nss_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
#else
ap_hook_http_scheme (nss_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
#endif
ap_hook_default_port (nss_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (nss_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (nss_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (nss_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST);
ap_hook_fixups (nss_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(nss_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (nss_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request(nss_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
nss_var_register();
/* Always register these mod_nss optional functions */
APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
/* Save the state of any previously registered mod_ssl functions */
othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
/* Always register these local mod_ssl optional functions */
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA nss_module = {
STANDARD20_MODULE_STUFF,
nss_config_perdir_create, /* create per-dir config structures */
nss_config_perdir_merge, /* merge per-dir config structures */
nss_config_server_create, /* create per-server config structures */
nss_config_server_merge, /* merge per-server config structures */
nss_config_cmds, /* table of configuration directives */
nss_register_hooks /* register hooks */
};
mod_nss-1.0.14/mod_nss.h 0000664 0000000 0000000 00000040326 12704231257 0015062 0 ustar 00root root 0000000 0000000 /* Copyright 2001-2004 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef __MOD_NSS_H__
#define __MOD_NSS_H__
/* Apache headers */
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_connection.h"
#include "http_request.h"
#include "http_protocol.h"
#include "mod_ssl.h"
#include "util_script.h"
#include "util_filter.h"
#include "apr.h"
#include "apr_strings.h"
#define APR_WANT_STRFUNC
#include "apr_want.h"
#include "apr_tables.h"
#include "apr_lib.h"
#include "apr_fnmatch.h"
#include "apr_strings.h"
#include "apr_dbm.h"
#include "apr_rmm.h"
#include "apr_shm.h"
#include "apr_global_mutex.h"
#include "apr_optional.h"
#include
#include
#include
#define MOD_NSS_VERSION PACKAGE_VERSION
/* NSPR headers */
#include "nspr.h"
#include
#include
/* NSS header files */
#include
#include
#include
#include
/* Apache ships its autoconf-generated config.h which defines these
* as empty. We want the mod_nss version in our own config.h so
* undefine them to eliminate the build warnings.
*/
#undef PACKAGE_NAME
#undef PACKAGE_VERSION
#undef PACKAGE_STRING
#undef PACKAGE_TARNAME
#undef PACKAGE_URL
#undef PACKAGE_BUGREPORT
#include "config.h"
/* The #ifdef macros are only defined AFTER including the above
* therefore we cannot include these system files at the top :-(
*/
#if APR_HAVE_SYS_TIME_H
#include
#endif
#if APR_HAVE_UNISTD_H
#include /* needed for STDIN_FILENO et.al., at least on FreeBSD */
#endif
/* mod_ssl headers */
#include "nss_expr.h"
/*
* Provide reasonable default for some defines
*/
#ifndef FALSE
#define FALSE (0)
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
#ifndef PTRUE
#define PTRUE ((void *)TRUE)
#endif
#ifndef UNSET
#define UNSET (-1)
#endif
#ifndef NUL
#define NUL '\0'
#endif
/*
* Provide reasonable defines for some types
*/
#ifndef BOOL
#define BOOL unsigned int
#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif
/*
* Provide useful shorthands
*/
#define strEQ(s1,s2) (strcmp(s1,s2) == 0)
#define strNE(s1,s2) (strcmp(s1,s2) != 0)
#define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
#define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
#define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
#define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
#define strIsEmpty(s) (s == NULL || s[0] == NUL)
#define myConnConfig(c) \
(SSLConnRec *)ap_get_module_config(c->conn_config, &nss_module)
#define myCtxConfig(sslconn, sc) (sslconn->is_proxy ? sc->proxy : sc->server)
#define myConnConfigSet(c, val) \
ap_set_module_config(c->conn_config, &nss_module, val)
#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &nss_module)
#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &nss_module)
#define myModConfig(srv) (mySrvConfig((srv)))->mc
/*
* Defaults for the configuration
*/
#ifndef SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT 100
#endif
#ifndef SSL3_SESSION_CACHE_TIMEOUT
#define SSL3_SESSION_CACHE_TIMEOUT 86400
#endif
#ifndef SSL_SESSION_CACHE_SIZE
#define SSL_SESSION_CACHE_SIZE 10000
#endif
/* Default setting for per-dir reneg buffer. */
#ifndef DEFAULT_RENEG_BUFFER_SIZE
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
#endif
/*
* Define the SSL options
*/
#define SSL_OPT_NONE (0)
#define SSL_OPT_RELSET (1<<0)
#define SSL_OPT_STDENVVARS (1<<1)
#define SSL_OPT_COMPATENVVARS (1<<2)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
#define SSL_OPT_FAKEBASICAUTH (1<<4)
#define SSL_OPT_STRICTREQUIRE (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_COMPATENVVAR|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
typedef int nss_opt_t;
/*
* Define the SSL requirement structure
*/
typedef struct {
char *cpExpr;
nss_expr *mpExpr;
} nss_require_t;
/*
* Define the SSL random number generator seeding source. The CONNECT
* method is not currently used.
*/
typedef enum {
SSL_RSCTX_STARTUP = 1,
SSL_RSCTX_CONNECT = 2
} ssl_rsctx_t;
typedef enum {
SSL_RSSRC_BUILTIN = 1,
SSL_RSSRC_FILE = 2,
SSL_RSSRC_EXEC = 3
} ssl_rssrc_t;
typedef struct {
ssl_rsctx_t nCtx;
ssl_rssrc_t nSrc;
char *cpPath;
int nBytes;
} ssl_randseed_t;
/*
* Define the SSL verify levels
*/
typedef enum {
SSL_CVERIFY_UNSET = UNSET,
SSL_CVERIFY_NONE = 0,
SSL_CVERIFY_OPTIONAL = 1,
SSL_CVERIFY_REQUIRE = 2,
SSL_CVERIFY_OPTIONAL_NO_CA = 3
} nss_verify_t;
/*
* Define the SSL pass phrase dialog types
*/
typedef enum {
SSL_PPTYPE_UNSET = UNSET,
SSL_PPTYPE_BUILTIN = 0,
SSL_PPTYPE_FILE = 1,
SSL_PPTYPE_DEFER = 2,
SSL_PPTYPE_FILTER = 3,
} nss_pphrase_t;
/*
* Define the mod_ssl per-module configuration structure
* (i.e. the global configuration for each httpd process)
*/
typedef struct {
PRFileDesc *ssl;
const char *client_dn;
CERTCertificate *client_cert;
int is_proxy;
int disabled;
int non_nss_request;
apr_socket_t * client_socket;
} SSLConnRec;
typedef struct {
pid_t pid;
int nInitCount;
apr_pool_t *pPool;
apr_pool_t *ptemp; /* pointer to ptemp passed in during init */
const char *pCertificateDatabase;
const char *pDBPrefix;
/* config for SSL session cache */
int session_cache_size;
int session_cache_timeout;
int ssl3_session_cache_timeout;
/* config for handling encrypted keys */
nss_pphrase_t pphrase_dialog_type;
const char *pphrase_dialog_path;
const char *pphrase_dialog_helper;
BOOL skip_permission_check;
apr_proc_t proc;
apr_procattr_t *procattr;
apr_array_header_t *aRandSeed;
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
int semid;
const char *user;
} SSLModConfigRec;
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
/* stuff related to authentication that can also be per-dir */
typedef struct {
const char *cipher_suite;
const char *protocols;
/* for client or downstream server authentication */
nss_verify_t verify_mode;
} modnss_auth_ctx_t;
typedef struct {
SSLSrvConfigRec *sc; /* pointer back to server config */
char *cipherSuite;
int as_server;
int ssl3;
int tls;
int tlsrollback;
int enforce;
#ifdef SSL_ENABLE_RENEGOTIATION
int enablerenegotiation;
int requiresafenegotiation;
#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
#endif
CERTCertificate *servercert;
SECKEYPrivateKey *serverkey;
SSLKEAType serverKEAType;
#ifdef NSS_ENABLE_ECC
CERTCertificate *eccservercert;
SECKEYPrivateKey *eccserverkey;
SSLKEAType eccserverKEAType;
#endif
PRFileDesc *model; /* used to model an SSL socket */
modnss_auth_ctx_t auth;
} modnss_ctx_t;
struct SSLSrvConfigRec {
SSLModConfigRec *mc;
BOOL fips;
BOOL ocsp_default;
const char *ocsp_url;
const char *ocsp_name;
BOOL ocsp;
BOOL enabled;
BOOL sni;
BOOL strict_sni_vhost_check;
BOOL proxy_enabled;
const char *vhost_id;
int vhost_id_len;
modnss_ctx_t *server;
modnss_ctx_t *proxy;
BOOL proxy_ssl_check_peer_cn;
BOOL session_tickets;
};
/*
* Define the mod_ssl per-directory configuration structure
* (i.e. the local configuration for all
* and .htaccess contexts)
*/
typedef struct {
BOOL bSSLRequired;
apr_array_header_t *aRequirement;
int nOptions;
int nOptionsAdd;
int nOptionsDel;
const char *szCipherSuite;
nss_verify_t nVerifyClient;
const char *szUserName;
apr_size_t nRenegBufferSize;
} SSLDirConfigRec;
/*
* for cipher definitions see nss_engine_cipher.h
*/
/* pool and hash to store ServerName and NSSNickname pairs for SNI */
apr_pool_t *mp;
apr_hash_t *ht;
/* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of
* the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it
* is the last version without this define. This is used for more than just
* the below defines. It also determines which API is used.
*/
#ifndef AP_SERVER_MAJORVERSION_NUMBER
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 0
#define AP_SERVER_PATCHLEVEL_NUMBER 55
#endif
#if AP_SERVER_MINORVERSION_NUMBER < 2
typedef struct regex_t ap_regex_t;
#define AP_REG_EXTENDED REG_EXTENDED
#define AP_REG_NOSUB REG_NOSUB
#define AP_REG_ICASE REG_ICASE
#endif
/*
* function prototypes
*/
/* API glue structures */
extern module AP_MODULE_DECLARE_DATA nss_module;
/* configuration handling */
SSLModConfigRec *nss_config_global_create(server_rec *);
void *nss_config_perdir_create(apr_pool_t *p, char *dir);
void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv);
void *nss_config_server_create(apr_pool_t *p, server_rec *s);
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
const char *nss_cmd_NSSSNI(cmd_parms *, void *, int);
const char *nss_cmd_NSSStrictSNIVHostCheck(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#ifdef SSL_ENABLE_RENEGOTIATION
const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *, void *, int);
const char *nss_cmd_NSSSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSession3CacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *nss_cmd_NSSSkipPermissionCheck(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSSessionTickets(cmd_parms *cmd, void *dcfg, int flag);
#ifdef ENABLE_SERVER_DHE
const char *nss_cmd_NSSServerDHE(cmd_parms *cmd, void *dcfg, int flag);
#endif
const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
/* int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); */
/* Apache API hooks */
int nss_hook_UserCheck(request_rec *r);
int nss_hook_Fixup(request_rec *r);
int nss_hook_Access(request_rec *r);
int nss_hook_Auth(request_rec *r);
int nss_hook_ReadReq(request_rec *r);
/* Variables */
void nss_var_register(void);
char *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
void nss_var_log_config_register(apr_pool_t *p);
APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
/* An optional function which returns non-zero if the given connection
* is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
/* Proxy Support */
int nss_proxy_enable(conn_rec *c);
int nss_engine_disable(conn_rec *c);
APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
/* I/O */
PRFileDesc * nss_io_new_fd();
int nss_io_layer_init();
void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl);
void nss_io_filter_register(apr_pool_t *p);
/* Utility Functions */
char *nss_util_vhostid(apr_pool_t *, server_rec *);
apr_file_t *nss_util_ppopen(server_rec *, apr_pool_t *, const char *,
const char * const *);
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
char *searchHashVhostbyNick(char *vhost_id);
char *searchHashVhostbyNick_match(char *vhost_id);
void addHashVhostNick(char *vhost_id, char *nickname);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen);
int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix);
/* Pass Phrase Handling */
SECStatus nss_Init_Tokens(server_rec *s);
/* Logging */
#if AP_SERVER_MINORVERSION_NUMBER <= 2
void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
#else
void nss_log_nss_error(const char *file, int line, int module_index, int level, server_rec *s);
#endif
void nss_die(void);
/* NSS callback */
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/* Extract SAN extensions */
void modnss_var_extract_san_entries(apr_table_t *t, PRFileDesc *ssl, apr_pool_t *p);
void SECItem_StripTag(SECItem * item);
const char * SECItem_to_ascii(apr_pool_t *p, SECItem *item);
const char * SECItem_to_hex(apr_pool_t *p,const SECItem * item);
const char * SECItem_to_ipaddr(apr_pool_t *p, SECItem *item);
const char * SECItem_get_oid(apr_pool_t *p, SECItem *oid);
#endif /* __MOD_NSS_H__ */
mod_nss-1.0.14/mod_nss.spec 0000664 0000000 0000000 00000005362 12704231257 0015566 0 ustar 00root root 0000000 0000000 # BEGIN COPYRIGHT BLOCK
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
# END COPYRIGHT BLOCK
%define product fedora
%define _build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.%{flavor}.rpm
Summary: mod_nss
Name: mod_nss
Version: 1.0
Release: 1.%{platform}
License: Apache 2.0
Group: System Environment/Daemons
URL: http://directory.fedora.redhat.com/
Source: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildPreReq: httpd-devel,apr-devel
# Without Autoreq: 0, rpmbuild finds all sorts of crazy
# dependencies that we don't care about, and refuses to install
Autoreq: 0
# Don't automatically generate provides list
AutoProv: 0
# Without Requires: something, rpmbuild will abort!
Requires: httpd,apr
Provides: mod_nss
Prefix: /opt/%{product}-ds/bin/admin
%description
An Apache 2.0 module for implementing crypto using the Mozilla NSS crypto libraries. This supports SSLv3/TLSv1 including support for client certificate authentication. NSS provides web applications with a FIPS 140 certified crypto provider and support for a full range of PKCS11 devices.
%prep
%setup -q
%build
%ifarch x86_64 ppc64 ia64 s390x
mycflags=-m64
%endif
if [ %{flavor} = 'dbg' ]; then
flag=-g
else
flag=-O2
fi
# configure requires nspr, nss, ldapsdk, adminutil
# if can't find apxs, use --with-apxs=/path/to/apxs
./configure --with-apr-config --with-nspr-inc=%{nsprincdir} --with-nspr-lib=%{nsprlibdir} --with-nss-inc=%{nssincdir} --with-nss-lib=%{nsslibdir}
CFLAGS="$flag $mycflags" make
%install
# we don't really want to install this in the system Apache modules dir
%{__mkdir_p} $RPM_BUILD_ROOT/%{prefix}/lib
%{__mkdir_p} $RPM_BUILD_ROOT/%{prefix}/admin/bin
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{prefix}/lib
install -m 755 nss_pcache $RPM_BUILD_ROOT%{prefix}/admin/bin
%clean
rm -rf $RPM_BUILD_ROOT/$RPM_INSTALL_PREFIX
%files
# rather than listing individual files, we just package (and own)
# the entire ldapserver directory - if we change this to put
# files in different places, we won't be able to do this anymore
%defattr(-,root,root,-)
%{prefix}/lib/libmodnss.so
%{prefix}/admin/bin/nss_pcache
%changelog
* Thu Nov 3 2005 Richard Megginson - 1.0
- Initial version
mod_nss-1.0.14/modules.mk 0000664 0000000 0000000 00000001027 12704231257 0015243 0 ustar 00root root 0000000 0000000 mod_nss.la: mod_nss.lo nss_engine_config.lo nss_engine_init.lo nss_engine_io.lo nss_engine_kernel.lo nss_engine_log.lo nss_engine_pphrase.lo nss_engine_vars.lo nss_expr.lo nss_expr_eval.lo nss_expr_parse.lo nss_expr_scan.lo nss_util.lo
$(MOD_LINK) mod_nss.lo nss_engine_config.lo nss_engine_init.lo nss_engine_io.lo nss_engine_kernel.lo nss_engine_log.lo nss_engine_pphrase.lo nss_engine_vars.lo nss_expr.lo nss_expr_eval.lo nss_expr_parse.lo nss_expr_scan.lo nss_util.lo
DISTCLEAN_TARGETS = modules.mk
static = mod_nss.la
shared =
mod_nss-1.0.14/nss.conf.in 0000664 0000000 0000000 00000020365 12704231257 0015327 0 ustar 00root root 0000000 0000000 #
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin. It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog builtin
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
NSSPassPhraseHelper /usr/libexec/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.
NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
##
## SSL Virtual Host Context
##
# General setup for the virtual host
#DocumentRoot "@apache_prefix@/htdocs"
#ServerName www.example.com:443
#ServerAdmin you@example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
# LogLevel is not inherited from httpd.conf.
#ErrorLog @apache_prefix@/logs/error_log
#TransferLog @apache_prefix@/logs/access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase @apache_conf@
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
NSSOptions +StdEnvVars
NSSOptions +StdEnvVars
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
mod_nss-1.0.14/nss_engine_cipher.c 0000664 0000000 0000000 00000064644 12704231257 0017106 0 ustar 00root root 0000000 0000000 /* Copyright 2001-2004 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mod_nss.h"
#include "nss_engine_cipher.h"
#include
#include
#include
#include
#include
/* Cipher actions */
#define PERMANENTLY_DISABLE_CIPHER -1 /* !CIPHER */
#define SUBTRACT_CIPHER 0 /* -CIPHER */
#define ENABLE_CIPHER 1 /* CIPHER */
#define REORDER_CIPHER 2 /* +CIPHER */
/* ciphernum is defined in nss_engine_cipher.h */
cipher_properties ciphers_def[] =
{
{"rsa_null_md5", TLS_RSA_WITH_NULL_MD5, "NULL-MD5", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSLV3, SSL_STRONG_NONE, 0, 0},
{"rsa_null_sha", TLS_RSA_WITH_NULL_SHA, "NULL-SHA", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSLV3, SSL_STRONG_NONE, 0, 0},
{"rsa_rc4_40_md5", TLS_RSA_EXPORT_WITH_RC4_40_MD5, "EXP-RC4-MD5", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSLV3, SSL_EXPORT40, 40, 128},
{"rsa_rc4_128_md5", TLS_RSA_WITH_RC4_128_MD5, "RC4-MD5", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSLV3, SSL_MEDIUM, 128, 128},
{"rsa_rc4_128_sha", TLS_RSA_WITH_RC4_128_SHA, "RC4-SHA", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSLV3, SSL_MEDIUM, 128, 128},
{"rsa_rc2_40_md5", TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, "EXP-RC2-CBC-MD5", SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSLV3, SSL_EXPORT40, 40, 128},
/* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA not implemented 0x0008 */
{"rsa_des_sha", TLS_RSA_WITH_DES_CBC_SHA, "DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56},
{"rsa_3des_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA, "DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 168, 168},
#ifdef ENABLE_SERVER_DHE
{"dhe_rsa_des_sha", TLS_DHE_RSA_WITH_DES_CBC_SHA, "EDH-RSA-DES-CBC-SHA", SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56},
#endif
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, "AES128-SHA", SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, "AES256-SHA", SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"null_sha_256", TLS_RSA_WITH_NULL_SHA256, "NULL-SHA256", SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLSV1_2, SSL_STRONG_NONE, 0, 0},
{"aes_128_sha_256", TLS_RSA_WITH_AES_128_CBC_SHA256, "AES128-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
{"aes_256_sha_256", TLS_RSA_WITH_AES_256_CBC_SHA256, "AES256-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLSV1_2, SSL_HIGH, 256, 256},
{"camelia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "CAMELLIA128-SHA", SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, "EXP1024-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 56},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, "EXP1024-RC4-SHA", SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_EXPORT56, 56, 128},
{"camelia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "CAMELLIA256-SHA", SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
#ifdef ENABLE_GCM
{"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256, "AES128-GCM-SHA256", SSL_kRSA|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
#endif
#ifdef ENABLE_SHA384
{"rsa_aes_256_gcm_sha_384", TLS_RSA_WITH_AES_256_GCM_SHA384, "AES256-GCM-SHA384", SSL_kRSA|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
#endif
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_HIGH, 112, 168},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56},
#ifdef ENABLE_SERVER_DHE
{"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "DHE-RSA-CAMELLIA256-SHA", SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"dhe_rsa_aes_128_sha256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "DHE-RSA-AES128-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
{"dhe_rsa_aes_256_sha256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "DHE-RSA-AES256-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLSV1_2, SSL_HIGH, 256, 256},
#ifdef ENABLE_GCM
{"dhe_rsa_aes_128_gcm_sha_256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "DHE-RSA-AES128-GCM-SHA256", SSL_kEDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
#endif
#ifdef ENABLE_SHA384
{"dhe_rsa_aes_256_gcm_sha_384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "DHE-RSA-AES256-GCM-SHA384", SSL_kEDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
#endif
#endif /* ENABLE_SERVER_DHE */
#ifdef NSS_ENABLE_ECC
{"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0},
{"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128},
{"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, "ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0},
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128},
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "ECDHE-ECDSA-AES128-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0},
{"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128},
{"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0},
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, "ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "ECDHE-RSA-AES128-SHA", SSL_kEECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "ECDHE-RSA-AES256-SHA", SSL_kEECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, "AECDH-NULL-SHA", SSL_kEECDH|SSL_aNULL|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0},
{"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, "AECDH-RC4-SHA", SSL_kEECDH|SSL_aNULL|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128},
{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, "AECDH-DES-CBC3-SHA", SSL_kEECDH|SSL_aNULL|SSL_3DES|SSL_SHA1, TLSV1, SSL_HIGH, 112, 168},
{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, "AECDH-AES128-SHA", SSL_kEECDH|SSL_aNULL|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128},
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, "AECDH-AES256-SHA", SSL_kEECDH|SSL_aNULL|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256},
{"ecdhe_ecdsa_aes_128_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "ECDHE-ECDSA-AES128-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
{"ecdhe_rsa_aes_128_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "ECDHE-RSA-AES128-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLSV1_2, SSL_HIGH, 128, 128},
#ifdef ENABLE_GCM
{"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-ECDSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aECDSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
#endif
#ifdef ENABLE_SHA384
{"ecdhe_ecdsa_aes_256_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "ECDHE-ECDSA-AES256-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256},
{"ecdhe_rsa_aes_256_sha_384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "ECDHE-RSA-AES256-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256|SSL_SHA384, TLSV1_2, SSL_HIGH, 256, 256},
{"ecdhe_ecdsa_aes_256_gcm_sha_384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-ECDSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aECDSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
{"ecdhe_rsa_aes_256_gcm_sha_384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "ECDHE-RSA-AES256-GCM-SHA384", SSL_kEECDH|SSL_aRSA|SSL_AES256GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 256, 256},
#endif
#ifdef ENABLE_GCM
{"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "ECDHE-RSA-AES128-GCM-SHA256", SSL_kEECDH|SSL_aRSA|SSL_AES128GCM|SSL_AEAD, TLSV1_2, SSL_HIGH, 128, 128},
#endif
/* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 is not implemented */
/* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 is not implemented */
/* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 is not implemented */
/* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 is not implemented */
#endif
};
#define CIPHERNUM sizeof(ciphers_def) / sizeof(cipher_properties)
int ciphernum = CIPHERNUM;
/* Some ciphers are optionally enabled in OpenSSL. For safety sake assume
* they are not available.
*/
static int skip_ciphers = 4;
static int ciphers_not_in_openssl[] = {
SSL_RSA_FIPS_WITH_DES_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
};
static int parse_nss_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
int countciphers(PRBool cipher_state[ciphernum], int version) {
int ciphercount = 0;
int i = 0;
for (i = 0; i < ciphernum; i++)
{
if ((cipher_state[i] == PR_TRUE) &&
(ciphers_def[i].version & version)) {
ciphercount++;
}
}
return ciphercount;
}
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum])
{
int rv = 0;
/* If the string has a colon we use the OpenSSL style. If it has a
* comma then NSS. If it has neither we try both. */
if (strchr(ciphers, ':')) {
rv = parse_openssl_ciphers(s, ciphers, cipher_list);
} else if (strchr(ciphers, ',')) {
rv = parse_nss_ciphers(s, ciphers, cipher_list);
} else {
rv = parse_openssl_ciphers(s, ciphers, cipher_list);
if (rv == 0 && 0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2)) {
rv = parse_nss_ciphers(s, ciphers, cipher_list);
}
}
if (0 == countciphers(cipher_list, SSLV3|TLSV1|TLSV1_2)) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"no cipher match");
}
return rv;
}
/* Given a set of ciphers perform a given action on the indexed value.
*
* This is needed because the + action doesn't do anything in the NSS
* context. In OpenSSL it will re-order the cipher list.
*/
static void set_cipher_value(PRBool cipher_list[ciphernum], int index, int action)
{
int i;
if (action == REORDER_CIPHER)
/* NSS doesn't allow ordering so do nothing */
return;
for (i = 0; i < skip_ciphers; i++) {
if (ciphers_def[index].num == ciphers_not_in_openssl[i]) {
cipher_list[index] = PERMANENTLY_DISABLE_CIPHER;
return;
}
}
if (cipher_list[index] != PERMANENTLY_DISABLE_CIPHER)
cipher_list[index] = action;
}
static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum])
{
char * cipher;
int i, action;
PRBool merge = PR_FALSE;
PRBool found = PR_FALSE;
PRBool first = PR_TRUE;
cipher = ciphers;
while (ciphers && (strlen(ciphers)))
{
while ((*cipher) && (isspace(*cipher)))
++cipher;
action = ENABLE_CIPHER; /* default to enable */
switch(*cipher)
{
case '+':
/* Cipher ordering is not supported in NSS */
action = REORDER_CIPHER;
cipher++;
break;
case '-':
action = SUBTRACT_CIPHER;
cipher++;
break;
case '!':
action = PERMANENTLY_DISABLE_CIPHER;
cipher++;
break;
default:
/* Add the cipher */
break;
}
if ((ciphers = strchr(cipher, ':'))) {
*ciphers++ = '\0';
merge = PR_FALSE;
found = PR_FALSE;
}
if (!strcmp(cipher, "ALL")) {
found = PR_TRUE;
for (i=0; i