Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13379
Modified Files:
mod_nss.h nss_engine_init.c
Log Message:
Only call PK11_ListCerts once and pass it when configuring each
virtual server. This saves considerable time when there are a lot
of certificates and/or virtual servers.
Change enforce so that we only check the validity of the certificate
if enforcecerts is enabled (the default).
Patch contributed by Wolter Eldering <wolter.eldering(a)vanad.com.cn>
bug 635324
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- mod_nss.h 13 May 2010 15:21:25 -0000 1.22
+++ mod_nss.h 22 Sep 2010 21:19:24 -0000 1.23
@@ -416,7 +416,7 @@
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- nss_engine_init.c 2 Mar 2010 20:12:05 -0000 1.35
+++ nss_engine_init.c 22 Sep 2010 21:19:24 -0000 1.36
@@ -26,7 +26,7 @@
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
@@ -485,6 +485,8 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
@@ -496,7 +498,11 @@
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ }
+
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
}
@@ -898,7 +904,8 @@
SECKEYPrivateKey **serverkey,
SSLKEAType *KEAtype,
PRFileDesc *model,
- int enforce)
+ int enforce,
+ const CERTCertList* clist)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
@@ -912,17 +919,15 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Using nickname %s.", nickname);
- *servercert = FindServerCertFromNickname(nickname);
+ *servercert = FindServerCertFromNickname(nickname, clist);
/* Verify the certificate chain. */
if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", nickname);
+ if (enforce) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
@@ -1012,7 +1017,8 @@
static void nss_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+ modnss_ctx_t *mctx,
+ const CERTCertList* clist)
{
SECStatus secstatus;
@@ -1033,11 +1039,11 @@
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
&mctx->serverkey, &mctx->serverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#ifdef NSS_ENABLE_ECC
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
&mctx->eccserverkey, &mctx->eccserverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#endif
}
@@ -1061,23 +1067,25 @@
static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
}
static void nss_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
}
/*
@@ -1086,18 +1094,19 @@
void nss_init_ConfigureServer(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
if (sc->enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol");
- nss_init_server_ctx(s, p, ptemp, sc);
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
}
if (sc->proxy_enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Enabling proxy.");
- nss_init_proxy_ctx(s, p, ptemp, sc);
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
}
}
@@ -1149,10 +1158,14 @@
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
/*
@@ -1341,9 +1354,8 @@
* newest, valid server certificate.
*/
static CERTCertificate*
-FindServerCertFromNickname(const char* name)
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
{
- CERTCertList* clist;
CERTCertificate* bestcert = NULL;
CERTCertListNode *cln;
@@ -1353,8 +1365,6 @@
if (name == NULL)
return NULL;
- clist = PK11_ListCerts(PK11CertListUser, NULL);
-
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
cln = CERT_LIST_NEXT(cln)) {
CERTCertificate* cert = cln->cert;
@@ -1419,9 +1429,6 @@
if (bestcert) {
bestcert = CERT_DupCertificate(bestcert);
}
- if (clist) {
- CERT_DestroyCertList(clist);
- }
return bestcert;
}