[389-commits] mod_nss mod_nss.c, 1.17, 1.18 mod_nss.h, 1.20, 1.21 nss_engine_config.c, 1.15, 1.16 nss_engine_init.c, 1.34, 1.35
rcritten
rcritten at fedoraproject.org
Tue Mar 2 20:12:08 UTC 2010
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13310
Modified Files:
mod_nss.c mod_nss.h nss_engine_config.c nss_engine_init.c
Log Message:
Add controls for managing SSL renegotiation
NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert based on some early work by Rob
Crittenden.
Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- mod_nss.c 18 Oct 2007 18:26:21 -0000 1.17
+++ mod_nss.c 2 Mar 2010 20:12:04 -0000 1.18
@@ -97,6 +97,14 @@
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- mod_nss.h 9 May 2008 14:17:38 -0000 1.20
+++ mod_nss.h 2 Mar 2010 20:12:04 -0000 1.21
@@ -269,6 +269,10 @@
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- nss_engine_config.c 7 Jun 2007 14:58:09 -0000 1.15
+++ nss_engine_config.c 2 Mar 2010 20:12:05 -0000 1.16
@@ -78,6 +78,10 @@
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- nss_engine_init.c 16 Jul 2008 15:15:39 -0000 1.34
+++ nss_engine_init.c 2 Mar 2010 20:12:05 -0000 1.35
@@ -548,6 +548,24 @@
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
More information about the 389-commits
mailing list