rpms/mod_nss/F-11 mod_nss-negotiate.patch, NONE, 1.1 mod_nss.spec, 1.16, 1.17
rcritten
rcritten at fedoraproject.org
Fri Mar 19 15:59:55 UTC 2010
Author: rcritten
Update of /cvs/extras/rpms/mod_nss/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv8435
Modified Files:
mod_nss.spec
Added Files:
mod_nss-negotiate.patch
Log Message:
- Patch to add configuration options for new NSS negotiation API (#574187)
- Add (pre) for Requires on httpd so we can be sure the user and group are
already available
- Add file Requires on libnssckbi.so so symlink can't fail
- Use _sysconfdir macro instead of /etc
- Set minimum level of NSS to 3.12.6
- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
mod_nss-negotiate.patch:
mod_nss.c | 8 ++++++++
mod_nss.h | 8 ++++++++
nss.conf.in | 11 +++++++++++
nss_engine_config.c | 28 ++++++++++++++++++++++++++++
nss_engine_init.c | 18 ++++++++++++++++++
nss_engine_log.c | 16 ++++++++++++++--
6 files changed, 87 insertions(+), 2 deletions(-)
--- NEW FILE mod_nss-negotiate.patch ---
diff -up ./mod_nss.c.norego ./mod_nss.c
--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
diff -up ./mod_nss.h.norego ./mod_nss.h
--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
@@ -269,6 +269,10 @@ typedef struct {
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
+++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
diff -up ./nss.conf.in.norego ./nss.conf.in
--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
+++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
@@ -64,6 +64,17 @@
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes. Default: off
+NSSRequireSafeNegotiation off
+
##
## SSL Virtual Host Context
##
diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
+++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
@@ -27,7 +27,7 @@
#define LIBSEC_ERROR_BASE (-8192)
#define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
#define LIBSSL_ERROR_BASE (-12288)
-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
typedef struct l_error_t {
int errorNumber;
@@ -296,7 +296,19 @@
{ 99, "Server requires ciphers more secure than those supported by client" },
{ 100, "Peer reports it experienced an internal error" },
{ 101, "Peer user canceled handshake" },
- { 102, "Peer does not permit renegotiation of SSL security parameters" }
+ { 102, "Peer does not permit renegotiation of SSL security parameters" },
+ { 103, "Server cache not configured" },
+ { 104, "Unsupported extension" },
+ { 105, "Certificate unobtainable" },
+ { 106, "Unrecognized name" },
+ { 107, "Bad certificate status" },
+ { 108, "Bad certificate hash value" },
+ { 109, "Unexpected new session ticket" },
+ { 110, "Malformed new session ticket" },
+ { 111, "Decompression failure" },
+ { 112, "Renegotiation not allowed" },
+ { 113, "Safe negotiation required but not provided by client" },
+ { 114, "Unexpected uncompressed record" },
};
void nss_die(void)
Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-11/mod_nss.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- mod_nss.spec 5 Mar 2009 15:22:20 -0000 1.16
+++ mod_nss.spec 19 Mar 2010 15:59:54 -0000 1.17
@@ -1,19 +1,24 @@
Name: mod_nss
Version: 1.0.8
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: ASL 2.0
URL: http://directory.fedoraproject.org/wiki/Mod_nss
Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.11.3
-BuildRequires: httpd-devel >= 0:2.0.52, apr-devel, apr-util-devel
+BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
+BuildRequires: httpd-devel, apr-devel, apr-util-devel
BuildRequires: pkgconfig
-Requires: httpd >= 0:2.0.52
+Requires(pre): httpd
+Requires: nss >= 3.12.6
+# Add a files Requires on this in case the nss package moves it again
+Requires: %{_libdir}/libnssckbi.so
Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
+# Add options for tuning client negotiate in NSS
+Patch4: mod_nss-negotiate.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
@@ -26,6 +31,7 @@ security library.
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
+%patch4 -p1 -b .negotiate
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@@ -68,7 +74,7 @@ install -m 644 nss.conf $RPM_BUILD_ROOT%
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
-ln -s ../../../%{_lib}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
@@ -91,8 +97,8 @@ if [ "$1" -eq 1 ] ; then
fi
# Make sure that the database ownership is setup properly.
- /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
- /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%files
@@ -110,6 +116,15 @@ fi
%{_sbindir}/gencert
%changelog
+* Thu Mar 18 2010 Rob Crittenden <rcritten at redhat.com> - 1.0.8-2
+- Patch to add configuration options for new NSS negotiation API (#574187)
+- Add (pre) for Requires on httpd so we can be sure the user and group are
+ already available
+- Add file Requires on libnssckbi.so so symlink can't fail
+- Use _sysconfdir macro instead of /etc
+- Set minimum level of NSS to 3.12.6
+- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
+
* Mon Mar 2 2009 Rob Crittenden <rcritten at redhat.com> - 1.0.8-1
- Update to 1.0.8
- Add patch that fixes NSPR layer bug
More information about the scm-commits
mailing list