rpms/mod_nss/devel mod_nss-reverseproxy.patch, NONE, 1.1 mod_nss.spec, 1.18, 1.19

rcritten rcritten at fedoraproject.org
Thu May 13 15:56:03 UTC 2010


Author: rcritten

Update of /cvs/extras/rpms/mod_nss/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv10462

Modified Files:
	mod_nss.spec 
Added Files:
	mod_nss-reverseproxy.patch 
Log Message:
Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)


mod_nss-reverseproxy.patch:
 docs/mod_nss.html   |   57 +++++++++++++++++-----------------------------------
 mod_nss.c           |   25 +++++++++++++++-------
 mod_nss.h           |    2 +
 nss_engine_config.c |   11 ++++++++++
 4 files changed, 49 insertions(+), 46 deletions(-)

--- NEW FILE mod_nss-reverseproxy.patch ---
mod_proxy now sets the requested remote host name. Use this to compare
to the CN value of the peer certificate and reject the request if they 
do not match (and we have NSSProxyCheckPeerCN set to on).

diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html	2006-09-05 10:58:56.000000000 -0400
+++ mod_nss-1.0.8/docs/mod_nss.html	2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
 <br>
 <span style="font-weight: bold;">Example</span><br>
 <br>
-<code>NSSProxyNickname beta</code><br>
+<code>NSSProxyNickname beta<br>
+<br>
+</code><big><big>NSSProxyCheckPeerCN</big></big><br>
+<br>
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.<br>
+<br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
+on<br>
+</code><br>
 <h1><a name="Environment"></a>Environment Variables</h1>
 Quite a few environment variables (for CGI and SSI) may be set
 depending on the NSSOptions configuration. It can be expensive to set
@@ -1435,42 +1449,9 @@
 <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
 Q. Does mod_nss support mod_proxy?<br>
 <br>
-A. In order to use the mod_nss proxy support you will need to build
-your own mod_proxy by applying a patch found in bug <a
- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
-The patch is needed so we can compare the hostname contained in the
-remote certificate with the hostname you meant to visit. This prevents
-man-in-the-middle attacks.<br>
-<br>
-You also have to change the SSL functions that mod_proxy looks to use.
-You'll need to apply this patch:<br>
-<br>
-<code>1038,1039c1038,1039<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
----<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
-1041,1042c1041,1042<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&lt; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;<br>
----<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;<br>
-&gt; static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;<br>
-1069,1070c1069,1070<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
----<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
-</code><br>
+A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+provides a single interface for SSL providers and mod_nss defers to
+mod_ssl
+if it is loaded.
 </body>
 </html>
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
--- mod_nss-1.0.8.orig/mod_nss.c	2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.c	2010-05-13 11:25:42.000000000 -0400
@@ -142,6 +142,8 @@
     SSL_CMD_SRV(ProxyNickname, TAKE1,
                "SSL Proxy: client certificate Nickname to be for proxy connections "
                "(`nickname')")
+    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+                "SSL Proxy: check the peers certificate CN")
 
 #ifdef IGNORE
     /* Deprecated directives. */
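Review bot: The help string for the new `ProxyCheckPeerCN` directive reads `check the peers certificate CN`, which should be `peer's`, and it does not say that the check is on by default (nss_engine_config.c initialises `proxy_ssl_check_peer_cn` to `TRUE`); `"SSL Proxy: check that the peer certificate CN matches the requested hostname (default on)"` would say both. The documentation hunk for docs/mod_nss.html spells the directive `NSSProcyCheckPeerCN` in its example, which does not match the name registered here, so a user copying the example gets a configuration error rather than the check.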
@@ -238,23 +240,30 @@
 SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
 {
     conn_rec *c = (conn_rec *)arg;
+    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     PRErrorCode err = PR_GetError();
     SECStatus rv = SECFailure;
     CERTCertificate *peerCert = SSL_PeerCertificate(socket);
+    const char *hostname_note;
                                                                                 
     switch (err) {
         case SSL_ERROR_BAD_CERT_DOMAIN:
-            if (c->remote_host != NULL) {
-                rv = CERT_VerifyCertName(peerCert, c->remote_host);
-                if (rv != SECSuccess) {
-                    char *remote = CERT_GetCommonName(&peerCert->subject);
+            if (sc->proxy_ssl_check_peer_cn == TRUE) {
+                if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
+                    apr_table_unset(c->notes, "proxy-request-hostname");
+                    rv = CERT_VerifyCertName(peerCert, hostname_note);
+                    if (rv != SECSuccess) {
+                        char *remote = CERT_GetCommonName(&peerCert->subject);
+                        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                            "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
+                        PORT_Free(remote);
+                    }
+                } else {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                        "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
-                    PORT_Free(remote);
+                        "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
                 }
             } else {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-                    "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
+                rv = SECSuccess;
             }
             break;
         default:
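Review bot: When `sc->proxy_ssl_check_peer_cn` is off, the `else` branch at the bottom of the hunk sets `rv = SECSuccess` for `SSL_ERROR_BAD_CERT_DOMAIN` without logging anything, so an operator who turned the check off has no record that a name mismatch was accepted; a line such as `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, c->base_server, "SSL Proxy: NSSProxyCheckPeerCN is off, accepting peer certificate whose name does not match the requested host");` before `rv = SECSuccess;` would keep that visible. The re-added mismatch message still says `The remove server is %s` where `remote` is meant, and now that `c->base_server` is in hand the `NULL` server argument to the three `ap_log_error` calls could be replaced with it so the messages reach the right virtual host's log. `peerCert` from `SSL_PeerCertificate` is used by `CERT_VerifyCertName` and dereferenced in `&peerCert->subject` without a NULL check; that predates this patch, but the rewritten branch is the natural place for a `peerCert == NULL` guard that leaves `rv` as `SECFailure`. `hostname_note` is still used after `apr_table_unset`; that is fine only because table values live in the connection pool, and a short comment saying so would save the next reader a check. NSSBadCertHandler continues past the end of the hunk.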
diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
--- mod_nss-1.0.8.orig/mod_nss.h	2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/mod_nss.h	2010-05-13 11:25:42.000000000 -0400
@@ -306,6 +306,7 @@
     int              vhost_id_len;
     modnss_ctx_t    *server;
     modnss_ctx_t    *proxy;
+    BOOL             proxy_ssl_check_peer_cn;
 };
 
 /*
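Review bot: The new `proxy_ssl_check_peer_cn` field carries no comment, unlike a reader would expect for a setting that decides whether a peer-certificate name mismatch is fatal; `/* NSSProxyCheckPeerCN: reject a proxied peer cert whose CN does not match the requested host (default TRUE) */` on the added line would tie the field to the directive and to NSSBadCertHandler, where it is consulted. The enclosing struct begins outside the hunk.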
@@ -410,6 +411,7 @@
 const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
 
 /*  module initialization  */
 int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
--- mod_nss-1.0.8.orig/nss_engine_config.c	2010-05-13 11:24:49.000000000 -0400
+++ mod_nss-1.0.8/nss_engine_config.c	2010-05-13 11:25:42.000000000 -0400
@@ -140,6 +140,7 @@
     sc->vhost_id_len                = 0;     /* set during module init */
     sc->proxy                       = NULL;
     sc->server                      = NULL;
+    sc->proxy_ssl_check_peer_cn     = TRUE;
 
     modnss_ctx_init_proxy(sc, p);
 
@@ -214,6 +215,7 @@
     cfgMergeBool(fips);
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
+    cfgMergeBool(proxy_ssl_check_peer_cn);
 
     modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -544,6 +546,15 @@
     return NULL;
 }
 
+const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
                                          void *dcfg,
                                          int flag)
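Review bot: nss_cmd_NSSProxyCheckPeerCN has no comment describing what the flag controls or that it is a per-server (not per-directory) setting, even though `dcfg` is accepted and ignored; a header comment such as `/* NSSProxyCheckPeerCN on|off: server-level switch for comparing the proxied peer certificate's CN with the requested hostname; see NSSBadCertHandler */` would document that. The handler otherwise mirrors the other FLAG commands and needs no code change.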


Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/devel/mod_nss.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -p -r1.18 -r1.19
--- mod_nss.spec	18 Mar 2010 21:10:12 -0000	1.18
+++ mod_nss.spec	13 May 2010 15:56:02 -0000	1.19
@@ -1,6 +1,6 @@
 Name: mod_nss
 Version: 1.0.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: ASL 2.0
@@ -19,6 +19,7 @@ Patch2: mod_nss-gencert.patch
 Patch3: mod_nss-wouldblock.patch
 # Add options for tuning client negotiate in NSS
 Patch4: mod_nss-negotiate.patch
+Patch5: mod_nss-reverseproxy.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -32,6 +33,7 @@ security library.
 %patch2 -p1 -b .gencert
 %patch3 -p1 -b .wouldblock
 %patch4 -p1 -b .negotiate
+%patch5 -p1 -b .reverseproxy
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -116,6 +118,9 @@ fi
 %{_sbindir}/gencert
 
 %changelog
+* Thu May 13 2010 Rob Crittenden <rcritten at redhat.com> - 1.0.8-5
+- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
+
 * Thu Mar 18 2010 Rob Crittenden <rcritten at redhat.com> - 1.0.8-4
 - Patch to add configuration options for new NSS negotiation API (#574187)
 - Add (pre) for Requires on httpd so we can be sure the user and group are


