[mod_nss/f18] Resolves: Bugzilla Bug #961471, 767802, 1022717, 1017675, 1022722, 1022726,

mharmsen mharmsen at fedoraproject.org
Thu Oct 24 21:03:15 UTC 2013


commit a63108874ea992205c355301b1c6e3b36bcb9e83
Author: Matthew Harmsen <mharmsen at redhat.com>
Date:   Thu Oct 24 13:59:28 2013 -0700

    Resolves:  Bugzilla Bug #961471, 767802, 1022717, 1017675, 1022722, 1022726,
                             979798, 979718, 1021469
    
    - Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
    - Add '--enable-ecc' option to '%configure' line under '%build' section of
      this spec file (mharmsen)
    - Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
    - [mod_nss-PK11_ListCerts_2.patch]
    - Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user
      certificates for every server (rcritten)
    - [mod_nss-array_overrun.patch]
    - Bugzilla Bug #1022717 - overrunning array when executing nss_pcache
      (rcritten)
    - [mod_nss-clientauth.patch]
    - Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass
      [fedora-all] (rcritten)
    - [mod_nss-no_shutdown_if_not_init_2.patch]
    - Bugzilla Bug #1022722 - File descriptor leak after "service httpd reload"
      or httpd doesn't reload (rrelyea)
    - [mod_nss-proxyvariables.patch]
    - Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite
      not set. (mharmsen)
    - [mod_nss-tlsv1_1.patch]
    - Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick
      it up (mharmsen)
    - Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1
      (mharmsen)
    - [mod_nss-sslmultiproxy_2.patch]
    - Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with
      other SSL providers (jorton, mharmsen, nkinder, & rcritten)

 mod_nss-PK11_ListCerts_2.patch          |  201 +++++++++
 mod_nss-array_overrun.patch             |   16 +
 mod_nss-clientauth.patch                |   50 ++
 mod_nss-man.patch                       |  229 ++++++++++
 mod_nss-no_shutdown_if_not_init_2.patch |   23 +
 mod_nss-proxyvariables.patch            |   83 ++++
 mod_nss-sslmultiproxy.patch             |  211 +++++++++
 mod_nss-sslmultiproxy_2.patch           |  211 +++++++++
 mod_nss-tlsv1_1.patch                   |  744 +++++++++++++++++++++++++++++++
 mod_nss.spec                            |  137 +++++-
 10 files changed, 1887 insertions(+), 18 deletions(-)
---
diff --git a/mod_nss-PK11_ListCerts_2.patch b/mod_nss-PK11_ListCerts_2.patch
new file mode 100644
index 0000000..0ef492c
--- /dev/null
+++ b/mod_nss-PK11_ListCerts_2.patch
@@ -0,0 +1,201 @@
+diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
+--- ./mod_nss.h   2010-09-08 21:06:49.000000000 +0800
++++ ./mod_nss.h.PK11_ListCerts    2010-09-08 21:06:22.000000000 +0800
+@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
+ /*  module initialization  */
+ int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void nss_init_Child(apr_pool_t *, server_rec *);
+-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
++void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
+ apr_status_t nss_init_ModuleKill(void *data);
+ apr_status_t nss_init_ChildKill(void *data);
+ int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
+diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
+--- ./nss_engine_init.c   2010-09-08 21:07:13.000000000 +0800
++++ ./nss_engine_init.c.PK11_ListCerts    2010-09-09 00:21:59.000000000 +0800
+@@ -26,7 +26,7 @@
+ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
+ static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
+ static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
+-static CERTCertificate* FindServerCertFromNickname(const char* name);
++static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+
+ /*
+@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
+                      "Init: Initializing (virtual) servers for SSL");
+
++        CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
++
+         for (s = base_server; s; s = s->next) {
+             sc = mySrvConfig(s);
+             /*
+@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
+             /*
+              * Read the server certificate and key
+              */
+-            nss_init_ConfigureServer(s, p, ptemp, sc);
++            nss_init_ConfigureServer(s, p, ptemp, sc, clist);
++        }
++
++        if (clist) {
++            CERT_DestroyCertList(clist);
+         }
+     }
+
+@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
+                                  SECKEYPrivateKey **serverkey,
+                                  SSLKEAType *KEAtype,
+                                  PRFileDesc *model,
+-                                 int enforce)
++                                 int enforce,
++                                 const CERTCertList* clist)
+ {
+     SECCertTimeValidity certtimestatus;
+     SECStatus secstatus;
+@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
+     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+          "Using nickname %s.", nickname);
+
+-    *servercert = FindServerCertFromNickname(nickname);
++    *servercert = FindServerCertFromNickname(nickname, clist);
+
+     /* Verify the certificate chain. */
+     if (*servercert != NULL) {
+         SECCertificateUsage usage = certificateUsageSSLServer;
+
+-        if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
+-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "Certificate not verified: '%s'", nickname);
++        if (enforce) {
++            if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
+             nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+-            if (enforce) {
+                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
+                 nss_die();
+@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
+ static void nss_init_server_certs(server_rec *s,
+                                   apr_pool_t *p,
+                                   apr_pool_t *ptemp,
+-                                  modnss_ctx_t *mctx)
++                                  modnss_ctx_t *mctx,
++                                  const CERTCertList* clist)
+ {
+     SECStatus secstatus;
+
+@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
+
+         nss_init_certificate(s, mctx->nickname, &mctx->servercert,
+                              &mctx->serverkey, &mctx->serverKEAType,
+-                             mctx->model, mctx->enforce);
++                             mctx->model, mctx->enforce, clist);
+ #ifdef NSS_ENABLE_ECC
+         nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
+                              &mctx->eccserverkey, &mctx->eccserverKEAType,
+-                             mctx->model, mctx->enforce);
++                             mctx->model, mctx->enforce, clist);
+ #endif
+     }
+
+@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
+ static void nss_init_proxy_ctx(server_rec *s,
+                                 apr_pool_t *p,
+                                 apr_pool_t *ptemp,
+-                                SSLSrvConfigRec *sc)
++                                SSLSrvConfigRec *sc,
++                                const CERTCertList* clist)
+ {
+     nss_init_ctx(s, p, ptemp, sc->proxy);
+
+-    nss_init_server_certs(s, p, ptemp, sc->proxy);
++    nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
+ }
+
+ static void nss_init_server_ctx(server_rec *s,
+                                 apr_pool_t *p,
+                                 apr_pool_t *ptemp,
+-                                SSLSrvConfigRec *sc)
++                                SSLSrvConfigRec *sc,
++                                const CERTCertList* clist)
+ {
+     nss_init_server_check(s, p, ptemp, sc->server);
+
+     nss_init_ctx(s, p, ptemp, sc->server);
+
+-    nss_init_server_certs(s, p, ptemp, sc->server);
++    nss_init_server_certs(s, p, ptemp, sc->server, clist);
+ }
+
+ /*
+@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
+ void nss_init_ConfigureServer(server_rec *s,
+                               apr_pool_t *p,
+                               apr_pool_t *ptemp,
+-                              SSLSrvConfigRec *sc)
++                              SSLSrvConfigRec *sc,
++                              const CERTCertList* clist)
+ {
+     if (sc->enabled == TRUE) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                      "Configuring server for SSL protocol");
+-        nss_init_server_ctx(s, p, ptemp, sc);
++        nss_init_server_ctx(s, p, ptemp, sc, clist);
+     }
+
+     if (sc->proxy_enabled == TRUE) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                      "Enabling proxy.");
+-        nss_init_proxy_ctx(s, p, ptemp, sc);
++        nss_init_proxy_ctx(s, p, ptemp, sc, clist);
+     }
+ }
+
+@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
+     nss_init_SSLLibrary(base_server);
+
+     /* Configure all virtual servers */
++    CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+     for (s = base_server; s; s = s->next) {
+         sc = mySrvConfig(s);
+         if (sc->server->servercert == NULL && NSS_IsInitialized())
+-            nss_init_ConfigureServer(s, p, mc->ptemp, sc);
++            nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
++    }
++    if (clist) {
++        CERT_DestroyCertList(clist);
+     }
+
+     /* 
+@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
+  * newest, valid server certificate.
+  */
+ static CERTCertificate*
+-FindServerCertFromNickname(const char* name)
++FindServerCertFromNickname(const char* name, const CERTCertList* clist)
+ {
+-    CERTCertList* clist;
+     CERTCertificate* bestcert = NULL;
+
+     CERTCertListNode *cln;
+@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
+     if (name == NULL)
+         return NULL;
+
+-    clist = PK11_ListCerts(PK11CertListUser, NULL);
+-
+     for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
+         cln = CERT_LIST_NEXT(cln)) {
+         CERTCertificate* cert = cln->cert;
+@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
+     if (bestcert) {
+         bestcert = CERT_DupCertificate(bestcert);
+     }
+-    if (clist) {
+-        CERT_DestroyCertList(clist);
+-    }
+     return bestcert;
+ }
+
+
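Review bot: FindServerCertFromNickname now walks a caller-supplied list, but `CERT_LIST_HEAD(clist)` at the top of its loop still has no NULL guard, while both new call sites (`if (clist) CERT_DestroyCertList(clist)`) explicitly treat a NULL return from PK11_ListCerts as possible; widening the existing early return to `if (name == NULL || clist == NULL) return NULL;` closes that gap. The rewrite of the validity check in nss_init_certificate also changes what the operator sees: previously a certificate that failed CERT_VerifyCertificateNow was always logged ("Certificate not verified") and only the nss_die() depended on enforce, whereas now the verification is skipped entirely when NSSEnforceValidCerts is off, so an expired or untrusted server certificate would start with no warning in the error log. Keeping the verify call unconditional and gating only the nss_die() on `enforce` would preserve that visibility. nss_init_certificate and FindServerCertFromNickname both continue outside this hunk.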
diff --git a/mod_nss-array_overrun.patch b/mod_nss-array_overrun.patch
new file mode 100644
index 0000000..67d841d
--- /dev/null
+++ b/mod_nss-array_overrun.patch
@@ -0,0 +1,16 @@
+mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
+"child_argv", with 5 elements, at position 5 with index variable "5".
+
+https://bugzilla.redhat.com/show_bug.cgi?id=714154
+diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2011-08-01 13:24:34.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_init.c	2011-08-01 13:25:36.000000000 -0400
+@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
+ 
+     /* Do we need to fire up our password helper? */
+     if (mc->nInitCount == 1) {
+-        const char * child_argv[5];
++        const char * child_argv[6];
+         apr_status_t rv;
+         struct sembuf sb;
+         char sembuf[32];
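Review bot: The new size `child_argv[6]` is a bare constant whose justification — presumably argv[0], the semid, the FIPS flag, the directory, the optional prefix and the terminating NULL, matching the `nss_pcache <semid> <fips on/off> <directory> [prefix]` synopsis elsewhere in this commit — lives in the code that fills the array, which is outside this hunk, so the two can drift apart again. A comment such as `const char * child_argv[6]; /* nss_pcache <semid> <fips> <dir> [prefix] + NULL terminator */` would document the bound at the declaration, and a guard at the fill site in the style of `ap_assert(i < sizeof child_argv / sizeof child_argv[0]);` would catch a future overrun in a debug build rather than relying on a static scanner. nss_init_Module starts and ends outside the hunk.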
diff --git a/mod_nss-clientauth.patch b/mod_nss-clientauth.patch
new file mode 100644
index 0000000..44f3c97
--- /dev/null
+++ b/mod_nss-clientauth.patch
@@ -0,0 +1,50 @@
+The first fix is to retrieve the full certificate subject instead of just the
+CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
+
+The second always attempts to retrieve the client certificate in
+nss_hook_ReadReq().
+
+https://bugzilla.redhat.com/show_bug.cgi?id=702437
+--- mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-10 15:45:49.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-11 15:21:30.000000000 -0400
+@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
+ 
+     status = SSL_AuthCertificate(arg, socket, checksig, isServer);
+ 
+-    if (status == SECSuccess) {
+-        conn_rec *c = filter_ctx->c;
+-        SSLConnRec *sslconn = myConnConfig(c);
+-
+-        sslconn->client_cert = SSL_PeerCertificate(socket);
+-        sslconn->client_dn = NULL;
+-    }
++    /* The certificate is copied to sslconn->client_cert in
++     * nss_hook_ReadReq()
++     */
+ 
+     return status;
+ }
+--- mod_nss-1.0.8.orig/nss_engine_kernel.c	2007-05-31 17:36:03.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_kernel.c	2011-05-11 15:30:38.000000000 -0400
+@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
+                      nss_util_vhostid(r->pool, r->server));
+     }
+ 
++    if (sslconn->client_cert != NULL)
++        CERT_DestroyCertificate(sslconn->client_cert);
++    sslconn->client_cert = SSL_PeerCertificate(ssl);
++    sslconn->client_dn = NULL;
++
+     return DECLINED;
+ }
+ 
+@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
+     }
+ 
+     if (!sslconn->client_dn) {
+-        char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
+-        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
++        char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
++        sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
+         PORT_Free(cp);
+     }
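Review bot: `CERT_NameToAscii` in nss_hook_UserCheck can return NULL on allocation failure, and because `apr_pstrcat` stops at its first NULL argument the result would be a client_dn of just `"/"`, which then becomes the FakeBasicAuth identity; a guard such as `if (cp == NULL) return HTTP_INTERNAL_SERVER_ERROR;` (or whatever this function's failure convention is) before the apr_pstrcat avoids that. Likewise, nss_hook_ReadReq now stores whatever `SSL_PeerCertificate(ssl)` returns, including NULL when no client certificate was presented, so every later use of `sslconn->client_cert` must be NULL-checked — the dereference at `&sslconn->client_cert->subject` in this hunk relies on a check that is not in the visible lines. On the format itself: as far as I recall CERT_NameToAscii emits a comma-separated RDN sequence ("CN=…, O=…, C=US"), so prefixing "/" does not reproduce mod_ssl's slash-separated one-line DN; if the intent stated in the patch header is interchangeable htpasswd entries, that claim deserves a test against a real mod_ssl-generated DN. Both hooks start and end outside the hunk.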
diff --git a/mod_nss-man.patch b/mod_nss-man.patch
new file mode 100644
index 0000000..3c13069
--- /dev/null
+++ b/mod_nss-man.patch
@@ -0,0 +1,229 @@
+diff -rupN mod_nss-1.0.8.orig/Makefile.am mod_nss-1.0.8/Makefile.am
+--- mod_nss-1.0.8.orig/Makefile.am	2008-05-16 08:18:07.000000000 -0700
++++ mod_nss-1.0.8/Makefile.am	2013-06-27 19:13:30.000000000 -0700
+@@ -5,6 +5,14 @@ bin_PROGRAMS = nss_pcache
+ 
+ nss_pcache_SOURCES = nss_pcache.c
+ 
++man8_MANS =				\
++	gencert.8			\
++	nss_pcache.8		\
++	$(NULL)
++
++install-data-hook:
++	@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
++
+ ## Define the source file for the module
+ libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c
+ libmodnss_la_LDFLAGS = -module -avoid-version
+diff -rupN mod_nss-1.0.8.orig/gencert.8 mod_nss-1.0.8/gencert.8
+--- mod_nss-1.0.8.orig/gencert.8	1969-12-31 16:00:00.000000000 -0800
++++ mod_nss-1.0.8/gencert.8	2013-07-01 09:56:37.000000000 -0700
+@@ -0,0 +1,59 @@
++.\" A man page for gencert
++.\"
++.\" Licensed under the Apache License, Version 2.0 (the "License");
++.\" you may not use this file except in compliance with the License.
++.\" You may obtain a copy of the License at
++.\"
++.\"      http://www.apache.org/licenses/LICENSE-2.0
++.\"
++.\" Unless required by applicable law or agreed to in writing, software
++.\" distributed under the License is distributed on an "AS IS" BASIS,
++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++.\" See the License for the specific language governing permissions and
++.\" limitations under the License.
++.\"
++.\" Author: Rob Crittenden <rcritten at redhat.com>
++.\"
++.TH "gencert" "8" "Jul 1 2013" "Rob Crittenden" ""
++.SH "NAME"
++gencert \- Generate a test NSS database for mod_nss
++
++.SH "SYNOPSIS"
++gencert <destdir>
++
++.SH "DESCRIPTION"
++A tool used to generate a self\-signed CA as well as server and user certificates for mod_nss testing.
++.PP
++This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists, so use with care.
++.PP
++\fBgencert\fP will generate a new NSS database and set an empty database password.
++.PP
++It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US"
++.PP
++It also generates a certificate suitable for servers with the subject "CN=<FQDN>, O=example.com, C=US", and a user certificate with the subject "E=alpha@<FQDN>, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US".
++.PP
++The nicknames it uses are:
++.IP
++.TS
++tab(;);
++ll,ll.
++CA:;cacert
++Server certificate:;Server\-Cert
++User cert:;alpha
++.TE
++
++.SH OPTIONS
++.TP
++.B <destdir>
++Specifies the destination directory where the NSS databases will be created.
++
++.SH BUGS
++Report bugs to http://bugzilla.redhat.com.
++
++.SH AUTHORS
++Rob Crittenden <rcritten at redhat.com>.
++
++.SH COPYRIGHT
++Copyright (c) 2011 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0.
++.PP
++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.
+diff -rupN mod_nss-1.0.8.orig/migrate.pl mod_nss-1.0.8/migrate.pl
+--- mod_nss-1.0.8.orig/migrate.pl	2005-05-31 07:32:42.000000000 -0700
++++ mod_nss-1.0.8/migrate.pl	2013-07-03 14:23:12.000000000 -0700
+@@ -115,7 +115,8 @@ while (<SSL>) {
+ }
+ 
+ if ($passphrase == 0) {
+-    print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
++    # NOTE:  Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'.
++    print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
+ }
+ 
+ close(NSS);
+diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in
+--- mod_nss-1.0.8.orig/nss.conf.in	2013-06-25 17:14:22.000000000 -0700
++++ mod_nss-1.0.8/nss.conf.in	2013-07-03 14:23:48.000000000 -0700
+@@ -42,7 +42,10 @@ NSSPassPhraseDialog  builtin
+ #   Pass Phrase Helper:
+ #   This helper program stores the token password pins between
+ #   restarts of Apache.
+-NSSPassPhraseHelper /usr/sbin/nss_pcache
++#
++#   NOTE:  Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'.
++#
++NSSPassPhraseHelper /usr/libexec/nss_pcache
+ 
+ #   Configure the SSL Session Cache. 
+ #   NSSSessionCacheSize is the number of entries in the cache.
+diff -rupN mod_nss-1.0.8.orig/nss_pcache.8 mod_nss-1.0.8/nss_pcache.8
+--- mod_nss-1.0.8.orig/nss_pcache.8	1969-12-31 16:00:00.000000000 -0800
++++ mod_nss-1.0.8/nss_pcache.8	2013-07-03 15:35:39.000000000 -0700
+@@ -0,0 +1,95 @@
++.\" A man page for nss_pcache
++.\"
++.\" Licensed under the Apache License, Version 2.0 (the "License");
++.\" you may not use this file except in compliance with the License.
++.\" You may obtain a copy of the License at
++.\"
++.\"      http://www.apache.org/licenses/LICENSE-2.0
++.\"
++.\" Unless required by applicable law or agreed to in writing, software
++.\" distributed under the License is distributed on an "AS IS" BASIS,
++.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++.\" See the License for the specific language governing permissions and
++.\" limitations under the License.
++.\"
++.\" Author: Rob Crittenden <rcritten at redhat.com>
++.\"
++.TH "nss_pcache" "8" "Jul 1 2013" "Rob Crittenden" ""
++.SH "NAME"
++nss_pcache \- Helper program used to store token password pins
++
++.SH "SYNOPSIS"
++nss_pcache <semid> <fips on/off> <directory> [prefix]
++
++.SH "DESCRIPTION"
++A helper program used by the Apache \fBhttpd\fP mod_nss plug-in to store the NSS PKCS #11 token password pins between restarts of Apache.
++.PP
++Whenever an Apache \fBhttpd\fP process configured to use the mod_nss plug-in is started, this program will be automatically invoked via reference to the mod_nss configuration file stored under \fB/etc/httpd/conf.d/nss.conf\fP which contains the following default entry:
++.IP
++#   Pass Phrase Helper:
++.br
++#   This helper program stores the token password pins between
++.br
++#   restarts of Apache.
++.br
++#
++.br
++#   NOTE:  Located at '/usr/sbin/nss_pcache' prior
++.br
++#          to 'mod_nss-1.0.8-22'.
++.br
++#
++.br
++NSSPassPhraseHelper /usr/libexec/nss_pcache
++
++.SH OPTIONS
++.TP
++.B <semid>
++The semaphore which corresponds to the mod_nss plug-in registered with the Apache \fBhttpd\fP process during startup.
++.TP
++.B <fips on/off>
++Specifies whether FIPS mode should be enabled, \fBon\fP, or disabled, \fBoff\fP.  By default, FIPS mode is disabled, and no variable is specified in \fB/etc/httpd/conf.d/nss.conf\fP.  To enable FIPS mode, establish password access for the specified NSS security databases, and specify the following variable in  \fB/etc/httpd/conf.d/nss.conf\fP:
++.IP
++.TS
++tab(;);
++ll,ll.
++;NSSFIPS on
++.TE
++.TP
++.B <directory>
++Specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP:
++.IP
++.TS
++tab(;);
++ll,ll.
++;#   Server Certificate Database:
++;#   The NSS security database directory that holds the
++;#   certificates and keys. The database consists
++;#   of 3 files: cert8.db, key3.db and secmod.db.
++;#   Provide the directory that these files exist.
++;NSSCertificateDatabase /etc/httpd/alias
++.TE
++.TP
++.B [prefix]
++Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP (must be uncommented in order to be utilized):
++.IP
++.TS
++tab(;);
++ll,ll.
++;#   Database Prefix:
++;#   In order to be able to store multiple NSS databases
++;#   in one directory they need unique names. This option
++;#   sets the database prefix used for cert8.db and key3.db.
++;#NSSDBPrefix my-prefix-
++.TE
++
++.SH BUGS
++Report bugs to http://bugzilla.redhat.com.
++
++.SH AUTHORS
++Rob Crittenden <rcritten at redhat.com>.
++
++.SH COPYRIGHT
++Copyright (c) 2013 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0.
++.PP
++Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.
+diff -rupN mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
+--- mod_nss-1.0.8.orig/nss_pcache.c	2013-06-25 17:14:22.000000000 -0700
++++ mod_nss-1.0.8/nss_pcache.c	2013-06-26 18:44:42.000000000 -0700
+@@ -318,7 +318,7 @@ int main(int argc, char ** argv)
+     union semun semarg;
+ 
+     if (argc < 4 || argc > 5) {
+-        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
++        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
+         exit(1);
+     }
+ 
+@@ -336,7 +336,7 @@ int main(int argc, char ** argv)
+     PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
+  
+     /* Initialize NSS and open the certificate database read-only. */
+-    rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
++    rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
+ 
+     if (rv != SECSuccess) {
+         fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
diff --git a/mod_nss-no_shutdown_if_not_init_2.patch b/mod_nss-no_shutdown_if_not_init_2.patch
new file mode 100644
index 0000000..13eddeb
--- /dev/null
+++ b/mod_nss-no_shutdown_if_not_init_2.patch
@@ -0,0 +1,23 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-01-27 17:18:41.001015000 -0800
++++ mod_nss-1.0.8/nss_engine_init.c	2012-01-27 17:20:14.093830000 -0800
+@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
+     server_rec *s;
+     int shutdown = 0;
+ 
+-    /* Clear any client-side session cache data */
+-    SSL_ClearSessionCache();
+-
+     /*
+      * Free the non-pool allocated structures
+      * in the per-server configurations
+@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
+     }
+ 
+     if (shutdown) {
++        /* Clear any client-side session cache data */
++        SSL_ClearSessionCache();
++
+         if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+             != SECSuccess) {
+             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
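Review bot: The relocated `SSL_ClearSessionCache()` now runs only when `shutdown` is set, but nothing at the new site says why, and `shutdown` is computed outside this hunk, so the next reader has to reconstruct the reasoning from the bug title. A comment such as `/* NSS may never have been initialised in this child; only touch its session cache when we are really shutting it down (Bugzilla #1022722) */` would pin the precondition to the call. If there is a path where NSS was initialised but `shutdown` stays zero — the rest of nss_init_ChildKill is not visible here — the cache would now never be cleared on that path, which is worth confirming. nss_init_ChildKill begins and ends outside the hunk.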
diff --git a/mod_nss-proxyvariables.patch b/mod_nss-proxyvariables.patch
new file mode 100644
index 0000000..5506093
--- /dev/null
+++ b/mod_nss-proxyvariables.patch
@@ -0,0 +1,83 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-10-03 14:28:50.751794000 -0700
++++ mod_nss-1.0.8/nss_engine_init.c	2012-10-04 16:33:08.278929000 -0700
+@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
+         tls = 1;
+     } else {
+         if (mctx->auth.protocols == NULL) {
+-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                "NSSProtocols not set; using: SSLv3 and TLSv1");
++            /*
++             * Since this routine will be invoked individually for every
++             * thread associated with each 'server' object as well as for
++             * every thread associated with each 'proxy' object, issue a
++             * single per-thread 'warning' message for either a 'server'
++             * or a 'proxy' based upon the thread's object type.
++             */
++            if (mctx == mctx->sc->server) {
++                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
++            } else if (mctx == mctx->sc->proxy) {
++                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
++            }
++
+             ssl3 = tls = 1;
+         } else {
+             lprotocols = strdup(mctx->auth.protocols);
+@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
+      *  Configure SSL Cipher Suite
+      */
+     if (!suite) {
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                     "Required value NSSCipherSuite not set.");
++        /*
++         * Since this is a 'fatal' error, regardless of whether this
++         * particular invocation is from a 'server' object or a 'proxy'
++         * object, issue all error message(s) as appropriate.
++         */
++        if ((mctx->sc->enabled == TRUE) &&
++            (mctx->sc->server) &&
++            (!mctx->sc->server->auth.cipher_suite)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                "NSSEngine on; required value NSSCipherSuite not set.");
++        }
++
++        if ((mctx->sc->proxy_enabled == TRUE) &&
++            (mctx->sc->proxy) &&
++            (!mctx->sc->proxy->auth.cipher_suite)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
++        }
++
+         nss_die();
+     }
+     ciphers = strdup(suite);
+@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
+         if (mctx->nickname == NULL)
+ #endif
+         {
+-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "No certificate nickname provided.");
++            /*
++             * Since this is a 'fatal' error, regardless of whether this
++             * particular invocation is from a 'server' object or a 'proxy'
++             * object, issue all error message(s) as appropriate.
++             */
++            if ((mctx->sc->enabled == TRUE) &&
++                (mctx->sc->server) &&
++                (mctx->sc->server->nickname == NULL)) {
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                    "NSSEngine on; no certificate nickname provided by NSSNickname.");
++            }
++
++            if ((mctx->sc->proxy_enabled == TRUE) &&
++                (mctx->sc->proxy) &&
++                (mctx->sc->proxy->nickname == NULL)) {
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                    "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
++            }
++
+             nss_die();
+         }
+ 
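Review bot: In the new nss_init_ctx_cipher_suite and nss_init_server_certs branches, `nss_die()` is reached with no log line at all when neither of the two conditions holds — for instance when `suite` is NULL for a context whose `enabled`/`proxy_enabled` flag is off — whereas the replaced code always logged before dying; an `else` fallback such as `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Required value NSSCipherSuite not set.");` (and the corresponding one for the nickname) keeps the failure explainable. The same pattern appears in the nss_init_ctx_protocol hunk, where neither warning fires if `mctx` is neither `sc->server` nor `sc->proxy`, although there the defaults are still applied. Separately, the default advertised in the new warning text still enables SSLv3; the tlsv1_1 patch in this commit's diffstat may revise that, but if not, a TLS-only fallback would be the safer default. All three enclosing functions start and end outside their hunks.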
diff --git a/mod_nss-sslmultiproxy.patch b/mod_nss-sslmultiproxy.patch
new file mode 100644
index 0000000..c667653
--- /dev/null
+++ b/mod_nss-sslmultiproxy.patch
@@ -0,0 +1,211 @@
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2012-11-09 16:13:26.967022000 -0800
++++ mod_nss-1.0.8/mod_nss.c	2012-11-09 20:18:39.936927000 -0800
+@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
+     return sslconn;
+ }
+ 
++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
++
+ int nss_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
+     SSLConnRec *sslconn = nss_init_connection_ctx(c);
+ 
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_nss proxy not configured, passing through to mod_ssl module");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                      "SSL Proxy requested for %s but not enabled "
+                      "[Hint: NSSProxyEngine]", sc->vhost_id);
+@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_proxy_enable(conn_rec *c) {
++static int ssl_proxy_enable(conn_rec *c) {
+     return nss_proxy_enable(c);
+ }
+ 
+@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
+ 
+     SSLConnRec *sslconn;
+ 
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sc->enabled == FALSE) {
+         return 0;
+     }
+@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_engine_disable(conn_rec *c) {
++static int ssl_engine_disable(conn_rec *c) {
+     return nss_engine_disable(c);
+ }
+ 
+@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
+ 
+     nss_var_register();
+ 
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
+ 
+-    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
++    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ }
+ 
+ module AP_MODULE_DECLARE_DATA nss_module = {
+diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h	2012-11-09 16:13:26.799022000 -0800
++++ mod_nss-1.0.8/mod_nss.h	2012-11-09 17:14:18.660077000 -0800
+@@ -13,8 +13,8 @@
+  * limitations under the License.
+  */
+ 
+-#ifndef __MOD_SSL_H__
+-#define __MOD_SSL_H__
++#ifndef __MOD_NSS_H__
++#define __MOD_NSS_H__
+ 
+ /* Apache headers */
+ #include "httpd.h"
+@@ -25,6 +25,7 @@
+ #include "http_connection.h"
+ #include "http_request.h"
+ #include "http_protocol.h"
++#include "mod_ssl.h"
+ #include "util_script.h"
+ #include "util_filter.h"
+ #include "mpm.h"
+@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
+ /*  Variables  */
+ void         nss_var_register(void);
+ char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+-char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+ void         nss_var_log_config_register(apr_pool_t *p);
+ 
+ APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
+                         (apr_pool_t *, server_rec *,
+                          conn_rec *, request_rec *, 
+                          char *));
+-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+-                        (apr_pool_t *, server_rec *,
+-                         conn_rec *, request_rec *, 
+-                         char *));
+ 
+ /* An optional function which returns non-zero if the given connection
+  * is using SSL/TLS. */
+ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+ 
+ /* Proxy Support */
+ int nss_proxy_enable(conn_rec *c);
+ int nss_engine_disable(conn_rec *c);
+-int ssl_proxy_enable(conn_rec *c);
+-int ssl_engine_disable(conn_rec *c);
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+ /* I/O */
+ PRFileDesc * nss_io_new_fd();
+@@ -495,4 +486,4 @@ void nss_die(void);
+ 
+ /* NSS callback */
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+-#endif /* __MOD_SSL_H__ */
++#endif /* __MOD_NSS_H__ */
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2012-11-09 16:13:26.997024000 -0800
++++ mod_nss-1.0.8/nss_engine_vars.c	2012-11-09 20:15:32.948488000 -0800
+@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
+ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
+ static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
+ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
++
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+ 
+ static int nss_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = myConnConfig(c);
+-    return sslconn && sslconn->ssl;
++
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ 
+ static int ssl_is_https(conn_rec *c) {
+@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
+ 
+ void nss_var_register(void)
+ {
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_is_https);
+     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
+ 
+-    /* These can only be registered if mod_ssl is not loaded */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
++    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ 
+     return;
+ }
+@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = myConnConfig(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* If mod_ssl is registered for this connection,
++             * pass any SSL_* variable through to the mod_ssl module
++             */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
+                  && sslconn && sslconn->ssl)
+             result = nss_var_lookup_ssl(p, c, var+4);
+@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
+     return result;
+ }
+ 
+-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+     return nss_var_lookup(p, s, c, r, var);
+ }
+ 
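Review bot: The mod_ssl pass-through in nss_register_hooks depends on module load order: `othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);` yields NULL when mod_nss is loaded before mod_ssl, and mod_ssl's later registration then replaces mod_nss's entry for ssl_proxy_enable in the optional-function table, so a consumer such as mod_proxy would presumably never reach nss_proxy_enable in that order (the same applies to nss_var_register in nss_engine_vars.c). The comment at "Save the state of any previously registered mod_ssl functions" should state the requirement, e.g. `/* mod_ssl must be loaded before mod_nss: the last module to register owns the ssl_* names */`. Nothing guards against the retrieved pointer being this module's own function (should the table ever still hold mod_nss's earlier registration when register_hooks runs again), in which case ssl_proxy_enable -> nss_proxy_enable -> othermod_proxy_enable recurses without bound; a cheap guard after each retrieve is `if (othermod_proxy_enable == ssl_proxy_enable) othermod_proxy_enable = NULL;`, and likewise for engine_disable, is_https and var_lookup. The return value of `othermod_engine_disable(c)` in nss_engine_disable is discarded, which is fine if it is only a courtesy call but deserves a one-line comment saying so. mod_nss-sslmultiproxy_2.patch below carries the identical code and the same notes apply there.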
diff --git a/mod_nss-sslmultiproxy_2.patch b/mod_nss-sslmultiproxy_2.patch
new file mode 100644
index 0000000..5d97f2e
--- /dev/null
+++ b/mod_nss-sslmultiproxy_2.patch
@@ -0,0 +1,211 @@
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2013-10-21 15:01:49.000000000 -0700
++++ mod_nss-1.0.8/mod_nss.c	2013-10-21 15:20:57.000000000 -0700
+@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
+     return sslconn;
+ }
+ 
++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
++
+ int nss_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
+     SSLConnRec *sslconn = nss_init_connection_ctx(c);
+ 
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_nss proxy not configured, passing through to mod_ssl module");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                      "SSL Proxy requested for %s but not enabled "
+                      "[Hint: NSSProxyEngine]", sc->vhost_id);
+@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_proxy_enable(conn_rec *c) {
++static int ssl_proxy_enable(conn_rec *c) {
+     return nss_proxy_enable(c);
+ }
+ 
+@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
+ 
+     SSLConnRec *sslconn;
+ 
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sc->enabled == FALSE) {
+         return 0;
+     }
+@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_engine_disable(conn_rec *c) {
++static int ssl_engine_disable(conn_rec *c) {
+     return nss_engine_disable(c);
+ }
+ 
+@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
+ 
+     nss_var_register();
+ 
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
+ 
+-    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
++    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ }
+ 
+ module AP_MODULE_DECLARE_DATA nss_module = {
+diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h	2013-10-21 15:01:49.000000000 -0700
++++ mod_nss-1.0.8/mod_nss.h	2013-10-21 15:24:06.000000000 -0700
+@@ -13,8 +13,8 @@
+  * limitations under the License.
+  */
+ 
+-#ifndef __MOD_SSL_H__
+-#define __MOD_SSL_H__
++#ifndef __MOD_NSS_H__
++#define __MOD_NSS_H__
+ 
+ /* Apache headers */
+ #include "httpd.h"
+@@ -25,6 +25,7 @@
+ #include "http_connection.h"
+ #include "http_request.h"
+ #include "http_protocol.h"
++#include "mod_ssl.h"
+ #include "util_script.h"
+ #include "util_filter.h"
+ #include "apr.h"
+@@ -437,34 +438,24 @@ int nss_hook_ReadReq(request_rec *r);
+ /*  Variables  */
+ void         nss_var_register(void);
+ char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+-char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+ void         nss_var_log_config_register(apr_pool_t *p);
+ 
+ APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
+                         (apr_pool_t *, server_rec *,
+                          conn_rec *, request_rec *, 
+                          char *));
+-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+-                        (apr_pool_t *, server_rec *,
+-                         conn_rec *, request_rec *, 
+-                         char *));
+ 
+ /* An optional function which returns non-zero if the given connection
+  * is using SSL/TLS. */
+ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+ 
+ /* Proxy Support */
+ int nss_proxy_enable(conn_rec *c);
+ int nss_engine_disable(conn_rec *c);
+-int ssl_proxy_enable(conn_rec *c);
+-int ssl_engine_disable(conn_rec *c);
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+ /* I/O */
+ PRFileDesc * nss_io_new_fd();
+@@ -494,4 +485,4 @@ void nss_die(void);
+ 
+ /* NSS callback */
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+-#endif /* __MOD_SSL_H__ */
++#endif /* __MOD_NSS_H__ */
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2013-10-21 15:01:50.000000000 -0700
++++ mod_nss-1.0.8/nss_engine_vars.c	2013-10-21 15:43:43.000000000 -0700
+@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
+ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
+ static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
+ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
++
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+ 
+ static int nss_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = myConnConfig(c);
+-    return sslconn && sslconn->ssl;
++
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ 
+ static int ssl_is_https(conn_rec *c) {
+@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
+ 
+ void nss_var_register(void)
+ {
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_is_https);
+     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
+ 
+-    /* These can only be registered if mod_ssl is not loaded */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
++    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ 
+     return;
+ }
+@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = myConnConfig(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* If mod_ssl is registered for this connection,
++             * pass any SSL_* variable through to the mod_ssl module
++             */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
+                  && sslconn && sslconn->ssl)
+             result = nss_var_lookup_ssl(p, c, var+4);
+@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
+     return result;
+ }
+ 
+-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+     return nss_var_lookup(p, s, c, r, var);
+ }
+ 
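Review bot: This patch repeats mod_nss-sslmultiproxy.patch line for line; only the hunk headers, file timestamps and the `#include "apr.h"` context line in the mod_nss.h hunk differ. If the spec applies only the `_2` variant, as the commit message lists, the older copy is dead weight in the repository and should be removed rather than kept alongside, since two near-identical patches make it easy to review or backport the wrong one. A short header comment in this file naming the tree it was rebased against would make the distinction explicit.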
diff --git a/mod_nss-tlsv1_1.patch b/mod_nss-tlsv1_1.patch
new file mode 100644
index 0000000..be8449e
--- /dev/null
+++ b/mod_nss-tlsv1_1.patch
@@ -0,0 +1,744 @@
+diff -rupN mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
+--- mod_nss-1.0.8.orig/docs/mod_nss.html	2012-10-15 13:53:48.889995000 -0700
++++ mod_nss-1.0.8/docs/mod_nss.html	2012-10-16 11:37:30.983783000 -0700
+@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
+ <br>
+ Enables or disables FIPS 140 mode. This replaces the standard
+ internal PKCS#11 module with a FIPS-enabled one. It also forces the
+-enabled protocols to TLSv1 and disables all ciphers but the
++enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the
+ FIPS ones. You may still select which ciphers you would like
+ limited to those that are FIPS-certified. Any non-FIPS that are
+ included in the NSSCipherSuite entry are automatically disabled.
+@@ -570,7 +570,7 @@ definition<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1<br>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br>
+       </td>
+     </tr>
+     <tr>
+@@ -578,106 +578,106 @@ definition<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_null_md5<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_null_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc2_40_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_128_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_128_sha</td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_40_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza_rc4_128_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza_null<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fips_des_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fips_3des_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_des_56_sha</td>
+       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSL3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_56_sha</td>
+       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_aes_128_sha<br>
+       </td>
+       <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_aes_256_sha<br>
+       </td>
+       <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+   </tbody>
+ </table>
+@@ -698,127 +698,127 @@ Definition<br>
+     <tr>
+       <td>ecdh_ecdsa_null_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_rc4_128_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_3des_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_aes_128_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_aes_256_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_null_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_rc4_128_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_3des_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_aes_128_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_aes_256_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_null_sha</td>
+       <td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_128_sha</td>
+       <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_3des_sha</td>
+       <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_aes_128_sha</td>
+       <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_aes_256_sha</td>
+       <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>echde_rsa_null</td>
+       <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_rc4_128_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_3des_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_aes_128_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_aes_256_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_null_sha</td>
+       <td>TLS_ECDH_anon_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_rc4_128sha</td>
+       <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_3des_sha</td>
+       <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_aes_128_sha</td>
+       <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_aes_256_sha</td>
+       <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+   </tbody>
+ </table>
+@@ -839,16 +839,35 @@ specifically but allows ciphers for that
+ Options are:<br>
+ <ul>
+   <li><code>SSLv3</code></li>
+-  <li><code>TLSv1</code></li>
++  <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
++  <li><code>TLSv1.0</code></li>
++  <li><code>TLSv1.1</code></li>
+   <li><code>All</code></li>
+ </ul>
+ Note that this differs from mod_ssl in that you can't add or subtract
+ protocols.<br>
++<br>
++If no NSSProtocol is specified, mod_nss will default to allowing the use of
++the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the
++minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol
++allowed.
++<br>
++If values for NSSProtocol are specified, mod_nss will set both the minimum
++and the maximum allowed protocols based upon these entries allowing for the
++inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1
++are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes
++protocol ranges to accept all protocols inclusively
++(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
++in the middle of a range (e. g. - TLS 1.0).<br>
++<br>
++Finally, NSS will always automatically negotiate the use of the strongest
++possible protocol that has been specified which is acceptable to both sides of
++a given connection.<br>
+ <a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
+ <br>
+ <span style="font-weight: bold;">Example</span><br>
+ <br>
+-<code>NSSProtocol SSLv3,TLSv1</code><br>
++<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1</code><br>
+ <br>
+ <big><big>NSSNickname<br>
+ </big></big><br>
+@@ -1101,7 +1120,7 @@ was compiled against.<br>
+     <tr>
+       <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
+       </code></td>
+-      <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
++      <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br>
+       </td>
+     </tr>
+     <tr>
+@@ -1443,7 +1462,7 @@ Opera, and
+ Safari) support SSL 3 and TLS so there is no need for a web server to
+ support
+ SSL 2. There are some known attacks against SSL 2 that are handled by
+-SSL 3/TLS. SSL2 also doesn't support useful features like client
++SSL 3/TLS. SSLv2 also doesn't support useful features like client
+ authentication.
+ <br>
+ <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2012-10-15 13:53:48.971995000 -0700
++++ mod_nss-1.0.8/mod_nss.c	2012-10-17 09:46:18.838689000 -0700
+@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
+                 "(`[+-]XXX,...,[+-]XXX' - see manual)")
+     SSL_CMD_SRV(Protocol, RAW_ARGS,
+                 "Enable the various SSL protocols"
+-                "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
++                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)")
+     SSL_CMD_ALL(VerifyClient, TAKE1,
+                 "SSL Client Authentication "
+                 "(`none', `optional', `require'")
+@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
+                 "(`on', `off')")
+     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+                "SSL Proxy: enable or disable SSL protocol flavors "
+-               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)")
+     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+                "(`XXX:...:XXX' - see manual)")
+diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in
+--- mod_nss-1.0.8.orig/nss.conf.in	2012-10-15 13:53:48.856995000 -0700
++++ mod_nss-1.0.8/nss.conf.in	2012-10-19 18:06:59.101468000 -0700
+@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+ # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+ #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+ 
+-NSSProtocol SSLv3,TLSv1
++#   SSL Protocol:
++#   Cryptographic protocols that provide communication security.
++#   NSS handles the specified protocols as "ranges", and automatically
++#   negotiates the use of the strongest protocol for a connection starting
++#   with the maximum specified protocol and downgrading as necessary to the
++#   minimum specified protocol that can be used between two processes.
++#   Since all protocol ranges are completely inclusive, and no protocol in the
++#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
++#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
++NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+ 
+ #   SSL Certificate Nickname:
+ #   The nickname of the RSA server certificate you are going to use.
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-10-15 13:53:49.165998000 -0700
++++ mod_nss-1.0.8/nss_engine_init.c	2012-10-19 17:44:04.973592000 -0700
+@@ -616,62 +616,98 @@ static void nss_init_ctx_protocol(server
+                                   apr_pool_t *ptemp,
+                                   modnss_ctx_t *mctx)
+ {
+-    int ssl2, ssl3, tls;
++    int ssl2, ssl3, tls, tls1_1;
++    char *protocol_marker = NULL;
+     char *lprotocols = NULL;
+     SECStatus stat;
++    SSLVersionRange enabledVersions;
+ 
+-    ssl2 = ssl3 = tls = 0;
++    ssl2 = ssl3 = tls = tls1_1 = 0;
++
++    /*
++     * Since this routine will be invoked individually for every thread
++     * associated with each 'server' object as well as for every thread
++     * associated with each 'proxy' object, identify the protocol marker
++     * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
++     * via each thread's object type and apply this useful information to
++     * all log messages.
++     */
++    if (mctx == mctx->sc->server) {
++        protocol_marker = "NSSProtocol";
++    } else if (mctx == mctx->sc->proxy) {
++        protocol_marker = "NSSProxyProtocol";
++    }
+ 
+     if (mctx->sc->fips) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+-            "In FIPS mode, enabling TLSv1");
+-        tls = 1;
++            "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1",
++            protocol_marker);
++        tls = tls1_1 = 1;
+     } else {
+         if (mctx->auth.protocols == NULL) {
+-            /*
+-             * Since this routine will be invoked individually for every
+-             * thread associated with each 'server' object as well as for
+-             * every thread associated with each 'proxy' object, issue a
+-             * single per-thread 'warning' message for either a 'server'
+-             * or a 'proxy' based upon the thread's object type.
+-             */
+-            if (mctx == mctx->sc->server) {
+-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
+-            } else if (mctx == mctx->sc->proxy) {
+-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+-            }
++            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                         "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",
++                         protocol_marker);
+ 
+-            ssl3 = tls = 1;
++            ssl3 = tls = tls1_1 = 1;
+         } else {
+             lprotocols = strdup(mctx->auth.protocols);
+             ap_str_tolower(lprotocols);
+ 
+             if (strstr(lprotocols, "all") != NULL) {
+ #ifdef WANT_SSL2
+-                ssl2 = ssl3 = tls = 1;
++                ssl2 = ssl3 = tls = tls1_1= 1;
+ #else
+-                ssl3 = tls = 1;
++                ssl3 = tls = tls1_1 = 1;
+ #endif
+             } else {
+-                if (strstr(lprotocols, "sslv2") != NULL) {
++                char *protocol_list = NULL;
++                char *saveptr = NULL;
++                char *token = NULL;
++
++                for (protocol_list = lprotocols; ; protocol_list = NULL) {
++                    token = strtok_r(protocol_list, ",", &saveptr);
++                    if (token == NULL) {
++                        break;
++                    } else if (strcmp(token, "sslv2") == 0) {
+ #ifdef WANT_SSL2
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
+-                    ssl2 = 1;
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling SSL2",
++                                     protocol_marker);
++                        ssl2 = 1;
+ #else
+-                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
++                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++                                     "%s:  SSL2 is not supported",
++                                     protocol_marker);
+ #endif
+-                }
+-
+-                if (strstr(lprotocols, "sslv3") != NULL) {
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
+-                    ssl3 = 1;
+-                }
+-
+-                if (strstr(lprotocols, "tlsv1") != NULL) {
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
+-                    tls = 1;
++                    } else if (strcmp(token, "sslv3") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling SSL3",
++                                     protocol_marker);
++                        ssl3 = 1;
++                    } else if (strcmp(token, "tlsv1") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.0 via TLSv1",
++                                     protocol_marker);
++                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++                                     "%s:  The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
++                                     protocol_marker);
++                        tls = 1;
++                    } else if (strcmp(token, "tlsv1.0") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.0",
++                                     protocol_marker);
++                        tls = 1;
++                    } else if (strcmp(token, "tlsv1.1") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.1",
++                                     protocol_marker);
++                        tls1_1 = 1;
++                    } else {
++                        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                                     "%s:  Unknown protocol '%s' not supported",
++                                     protocol_marker, token);
++                    }
+                 }
+             }
+             free(lprotocols);
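Review bot: `protocol_marker` stays NULL when `mctx` matches neither `mctx->sc->server` nor `mctx->sc->proxy`, and every log call in this function then hands it to `%s`, which is undefined behavior (glibc happens to print "(null)"); the removed code only skipped the log in that case. Unless a third context type is provably impossible, give the chain a fallback, `} else { protocol_marker = "NSSProtocol"; }`, or an explicit `else` that logs and calls `nss_die()`; the same applies to `object_type` and `cipher_suite_marker` in the nss_init_ctx_cipher_suite hunks below. Separately, the switch from `strstr` to exact `strtok_r` tokens on `","` means a value such as `SSLv3, TLSv1.1` now yields the token ` tlsv1.1`, which hits the "Unknown protocol" warning and leaves only SSL 3.0 enabled; accepting whitespace in the delimiter set, `token = strtok_r(protocol_list, ", \t", &saveptr);`, keeps previously accepted spellings working. Minor: `tls1_1= 1` on the WANT_SSL2 line is missing a space. The function continues in the next hunk.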
+@@ -686,31 +722,98 @@ static void nss_init_ctx_protocol(server
+         stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
+     }
+ 
++    /* Set protocol version ranges:
++     *
++     *     (1) Set the minimum protocol accepted
++     *     (2) Set the maximum protocol accepted
++     *     (3) Protocol ranges extend from maximum down to minimum protocol
++     *     (4) All protocol ranges are completely inclusive;
++     *         no protocol in the middle of a range may be excluded
++     *     (5) NSS automatically negotiates the use of the strongest protocol
++     *         for a connection starting with the maximum specified protocol
++     *         and downgrading as necessary to the minimum specified protocol
++     *
++     * For example, if SSL 3.0 is chosen as the minimum protocol, and
++     * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
++     * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
++     * cannot be excluded from this range. NSS will automatically negotiate
++     * to utilize the strongest acceptable protocol for a connection starting
++     * with the maximum specified protocol and downgrading as necessary to the
++     * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
++     */
+     if (stat == SECSuccess) {
++        /* Set minimum protocol version (lowest -> highest)
++         *
++         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1
++         */
+         if (ssl3 == 1) {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
++            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (minimum)",
++                         protocol_marker);
++        } else if (tls == 1) {
++            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.0] (minimum)",
++                         protocol_marker);
++        } else if (tls1_1 == 1) {
++            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (minimum)",
++                         protocol_marker);
+         } else {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
++            /* Set default minimum protocol version to SSL 3.0 */
++            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (default minimum)",
++                         protocol_marker);
+         }
+-    }
+-    if (stat == SECSuccess) {
+-        if (tls == 1) {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
++
++        /* Set maximum protocol version (highest -> lowest)
++         *
++         *     TLS 1.1 -> TLS 1.0 -> SSL 3.0
++         */
++        if (tls1_1 == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (maximum)",
++                         protocol_marker);
++        } else if (tls == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.0] (maximum)",
++                         protocol_marker);
++        } else if (ssl3 == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (maximum)",
++                         protocol_marker);
+         } else {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
++            /* Set default maximum protocol version to TLS 1.1 */
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (default maximum)",
++                         protocol_marker);
+         }
++
++        stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
+     }
+ 
+     if (stat != SECSuccess) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "SSL protocol initialization failed.");
++                "%s:  SSL/TLS protocol initialization failed.",
++                protocol_marker);
+         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+         nss_die();
+     }
+ 
+     mctx->ssl2 = ssl2;
+     mctx->ssl3 = ssl3;
+-    mctx->tls = tls;
++    if (tls1_1 == 1) {
++        mctx->tls = tls1_1;
++    } else {
++        mctx->tls = tls;
++    }
+ }
+ 
+ static void nss_init_ctx_session_cache(server_rec *s,
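Review bot: The two `else` branches that fall back to `SSL_LIBRARY_VERSION_3_0` as minimum and `SSL_LIBRARY_VERSION_TLS_1_1` as maximum mean an NSSProtocol value made up only of unrecognized names (a typo such as `TLSv1_1`) enables the whole SSL 3.0–TLS 1.1 range and reports it only at DEBUG level, whereas the removed `SSL_OptionSet` calls disabled every version they were not told to enable. Since this function already treats configuration errors as fatal, I would check before the range is computed, `if (ssl3 == 0 && tls == 0 && tls1_1 == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "%s:  no supported protocol enabled", protocol_marker); nss_die(); }`, or at least raise the two "default" log lines to APLOG_WARNING. The same defaults also apply when only `SSLv2` is configured under WANT_SSL2, which previously did not enable SSL 3.0 or TLS. The enclosing function begins in the previous hunk.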
+@@ -791,6 +894,8 @@ static void nss_init_ctx_cipher_suite(se
+     PRBool cipher_state[ciphernum];
+     PRBool fips_state[ciphernum];
+     const char *suite = mctx->auth.cipher_suite; 
++    char * object_type = NULL;
++    char * cipher_suite_marker = NULL;
+     char * ciphers;
+     char * fipsciphers = NULL;
+     int i;
+@@ -820,6 +925,23 @@ static void nss_init_ctx_cipher_suite(se
+ 
+         nss_die();
+     }
++
++    /*
++     * Since this routine will be invoked individually for every thread
++     * associated with each 'server' object as well as for every thread
++     * associated with each 'proxy' object, identify the cipher suite markers
++     * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
++     * via each thread's object type and apply this useful information to
++     * all log messages.
++     */
++    if (mctx == mctx->sc->server) {
++        object_type = "server";
++        cipher_suite_marker = "NSSCipherSuite";
++    } else if (mctx == mctx->sc->proxy) {
++        object_type = "proxy";
++        cipher_suite_marker = "NSSProxyCipherSuite";
++    }
++
+     ciphers = strdup(suite);
+ 
+ #define CIPHERSIZE 2048
+@@ -854,13 +976,13 @@ static void nss_init_ctx_cipher_suite(se
+         }
+ 
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                 "FIPS mode enabled, permitted SSL ciphers are: [%s]",
+-                 fipsciphers);
++            "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
++            object_type, fipsciphers);
+     }
+ 
+     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                "Configuring permitted SSL ciphers [%s]",
+-                 suite);
++                "%s:  Configuring permitted SSL ciphers [%s]",
++                 cipher_suite_marker, suite);
+ 
+     /* Disable all NSS supported cipher suites. This is to prevent any new
+      * NSS cipher suites from getting automatically and unintentionally
+@@ -899,7 +1021,7 @@ static void nss_init_ctx_cipher_suite(se
+         for (i=0; i<ciphernum; i++) {
+             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
+                 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
++                    "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
+                 cipher_state[i] = PR_FALSE;
+             }
+         }
+@@ -908,19 +1030,22 @@ static void nss_init_ctx_cipher_suite(se
+     /* See if any ciphers have been enabled for a given protocol */
+     if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "SSL2 is enabled but no SSL2 ciphers are enabled.");
++            "%s:  SSL2 is enabled but no SSL2 ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+     if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "SSL3 is enabled but no SSL3 ciphers are enabled.");
++            "%s:  SSL3 is enabled but no SSL3 ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+     if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "TLS is enabled but no TLS ciphers are enabled.");
++            "%s:  TLS is enabled but no TLS ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2008-01-03 13:35:28.000000000 -0800
++++ mod_nss-1.0.8/nss_engine_vars.c	2012-10-19 17:12:48.178045000 -0700
+@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
+                 case SSL_LIBRARY_VERSION_3_0:
+                     result = "SSLv3";
+                     break;
+-                case SSL_LIBRARY_VERSION_3_1_TLS:
++                case SSL_LIBRARY_VERSION_TLS_1_0:
++                    /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
+                     result = "TLSv1";
+                     break;
++                case SSL_LIBRARY_VERSION_TLS_1_1:
++                    result = "TLSv1.1";
++                    break;
+             }
+         }
+     }
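Review bot: The comment `/* 'TLSv1' has been deprecated; specify 'TLSv1.0' */` reads as an instruction to change the string below it, yet the code deliberately keeps `result = "TLSv1"` for `SSL_LIBRARY_VERSION_TLS_1_0`; the next reader will either "fix" it or wonder why it was left. If the intent is to keep the looked-up protocol-version string stable for existing consumers while only the NSSProtocol directive moves to `TLSv1.0`, say so: `/* Keep "TLSv1" here: this is the value reported to consumers, not the directive spelling (the directive now also accepts 'TLSv1.0') */`. The enclosing function begins outside the hunk.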
diff --git a/mod_nss.spec b/mod_nss.spec
index 754b246..11c2135 100644
--- a/mod_nss.spec
+++ b/mod_nss.spec
@@ -1,36 +1,52 @@
 %{!?_httpd_apxs:       %{expand: %%global _httpd_apxs       %%{_sbindir}/apxs}}
-%{!?_httpd_mmn:        %{expand: %%global _httpd_mmn        %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
 %{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
 # /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
 %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
-%{!?_httpd_moddir:    %{expand: %%global _httpd_moddir    %%{_libdir}/httpd/modules}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}}
 
 Name: mod_nss
 Version: 1.0.8
-Release: 19.1%{?dist}
+Release: 24%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: ASL 2.0
 URL: http://directory.fedoraproject.org/wiki/Mod_nss
 Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
+BuildRequires: nspr-devel >= 4.9.2, nss-devel >= 3.14.0.0
 BuildRequires: httpd-devel, apr-devel, apr-util-devel
 BuildRequires: pkgconfig
 Requires: httpd-mmn = %{_httpd_mmn}
 Requires(post): httpd, nss-tools
-Requires: nss >= 3.12.6
+Requires: nss%{?_isa} >= 3.14.0.0
+# Although the following change reverses the desire of Bugzilla Bug #601939, it
+# was provided to suppress the dangling symlink warning of Bugzilla Bug #906089
+# as exposed via 'rpmlint'.
+Requires: %{_libdir}/libnssckbi.so
+
+# Change configuration to not conflict with mod_ssl
 Patch1: mod_nss-conf.patch
+# Generate a password-less NSS database
 Patch2: mod_nss-gencert.patch
+# Properly set blocking status when no data is available
 Patch3: mod_nss-wouldblock.patch
 # Add options for tuning client negotiate in NSS
 Patch4: mod_nss-negotiate.patch
 Patch5: mod_nss-reverseproxy.patch
-Patch6: mod_nss-pcachesignal.h
-Patch7: mod_nss-reseterror.patch
-Patch8: mod_nss-lockpcache.patch
-Patch9: mod_nss-httpd24.patch
-Patch10: mod_nss-overlapping_memcpy.patch
+Patch6: mod_nss-PK11_ListCerts_2.patch
+Patch7: mod_nss-pcachesignal.h
+Patch8: mod_nss-reseterror.patch
+Patch9: mod_nss-lockpcache.patch
+Patch10: mod_nss-httpd24.patch
+Patch11: mod_nss-overlapping_memcpy.patch
+Patch12: mod_nss-man.patch
+Patch13: mod_nss-array_overrun.patch
+Patch14: mod_nss-clientauth.patch
+Patch15: mod_nss-no_shutdown_if_not_init_2.patch
+Patch16: mod_nss-proxyvariables.patch
+Patch17: mod_nss-tlsv1_1.patch
+Patch18: mod_nss-sslmultiproxy.patch
+Patch19: mod_nss-sslmultiproxy_2.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -45,13 +61,25 @@ security library.
 %patch3 -p1 -b .wouldblock
 %patch4 -p1 -b .negotiate
 %patch5 -p1 -b .reverseproxy
-%patch6 -p1 -b .pcachesignal.h
-%patch7 -p1 -b .reseterror
-%patch8 -p1 -b .lockpcache
+%patch6 -p1 -b .PK11_ListCerts_2
+%patch7 -p1 -b .pcachesignal.h
+%patch8 -p1 -b .reseterror
+%patch9 -p1 -b .lockpcache
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%patch10 -p1 -b .httpd24
+%endif
+%patch11 -p1 -b .overlapping_memcpy
+%patch12 -p1 -b .man
+%patch13 -p1 -b .array_overrun
+%patch14 -p1 -b .clientauth
+%patch15 -p1 -b .no_shutdown_if_not_init_2
+%patch16 -p1 -b .proxyvariables
+%patch17 -p1 -b .tlsv1_1
 %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%patch9 -p1 -b .httpd24
+%patch19 -p1 -b .sslmultiproxy_2
+%else
+%patch18 -p1 -b .sslmultiproxy
 %endif
-%patch10 -p1 -b .overlap
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -76,7 +104,7 @@ NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
     --with-nss-inc=$NSS_INCLUDE_DIR \
     --with-nspr-lib=$NSPR_LIB_DIR \
     --with-nspr-inc=$NSPR_INCLUDE_DIR \
-    --with-apr-config
+    --with-apr-config --enable-ecc
 
 make %{?_smp_mflags} all
 
@@ -89,8 +117,10 @@ rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
 mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir}
 mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
 
 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
 # httpd >= 2.4.x
@@ -100,10 +130,18 @@ sed -i /^LoadModule/d nss.conf
 install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}
 %endif
 
+install -m 644 gencert.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m 644 nss_pcache.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+
 install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir}
 
 install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
-install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
+install -m 755 nss_pcache $RPM_BUILD_ROOT%{_libexecdir}/
+# Provide a compatibility link to prevent disruption of customized deployments.
+#
+#     NOTE:  This link may be deprecated in a future release of 'mod_nss'.
+#
+ln -s %{_libexecdir}/nss_pcache $RPM_BUILD_ROOT%{_sbindir}/nss_pcache
 install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
 ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
 touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
@@ -135,6 +173,7 @@ fi
 %files
 %defattr(-,root,root,-)
 %doc README LICENSE docs/mod_nss.html
+%{_mandir}/man8/*
 %config(noreplace) %{_httpd_confdir}/nss.conf
 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
 %config(noreplace) %{_httpd_modconfdir}/10-nss.conf
@@ -146,10 +185,72 @@ fi
 %ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
 %ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
 %{_sysconfdir}/httpd/alias/libnssckbi.so
+%{_libexecdir}/nss_pcache
 %{_sbindir}/nss_pcache
 %{_sbindir}/gencert
 
 %changelog
+* Mon Oct 21 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-24
+- Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
+- Add '--enable-ecc' option to '%configure' line under '%build' section of
+  this spec file (mharmsen)
+- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
+- [mod_nss-PK11_ListCerts_2.patch]
+- Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user
+  certificates for every server (rcritten)
+- [mod_nss-array_overrun.patch]
+- Bugzilla Bug #1022717 - overrunning array when executing nss_pcache
+  (rcritten)
+- [mod_nss-clientauth.patch]
+- Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass
+  [fedora-all] (rcritten)
+- [mod_nss-no_shutdown_if_not_init_2.patch]
+- Bugzilla Bug #1022722 - File descriptor leak after "service httpd reload"
+  or httpd doesn't reload (rrelyea)
+- [mod_nss-proxyvariables.patch]
+- Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite
+  not set. (mharmsen)
+- [mod_nss-tlsv1_1.patch]
+- Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick
+  it up (mharmsen)
+- Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1
+  (mharmsen)
+- [mod_nss-sslmultiproxy_2.patch]
+- Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with
+  other SSL providers (jorton, mharmsen, nkinder, & rcritten)
+
+* Tue Jul 30 2013 Joe Orton <jorton at redhat.com> - 1.0.8-23
+- add dependency on httpd-mmn
+
+* Wed Jul  3 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-22
+- Moved 'nss_pcache' from %%sbindir to %%libexecdir
+  (provided compatibility link)
+
+* Tue Jul  2 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-21.1
+- rpmlint mod_nss.spec
+  0 packages and 1 specfiles checked; 0 errors, 0 warnings.
+- rpmlint mod_nss-1.0.8-21.1 (SRPM)
+  W: spelling-error %%description -l en_US nss -> ass, nos, nus
+  1 packages and 0 specfiles checked; 0 errors, 1 warnings.
+- rpmlint mod_nss-1.0.8-21.1 (RPM)
+  W: spelling-error %%description -l en_US nss -> ass, nos, nus
+  E: non-readable /etc/httpd/alias/cert8.db 0640L
+  E: non-readable /etc/httpd/alias/secmod.db 0640L
+  E: non-readable /etc/httpd/alias/key3.db 0640L
+  1 packages and 0 specfiles checked; 3 errors, 1 warnings.
+- rpmlint mod_nss-debuginfo-1.0.8-21.1 (RPM)
+  W: spelling-error Summary(en_US) nss -> ass, nos, nus
+  W: spelling-error %%description -l en_US nss -> ass, nos, nus
+  1 packages and 0 specfiles checked; 0 errors, 2 warnings.
+
+* Tue Jun 25 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-21
+- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff
+  testing
+- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache
+- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss
+- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec
+- Bugzilla Bug #948601 - Man page scan results for mod_nss
+
 * Fri Jul 20 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.0.8-19.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 
@@ -169,7 +270,7 @@ fi
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.0.8-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
-* Wed Mar  7 2011 Rob Crittenden <rcritten at redhat.com> - 1.0.8-14
+* Mon Mar  7 2011 Rob Crittenden <rcritten at redhat.com> - 1.0.8-14
 - Add Requires(post) for nss-tools, gencert needs it (#652007)
 
 * Wed Mar  2 2011 Rob Crittenden <rcritten at redhat.com> - 1.0.8-13

