[mod_nss/f19] Resolves: Bugzilla Bug #961471, 767802, 1022717, 1017675, 1022722, 1022726, 979798, 979718, 1021469

mharmsen mharmsen at fedoraproject.org
Thu Oct 24 21:17:50 UTC 2013


commit 36db980f9c7b187b84b76a65f80ccb898304cbc8
Author: Matthew Harmsen <mharmsen at redhat.com>
Date:   Thu Oct 24 14:17:30 2013 -0700

    Resolves:  Bugzilla Bug #961471, 767802, 1022717, 1017675, 1022722, 1022726, 979798, 979718, 1021469
    
    - Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
    - Add '--enable-ecc' option to '%configure' line under '%build' section of
      this spec file (mharmsen)
    - Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
    - [mod_nss-PK11_ListCerts_2.patch]
    - Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user
      certificates for every server (rcritten)
    - [mod_nss-array_overrun.patch]
    - Bugzilla Bug #1022717 - overrunning array when executing nss_pcache
      (rcritten)
    - [mod_nss-clientauth.patch]
    - Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass
      [fedora-all] (rcritten)
    - [mod_nss-no_shutdown_if_not_init_2.patch]
    - Bugzilla Bug #1022722 - File descriptor leak after "service httpd reload"
      or httpd doesn't reload (rrelyea)
    - [mod_nss-proxyvariables.patch]
    - Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite
      not set. (mharmsen)
    - [mod_nss-tlsv1_1.patch]
    - Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick
      it up (mharmsen)
    - Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1
      (mharmsen)
    - [mod_nss-sslmultiproxy_2.patch]
    - Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with
      other SSL providers (jorton, mharmsen, nkinder, & rcritten)

 mod_nss-PK11_ListCerts_2.patch          |  201 +++++++++
 mod_nss-array_overrun.patch             |   16 +
 mod_nss-clientauth.patch                |   50 ++
 mod_nss-no_shutdown_if_not_init_2.patch |   23 +
 mod_nss-proxyvariables.patch            |   83 ++++
 mod_nss-sslmultiproxy.patch             |  211 +++++++++
 mod_nss-sslmultiproxy_2.patch           |  211 +++++++++
 mod_nss-tlsv1_1.patch                   |  744 +++++++++++++++++++++++++++++++
 mod_nss.spec                            |   88 +++-
 9 files changed, 1611 insertions(+), 16 deletions(-)
---
diff --git a/mod_nss-PK11_ListCerts_2.patch b/mod_nss-PK11_ListCerts_2.patch
new file mode 100644
index 0000000..0ef492c
--- /dev/null
+++ b/mod_nss-PK11_ListCerts_2.patch
@@ -0,0 +1,201 @@
+diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
+--- ./mod_nss.h   2010-09-08 21:06:49.000000000 +0800
++++ ./mod_nss.h.PK11_ListCerts    2010-09-08 21:06:22.000000000 +0800
+@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
+ /*  module initialization  */
+ int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void nss_init_Child(apr_pool_t *, server_rec *);
+-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
++void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
+ apr_status_t nss_init_ModuleKill(void *data);
+ apr_status_t nss_init_ChildKill(void *data);
+ int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
+diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
+--- ./nss_engine_init.c   2010-09-08 21:07:13.000000000 +0800
++++ ./nss_engine_init.c.PK11_ListCerts    2010-09-09 00:21:59.000000000 +0800
+@@ -26,7 +26,7 @@
+ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
+ static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
+ static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
+-static CERTCertificate* FindServerCertFromNickname(const char* name);
++static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+
+ /*
+@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
+                      "Init: Initializing (virtual) servers for SSL");
+
++        CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
++
+         for (s = base_server; s; s = s->next) {
+             sc = mySrvConfig(s);
+             /*
+@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
+             /*
+              * Read the server certificate and key
+              */
+-            nss_init_ConfigureServer(s, p, ptemp, sc);
++            nss_init_ConfigureServer(s, p, ptemp, sc, clist);
++        }
++
++        if (clist) {
++            CERT_DestroyCertList(clist);
+         }
+     }
+
+@@ -880,7 +886,8 @@ static void nss_init_certificate(server_
+                                  SECKEYPrivateKey **serverkey,
+                                  SSLKEAType *KEAtype,
+                                  PRFileDesc *model,
+-                                 int enforce)
++                                 int enforce,
++                                 const CERTCertList* clist)
+ {
+     SECCertTimeValidity certtimestatus;
+     SECStatus secstatus;
+@@ -894,17 +901,15 @@ static void nss_init_certificate(server_
+     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+          "Using nickname %s.", nickname);
+
+-    *servercert = FindServerCertFromNickname(nickname);
++    *servercert = FindServerCertFromNickname(nickname, clist);
+
+     /* Verify the certificate chain. */
+     if (*servercert != NULL) {
+         SECCertificateUsage usage = certificateUsageSSLServer;
+
+-        if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
+-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "Certificate not verified: '%s'", nickname);
++        if (enforce) {
++            if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess)  {
+             nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+-            if (enforce) {
+                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
+                 nss_die();
+@@ -994,7 +999,8 @@ static void nss_init_certificate(server_
+ static void nss_init_server_certs(server_rec *s,
+                                   apr_pool_t *p,
+                                   apr_pool_t *ptemp,
+-                                  modnss_ctx_t *mctx)
++                                  modnss_ctx_t *mctx,
++                                  const CERTCertList* clist)
+ {
+     SECStatus secstatus;
+
+@@ -1015,11 +1021,11 @@ static void nss_init_server_certs(server
+
+         nss_init_certificate(s, mctx->nickname, &mctx->servercert,
+                              &mctx->serverkey, &mctx->serverKEAType,
+-                             mctx->model, mctx->enforce);
++                             mctx->model, mctx->enforce, clist);
+ #ifdef NSS_ENABLE_ECC
+         nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
+                              &mctx->eccserverkey, &mctx->eccserverKEAType,
+-                             mctx->model, mctx->enforce);
++                             mctx->model, mctx->enforce, clist);
+ #endif
+     }
+
+@@ -1043,23 +1049,25 @@ static void nss_init_server_certs(server
+ static void nss_init_proxy_ctx(server_rec *s,
+                                 apr_pool_t *p,
+                                 apr_pool_t *ptemp,
+-                                SSLSrvConfigRec *sc)
++                                SSLSrvConfigRec *sc,
++                                const CERTCertList* clist)
+ {
+     nss_init_ctx(s, p, ptemp, sc->proxy);
+
+-    nss_init_server_certs(s, p, ptemp, sc->proxy);
++    nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
+ }
+
+ static void nss_init_server_ctx(server_rec *s,
+                                 apr_pool_t *p,
+                                 apr_pool_t *ptemp,
+-                                SSLSrvConfigRec *sc)
++                                SSLSrvConfigRec *sc,
++                                const CERTCertList* clist)
+ {
+     nss_init_server_check(s, p, ptemp, sc->server);
+
+     nss_init_ctx(s, p, ptemp, sc->server);
+
+-    nss_init_server_certs(s, p, ptemp, sc->server);
++    nss_init_server_certs(s, p, ptemp, sc->server, clist);
+ }
+
+ /*
+@@ -1068,18 +1076,19 @@ static void nss_init_server_ctx(server_r
+ void nss_init_ConfigureServer(server_rec *s,
+                               apr_pool_t *p,
+                               apr_pool_t *ptemp,
+-                              SSLSrvConfigRec *sc)
++                              SSLSrvConfigRec *sc,
++                              const CERTCertList* clist)
+ {
+     if (sc->enabled == TRUE) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                      "Configuring server for SSL protocol");
+-        nss_init_server_ctx(s, p, ptemp, sc);
++        nss_init_server_ctx(s, p, ptemp, sc, clist);
+     }
+
+     if (sc->proxy_enabled == TRUE) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                      "Enabling proxy.");
+-        nss_init_proxy_ctx(s, p, ptemp, sc);
++        nss_init_proxy_ctx(s, p, ptemp, sc, clist);
+     }
+ }
+
+@@ -1131,10 +1140,14 @@ void nss_init_Child(apr_pool_t *p, serve
+     nss_init_SSLLibrary(base_server);
+
+     /* Configure all virtual servers */
++    CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+     for (s = base_server; s; s = s->next) {
+         sc = mySrvConfig(s);
+         if (sc->server->servercert == NULL && NSS_IsInitialized())
+-            nss_init_ConfigureServer(s, p, mc->ptemp, sc);
++            nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
++    }
++    if (clist) {
++        CERT_DestroyCertList(clist);
+     }
+
+     /* 
+@@ -1323,9 +1336,8 @@ cert_IsNewer(CERTCertificate *certa, CER
+  * newest, valid server certificate.
+  */
+ static CERTCertificate*
+-FindServerCertFromNickname(const char* name)
++FindServerCertFromNickname(const char* name, const CERTCertList* clist)
+ {
+-    CERTCertList* clist;
+     CERTCertificate* bestcert = NULL;
+
+     CERTCertListNode *cln;
+@@ -1335,8 +1347,6 @@ FindServerCertFromNickname(const char* n
+     if (name == NULL)
+         return NULL;
+
+-    clist = PK11_ListCerts(PK11CertListUser, NULL);
+-
+     for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
+         cln = CERT_LIST_NEXT(cln)) {
+         CERTCertificate* cert = cln->cert;
+@@ -1401,9 +1411,6 @@ FindServerCertFromNickname(const char* n
+     if (bestcert) {
+         bestcert = CERT_DupCertificate(bestcert);
+     }
+-    if (clist) {
+-        CERT_DestroyCertList(clist);
+-    }
+     return bestcert;
+ }
+
+
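Review bot: `FindServerCertFromNickname()` now walks `CERT_LIST_HEAD(clist)` without checking that `clist` is non-NULL, while both callers in `nss_init_Module()` and `nss_init_Child()` guard `CERT_DestroyCertList()` with `if (clist)`, so a failed `PK11_ListCerts()` would crash httpd at startup instead of falling through to the `*servercert != NULL` check that `nss_init_certificate()` already has; extend the early return to `if (name == NULL || clist == NULL) return NULL;`. Separately, the reshuffle in `nss_init_certificate()` moves `CERT_VerifyCertificateNow()` inside `if (enforce)`, so with `NSSEnforceValidCerts off` an expired or untrusted server certificate is no longer verified or logged at all, whereas the old code still emitted the "Certificate not verified" APLOG_ERR line; consider keeping the verification unconditional and gating only `nss_die()` on `enforce` so operators keep the warning. That inner `nss_init_certificate` hunk is cut off before the function ends, so I cannot see whether a later message covers the non-enforcing case.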
diff --git a/mod_nss-array_overrun.patch b/mod_nss-array_overrun.patch
new file mode 100644
index 0000000..67d841d
--- /dev/null
+++ b/mod_nss-array_overrun.patch
@@ -0,0 +1,16 @@
+mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
+"child_argv", with 5 elements, at position 5 with index variable "5".
+
+https://bugzilla.redhat.com/show_bug.cgi?id=714154
+diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2011-08-01 13:24:34.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_init.c	2011-08-01 13:25:36.000000000 -0400
+@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
+ 
+     /* Do we need to fire up our password helper? */
+     if (mc->nInitCount == 1) {
+-        const char * child_argv[5];
++        const char * child_argv[6];
+         apr_status_t rv;
+         struct sembuf sb;
+         char sembuf[32];
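Review bot: The new size `6` for `child_argv` is a bare literal with nothing saying why index 5 is written, so the next person who adds an argument to the nss_pcache invocation will reintroduce the overrun; annotate the line, e.g. `const char * child_argv[6];  /* 5 arguments + terminating NULL; keep in sync with the assignments below */`. The assignments are outside the hunk, so the terminating-NULL explanation is my presumption from the "position 5" report in the patch header. A named constant shared by the array size and the last assignment index would be more robust still. The header cites bug 714154 while the commit refers to 1022717; worth aligning if they track the same issue.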
diff --git a/mod_nss-clientauth.patch b/mod_nss-clientauth.patch
new file mode 100644
index 0000000..44f3c97
--- /dev/null
+++ b/mod_nss-clientauth.patch
@@ -0,0 +1,50 @@
+The first fix is to retrieve the full certificate subject instead of just the
+CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
+
+The second always attempts to retrieve the client certificate in
+nss_hook_ReadReq().
+
+https://bugzilla.redhat.com/show_bug.cgi?id=702437
+--- mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-10 15:45:49.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-11 15:21:30.000000000 -0400
+@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
+ 
+     status = SSL_AuthCertificate(arg, socket, checksig, isServer);
+ 
+-    if (status == SECSuccess) {
+-        conn_rec *c = filter_ctx->c;
+-        SSLConnRec *sslconn = myConnConfig(c);
+-
+-        sslconn->client_cert = SSL_PeerCertificate(socket);
+-        sslconn->client_dn = NULL;
+-    }
++    /* The certificate is copied to sslconn->client_cert in
++     * nss_hook_ReadReq()
++     */
+ 
+     return status;
+ }
+--- mod_nss-1.0.8.orig/nss_engine_kernel.c	2007-05-31 17:36:03.000000000 -0400
++++ mod_nss-1.0.8.orig/nss_engine_kernel.c	2011-05-11 15:30:38.000000000 -0400
+@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
+                      nss_util_vhostid(r->pool, r->server));
+     }
+ 
++    if (sslconn->client_cert != NULL)
++        CERT_DestroyCertificate(sslconn->client_cert);
++    sslconn->client_cert = SSL_PeerCertificate(ssl);
++    sslconn->client_dn = NULL;
++
+     return DECLINED;
+ }
+ 
+@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
+     }
+ 
+     if (!sslconn->client_dn) {
+-        char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
+-        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
++        char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
++        sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
+         PORT_Free(cp);
+     }
diff --git a/mod_nss-no_shutdown_if_not_init_2.patch b/mod_nss-no_shutdown_if_not_init_2.patch
new file mode 100644
index 0000000..13eddeb
--- /dev/null
+++ b/mod_nss-no_shutdown_if_not_init_2.patch
@@ -0,0 +1,23 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-01-27 17:18:41.001015000 -0800
++++ mod_nss-1.0.8/nss_engine_init.c	2012-01-27 17:20:14.093830000 -0800
+@@ -1237,9 +1237,6 @@ apr_status_t nss_init_ChildKill(void *da
+     server_rec *s;
+     int shutdown = 0;
+ 
+-    /* Clear any client-side session cache data */
+-    SSL_ClearSessionCache();
+-
+     /*
+      * Free the non-pool allocated structures
+      * in the per-server configurations
+@@ -1282,6 +1279,9 @@ apr_status_t nss_init_ChildKill(void *da
+     }
+ 
+     if (shutdown) {
++        /* Clear any client-side session cache data */
++        SSL_ClearSessionCache();
++
+         if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+             != SECSuccess) {
+             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
diff --git a/mod_nss-proxyvariables.patch b/mod_nss-proxyvariables.patch
new file mode 100644
index 0000000..5506093
--- /dev/null
+++ b/mod_nss-proxyvariables.patch
@@ -0,0 +1,83 @@
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-10-03 14:28:50.751794000 -0700
++++ mod_nss-1.0.8/nss_engine_init.c	2012-10-04 16:33:08.278929000 -0700
+@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
+         tls = 1;
+     } else {
+         if (mctx->auth.protocols == NULL) {
+-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                "NSSProtocols not set; using: SSLv3 and TLSv1");
++            /*
++             * Since this routine will be invoked individually for every
++             * thread associated with each 'server' object as well as for
++             * every thread associated with each 'proxy' object, issue a
++             * single per-thread 'warning' message for either a 'server'
++             * or a 'proxy' based upon the thread's object type.
++             */
++            if (mctx == mctx->sc->server) {
++                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
++            } else if (mctx == mctx->sc->proxy) {
++                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
++            }
++
+             ssl3 = tls = 1;
+         } else {
+             lprotocols = strdup(mctx->auth.protocols);
+@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
+      *  Configure SSL Cipher Suite
+      */
+     if (!suite) {
+-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                     "Required value NSSCipherSuite not set.");
++        /*
++         * Since this is a 'fatal' error, regardless of whether this
++         * particular invocation is from a 'server' object or a 'proxy'
++         * object, issue all error message(s) as appropriate.
++         */
++        if ((mctx->sc->enabled == TRUE) &&
++            (mctx->sc->server) &&
++            (!mctx->sc->server->auth.cipher_suite)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                "NSSEngine on; required value NSSCipherSuite not set.");
++        }
++
++        if ((mctx->sc->proxy_enabled == TRUE) &&
++            (mctx->sc->proxy) &&
++            (!mctx->sc->proxy->auth.cipher_suite)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                "NSSProxyEngine on; required value NSSProxyCipherSuite not set.");
++        }
++
+         nss_die();
+     }
+     ciphers = strdup(suite);
+@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
+         if (mctx->nickname == NULL)
+ #endif
+         {
+-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "No certificate nickname provided.");
++            /*
++             * Since this is a 'fatal' error, regardless of whether this
++             * particular invocation is from a 'server' object or a 'proxy'
++             * object, issue all error message(s) as appropriate.
++             */
++            if ((mctx->sc->enabled == TRUE) &&
++                (mctx->sc->server) &&
++                (mctx->sc->server->nickname == NULL)) {
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                    "NSSEngine on; no certificate nickname provided by NSSNickname.");
++            }
++
++            if ((mctx->sc->proxy_enabled == TRUE) &&
++                (mctx->sc->proxy) &&
++                (mctx->sc->proxy->nickname == NULL)) {
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++                    "NSSProxyEngine on; no certificate nickname provided by NSSProxyNickname.");
++            }
++
+             nss_die();
+         }
+ 
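Review bot: In both the `if (!suite)` block and the missing-nickname block the single unconditional error line was replaced by two flag-dependent ones, so `nss_die()` can now be reached with nothing logged if neither `sc->enabled`/`sc->proxy_enabled` condition matches the context being initialized, leaving an operator with a dead server and an empty error log. Since `suite` (presumably `mctx->auth.cipher_suite`, given the `auth.cipher_suite` checks in the same hunk) is already known to be NULL for the current context, guarantee one line before `nss_die()`: `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Required value %s not set.", mctx == mctx->sc->proxy ? "NSSProxyCipherSuite" : "NSSCipherSuite");`, and apply the same pattern with `NSSProxyNickname`/`NSSNickname` in the nickname block, keeping the two flag-based messages as extra detail. The enclosing functions start and end outside the hunk.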
diff --git a/mod_nss-sslmultiproxy.patch b/mod_nss-sslmultiproxy.patch
new file mode 100644
index 0000000..c667653
--- /dev/null
+++ b/mod_nss-sslmultiproxy.patch
@@ -0,0 +1,211 @@
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2012-11-09 16:13:26.967022000 -0800
++++ mod_nss-1.0.8/mod_nss.c	2012-11-09 20:18:39.936927000 -0800
+@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
+     return sslconn;
+ }
+ 
++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
++
+ int nss_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
+     SSLConnRec *sslconn = nss_init_connection_ctx(c);
+ 
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_nss proxy not configured, passing through to mod_ssl module");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                      "SSL Proxy requested for %s but not enabled "
+                      "[Hint: NSSProxyEngine]", sc->vhost_id);
+@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_proxy_enable(conn_rec *c) {
++static int ssl_proxy_enable(conn_rec *c) {
+     return nss_proxy_enable(c);
+ }
+ 
+@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
+ 
+     SSLConnRec *sslconn;
+ 
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sc->enabled == FALSE) {
+         return 0;
+     }
+@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_engine_disable(conn_rec *c) {
++static int ssl_engine_disable(conn_rec *c) {
+     return nss_engine_disable(c);
+ }
+ 
+@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
+ 
+     nss_var_register();
+ 
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
+ 
+-    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
++    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ }
+ 
+ module AP_MODULE_DECLARE_DATA nss_module = {
+diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h	2012-11-09 16:13:26.799022000 -0800
++++ mod_nss-1.0.8/mod_nss.h	2012-11-09 17:14:18.660077000 -0800
+@@ -13,8 +13,8 @@
+  * limitations under the License.
+  */
+ 
+-#ifndef __MOD_SSL_H__
+-#define __MOD_SSL_H__
++#ifndef __MOD_NSS_H__
++#define __MOD_NSS_H__
+ 
+ /* Apache headers */
+ #include "httpd.h"
+@@ -25,6 +25,7 @@
+ #include "http_connection.h"
+ #include "http_request.h"
+ #include "http_protocol.h"
++#include "mod_ssl.h"
+ #include "util_script.h"
+ #include "util_filter.h"
+ #include "mpm.h"
+@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
+ /*  Variables  */
+ void         nss_var_register(void);
+ char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+-char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+ void         nss_var_log_config_register(apr_pool_t *p);
+ 
+ APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
+                         (apr_pool_t *, server_rec *,
+                          conn_rec *, request_rec *, 
+                          char *));
+-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+-                        (apr_pool_t *, server_rec *,
+-                         conn_rec *, request_rec *, 
+-                         char *));
+ 
+ /* An optional function which returns non-zero if the given connection
+  * is using SSL/TLS. */
+ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+ 
+ /* Proxy Support */
+ int nss_proxy_enable(conn_rec *c);
+ int nss_engine_disable(conn_rec *c);
+-int ssl_proxy_enable(conn_rec *c);
+-int ssl_engine_disable(conn_rec *c);
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+ /* I/O */
+ PRFileDesc * nss_io_new_fd();
+@@ -495,4 +486,4 @@ void nss_die(void);
+ 
+ /* NSS callback */
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+-#endif /* __MOD_SSL_H__ */
++#endif /* __MOD_NSS_H__ */
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2012-11-09 16:13:26.997024000 -0800
++++ mod_nss-1.0.8/nss_engine_vars.c	2012-11-09 20:15:32.948488000 -0800
+@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
+ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
+ static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
+ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
++
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+ 
+ static int nss_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = myConnConfig(c);
+-    return sslconn && sslconn->ssl;
++
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ 
+ static int ssl_is_https(conn_rec *c) {
+@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
+ 
+ void nss_var_register(void)
+ {
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_is_https);
+     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
+ 
+-    /* These can only be registered if mod_ssl is not loaded */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
++    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ 
+     return;
+ }
+@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = myConnConfig(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* If mod_ssl is registered for this connection,
++             * pass any SSL_* variable through to the mod_ssl module
++             */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
+                  && sslconn && sslconn->ssl)
+             result = nss_var_lookup_ssl(p, c, var+4);
+@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
+     return result;
+ }
+ 
+-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+     return nss_var_lookup(p, s, c, r, var);
+ }
+ 
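Review bot: This file appears to be superseded by `mod_nss-sslmultiproxy_2.patch` added in the same commit: the two differ only in timestamps, hunk offsets and one context line (`mpm.h` versus `apr.h`), and the changelog lists only the `_2` variant. If the spec applies only `_2` (the spec hunk is not in view), carrying an unapplied near-duplicate invites the two to drift and the wrong one to be revived on a future rebase; drop this file or keep a single copy under one name.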
diff --git a/mod_nss-sslmultiproxy_2.patch b/mod_nss-sslmultiproxy_2.patch
new file mode 100644
index 0000000..5d97f2e
--- /dev/null
+++ b/mod_nss-sslmultiproxy_2.patch
@@ -0,0 +1,211 @@
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2013-10-21 15:01:49.000000000 -0700
++++ mod_nss-1.0.8/mod_nss.c	2013-10-21 15:20:57.000000000 -0700
+@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
+     return sslconn;
+ }
+ 
++static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
++
+ int nss_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
+     SSLConnRec *sslconn = nss_init_connection_ctx(c);
+ 
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_nss proxy not configured, passing through to mod_ssl module");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                      "SSL Proxy requested for %s but not enabled "
+                      "[Hint: NSSProxyEngine]", sc->vhost_id);
+@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_proxy_enable(conn_rec *c) {
++static int ssl_proxy_enable(conn_rec *c) {
+     return nss_proxy_enable(c);
+ }
+ 
+@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
+ 
+     SSLConnRec *sslconn;
+ 
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sc->enabled == FALSE) {
+         return 0;
+     }
+@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
+     return 1;
+ }
+ 
+-int ssl_engine_disable(conn_rec *c) {
++static int ssl_engine_disable(conn_rec *c) {
+     return nss_engine_disable(c);
+ }
+ 
+@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
+ 
+     nss_var_register();
+ 
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
+ 
+-    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
++    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ }
+ 
+ module AP_MODULE_DECLARE_DATA nss_module = {
+diff -rupN mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h	2013-10-21 15:01:49.000000000 -0700
++++ mod_nss-1.0.8/mod_nss.h	2013-10-21 15:24:06.000000000 -0700
+@@ -13,8 +13,8 @@
+  * limitations under the License.
+  */
+ 
+-#ifndef __MOD_SSL_H__
+-#define __MOD_SSL_H__
++#ifndef __MOD_NSS_H__
++#define __MOD_NSS_H__
+ 
+ /* Apache headers */
+ #include "httpd.h"
+@@ -25,6 +25,7 @@
+ #include "http_connection.h"
+ #include "http_request.h"
+ #include "http_protocol.h"
++#include "mod_ssl.h"
+ #include "util_script.h"
+ #include "util_filter.h"
+ #include "apr.h"
+@@ -437,34 +438,24 @@ int nss_hook_ReadReq(request_rec *r);
+ /*  Variables  */
+ void         nss_var_register(void);
+ char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+-char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+ void         nss_var_log_config_register(apr_pool_t *p);
+ 
+ APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
+                         (apr_pool_t *, server_rec *,
+                          conn_rec *, request_rec *, 
+                          char *));
+-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+-                        (apr_pool_t *, server_rec *,
+-                         conn_rec *, request_rec *, 
+-                         char *));
+ 
+ /* An optional function which returns non-zero if the given connection
+  * is using SSL/TLS. */
+ APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+ 
+ /* Proxy Support */
+ int nss_proxy_enable(conn_rec *c);
+ int nss_engine_disable(conn_rec *c);
+-int ssl_proxy_enable(conn_rec *c);
+-int ssl_engine_disable(conn_rec *c);
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
+-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+ /* I/O */
+ PRFileDesc * nss_io_new_fd();
+@@ -494,4 +485,4 @@ void nss_die(void);
+ 
+ /* NSS callback */
+ SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
+-#endif /* __MOD_SSL_H__ */
++#endif /* __MOD_NSS_H__ */
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2013-10-21 15:01:50.000000000 -0700
++++ mod_nss-1.0.8/nss_engine_vars.c	2013-10-21 15:43:43.000000000 -0700
+@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
+ static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
+ static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
+ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
++
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
+ 
+ static int nss_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = myConnConfig(c);
+-    return sslconn && sslconn->ssl;
++
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ 
+ static int ssl_is_https(conn_rec *c) {
+@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
+ 
+ void nss_var_register(void)
+ {
++    /* Always register these mod_nss optional functions */
+     APR_REGISTER_OPTIONAL_FN(nss_is_https);
+     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
+ 
+-    /* These can only be registered if mod_ssl is not loaded */
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
+-        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
++    /* Save the state of any previously registered mod_ssl functions */
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
++    /* Always register these local mod_ssl optional functions */
++    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
++    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ 
+     return;
+ }
+@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = myConnConfig(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* If mod_ssl is registered for this connection,
++             * pass any SSL_* variable through to the mod_ssl module
++             */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
+                  && sslconn && sslconn->ssl)
+             result = nss_var_lookup_ssl(p, c, var+4);
+@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
+     return result;
+ }
+ 
+-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
++static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+     return nss_var_lookup(p, s, c, r, var);
+ }
+ 
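Review bot: The chaining set up in `nss_register_hooks()` and `nss_var_register()` only works when mod_ssl registered its optional functions before mod_nss: `APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable)` is evaluated at hook-registration time, and as far as I recall APR's optional-function registry is a name-keyed table where the last `APR_REGISTER_OPTIONAL_FN` wins, so with `LoadModule nss_module` ahead of `LoadModule ssl_module` the `othermod_*` pointers stay NULL and mod_ssl's later registration silently replaces these wrappers. State that next to the retrieval, e.g. `/* Requires mod_ssl to be loaded before mod_nss; a later mod_ssl registration replaces these wrappers and othermod_* remain NULL. */`, and in the module documentation. Separately, `nss_engine_disable()` discards the return value of `othermod_engine_disable(c)` and still returns 0 when `sc->enabled == FALSE`, so a caller cannot tell that mod_ssl did disable the connection; capture it, `int rc = othermod_engine_disable ? othermod_engine_disable(c) : 0;` followed by `if (sc->enabled == FALSE) return rc;`.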
diff --git a/mod_nss-tlsv1_1.patch b/mod_nss-tlsv1_1.patch
new file mode 100644
index 0000000..be8449e
--- /dev/null
+++ b/mod_nss-tlsv1_1.patch
@@ -0,0 +1,744 @@
+diff -rupN mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
+--- mod_nss-1.0.8.orig/docs/mod_nss.html	2012-10-15 13:53:48.889995000 -0700
++++ mod_nss-1.0.8/docs/mod_nss.html	2012-10-16 11:37:30.983783000 -0700
+@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
+ <br>
+ Enables or disables FIPS 140 mode. This replaces the standard
+ internal PKCS#11 module with a FIPS-enabled one. It also forces the
+-enabled protocols to TLSv1 and disables all ciphers but the
++enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the
+ FIPS ones. You may still select which ciphers you would like
+ limited to those that are FIPS-certified. Any non-FIPS that are
+ included in the NSSCipherSuite entry are automatically disabled.
+@@ -570,7 +570,7 @@ definition<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1<br>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br>
+       </td>
+     </tr>
+     <tr>
+@@ -578,106 +578,106 @@ definition<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_null_md5<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_null_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc2_40_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_128_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_128_sha</td>
+       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_40_md5</td>
+       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza_rc4_128_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fortezza_null<br>
+       </td>
+       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fips_des_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">fips_3des_sha<br>
+       </td>
+       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_des_56_sha</td>
+       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSL3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_rc4_56_sha</td>
+       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_aes_128_sha<br>
+       </td>
+       <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td style="vertical-align: top;">rsa_aes_256_sha<br>
+       </td>
+       <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
+       </td>
+-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
++      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
+     </tr>
+   </tbody>
+ </table>
+@@ -698,127 +698,127 @@ Definition<br>
+     <tr>
+       <td>ecdh_ecdsa_null_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_rc4_128_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_3des_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_aes_128_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_ecdsa_aes_256_sha</td>
+       <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_null_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_rc4_128_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_3des_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_aes_128_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_ecdsa_aes_256_sha</td>
+       <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_null_sha</td>
+       <td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_128_sha</td>
+       <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_3des_sha</td>
+       <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_aes_128_sha</td>
+       <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_rsa_aes_256_sha</td>
+       <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>echde_rsa_null</td>
+       <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_rc4_128_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_3des_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_aes_128_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdhe_rsa_aes_256_sha</td>
+       <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_null_sha</td>
+       <td>TLS_ECDH_anon_WITH_NULL_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_rc4_128sha</td>
+       <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_3des_sha</td>
+       <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_aes_128_sha</td>
+       <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+     <tr>
+       <td>ecdh_anon_aes_256_sha</td>
+       <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
+-      <td>TLSv1</td>
++      <td>TLSv1.0/TLSv1.1</td>
+     </tr>
+   </tbody>
+ </table>
+@@ -839,16 +839,35 @@ specifically but allows ciphers for that
+ Options are:<br>
+ <ul>
+   <li><code>SSLv3</code></li>
+-  <li><code>TLSv1</code></li>
++  <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
++  <li><code>TLSv1.0</code></li>
++  <li><code>TLSv1.1</code></li>
+   <li><code>All</code></li>
+ </ul>
+ Note that this differs from mod_ssl in that you can't add or subtract
+ protocols.<br>
++<br>
++If no NSSProtocol is specified, mod_nss will default to allowing the use of
++the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the
++minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol
++allowed.
++<br>
++If values for NSSProtocol are specified, mod_nss will set both the minimum
++and the maximum allowed protocols based upon these entries allowing for the
++inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1
++are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes
++protocol ranges to accept all protocols inclusively
++(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
++in the middle of a range (e. g. - TLS 1.0).<br>
++<br>
++Finally, NSS will always automatically negotiate the use of the strongest
++possible protocol that has been specified which is acceptable to both sides of
++a given connection.<br>
+ <a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
+ <br>
+ <span style="font-weight: bold;">Example</span><br>
+ <br>
+-<code>NSSProtocol SSLv3,TLSv1</code><br>
++<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1</code><br>
+ <br>
+ <big><big>NSSNickname<br>
+ </big></big><br>
+@@ -1101,7 +1120,7 @@ was compiled against.<br>
+     <tr>
+       <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
+       </code></td>
+-      <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
++      <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br>
+       </td>
+     </tr>
+     <tr>
+@@ -1443,7 +1462,7 @@ Opera, and
+ Safari) support SSL 3 and TLS so there is no need for a web server to
+ support
+ SSL 2. There are some known attacks against SSL 2 that are handled by
+-SSL 3/TLS. SSL2 also doesn't support useful features like client
++SSL 3/TLS. SSLv2 also doesn't support useful features like client
+ authentication.
+ <br>
+ <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
+diff -rupN mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c	2012-10-15 13:53:48.971995000 -0700
++++ mod_nss-1.0.8/mod_nss.c	2012-10-17 09:46:18.838689000 -0700
+@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
+                 "(`[+-]XXX,...,[+-]XXX' - see manual)")
+     SSL_CMD_SRV(Protocol, RAW_ARGS,
+                 "Enable the various SSL protocols"
+-                "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
++                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)")
+     SSL_CMD_ALL(VerifyClient, TAKE1,
+                 "SSL Client Authentication "
+                 "(`none', `optional', `require'")
+@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
+                 "(`on', `off')")
+     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+                "SSL Proxy: enable or disable SSL protocol flavors "
+-               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)")
+     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+                "(`XXX:...:XXX' - see manual)")
+diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in
+--- mod_nss-1.0.8.orig/nss.conf.in	2012-10-15 13:53:48.856995000 -0700
++++ mod_nss-1.0.8/nss.conf.in	2012-10-19 18:06:59.101468000 -0700
+@@ -111,7 +111,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+ # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+ #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+ 
+-NSSProtocol SSLv3,TLSv1
++#   SSL Protocol:
++#   Cryptographic protocols that provide communication security.
++#   NSS handles the specified protocols as "ranges", and automatically
++#   negotiates the use of the strongest protocol for a connection starting
++#   with the maximum specified protocol and downgrading as necessary to the
++#   minimum specified protocol that can be used between two processes.
++#   Since all protocol ranges are completely inclusive, and no protocol in the
++#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
++#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
++NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+ 
+ #   SSL Certificate Nickname:
+ #   The nickname of the RSA server certificate you are going to use.
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c	2012-10-15 13:53:49.165998000 -0700
++++ mod_nss-1.0.8/nss_engine_init.c	2012-10-19 17:44:04.973592000 -0700
+@@ -616,62 +616,98 @@ static void nss_init_ctx_protocol(server
+                                   apr_pool_t *ptemp,
+                                   modnss_ctx_t *mctx)
+ {
+-    int ssl2, ssl3, tls;
++    int ssl2, ssl3, tls, tls1_1;
++    char *protocol_marker = NULL;
+     char *lprotocols = NULL;
+     SECStatus stat;
++    SSLVersionRange enabledVersions;
+ 
+-    ssl2 = ssl3 = tls = 0;
++    ssl2 = ssl3 = tls = tls1_1 = 0;
++
++    /*
++     * Since this routine will be invoked individually for every thread
++     * associated with each 'server' object as well as for every thread
++     * associated with each 'proxy' object, identify the protocol marker
++     * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
++     * via each thread's object type and apply this useful information to
++     * all log messages.
++     */
++    if (mctx == mctx->sc->server) {
++        protocol_marker = "NSSProtocol";
++    } else if (mctx == mctx->sc->proxy) {
++        protocol_marker = "NSSProxyProtocol";
++    }
+ 
+     if (mctx->sc->fips) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+-            "In FIPS mode, enabling TLSv1");
+-        tls = 1;
++            "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1",
++            protocol_marker);
++        tls = tls1_1 = 1;
+     } else {
+         if (mctx->auth.protocols == NULL) {
+-            /*
+-             * Since this routine will be invoked individually for every
+-             * thread associated with each 'server' object as well as for
+-             * every thread associated with each 'proxy' object, issue a
+-             * single per-thread 'warning' message for either a 'server'
+-             * or a 'proxy' based upon the thread's object type.
+-             */
+-            if (mctx == mctx->sc->server) {
+-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
+-            } else if (mctx == mctx->sc->proxy) {
+-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+-            }
++            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                         "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",
++                         protocol_marker);
+ 
+-            ssl3 = tls = 1;
++            ssl3 = tls = tls1_1 = 1;
+         } else {
+             lprotocols = strdup(mctx->auth.protocols);
+             ap_str_tolower(lprotocols);
+ 
+             if (strstr(lprotocols, "all") != NULL) {
+ #ifdef WANT_SSL2
+-                ssl2 = ssl3 = tls = 1;
++                ssl2 = ssl3 = tls = tls1_1= 1;
+ #else
+-                ssl3 = tls = 1;
++                ssl3 = tls = tls1_1 = 1;
+ #endif
+             } else {
+-                if (strstr(lprotocols, "sslv2") != NULL) {
++                char *protocol_list = NULL;
++                char *saveptr = NULL;
++                char *token = NULL;
++
++                for (protocol_list = lprotocols; ; protocol_list = NULL) {
++                    token = strtok_r(protocol_list, ",", &saveptr);
++                    if (token == NULL) {
++                        break;
++                    } else if (strcmp(token, "sslv2") == 0) {
+ #ifdef WANT_SSL2
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
+-                    ssl2 = 1;
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling SSL2",
++                                     protocol_marker);
++                        ssl2 = 1;
+ #else
+-                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
++                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++                                     "%s:  SSL2 is not supported",
++                                     protocol_marker);
+ #endif
+-                }
+-
+-                if (strstr(lprotocols, "sslv3") != NULL) {
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
+-                    ssl3 = 1;
+-                }
+-
+-                if (strstr(lprotocols, "tlsv1") != NULL) {
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
+-                    tls = 1;
++                    } else if (strcmp(token, "sslv3") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling SSL3",
++                                     protocol_marker);
++                        ssl3 = 1;
++                    } else if (strcmp(token, "tlsv1") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.0 via TLSv1",
++                                     protocol_marker);
++                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
++                                     "%s:  The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
++                                     protocol_marker);
++                        tls = 1;
++                    } else if (strcmp(token, "tlsv1.0") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.0",
++                                     protocol_marker);
++                        tls = 1;
++                    } else if (strcmp(token, "tlsv1.1") == 0) {
++                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                                     "%s:  Enabling TLSv1.1",
++                                     protocol_marker);
++                        tls1_1 = 1;
++                    } else {
++                        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
++                                     "%s:  Unknown protocol '%s' not supported",
++                                     protocol_marker, token);
++                    }
+                 }
+             }
+             free(lprotocols);
+@@ -686,31 +722,98 @@ static void nss_init_ctx_protocol(server
+         stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
+     }
+ 
++    /* Set protocol version ranges:
++     *
++     *     (1) Set the minimum protocol accepted
++     *     (2) Set the maximum protocol accepted
++     *     (3) Protocol ranges extend from maximum down to minimum protocol
++     *     (4) All protocol ranges are completely inclusive;
++     *         no protocol in the middle of a range may be excluded
++     *     (5) NSS automatically negotiates the use of the strongest protocol
++     *         for a connection starting with the maximum specified protocol
++     *         and downgrading as necessary to the minimum specified protocol
++     *
++     * For example, if SSL 3.0 is chosen as the minimum protocol, and
++     * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
++     * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
++     * cannot be excluded from this range. NSS will automatically negotiate
++     * to utilize the strongest acceptable protocol for a connection starting
++     * with the maximum specified protocol and downgrading as necessary to the
++     * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
++     */
+     if (stat == SECSuccess) {
++        /* Set minimum protocol version (lowest -> highest)
++         *
++         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1
++         */
+         if (ssl3 == 1) {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
++            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (minimum)",
++                         protocol_marker);
++        } else if (tls == 1) {
++            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.0] (minimum)",
++                         protocol_marker);
++        } else if (tls1_1 == 1) {
++            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (minimum)",
++                         protocol_marker);
+         } else {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
++            /* Set default minimum protocol version to SSL 3.0 */
++            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (default minimum)",
++                         protocol_marker);
+         }
+-    }
+-    if (stat == SECSuccess) {
+-        if (tls == 1) {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
++
++        /* Set maximum protocol version (highest -> lowest)
++         *
++         *     TLS 1.1 -> TLS 1.0 -> SSL 3.0
++         */
++        if (tls1_1 == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (maximum)",
++                         protocol_marker);
++        } else if (tls == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.0] (maximum)",
++                         protocol_marker);
++        } else if (ssl3 == 1) {
++            enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [SSL 3.0] (maximum)",
++                         protocol_marker);
+         } else {
+-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
++            /* Set default maximum protocol version to TLS 1.1 */
++            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
++            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                         "%s:  [TLS 1.1] (default maximum)",
++                         protocol_marker);
+         }
++
++        stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
+     }
+ 
+     if (stat != SECSuccess) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-                "SSL protocol initialization failed.");
++                "%s:  SSL/TLS protocol initialization failed.",
++                protocol_marker);
+         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+         nss_die();
+     }
+ 
+     mctx->ssl2 = ssl2;
+     mctx->ssl3 = ssl3;
+-    mctx->tls = tls;
++    if (tls1_1 == 1) {
++        mctx->tls = tls1_1;
++    } else {
++        mctx->tls = tls;
++    }
+ }
+ 
+ static void nss_init_ctx_session_cache(server_rec *s,
+@@ -791,6 +894,8 @@ static void nss_init_ctx_cipher_suite(se
+     PRBool cipher_state[ciphernum];
+     PRBool fips_state[ciphernum];
+     const char *suite = mctx->auth.cipher_suite; 
++    char * object_type = NULL;
++    char * cipher_suite_marker = NULL;
+     char * ciphers;
+     char * fipsciphers = NULL;
+     int i;
+@@ -820,6 +925,23 @@ static void nss_init_ctx_cipher_suite(se
+ 
+         nss_die();
+     }
++
++    /*
++     * Since this routine will be invoked individually for every thread
++     * associated with each 'server' object as well as for every thread
++     * associated with each 'proxy' object, identify the cipher suite markers
++     * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
++     * via each thread's object type and apply this useful information to
++     * all log messages.
++     */
++    if (mctx == mctx->sc->server) {
++        object_type = "server";
++        cipher_suite_marker = "NSSCipherSuite";
++    } else if (mctx == mctx->sc->proxy) {
++        object_type = "proxy";
++        cipher_suite_marker = "NSSProxyCipherSuite";
++    }
++
+     ciphers = strdup(suite);
+ 
+ #define CIPHERSIZE 2048
+@@ -854,13 +976,13 @@ static void nss_init_ctx_cipher_suite(se
+         }
+ 
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                 "FIPS mode enabled, permitted SSL ciphers are: [%s]",
+-                 fipsciphers);
++            "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
++            object_type, fipsciphers);
+     }
+ 
+     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+-                "Configuring permitted SSL ciphers [%s]",
+-                 suite);
++                "%s:  Configuring permitted SSL ciphers [%s]",
++                 cipher_suite_marker, suite);
+ 
+     /* Disable all NSS supported cipher suites. This is to prevent any new
+      * NSS cipher suites from getting automatically and unintentionally
+@@ -899,7 +1021,7 @@ static void nss_init_ctx_cipher_suite(se
+         for (i=0; i<ciphernum; i++) {
+             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
+                 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+-                    "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
++                    "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
+                 cipher_state[i] = PR_FALSE;
+             }
+         }
+@@ -908,19 +1030,22 @@ static void nss_init_ctx_cipher_suite(se
+     /* See if any ciphers have been enabled for a given protocol */
+     if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "SSL2 is enabled but no SSL2 ciphers are enabled.");
++            "%s:  SSL2 is enabled but no SSL2 ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+     if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "SSL3 is enabled but no SSL3 ciphers are enabled.");
++            "%s:  SSL3 is enabled but no SSL3 ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+     if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+-            "TLS is enabled but no TLS ciphers are enabled.");
++            "%s:  TLS is enabled but no TLS ciphers are enabled.",
++            cipher_suite_marker);
+         nss_die();
+     }
+ 
+diff -rupN mod_nss-1.0.8.orig/nss_engine_vars.c mod_nss-1.0.8/nss_engine_vars.c
+--- mod_nss-1.0.8.orig/nss_engine_vars.c	2008-01-03 13:35:28.000000000 -0800
++++ mod_nss-1.0.8/nss_engine_vars.c	2012-10-19 17:12:48.178045000 -0700
+@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
+                 case SSL_LIBRARY_VERSION_3_0:
+                     result = "SSLv3";
+                     break;
+-                case SSL_LIBRARY_VERSION_3_1_TLS:
++                case SSL_LIBRARY_VERSION_TLS_1_0:
++                    /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
+                     result = "TLSv1";
+                     break;
++                case SSL_LIBRARY_VERSION_TLS_1_1:
++                    result = "TLSv1.1";
++                    break;
+             }
+         }
+     }
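Review bot: The nss_engine_vars.c hunk still returns `"TLSv1"` for `SSL_LIBRARY_VERSION_TLS_1_0`, while this same patch changes the documentation to list `SSL_PROTOCOL` as `SSLv2, SSLv3, TLSv1.0, or TLSv1.1`, and the new comment `/* 'TLSv1' has been deprecated; specify 'TLSv1.0' */` reads as if the string had been updated — either return `"TLSv1.0"` or reword the comment to say the legacy name is deliberately kept so existing `SSL_PROTOCOL`-based access rules keep matching. In nss_init_ctx_protocol, an unrecognised token only logs a warning and leaves ssl2/ssl3/tls/tls1_1 at 0, so the range selection falls through to the "default minimum" SSL 3.0 and "default maximum" TLS 1.1 branches: a typo in a deliberately narrow `NSSProtocol TLSv1.1` silently widens the accepted range back to SSLv3, whereas the cipher-suite checks further down treat an empty result as fatal with `nss_die()`; treating "no recognised protocol" the same way, or at least logging at APLOG_ERR, would be consistent. The `strtok_r` split on `","` alone also means a token carrying whitespace (e.g. `SSLv3, TLSv1.1`) would fail every `strcmp` and land in that same fallback path — confirm that the RAW_ARGS value can never contain spaces, or trim each token before comparing. Minor style: `tls1_1= 1` in the `all` branch is missing a space.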
diff --git a/mod_nss.spec b/mod_nss.spec
index 0aa0aac..e4355fb 100644
--- a/mod_nss.spec
+++ b/mod_nss.spec
@@ -2,38 +2,51 @@
 %{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
 # /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
 %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}}
 
 Name: mod_nss
 Version: 1.0.8
-Release: 22%{?dist}
+Release: 24%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: ASL 2.0
 URL: http://directory.fedoraproject.org/wiki/Mod_nss
 Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
+BuildRequires: nspr-devel >= 4.9.2, nss-devel >= 3.14.0.0
 BuildRequires: httpd-devel, apr-devel, apr-util-devel
 BuildRequires: pkgconfig
+Requires: httpd-mmn = %{_httpd_mmn}
 Requires(post): httpd, nss-tools
-Requires: nss%{?_isa} >= 3.12.6
+Requires: nss%{?_isa} >= 3.14.0.0
 # Although the following change reverses the desire of Bugzilla Bug #601939, it
 # was provided to suppress the dangling symlink warning of Bugzilla Bug #906089
 # as exposed via 'rpmlint'.
 Requires: %{_libdir}/libnssckbi.so
 
+# Change configuration to not conflict with mod_ssl
 Patch1: mod_nss-conf.patch
+# Generate a password-less NSS database
 Patch2: mod_nss-gencert.patch
+# Properly set blocking status when no data is available
 Patch3: mod_nss-wouldblock.patch
 # Add options for tuning client negotiate in NSS
 Patch4: mod_nss-negotiate.patch
 Patch5: mod_nss-reverseproxy.patch
-Patch6: mod_nss-pcachesignal.h
-Patch7: mod_nss-reseterror.patch
-Patch8: mod_nss-lockpcache.patch
-Patch9: mod_nss-httpd24.patch
-Patch10: mod_nss-overlapping_memcpy.patch
-Patch11: mod_nss-man.patch
+Patch6: mod_nss-PK11_ListCerts_2.patch
+Patch7: mod_nss-pcachesignal.h
+Patch8: mod_nss-reseterror.patch
+Patch9: mod_nss-lockpcache.patch
+Patch10: mod_nss-httpd24.patch
+Patch11: mod_nss-overlapping_memcpy.patch
+Patch12: mod_nss-man.patch
+Patch13: mod_nss-array_overrun.patch
+Patch14: mod_nss-clientauth.patch
+Patch15: mod_nss-no_shutdown_if_not_init_2.patch
+Patch16: mod_nss-proxyvariables.patch
+Patch17: mod_nss-tlsv1_1.patch
+Patch18: mod_nss-sslmultiproxy.patch
+Patch19: mod_nss-sslmultiproxy_2.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
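Review bot: Patch14 (`mod_nss-clientauth.patch`) is the one security fix in this series — the changelog in this same commit describes it as closing the FakeBasicAuth authentication bypass of Bugzilla Bug #1017675 — yet it is listed bare, while the commit takes the trouble to add a one-line description above Patch1, Patch2 and Patch3. Add `# Fix FakeBasicAuth authentication bypass (Bugzilla Bug #1017675)` above the `Patch14:` line, and ideally the same for Patch13 (`# Fix array overrun when executing nss_pcache, Bugzilla Bug #1022717`), so that a later rebase does not drop them as ordinary backports. The nss-devel/nss floor raised to 3.14.0.0 presumably exists because Patch17 references the `SSL_LIBRARY_VERSION_TLS_1_1` constant; a short comment tying the two together (`# NSS >= 3.14 is needed for the TLS 1.1 protocol constants used by mod_nss-tlsv1_1.patch`) would keep the next bump honest.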
@@ -48,14 +61,25 @@ security library.
 %patch3 -p1 -b .wouldblock
 %patch4 -p1 -b .negotiate
 %patch5 -p1 -b .reverseproxy
-%patch6 -p1 -b .pcachesignal.h
-%patch7 -p1 -b .reseterror
-%patch8 -p1 -b .lockpcache
+%patch6 -p1 -b .PK11_ListCerts_2
+%patch7 -p1 -b .pcachesignal.h
+%patch8 -p1 -b .reseterror
+%patch9 -p1 -b .lockpcache
 %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%patch9 -p1 -b .httpd24
+%patch10 -p1 -b .httpd24
+%endif
+%patch11 -p1 -b .overlapping_memcpy
+%patch12 -p1 -b .man
+%patch13 -p1 -b .array_overrun
+%patch14 -p1 -b .clientauth
+%patch15 -p1 -b .no_shutdown_if_not_init_2
+%patch16 -p1 -b .proxyvariables
+%patch17 -p1 -b .tlsv1_1
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%patch19 -p1 -b .sslmultiproxy_2
+%else
+%patch18 -p1 -b .sslmultiproxy
 %endif
-%patch10 -p1 -b .overlap
-%patch11 -p1 -b .man
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
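Review bot: The httpd-generation test `0%{?fedora} >= 18 || 0%{?rhel} >= 7` is now written out twice, once guarding `%patch10` (httpd24) and once selecting `%patch19` over `%patch18`, with nothing tying the two together; if one is edited without the other, the sslmultiproxy variant that presumably assumes the httpd24-patched tree could be applied to an unpatched 2.2 tree, or vice versa. Because the patches have to stay in numeric order the two blocks cannot simply be merged, so hoist the condition into one macro near the top of the spec, `%global httpd24 (0%{?fedora} >= 18 || 0%{?rhel} >= 7)`, and use `%if %{httpd24}` at both sites. At minimum add a comment above the second block, `# Fedora >= 18 / RHEL >= 7 ship httpd 2.4: use the sslmultiproxy variant matching the httpd24 patch`, mirroring the httpd-version note already given for `_httpd_modconfdir` at the top of the file.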
@@ -80,7 +104,7 @@ NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
     --with-nss-inc=$NSS_INCLUDE_DIR \
     --with-nspr-lib=$NSPR_LIB_DIR \
     --with-nspr-inc=$NSPR_INCLUDE_DIR \
-    --with-apr-config
+    --with-apr-config --enable-ecc
 
 make %{?_smp_mflags} all
 
@@ -166,6 +190,38 @@ fi
 %{_sbindir}/gencert
 
 %changelog
+* Mon Oct 21 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-24
+- Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
+- Add '--enable-ecc' option to '%configure' line under '%build' section of
+  this spec file (mharmsen)
+- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
+- [mod_nss-PK11_ListCerts_2.patch]
+- Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user
+  certificates for every server (rcritten)
+- [mod_nss-array_overrun.patch]
+- Bugzilla Bug #1022717 - overrunning array when executing nss_pcache
+  (rcritten)
+- [mod_nss-clientauth.patch]
+- Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass
+  [fedora-all] (rcritten)
+- [mod_nss-no_shutdown_if_not_init_2.patch]
+- Bugzilla Bug #1022722 - File descriptor leak after "service httpd reload"
+  or httpd doesn't reload (rrelyea)
+- [mod_nss-proxyvariables.patch]
+- Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite
+  not set. (mharmsen)
+- [mod_nss-tlsv1_1.patch]
+- Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick
+  it up (mharmsen)
+- Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1
+  (mharmsen)
+- [mod_nss-sslmultiproxy_2.patch]
+- Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with
+  other SSL providers (jorton, mharmsen, nkinder, & rcritten)
+
+* Tue Jul 30 2013 Joe Orton <jorton at redhat.com> - 1.0.8-23
+- add dependency on httpd-mmn
+
 * Wed Jul  3 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-22
 - Moved 'nss_pcache' from %%sbindir to %%libexecdir
   (provided compatibility link)

