[mod_nss/f20] Resolves: CVE-2013-4566, bz #1036940

mharmsen mharmsen at fedoraproject.org
Wed Dec 4 02:23:35 UTC 2013


commit 8d35d7eb9b4a200363c6939a423ff0a101c3e214
Author: Matthew Harmsen <mharmsen at redhat.com>
Date:   Tue Dec 3 18:23:13 2013 -0800

    Resolves: CVE-2013-4566, bz #1036940
    
    - [mod_nss-nssverifyclient.patch]
    - Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
      NSSVerifyClient in directory context [fedora-all] (rcritten)
    - Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
      Directory (rcritten)
    - [mod_nss-usecases.patch]
    - Bugzilla Bug #1036940 - [DOC] making mod_nss work in FIPS mode (mharmsen)

 clog                          |    9 +
 mod_nss-nssverifyclient.patch |   12 ++
 mod_nss-usecases.patch        |  322 +++++++++++++++++++++++++++++++++++++++++
 mod_nss.spec                  |   18 ++-
 4 files changed, 359 insertions(+), 2 deletions(-)
---
diff --git a/clog b/clog
new file mode 100644
index 0000000..5184c03
--- /dev/null
+++ b/clog
@@ -0,0 +1,9 @@
+Resolves: CVE-2013-4566, bz #1036940
+
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+  NSSVerifyClient in directory context [fedora-all] (rcritten)
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+  Directory (rcritten)
+- [mod_nss-usecases.patch]
+- Bugzilla Bug #1036940 - [DOC] making mod_nss work in FIPS mode (mharmsen)
diff --git a/mod_nss-nssverifyclient.patch b/mod_nss-nssverifyclient.patch
new file mode 100644
index 0000000..d9858c3
--- /dev/null
+++ b/mod_nss-nssverifyclient.patch
@@ -0,0 +1,12 @@
+diff -rupN mod_nss-1.0.8.patched/nss_engine_kernel.c mod_nss-1.0.8.989724/nss_engine_kernel.c
+--- mod_nss-1.0.8.patched/nss_engine_kernel.c	2007-05-31 14:36:03.000000000 -0700
++++ mod_nss-1.0.8.989724/nss_engine_kernel.c	2013-10-25 13:32:47.000000000 -0700
+@@ -275,7 +275,7 @@ int nss_hook_Access(request_rec *r)
+ 
+         if (verify == SSL_CVERIFY_REQUIRE) {
+             SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+-            SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
++            SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
+         } else if (verify == SSL_CVERIFY_OPTIONAL) {
+             SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+             SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
diff --git a/mod_nss-usecases.patch b/mod_nss-usecases.patch
new file mode 100644
index 0000000..8427fe6
--- /dev/null
+++ b/mod_nss-usecases.patch
@@ -0,0 +1,322 @@
+diff -rupN mod_nss-1.0.8.srpm/docs/mod_nss.html mod_nss-1.0.8.patched/docs/mod_nss.html
+--- mod_nss-1.0.8.srpm/docs/mod_nss.html	2013-11-27 12:03:05.000000000 -0800
++++ mod_nss-1.0.8.patched/docs/mod_nss.html	2013-11-27 17:27:08.000000000 -0800
+@@ -33,6 +33,7 @@
+ <a href="#Database_Management">Database Management</a><br>
+ <a href="#SSLv2">Why is SSLv2 disabled?</a><br>
+ <a href="#FAQ">Frequently Asked Questions</a><br>
++<a href="#Sample_Use_Cases">Sample Use Cases</a><br>
+ 
+ <h1><a name="Introduction"></a>Introduction</h1>
+ The <a href="http://www.modssl.org/">mod_ssl</a> package was
+@@ -1056,7 +1057,7 @@ man-in-the-middle attack so leaving this
+ <br>
+ <span style="font-weight: bold;">Example</span><br>
+ <br>
+-<code>NSSProcyCheckPeerCN on</code><br>
++<code>NSSProxyCheckPeerCN on</code><br>
+ <br>
+ 
+ <h1><a name="Environment"></a>Environment Variables</h1>
+@@ -1467,6 +1468,300 @@ Q. Does mod_nss support mod_proxy?<br>
+ <br>
+ A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
+ provides a single interface for SSL providers and mod_nss defers to
+-mod_ssl if it is loaded.
++mod_ssl if it is loaded.<br>
++
++<h1><a name="Sample_Use_Cases"></a>Sample Use Cases</h1>
++<h2>I. Restart Apache using the NSS Internal Software Token</h2>
++<ul>
++1. Become the <b>root</b> user.<br>
++<br>
++2. Install mod_nss.<br>
++<br>
++3. This use case will utilize the NSS security databases created during installation of mod_nss:<br>
++<br>
++<ul>
++<code>
++# certutil -L -d /etc/httpd/alias<br>
++<pre>
++Certificate Nickname                                         Trust Attributes
++                                                             SSL,S/MIME,JAR/XPI
++
++cacert                                                       CTu,Cu,Cu
++Server-Cert                                                  u,u,u
++alpha                                                        u,pu,u
++</pre>
++</code>
++<table>
++<tr>
++<td valign="top"><b>NOTE:&nbsp;&nbsp; </b></td>
++<td valign="top">For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in <code>/etc/httpd/alias</code>), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the <code>/etc/httpd/conf.d/nss.conf</code> file such that mod_nss uses these NSS security databases.</td>
++</tr>
++</table>
++<br>
++</ul>
++4. Use <code>certutil</code> to apply a password to the NSS security databases configured in step 3 above:<br>
++<br>
++<ul>
++<code>
++# certutil -W -d /etc/httpd/alias<br>
++Enter Password or Pin for "NSS Certificate DB":<br>
++Enter a password which will be used to encrypt your keys.<br>
++The password should be at least 8 characters long,<br>
++and should contain at least one non-alphabetic character.<br>
++<br>
++Enter new password:<br>
++Re-enter password:<br>
++Password changed successfully.<br>
++</code>
++</ul>
++<br>
++5. Configure mod_nss to use the NSS internal software token:<br>
++<br>
++<ul>
++Edit <code>/etc/httpd/conf.d/nss.conf</code>:<br>
++<br>
++<ul>
++Replace:<br>
++<ul>
++<code>NSSPassPhraseDialog builtin</code><br>
++</ul>
++with:<br>
++<ul>
++<code>NSSPassPhraseDialog file:/etc/httpd/password.conf</code>
++</ul>
++<br>
++<ul>
++<table>
++<tr>
++<td valign="top"><b>NOTE:&nbsp;&nbsp; </b></td>
++<td valign="top">Whenever <code>httpd</code> is invoked as a service/systemd process, the <code>NSSPassPhraseDialog builtin</code> parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server.  This is because the mod_nss test for issuing the password prompt <code>Please enter password for "internal" token:</code> on the command line is only displayed when the command <code>isatty(fileno(stdin))</code> is set to 'true', and when the command is entered from this type of invocation the value is 'false'.  In order to see the prompt, one can set the <code>NSSPassPhraseDialog builtin</code> parameter and invoke <code>httpd -D FOREGROUND</code> from the command line.</td>
++</tr>
++</table>
++</ul>
++<br>
++If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the <code>NSSNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
++<ul>
++<code>NSSNickname Server-Cert</code>
++</ul>
++<br>
++If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the <code>NSSECCNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
++<ul>
++<code>NSSECCNickname Server-Cert</code>
++</ul>
++<br>
++Make certain that the <code>NSSCertificateDatabase</code> parameter is uncommented and points to the NSS security databases directory configured in step 3 above:<br>
++<ul>
++<code>NSSCertificateDatabase /etc/httpd/alias</code>
++</ul>
++</ul>
++<br>
++Create the <code>/etc/httpd/password.conf</code> file:<br>
++<br>
++<ul>
++Add:<br>
++<ul>
++<code>internal:&lt;password&gt;</code><br>
++</ul>
++Replacing '&lt;password&gt;' with the password that was applied to the NSS security databases in step 4 above.<br>
++</ul>
++<br>
++Apply the appropriate ownership and permissions to the <code>/etc/httpd/password.conf</code> file:<br>
++<br>
++<ul>
++<code># chgrp apache /etc/httpd/password.conf</code><br>
++<br>
++<code># chmod 640 /etc/httpd/password.conf</code><br>
++<br>
++<code>
++# ls -l /etc/httpd/password.conf<br>
++-rw-r-----. 1 root apache 18 Nov 27 14:05 /etc/httpd/password.conf<br>
++</code>
++<br>
++</ul>
++</ul>
++6. Restart the Apache server:<br>
++<br>
++<ul>
++<code>
++# service httpd restart<br>
++Redirecting to /bin/systemctl restart  httpd.service<br>
++</code>
++<code>
++<pre>
++# service httpd status
++Redirecting to /bin/systemctl status  httpd.service
++httpd.service - The Apache HTTP Server
++   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
++   Active: active (running) since Wed 2013-11-27 15:25:48 PST; 1min 11s ago
++  Process: 20804 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
++ Main PID: 20807 (httpd)
++   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
++   CGroup: name=systemd:/system/httpd.service
++           |_____20807 /usr/sbin/httpd -DFOREGROUND
++           |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
++           |_____20809 /usr/sbin/httpd -DFOREGROUND
++           |_____20810 /usr/sbin/httpd -DFOREGROUND
++           |_____20811 /usr/sbin/httpd -DFOREGROUND
++           |_____20812 /usr/sbin/httpd -DFOREGROUND
++           |_____20813 /usr/sbin/httpd -DFOREGROUND
++
++Nov 27 15:25:48 server.example.com systemd[1]: Started The Apache HTTP Server.
++</pre>
++</code>
++</ul>
++</ul>
++<h2>II. Restart Apache using the NSS FIPS Software Token</h2>
++<ul>
++1. Become the <b>root</b> user.<br>
++<br>
++2. Install mod_nss.<br>
++<br>
++3. This use case will utilize the NSS security databases created during installation of mod_nss:<br>
++<br>
++<ul>
++<code>
++# certutil -L -d /etc/httpd/alias<br>
++<pre>
++Certificate Nickname                                         Trust Attributes
++                                                             SSL,S/MIME,JAR/XPI
++
++cacert                                                       CTu,Cu,Cu
++Server-Cert                                                  u,u,u
++alpha                                                        u,pu,u
++</pre>
++</code>
++<table>
++<tr>
++<td valign="top"><b>NOTE:&nbsp;&nbsp; </b></td>
++<td valign="top">For actual deployments, the administrator should setup their own NSS security databases (e. g. - replace the default mod_nss NSS security databases located in <code>/etc/httpd/alias</code>), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the <code>/etc/httpd/conf.d/nss.conf</code> file such that mod_nss uses these NSS security databases.</td>
++</tr>
++</table>
++<br>
++</ul>
++4. Use <code>certutil</code> to apply a password to the NSS security databases configured in step 3 above:<br>
++<br>
++<ul>
++<code>
++# certutil -W -d /etc/httpd/alias<br>
++Enter Password or Pin for "NSS Certificate DB":<br>
++Enter a password which will be used to encrypt your keys.<br>
++The password should be at least 8 characters long,<br>
++and should contain at least one non-alphabetic character.<br>
++<br>
++Enter new password:<br>
++Re-enter password:<br>
++Password changed successfully.<br>
++</code>
++</ul>
++<br>
++5. Configure mod_nss to use the NSS FIPS software token:<br>
++<br>
++<ul>
++Edit <code>/etc/httpd/conf.d/nss.conf</code>:<br>
++<br>
++<ul>
++Replace:<br>
++<ul>
++<code>NSSPassPhraseDialog builtin</code><br>
++</ul>
++with:<br>
++<ul>
++<code>NSSPassPhraseDialog file:/etc/httpd/password.conf</code>
++</ul>
++<br>
++<ul>
++<table>
++<tr>
++<td valign="top"><b>NOTE:&nbsp;&nbsp; </b></td>
++<td valign="top">Whenever <code>httpd</code> is invoked as a service/systemd process, the <code>NSSPassPhraseDialog builtin</code> parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server.  This is because the mod_nss test for issuing the password prompt <code>Please enter password for "NSS FIPS 140-2 Certificate DB" token:</code> on the command line is only displayed when the command <code>isatty(fileno(stdin))</code> is set to 'true', and when the command is entered from this type of invocation the value is 'false'.  In order to see the prompt, one can set the <code>NSSPassPhraseDialog builtin</code> parameter and invoke <code>httpd -D FOREGROUND</code> from the command line.</td>
++</tr>
++</table>
++</ul>
++<br>
++To enable FIPS mode for mod_nss, add the following parameter:
++<ul>
++NSSFIPS on
++</ul>
++after the line marked:
++<ul>
++NSSEngine on
++</ul>
++<br>
++If the SSL Server Certificate contained in the NSS security database is an RSA certificate, make certain that the <code>NSSNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
++<ul>
++<code>NSSNickname Server-Cert</code>
++</ul>
++<br>
++If the SSL Server Certificate contained in the NSS security database is an ECC certificate, make certain that the <code>NSSECCNickname</code> parameter is uncommented and matches the nickname displayed in step 3 above:<br>
++<ul>
++<code>NSSECCNickname Server-Cert</code>
++</ul>
++<br>
++Make certain that the <code>NSSCertificateDatabase</code> parameter is uncommented and points to the NSS security databases directory configured in step 3 above:<br>
++<ul>
++<code>NSSCertificateDatabase /etc/httpd/alias</code>
++</ul>
++</ul>
++<br>
++Create the <code>/etc/httpd/password.conf</code> file:<br>
++<br>
++<ul>
++Add:<br>
++<ul>
++<code>NSS FIPS 140-2 Certificate DB:&lt;password&gt;</code><br>
++</ul>
++Replacing '&lt;password&gt;' with the password that was applied to the NSS security databases in step 4 above.<br>
++<br>
++<table>
++<tr>
++<td valign="top"><b>IMPORTANT:&nbsp;&nbsp; </b></td>
++<td valign="top">Notice that since the NSS FIPS software token is being used, the contents of the <code>/etc/httpd/password.conf</code> file references the password for the NSS FIPS software token (<code>NSS FIPS 140-2 Certificate DB:&lt;password&gt;</code>) rather than the NSS internal software token (<code>internal:&lt;password&gt;</code>).</td>
++</tr>
++</table>
++</ul>
++<br>
++Apply the appropriate ownership and permissions to the <code>/etc/httpd/password.conf</code> file:<br>
++<br>
++<ul>
++<code># chgrp apache /etc/httpd/password.conf</code><br>
++<br>
++<code># chmod 640 /etc/httpd/password.conf</code><br>
++<br>
++<code>
++# ls -l /etc/httpd/password.conf<br>
++-rw-r-----. 1 root apache 39 Nov 27 15:48 /etc/httpd/password.conf<br>
++</code>
++<br>
++</ul>
++</ul>
++6. Restart the Apache server:<br>
++<br>
++<ul>
++<code>
++# service httpd restart<br>
++Redirecting to /bin/systemctl restart  httpd.service<br>
++</code>
++<code>
++<pre>
++# service httpd status
++Redirecting to /bin/systemctl status  httpd.service
++httpd.service - The Apache HTTP Server
++   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
++   Active: active (running) since Wed 2013-11-27 16:26:07 PST; 4s ago
++  Process: 21296 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
++ Main PID: 21299 (httpd)
++   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
++   CGroup: name=systemd:/system/httpd.service
++           |_____21299 /usr/sbin/httpd -DFOREGROUND
++           |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
++           |_____21340 /usr/sbin/httpd -DFOREGROUND
++           |_____21341 /usr/sbin/httpd -DFOREGROUND
++           |_____21342 /usr/sbin/httpd -DFOREGROUND
++
++Nov 27 16:26:07 server.example.com systemd[1]: Started The Apache HTTP Server.
++</pre>
++</code>
++</ul>
++</ul>
+ </body>
+ </html>
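Review bot: Both use cases store the token password in clear text in /etc/httpd/password.conf and correctly lock it down with `chgrp apache` and `chmod 640`, but the text should state the consequence: every process running in the apache group (all httpd workers, CGIs and modules) can read that password, so the file permissions only protect against other local users, and the same password unlocks the whole key database. That belongs in the step 5 NOTE next to the isatty() explanation, which should also be reworded, since `isatty(fileno(stdin))` is a library call made inside mod_nss, not "the command". Markup: `<pre>` blocks are nested inside `<code>`, the numbered steps are bare text inside `<ul>` rather than `<ol>`/`<li>`, and in the FIPS case `NSSFIPS on` and `NSSEngine on` lack the `<code>` wrapping every other directive in the section gets. The two use cases are near-verbatim copies differing only in `NSSFIPS on` and the password.conf token name; one procedure with a FIPS sub-step would be easier to keep in sync. Finally, the NSSProcyCheckPeerCN to NSSProxyCheckPeerCN spelling fix in the @@ -1056 hunk is unrelated to the new section and would be cleaner as its own patch.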
diff --git a/mod_nss.spec b/mod_nss.spec
index 6566260..1881009 100644
--- a/mod_nss.spec
+++ b/mod_nss.spec
@@ -6,7 +6,7 @@
 
 Name: mod_nss
 Version: 1.0.8
-Release: 26%{?dist}
+Release: 28%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: ASL 2.0
@@ -50,6 +50,8 @@ Patch19: mod_nss-sslmultiproxy_2.patch
 Patch20: mod_nss-docs-fix.patch
 Patch21: mod_nss-SSLEngine-off.patch
 Patch22: mod_nss-unused-filter_ctx.patch
+Patch23: mod_nss-nssverifyclient.patch
+Patch24: mod_nss-usecases.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -86,6 +88,8 @@ security library.
 %patch20 -p1 -b .docs-fix
 %patch21 -p1 -b .SSLEngine-off
 %patch22 -p1 -b .unused-filter_ctx
+%patch23 -p1 -b .nssverifyclient
+%patch24 -p1 -b .usecases
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -196,6 +200,16 @@ fi
 %{_sbindir}/gencert
 
 %changelog
+* Tue Dec  3 2013 Rob Crittenden <rcritten at redhat.com> - 1.0.8-28
+- Resolves: CVE-2013-4566, bz #1036940
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+  NSSVerifyClient in directory context [fedora-all] (rcritten)
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+  Directory (rcritten)
+- [mod_nss-usecases.patch]
+- Bugzilla Bug #1036940 - [DOC] making mod_nss work in FIPS mode (mharmsen)
+
 * Tue Nov 12 2013 Joe Orton <jorton at redhat.com> - 1.0.8-26
 - [mod_nss-SSLEngine-off.patch]
 - Bugzilla Bug #1029043 - Implicit SSLEngine for 443 port breaks mod_nss
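Review bot: Release jumps from 26 to 28 in the @@ -6 hunk, but the %changelog has no 1.0.8-27 entry between Joe Orton's 1.0.8-26 and this 1.0.8-28, so either a 27 entry is missing or the skip should be recorded; otherwise a reader cannot tell whether a build was lost. The new entry is signed by Rob Crittenden while the commit author is Matthew Harmsen; that is fine if intentional, but the changelog author should be whoever is accountable for the build. The entry body otherwise matches the clog file and the commit message, which is what the Fedora tooling expects.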
@@ -209,7 +223,7 @@ fi
 
 * Mon Oct 21 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-24
 - Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
-- Add '--enable-ecc' option to '%configure' line under '%build' section of
+- Add '--enable-ecc' option to %%configure line under %%build section of
   this spec file (mharmsen)
 - Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
 - [mod_nss-PK11_ListCerts_2.patch]