[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 02/156: By default, don't start with an expired cert. Add option SSLEnforceValid Cert on/off to allow one to start with a bad cert.
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:21 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit aabd41a7fa3f5f98c49288b6f6d352e9f858ca3c
Author: rcritten <>
Date: Fri May 20 21:20:30 2005 +0000
By default, don't start with an expired cert. Add option
SSLEnforceValidCerts on/off to allow one to start with a bad cert.
Fix up some error messages and add in a missing cipher.
---
mod_nss.c | 3 +++
mod_nss.h | 4 +++-
nss_engine_config.c | 12 ++++++++++++
nss_engine_init.c | 29 ++++++++++++++++-------------
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/mod_nss.c b/mod_nss.c
index 66a45c7..16d090d 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -75,6 +75,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Nickname, TAKE1,
"SSL Server Certificate nickname "
"(`Server-Cert'")
+ SSL_CMD_SRV(EnforceValidCerts, FLAG,
+ "Require a valid, trust, non-expired server certificate (default on)"
+ "(`on', `off'")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
/*
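Review bot: The help string on the new EnforceValidCerts entry has a typo ("valid, trust, non-expired") and, because the two adjacent string literals are concatenated with no separator, it renders as `(default on)(`on', `off'`. Change the first literal to `"Require a valid, trusted, non-expired server certificate (default on) "` so the rendered text reads correctly. The `ssl_config_cmds[]` table this entry belongs to starts before and continues past the hunk.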
diff --git a/mod_nss.h b/mod_nss.h
index e734fd4..1095cd2 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -241,6 +241,7 @@ typedef struct {
int ssl3;
int tls;
int tlsrollback;
+ int enforce;
const char *nickname;
CERTCertificate *servercert;
@@ -294,7 +295,7 @@ typedef struct
enum sslversion { SSL2=1, SSL3=2, TLS=4};
/* the table itself is defined in ssl_engine_init.c */
-#define ciphernum 22
+#define ciphernum 23
/*
* function prototypes
@@ -315,6 +316,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLEnforceValidCerts(cmd_parms *, void *, int);
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSL3SessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSessionCacheSize(cmd_parms *cmd, void *dcfg, const char *arg);
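Review bot: The new prototype `const char *ssl_cmd_SSLEnforceValidCerts(cmd_parms *, void *, int);` drops the parameter names that every neighbouring prototype in this list keeps. For consistency and so the header documents the call, write it as `const char *ssl_cmd_SSLEnforceValidCerts(cmd_parms *cmd, void *dcfg, int flag);`, matching the definition added in nss_engine_config.c.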
diff --git a/nss_engine_config.c b/nss_engine_config.c
index d662763..962ce2e 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -146,6 +146,7 @@ static void modnss_ctx_cfg_merge(modnss_ctx_t *base,
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMerge(nickname, NULL);
+ cfgMerge(enforce, PR_TRUE);
}
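Review bot: `cfgMerge(enforce, PR_TRUE)` uses PR_TRUE as the "not set in this context" marker, whereas the neighbouring fields use a dedicated unset value (`SSL_CVERIFY_UNSET`, `NULL`). If cfgMerge inherits from `base` whenever the child's value equals its second argument — its definition is not visible here — then a virtual host that explicitly says `SSLEnforceValidCerts on` under a base that says `off` will silently end up with enforcement off, because "on" and "unset" are indistinguishable. Consider a tri-state: initialise `enforce` to an UNSET sentinel in the ctx constructor, use `cfgMerge(enforce, UNSET);` here, and resolve UNSET to PR_TRUE where the value is consumed. The diff also does not show where `enforce` receives its initial value; if the ctx is zero-allocated and nothing sets it, the effective default is off, contradicting the `(default on)` in the directive help.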
static void modnss_ctx_cfg_merge_server(modnss_ctx_t *base,
@@ -366,6 +367,17 @@ const char *ssl_cmd_SSLNickname(cmd_parms *cmd,
return NULL;
}
+const char *ssl_cmd_SSLEnforceValidCerts(cmd_parms *cmd,
+ void *dcfg,
+ int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enforce = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd,
void *dcfg,
const char *arg)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 8bcb93d..db98fa3 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -44,6 +44,7 @@ cipher_properties ciphers_def[ciphernum] =
{"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
{"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
{"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
+ {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
{"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
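Review bot: `SSL_RSA_WITH_NULL_SHA` is an integrity-only suite with no encryption, so adding `rsa_null_sha` makes a plaintext TLS session selectable via the cipher-suite directive; that is acceptable as an explicit opt-in, but it must not appear in any default or example cipher list and its documentation should state that it provides no confidentiality. The third column is 0 on the new row (1 only for fortezza) and its meaning is not visible in this hunk — confirm it is not an "enabled by default" flag. A trailing `/* no encryption: integrity only, never enable by default */` on the new row would make the intent explicit to the next maintainer.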
@@ -108,7 +109,7 @@ static void ssl_init_SSLLibrary(server_rec *s)
/* Do we need to fire up our password helper? */
if (mc->nInitCount == 1) {
- const char * child_argv[2];
+ const char * child_argv[3];
apr_status_t rv;
if (mc->pphrase_dialog_helper == NULL &&
@@ -119,7 +120,8 @@ static void ssl_init_SSLLibrary(server_rec *s)
}
child_argv[0] = mc->pphrase_dialog_helper;
- child_argv[1] = NULL;
+ child_argv[1] = mc->pCertificateDatabase;
+ child_argv[2] = NULL;
rv = apr_procattr_create(&mc->procattr, mc->pPool);
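Review bot: Passing `mc->pCertificateDatabase` as argv[1] to the passphrase helper is not mentioned in the commit message, and nothing in the hunk guards against it being NULL; if it is, `child_argv[1] = NULL` terminates the argument list early and the helper is started without the database path, which will presumably fail later with a less obvious error. Either check the value before building argv and log a clear "certificate database path is not set" error followed by `ssl_die()`, or add a comment stating why it is guaranteed non-NULL at this point. The enclosing `ssl_init_SSLLibrary` body continues outside the hunk.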
@@ -578,7 +580,6 @@ static void ssl_init_server_certs(server_rec *s,
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
- int enforce = 0; // not currently used
PK11SlotInfo* slot = NULL;
@@ -599,9 +600,11 @@ static void ssl_init_server_certs(server_rec *s,
if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), mctx->servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified '%s'", mctx->nickname);
+ "Certificate not verified: '%s'", mctx->nickname);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
+ if (mctx->enforce) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to verify certificate '%s'. Add \"SSLEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", mctx->nickname);
ssl_die();
}
}
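Review bot: When `mctx->enforce` is off the verification failure is logged at ERR and then silently ignored — the server proceeds with a certificate NSS refused to verify, and nothing in the log records that the override is in effect. Add an else branch so the decision is auditable: `} else { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "SSLEnforceValidCerts is off, continuing with unverified certificate '%s'", mctx->nickname); }`. In the enforcing path the two ERR lines describe the same event; the remediation hint could be folded into the "Certificate not verified" message so only one line is emitted, and "nss.conf" assumes a particular packaging — "the mod_nss configuration" would be safer. `ssl_init_server_certs` starts before this hunk.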
@@ -610,7 +613,7 @@ static void ssl_init_server_certs(server_rec *s,
if (NULL == mctx->servercert)
{
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate not found '%s'", mctx->nickname);
+ "Certificate not found: '%s'", mctx->nickname);
ssl_die();
}
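Review bot: "Certificate not found" is logged at APLOG_INFO and immediately followed by `ssl_die()`; at Apache's default `LogLevel warn` that line is suppressed, so an administrator sees the server fail to start with no explanation. A fatal condition should be logged at the level the verification failure above already uses: `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,`. The same INFO-then-die pattern appears in the "Key not found", PKCS11 pin, SSL_ConfigSecureServer and handshake-callback messages edited later in this commit.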
@@ -643,7 +646,7 @@ static void ssl_init_server_certs(server_rec *s,
if (mctx->serverkey == NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Key not found %s", mctx->nickname);
+ "Key not found for: '%s'", mctx->nickname);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -666,28 +669,28 @@ static void ssl_init_server_certs(server_rec *s,
break;
case secCertTimeExpired:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Server certificate is expired %s", mctx->nickname);
+ "Server certificate is expired: '%s'", mctx->nickname);
break;
case secCertTimeNotValidYet:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate is not valid yet %s", mctx->nickname);
+ "Certificate is not valid yet '%s'", mctx->nickname);
default:
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Unhandled Certificate time type %d for %s", certtimestatus, mctx->nickname);
+ "Unhandled Certificate time type %d for: '%s'", certtimestatus, mctx->nickname);
break;
}
secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Error setting PKCS11 pin argument: %s", mctx->nickname);
+ "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
ssl_die();
}
secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "SSL error configuring server %s", mctx->nickname);
+ "SSL error configuring server: '%s'", mctx->nickname);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
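Review bot: `case secCertTimeNotValidYet:` has no `break`, so after logging "Certificate is not valid yet" control falls into `default:` and a misleading "Unhandled Certificate time type" line is logged for the same certificate; the commit edits that message but leaves the fallthrough in place. Add `break;` after the not-valid-yet log (or a `/* fallthrough */` comment if it were intended, which it does not appear to be). This switch only logs; the refusal to start with an expired certificate presumably comes from the `CERT_VerifyCertificateNow` check earlier in the function, so with SSLEnforceValidCerts off these messages are the only trace of the time problem and should be accurate.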
@@ -696,7 +699,7 @@ static void ssl_init_server_certs(server_rec *s,
if (secstatus != SECSuccess)
{
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "SSL error configuring handshake callback %s", mctx->nickname);
+ "SSL error configuring handshake callback: '%s'", mctx->nickname);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
--