[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 29/156: Properly clean up the SSL environment so NSS can be shut down gracefully.
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:24 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit 70d2235dfbe3070e786ddf5024f03516b431bab3
Author: rcritten <>
Date: Thu Aug 4 16:18:49 2005 +0000
Properly clean up the SSL environment so NSS can be shut down gracefully.
---
nss_engine_init.c | 34 ++++++++++++++++++++++++++++++----
nss_engine_pphrase.c | 2 ++
2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index a73e463..beeafcd 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -362,7 +362,7 @@ static void nss_init_ctx_protocol(server_rec *s,
if (mctx->auth.protocols == NULL) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "SSLProtocols not set; using: SSLv3 and TLSv1");
+ "NSSProtocols not set; using: SSLv3 and TLSv1");
ssl3 = tls = 1;
} else {
lprotocols = strdup(mctx->auth.protocols);
@@ -659,6 +659,7 @@ static void nss_init_server_certs(server_rec *s,
}
mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL);
+ PK11_FreeSlot(slot);
if (mctx->serverkey == NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -703,6 +704,7 @@ static void nss_init_server_certs(server_rec *s,
nss_die();
}
+#if 1
secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType);
if (secstatus != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
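Review bot: The `#if 1` added above the SSL_ConfigSecureServer() call (closed by the `#endif` in the next hunk) is an always-true guard that reads like a debugging leftover. Flipping it to 0 would compile out both the call that binds the server certificate and key to the model socket and its error check, with no build-time signal that the step is gone. Either drop the two preprocessor lines or replace them with a comment that says why the call might need disabling, e.g. `/* Bind the server cert and key to the model socket; failure here is fatal */`. nss_init_server_certs starts and ends outside the hunk.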
@@ -710,6 +712,7 @@ static void nss_init_server_certs(server_rec *s,
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
+#endif
secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
if (secstatus != SECSuccess)
@@ -760,11 +763,34 @@ void nss_init_Child(apr_pool_t *p, server_rec *s)
apr_status_t nss_init_ModuleKill(void *data)
{
- /*
- * There is nothing stored at the server level to kill at the moment.
+ SSLSrvConfigRec *sc;
+ server_rec *base_server = (server_rec *)data;
+ server_rec *s;
+ SECStatus rv;
+
+ /*
+ * Free the non-pool allocated structures
+ * in the per-server configurations
*/
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
+ if (sc->enabled) {
+ CERT_DestroyCertificate(sc->server->servercert);
+ SECKEY_DestroyPrivateKey(sc->server->serverkey);
+
+ /* Closing this implicitly cleans up the copy of the certificates
+ * and keys associated with any SSL socket */
+ PR_Close(sc->server->model);
+ }
+ }
+
+ if ((rv = NSS_Shutdown()) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "NSS_Shutdown failed: %d", PR_GetError());
+ }
- NSS_Shutdown();
+ PR_Cleanup();
return APR_SUCCESS;
}
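Review bot: The new cleanup loop in nss_init_ModuleKill hands `sc->server->servercert`, `serverkey` and `model` straight to the NSS/NSPR destructors and leaves the released pointers in the config record. If a virtual host is enabled but one of these was never set up, or if this cleanup can run more than once against the same record (neither is visible from this hunk), that becomes a NULL dereference in PR_Close or a second release of the private key. Checking each handle and clearing it after release makes the teardown idempotent. The NSS_Shutdown failure is also logged with a NULL server_rec although `base_server` is in scope, which makes the message harder to attribute in the error log.

```c
    for (s = base_server; s; s = s->next) {
        sc = mySrvConfig(s);

        if (sc == NULL || !sc->enabled || sc->server == NULL)
            continue;

        if (sc->server->servercert) {
            CERT_DestroyCertificate(sc->server->servercert);
            sc->server->servercert = NULL;
        }
        if (sc->server->serverkey) {
            SECKEY_DestroyPrivateKey(sc->server->serverkey);
            sc->server->serverkey = NULL;
        }
        if (sc->server->model) {
            /* Closing this implicitly cleans up the copy of the certificates
             * and keys associated with any SSL socket */
            PR_Close(sc->server->model);
            sc->server->model = NULL;
        }
    }

    if ((rv = NSS_Shutdown()) != SECSuccess) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                     "NSS_Shutdown failed: %d", PR_GetError());
    }
    /* … unchanged: PR_Cleanup() and return APR_SUCCESS … */
```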
diff --git a/nss_engine_pphrase.c b/nss_engine_pphrase.c
index 61324d7..7524511 100644
--- a/nss_engine_pphrase.c
+++ b/nss_engine_pphrase.c
@@ -70,6 +70,7 @@ SECStatus nss_Init_Tokens(server_rec *s)
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"The token %s has not been initialized.", PK11_GetTokenName(slot));
}
+ PK11_FreeSlot(slot);
continue;
}
@@ -79,6 +80,7 @@ SECStatus nss_Init_Tokens(server_rec *s)
break;
}
parg->retryCount = 0; // reset counter to 0 for the next token
+ PK11_FreeSlot(slot);
}
/*
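Review bot: The `break;` shown at the top of this hunk leaves the token loop before reaching the added `PK11_FreeSlot(slot);`, so unless the slot is released earlier in that branch (outside the hunk) the reference taken for the failing token stays held. A leaked slot reference is the sort of thing that can make NSS_Shutdown() report failure, which is what this commit sets out to fix. Consider adding `PK11_FreeSlot(slot);` immediately before the `break;`. nss_Init_Tokens starts and ends outside the hunk.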
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git