[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 105/156: Add controls for managing SSL renegotiation
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:33 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit 63440400c246bb997c906b301e7b3b1566448189
Author: rcritten <>
Date: Tue Mar 2 20:12:05 2010 +0000
Add controls for managing SSL renegotiation
NSS is introducing some new controls in response to CVE-2009-3555,
MITM attacks via session renegotiation. This patch adds some tuning
so these options can be set at run time.
Patch contributed by Kai Engert based on some early work by Rob
Crittenden.
---
mod_nss.c | 8 ++++++++
mod_nss.h | 8 ++++++++
nss_engine_config.c | 28 ++++++++++++++++++++++++++++
nss_engine_init.c | 18 ++++++++++++++++++
4 files changed, 62 insertions(+)
diff --git a/mod_nss.c b/mod_nss.c
index abf76f4..9337d30 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds[] = {
SSL_CMD_SRV(Nickname, TAKE1,
"SSL RSA Server Certificate nickname "
"(`Server-Cert'")
+#ifdef SSL_ENABLE_RENEGOTIATION
+ SSL_CMD_SRV(Renegotiation, FLAG,
+ "Enable SSL Renegotiation (default off) "
+ "(`on', `off')")
+ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
+ "If Rengotiation is allowed, require safe negotiation (default off) "
+ "(`on', `off')")
+#endif
#ifdef NSS_ENABLE_ECC
SSL_CMD_SRV(ECCNickname, TAKE1,
"SSL ECC Server Certificate nickname "
diff --git a/mod_nss.h b/mod_nss.h
index d672e4e..3d69a44 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -269,6 +269,10 @@ typedef struct {
int tls;
int tlsrollback;
int enforce;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ int enablerenegotiation;
+ int requiresafenegotiation;
+#endif
const char *nickname;
#ifdef NSS_ENABLE_ECC
const char *eccnickname;
@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
+#endif
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
diff --git a/nss_engine_config.c b/nss_engine_config.c
index 6fa2701..d6fd3c5 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t *mctx)
mctx->tls = PR_FALSE;
mctx->tlsrollback = PR_FALSE;
+#ifdef SSL_ENABLE_RENEGOTIATION
+ mctx->enablerenegotiation = PR_FALSE;
+ mctx->requiresafenegotiation = PR_FALSE;
+#endif
mctx->enforce = PR_TRUE;
mctx->nickname = NULL;
#ifdef NSS_ENABLE_ECC
@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ctx_t *base,
cfgMerge(eccnickname, NULL);
#endif
cfgMerge(enforce, PR_TRUE);
+#ifdef SSL_ENABLE_RENEGOTIATION
+ cfgMerge(enablerenegotiation, PR_FALSE);
+ cfgMerge(requiresafenegotiation, PR_FALSE);
+#endif
}
static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parms *cmd,
return NULL;
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
+
+ return NULL;
+}
+#endif
+
#ifdef NSS_ENABLE_ECC
const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
void *dcfg,
diff --git a/nss_engine_init.c b/nss_engine_init.c
index fc3bd25..ad76689 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_rec *s,
nss_die();
}
}
+#ifdef SSL_ENABLE_RENEGOTIATION
+ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
+ mctx->enablerenegotiation ?
+ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
+ ) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL renegotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
+ mctx->requiresafenegotiation) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Unable to set SSL safe negotiation");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+ nss_die();
+ }
+#endif
}
static void nss_init_ctx_protocol(server_rec *s,
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list