[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 112/156: Only call PK11_ListCerts once and pass it when configuring each virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:34 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit d3da91ecfb668740c06565ab8d071b3e5c38a270
Author: rcritten <>
Date: Wed Sep 22 21:19:24 2010 +0000
Only call PK11_ListCerts once and pass it when configuring each
virtual server. This saves considerable time when there are a lot
of certificates and/or virtual servers.
Change enforce so that we only check the validity of the certificate
if enforcecerts is enabled (the default).
Patch contributed by Wolter Eldering <wolter.eldering at vanad.com.cn>
bug 635324
---
mod_nss.h | 2 +-
nss_engine_init.c | 59 +++++++++++++++++++++++++++++++------------------------
2 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/mod_nss.h b/mod_nss.h
index 30a3680..086a7cc 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -416,7 +416,7 @@ const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
diff --git a/nss_engine_init.c b/nss_engine_init.c
index ad76689..0392205 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -26,7 +26,7 @@
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ }
+
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
}
@@ -898,7 +904,8 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
SECKEYPrivateKey **serverkey,
SSLKEAType *KEAtype,
PRFileDesc *model,
- int enforce)
+ int enforce,
+ const CERTCertList* clist)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
@@ -912,17 +919,15 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Using nickname %s.", nickname);
- *servercert = FindServerCertFromNickname(nickname);
+ *servercert = FindServerCertFromNickname(nickname, clist);
/* Verify the certificate chain. */
if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", nickname);
+ if (enforce) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
@@ -1012,7 +1017,8 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
static void nss_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+ modnss_ctx_t *mctx,
+ const CERTCertList* clist)
{
SECStatus secstatus;
@@ -1033,11 +1039,11 @@ static void nss_init_server_certs(server_rec *s,
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
&mctx->serverkey, &mctx->serverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#ifdef NSS_ENABLE_ECC
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
&mctx->eccserverkey, &mctx->eccserverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#endif
}
@@ -1061,23 +1067,25 @@ static void nss_init_server_certs(server_rec *s,
static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
}
static void nss_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
}
/*
@@ -1086,18 +1094,19 @@ static void nss_init_server_ctx(server_rec *s,
void nss_init_ConfigureServer(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
if (sc->enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol");
- nss_init_server_ctx(s, p, ptemp, sc);
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
}
if (sc->proxy_enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Enabling proxy.");
- nss_init_proxy_ctx(s, p, ptemp, sc);
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
}
}
@@ -1149,10 +1158,14 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
/*
@@ -1341,9 +1354,8 @@ cert_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
* newest, valid server certificate.
*/
static CERTCertificate*
-FindServerCertFromNickname(const char* name)
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
{
- CERTCertList* clist;
CERTCertificate* bestcert = NULL;
CERTCertListNode *cln;
@@ -1353,8 +1365,6 @@ FindServerCertFromNickname(const char* name)
if (name == NULL)
return NULL;
- clist = PK11_ListCerts(PK11CertListUser, NULL);
-
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
cln = CERT_LIST_NEXT(cln)) {
CERTCertificate* cert = cln->cert;
@@ -1419,9 +1429,6 @@ FindServerCertFromNickname(const char* name)
if (bestcert) {
bestcert = CERT_DupCertificate(bestcert);
}
- if (clist) {
- CERT_DestroyCertList(clist);
- }
return bestcert;
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list