[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 125/156: Add support for TLS v1.1, protocol ranges.
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:35 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit 25e23d6aa024c875bbbaefc8f11d2780e09036b2
Author: Rob Crittenden <rcritten at redhat.com>
Date: Fri Oct 11 17:51:23 2013 -0400
Add support for TLS v1.1, protocol ranges.
Set protocol version ranges:
(1) Set the minimum protocol accepted
(2) Set the maximum protocol accepted
(3) Protocol ranges extend from maximum down to minimum
protocol
(4) All protocol ranges are completely inclusive;
no protocol in the middle of a range may be excluded
(5) NSS automatically negotiates the use of the strongest
protocol for a connection starting with the maximum
specified protocol and downgrading as necessary to the
minimum specified protocol
For example, if SSL 3.0 is chosen as the minimum protocol, and
TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not
and cannot be excluded from this range. NSS will automatically
negotiate to utilize the strongest acceptable protocol for a
connection starting with the maximum specified protocol and
downgrading as necessary to the minimum specified protocol
(TLS 1.1 -> TLS 1.0 -> SSL 3.0).
BZ 816394
---
docs/mod_nss.html | 113 ++++++++++++++++------------
mod_nss.c | 4 +-
nss.conf.in | 11 ++-
nss_engine_init.c | 215 ++++++++++++++++++++++++++++++++++++++++++++----------
nss_engine_vars.c | 6 +-
5 files changed, 259 insertions(+), 90 deletions(-)
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 2bd4bd6..7e18672 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bold;">
<br>
Enables or disables FIPS 140 mode. This replaces the standard
internal PKCS#11 module with a FIPS-enabled one. It also forces the
-enabled protocols to TLSv1 and disables all ciphers but the
+enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the
FIPS ones. You may still select which ciphers you would like
limited to those that are FIPS-certified. Any non-FIPS that are
included in the NSSCipherSuite entry are automatically disabled.
@@ -570,7 +570,7 @@ definition<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1<br>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br>
</td>
</tr>
<tr>
@@ -578,106 +578,106 @@ definition<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_null_md5<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_null_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc2_40_md5</td>
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_128_md5</td>
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_128_sha</td>
<td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_40_md5</td>
<td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_rc4_128_sha<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">fortezza_null<br>
</td>
<td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">fips_3des_sha<br>
</td>
<td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_des_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSL3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_rc4_56_sha</td>
<td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_128_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td style="vertical-align: top;">rsa_aes_256_sha<br>
</td>
<td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
</td>
- <td style="vertical-align: top;">SSLv3/TLSv1</td>
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td>
</tr>
</tbody>
</table>
@@ -698,127 +698,127 @@ Definition<br>
<tr>
<td>ecdh_ecdsa_null_sha</td>
<td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_ecdsa_rc4_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_ecdsa_3des_sha</td>
<td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_128_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_ecdsa_aes_256_sha</td>
<td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_ecdsa_null_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_ecdsa_rc4_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_ecdsa_3des_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_ecdsa_aes_128_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_ecdsa_aes_256_sha</td>
<td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_rsa_null_sha</td>
<td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_rsa_128_sha</td>
<td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_rsa_3des_sha</td>
<td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_rsa_aes_128_sha</td>
<td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_rsa_aes_256_sha</td>
<td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>echde_rsa_null</td>
<td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_rsa_rc4_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_rsa_3des_sha</td>
<td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_128_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdhe_rsa_aes_256_sha</td>
<td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_anon_null_sha</td>
<td>TLS_ECDH_anon_WITH_NULL_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_anon_rc4_128sha</td>
<td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_anon_3des_sha</td>
<td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_anon_aes_128_sha</td>
<td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
<tr>
<td>ecdh_anon_aes_256_sha</td>
<td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
- <td>TLSv1</td>
+ <td>TLSv1.0/TLSv1.1</td>
</tr>
</tbody>
</table>
@@ -839,16 +839,35 @@ specifically but allows ciphers for that protocol to be used at all.<br>
Options are:<br>
<ul>
<li><code>SSLv3</code></li>
- <li><code>TLSv1</code></li>
+ <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
+ <li><code>TLSv1.0</code></li>
+ <li><code>TLSv1.1</code></li>
<li><code>All</code></li>
</ul>
Note that this differs from mod_ssl in that you can't add or subtract
protocols.<br>
+<br>
+If no NSSProtocol is specified, mod_nss will default to allowing the use of
+the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the
+minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol
+allowed.
+<br>
+If values for NSSProtocol are specified, mod_nss will set both the minimum
+and the maximum allowed protocols based upon these entries allowing for the
+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.1
+are specified, SSLv3, TLSv1.0, and TLSv1.1 will all be allowed, as NSS utilizes
+protocol ranges to accept all protocols inclusively
+(TLS 1.1 -> TLS 1.0 -> SSL 3.0), and does not allow exclusion of any protocols
+in the middle of a range (e. g. - TLS 1.0).<br>
+<br>
+Finally, NSS will always automatically negotiate the use of the strongest
+possible protocol that has been specified which is acceptable to both sides of
+a given connection.<br>
<a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
<br>
<span style="font-weight: bold;">Example</span><br>
<br>
-<code>NSSProtocol SSLv3,TLSv1</code><br>
+<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1</code><br>
<br>
<big><big>NSSNickname<br>
</big></big><br>
@@ -1101,7 +1120,7 @@ was compiled against.<br>
<tr>
<td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
</code></td>
- <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
+ <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br>
</td>
</tr>
<tr>
@@ -1443,7 +1462,7 @@ Opera, and
Safari) support SSL 3 and TLS so there is no need for a web server to
support
SSL 2. There are some known attacks against SSL 2 that are handled by
-SSL 3/TLS. SSL2 also doesn't support useful features like client
+SSL 3/TLS. SSLv2 also doesn't support useful features like client
authentication.
<br>
<h1><a name="FAQ"></a>Frequently Asked Questions</h1>
diff --git a/mod_nss.c b/mod_nss.c
index e4fed90..efb1f7b 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds[] = {
"(`[+-]XXX,...,[+-]XXX' - see manual)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable the various SSL protocols"
- "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
+ "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client Authentication "
"(`none', `optional', `require'")
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds[] = {
"(`on', `off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)")
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"(`XXX:...:XXX' - see manual)")
diff --git a/nss.conf.in b/nss.conf.in
index 4411cdc..050ce8a 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -109,7 +109,16 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdh [...]
-NSSProtocol SSLv3,TLSv1
+# SSL Protocol:
+# Cryptographic protocols that provide communication security.
+# NSS handles the specified protocols as "ranges", and automatically
+# negotiates the use of the strongest protocol for a connection starting
+# with the maximum specified protocol and downgrading as necessary to the
+# minimum specified protocol that can be used between two processes.
+# Since all protocol ranges are completely inclusive, and no protocol in the
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
diff --git a/nss_engine_init.c b/nss_engine_init.c
index a7186bb..0e584cb 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -616,49 +616,97 @@ static void nss_init_ctx_protocol(server_rec *s,
apr_pool_t *ptemp,
modnss_ctx_t *mctx)
{
- int ssl2, ssl3, tls;
+ int ssl2, ssl3, tls, tls1_1;
+ char *protocol_marker = NULL;
char *lprotocols = NULL;
SECStatus stat;
+ SSLVersionRange enabledVersions;
- ssl2 = ssl3 = tls = 0;
+ ssl2 = ssl3 = tls = tls1_1 = 0;
+
+ /*
+ * Since this routine will be invoked individually for every thread
+ * associated with each 'server' object as well as for every thread
+ * associated with each 'proxy' object, identify the protocol marker
+ * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
+ * via each thread's object type and apply this useful information to
+ * all log messages.
+ */
+ if (mctx == mctx->sc->server) {
+ protocol_marker = "NSSProtocol";
+ } else if (mctx == mctx->sc->proxy) {
+ protocol_marker = "NSSProxyProtocol";
+ }
if (mctx->sc->fips) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "In FIPS mode, enabling TLSv1");
- tls = 1;
+ "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1",
+ protocol_marker);
+ tls = tls1_1 = 1;
} else {
if (mctx->auth.protocols == NULL) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "NSSProtocols not set; using: SSLv3 and TLSv1");
- ssl3 = tls = 1;
+ "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",
+ protocol_marker);
+ ssl3 = tls = tls1_1 = 1;
} else {
lprotocols = strdup(mctx->auth.protocols);
ap_str_tolower(lprotocols);
if (strstr(lprotocols, "all") != NULL) {
#ifdef WANT_SSL2
- ssl2 = ssl3 = tls = 1;
+ ssl2 = ssl3 = tls = tls1_1 = 1;
#else
- ssl3 = tls = 1;
+ ssl3 = tls = tls1_1 = 1;
#endif
} else {
- if (strstr(lprotocols, "sslv2") != NULL) {
+ char *protocol_list = NULL;
+ char *saveptr = NULL;
+ char *token = NULL;
+
+ for (protocol_list = lprotocols; ; protocol_list = NULL) {
+ token = strtok_r(protocol_list, ",", &saveptr);
+ if (token == NULL) {
+ break;
+ } else if (strcmp(token, "sslv2") == 0) {
#ifdef WANT_SSL2
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
- ssl2 = 1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling SSL2",
+ protocol_marker);
+ ssl2 = 1;
#else
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "%s: SSL2 is not supported",
+ protocol_marker);
#endif
- }
-
- if (strstr(lprotocols, "sslv3") != NULL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
- ssl3 = 1;
- }
-
- if (strstr(lprotocols, "tlsv1") != NULL) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
- tls = 1;
+ } else if (strcmp(token, "sslv3") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling SSL3",
+ protocol_marker);
+ ssl3 = 1;
+ } else if (strcmp(token, "tlsv1") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.0 via TLSv1",
+ protocol_marker);
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "%s: The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
+ protocol_marker);
+ tls = 1;
+ } else if (strcmp(token, "tlsv1.0") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.0",
+ protocol_marker);
+ tls = 1;
+ } else if (strcmp(token, "tlsv1.1") == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Enabling TLSv1.1",
+ protocol_marker);
+ tls1_1 = 1;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "%s: Unknown protocol '%s' not supported",
+ protocol_marker, token);
+ }
}
}
free(lprotocols);
@@ -673,31 +721,98 @@ static void nss_init_ctx_protocol(server_rec *s,
stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
}
+ /* Set protocol version ranges:
+ *
+ * (1) Set the minimum protocol accepted
+ * (2) Set the maximum protocol accepted
+ * (3) Protocol ranges extend from maximum down to minimum protocol
+ * (4) All protocol ranges are completely inclusive;
+ * no protocol in the middle of a range may be excluded
+ * (5) NSS automatically negotiates the use of the strongest protocol
+ * for a connection starting with the maximum specified protocol
+ * and downgrading as necessary to the minimum specified protocol
+ *
+ * For example, if SSL 3.0 is chosen as the minimum protocol, and
+ * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
+ * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
+ * cannot be excluded from this range. NSS will automatically negotiate
+ * to utilize the strongest acceptable protocol for a connection starting
+ * with the maximum specified protocol and downgrading as necessary to the
+ * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+ */
if (stat == SECSuccess) {
+ /* Set minimum protocol version (lowest -> highest)
+ *
+ * SSL 3.0 -> TLS 1.0 -> TLS 1.1
+ */
if (ssl3 == 1) {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (minimum)",
+ protocol_marker);
+ } else if (tls == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.0] (minimum)",
+ protocol_marker);
+ } else if (tls1_1 == 1) {
+ enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.1] (minimum)",
+ protocol_marker);
} else {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
+ /* Set default minimum protocol version to SSL 3.0 */
+ enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (default minimum)",
+ protocol_marker);
}
- }
- if (stat == SECSuccess) {
- if (tls == 1) {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
+
+ /* Set maximum protocol version (highest -> lowest)
+ *
+ * TLS 1.1 -> TLS 1.0 -> SSL 3.0
+ */
+ if (tls1_1 == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.1] (maximum)",
+ protocol_marker);
+ } else if (tls == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.0] (maximum)",
+ protocol_marker);
+ } else if (ssl3 == 1) {
+ enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [SSL 3.0] (maximum)",
+ protocol_marker);
} else {
- stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
+ /* Set default maximum protocol version to TLS 1.1 */
+ enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: [TLS 1.1] (default maximum)",
+ protocol_marker);
}
+
+ stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
}
if (stat != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL protocol initialization failed.");
+ "%s: SSL/TLS protocol initialization failed.",
+ protocol_marker);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
}
mctx->ssl2 = ssl2;
mctx->ssl3 = ssl3;
- mctx->tls = tls;
+ if (tls1_1 == 1) {
+ mctx->tls = tls1_1;
+ } else {
+ mctx->tls = tls;
+ }
}
static void nss_init_ctx_session_cache(server_rec *s,
@@ -778,6 +893,8 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
PRBool cipher_state[ciphernum];
PRBool fips_state[ciphernum];
const char *suite = mctx->auth.cipher_suite;
+ char * object_type = NULL;
+ char * cipher_suite_marker = NULL;
char * ciphers;
char * fipsciphers = NULL;
int i;
@@ -790,6 +907,23 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
"Required value NSSCipherSuite not set.");
nss_die();
}
+
+ /*
+ * Since this routine will be invoked individually for every thread
+ * associated with each 'server' object as well as for every thread
+ * associated with each 'proxy' object, identify the cipher suite markers
+ * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
+ * via each thread's object type and apply this useful information to
+ * all log messages.
+ */
+ if (mctx == mctx->sc->server) {
+ object_type = "server";
+ cipher_suite_marker = "NSSCipherSuite";
+ } else if (mctx == mctx->sc->proxy) {
+ object_type = "proxy";
+ cipher_suite_marker = "NSSProxyCipherSuite";
+ }
+
ciphers = strdup(suite);
#define CIPHERSIZE 2048
@@ -824,13 +958,13 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "FIPS mode enabled, permitted SSL ciphers are: [%s]",
- fipsciphers);
+ "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
+ object_type, fipsciphers);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "Configuring permitted SSL ciphers [%s]",
- suite);
+ "%s: Configuring permitted SSL ciphers [%s]",
+ cipher_suite_marker, suite);
/* Disable all NSS supported cipher suites. This is to prevent any new
* NSS cipher suites from getting automatically and unintentionally
@@ -869,7 +1003,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
for (i=0; i<ciphernum; i++) {
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
+ "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
cipher_state[i] = PR_FALSE;
}
}
@@ -878,19 +1012,22 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
/* See if any ciphers have been enabled for a given protocol */
if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL2 is enabled but no SSL2 ciphers are enabled.");
+ "%s: SSL2 is enabled but no SSL2 ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "SSL3 is enabled but no SSL3 ciphers are enabled.");
+ "%s: SSL3 is enabled but no SSL3 ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "TLS is enabled but no TLS ciphers are enabled.");
+ "%s: TLS is enabled but no TLS ciphers are enabled.",
+ cipher_suite_marker);
nss_die();
}
diff --git a/nss_engine_vars.c b/nss_engine_vars.c
index b3dcf92..8f0379a 100644
--- a/nss_engine_vars.c
+++ b/nss_engine_vars.c
@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c)
case SSL_LIBRARY_VERSION_3_0:
result = "SSLv3";
break;
- case SSL_LIBRARY_VERSION_3_1_TLS:
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
result = "TLSv1";
break;
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ result = "TLSv1.1";
+ break;
}
}
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list