From b1a7f8fd8c507f1c6f5eb015447efcf7296d8c4b Mon Sep 17 00:00:00 2001
From: rcritten
Date: Mar 19 2010 15:59:54 +0000
Subject: - Patch to add configuration options for new NSS negotiation API (#574187) - Add (pre) for Requires on httpd so we can be sure the user and group are already available - Add file Requires on libnssckbi.so so symlink can't fail - Use _sysconfdir macro instead of /etc - Set minimum level of NSS to 3.12.6 - The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
---
diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch
new file mode 100644
index 0000000..c385cfb
--- /dev/null
+++ b/mod_nss-negotiate.patch
@@ -0,0 +1,180 @@ + +diff -up ./mod_nss.c.norego ./mod_nss.c +--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 +@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds + SSL_CMD_SRV(Nickname, TAKE1, + "SSL RSA Server Certificate nickname " + "(`Server-Cert'") ++#ifdef SSL_ENABLE_RENEGOTIATION ++ SSL_CMD_SRV(Renegotiation, FLAG, ++ "Enable SSL Renegotiation (default off) " ++ "(`on', `off')") ++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG, ++ "If Rengotiation is allowed, require safe negotiation (default off) " ++ "(`on', `off')") ++#endif + #ifdef NSS_ENABLE_ECC + SSL_CMD_SRV(ECCNickname, TAKE1, + "SSL ECC Server Certificate nickname " +diff -up ./mod_nss.h.norego ./mod_nss.h +--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 +@@ -269,6 +269,10 @@ typedef struct { + int tls; + int tlsrollback; + int enforce; ++#ifdef SSL_ENABLE_RENEGOTIATION ++ int enablerenegotiation; ++ int requiresafenegotiation; ++#endif + const char *nickname; + #ifdef NSS_ENABLE_ECC + const char *eccnickname; +@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p + const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); ++#endif + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); + #endif +diff -up ./nss_engine_config.c.norego ./nss_engine_config.c +--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 +@@ -78,6 +78,10 @@ static void 
modnss_ctx_init(modnss_ctx_t + mctx->tls = PR_FALSE; + mctx->tlsrollback = PR_FALSE; + ++#ifdef SSL_ENABLE_RENEGOTIATION ++ mctx->enablerenegotiation = PR_FALSE; ++ mctx->requiresafenegotiation = PR_FALSE; ++#endif + mctx->enforce = PR_TRUE; + mctx->nickname = NULL; + #ifdef NSS_ENABLE_ECC +@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ + cfgMerge(eccnickname, NULL); + #endif + cfgMerge(enforce, PR_TRUE); ++#ifdef SSL_ENABLE_RENEGOTIATION ++ cfgMerge(enablerenegotiation, PR_FALSE); ++ cfgMerge(requiresafenegotiation, PR_FALSE); ++#endif + } + + static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, +@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm + return NULL; + } + ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++#endif ++ + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, + void *dcfg, +diff -up ./nss_engine_init.c.norego ./nss_engine_init.c +--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 +@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r + nss_die(); + } + } ++#ifdef SSL_ENABLE_RENEGOTIATION ++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, ++ mctx->enablerenegotiation ? 
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER ++ ) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL renegotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, ++ mctx->requiresafenegotiation) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL safe negotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++#endif + } + + static void nss_init_ctx_protocol(server_rec *s, + +diff -up ./nss.conf.in.norego ./nss.conf.in +--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000 ++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000 +@@ -64,6 +64,17 @@ + #NSSRandomSeed startup file:/dev/random 512 + #NSSRandomSeed startup file:/dev/urandom 512 + ++# ++# TLS Negotiation configuration under RFC 5746 ++# ++# Only renegotiate if the peer's hello bears the TLS renegotiation_info ++# extension. Default off. ++NSSRenegotiation off ++ ++# Peer must send Signaling Cipher Suite Value (SCSV) or ++# Renegotiation Info (RI) extension in ALL handshakes. 
Default: off ++NSSRequireSafeNegotiation off ++ + ## + ## SSL Virtual Host Context + ## + +diff -up ./nss_engine_log.c.norego ./nss_engine_log.c +--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 ++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 +@@ -27,7 +27,7 @@ + #define LIBSEC_ERROR_BASE (-8192) + #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) + #define LIBSSL_ERROR_BASE (-12288) +-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) ++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) + + typedef struct l_error_t { + int errorNumber; +@@ -296,7 +296,19 @@ + { 99, "Server requires ciphers more secure than those supported by client" }, + { 100, "Peer reports it experienced an internal error" }, + { 101, "Peer user canceled handshake" }, +- { 102, "Peer does not permit renegotiation of SSL security parameters" } ++ { 102, "Peer does not permit renegotiation of SSL security parameters" }, ++ { 103, "Server cache not configured" }, ++ { 104, "Unsupported extension" }, ++ { 105, "Certificate unobtainable" }, ++ { 106, "Unrecognized name" }, ++ { 107, "Bad certificate status" }, ++ { 108, "Bad certificate hash value" }, ++ { 109, "Unexpected new session ticket" }, ++ { 110, "Malformed new session ticket" }, ++ { 111, "Decompression failure" }, ++ { 112, "Renegotiation not allowed" }, ++ { 113, "Safe negotiation required but not provided by client" }, ++ { 114, "Unexpected uncompressed record" }, + }; + + void nss_die(void) diff --git a/mod_nss.spec b/mod_nss.spec index 9e9a67e..59a2f27 100644 --- a/mod_nss.spec +++ b/mod_nss.spec 
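Review bot: The help string added for `RequireSafeNegotiation` in mod_nss.c is misleading as well as misspelled: it says the option applies "If Rengotiation is allowed", but nss_init_ctx_socket sets `SSL_REQUIRE_SAFE_NEGOTIATION` from `mctx->requiresafenegotiation` regardless of `enablerenegotiation`, and the nss.conf.in comment in the same patch correctly says the peer must signal RI/SCSV in all handshakes, including the initial one. Suggest `"Require the peer to send the RFC 5746 renegotiation_info extension or SCSV in every handshake (default off) "` so the two descriptions agree and an operator does not assume that leaving NSSRenegotiation off makes this setting a no-op. The nss_engine_log.c change bumps LIBSSL_MAX_ERROR to 114 in step with the twelve new table entries; if the lookup code (outside this hunk) derives the table bound from that macro rather than from the array size, the two must keep moving together, which is worth a one-line comment next to the define.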
@@ -1,19 +1,24 @@ Name: mod_nss Version: 1.0.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: SSL/TLS module for the Apache HTTP server Group: System Environment/Daemons License: ASL 2.0 URL: http://directory.fedoraproject.org/wiki/Mod_nss Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.11.3 -BuildRequires: httpd-devel >= 0:2.0.52, apr-devel, apr-util-devel +BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6 +BuildRequires: httpd-devel, apr-devel, apr-util-devel BuildRequires: pkgconfig -Requires: httpd >= 0:2.0.52 +Requires(pre): httpd +Requires: nss >= 3.12.6 +# Add a files Requires on this in case the nss package moves it again +Requires: %{_libdir}/libnssckbi.so Patch1: mod_nss-conf.patch Patch2: mod_nss-gencert.patch Patch3: mod_nss-wouldblock.patch +# Add options for tuning client negotiate in NSS +Patch4: mod_nss-negotiate.patch %description The mod_nss module provides strong cryptography for the Apache Web @@ -26,6 +31,7 @@ security library. %patch1 -p1 -b .conf %patch2 -p1 -b .gencert %patch3 -p1 -b .wouldblock +%patch4 -p1 -b .negotiate # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -68,7 +74,7 @@ install -m 644 nss.conf $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/ install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ -ln -s ../../../%{_lib}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/ +ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/ touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db 
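Review bot: `Requires: httpd >= 0:2.0.52` is replaced by `Requires(pre): httpd` alone, and no plain `Requires: httpd` remains in the hunk. A scriptlet-context requirement guarantees ordering for %pre; as far as I can tell it is not a substitute for the runtime dependency, so a module that is loaded into httpd should carry both: `Requires(pre): httpd` and `Requires: httpd`. The versioned lower bound was dropped at the same time; if the 2.0.52 floor is no longer needed, the changelog entry should say so, otherwise restore it on the runtime line.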
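Review bot: The rewritten `ln -s` target combines the relative prefix `../../../` with `%{_libdir}`, which already expands to an absolute path, so the link created in %{_sysconfdir}/httpd/alias/ points at `../../..//usr/lib64/libnssckbi.so` (or the lib equivalent). That resolves on Linux because the doubled slash collapses, but it only works while the alias directory sits exactly three levels below the root, and it may draw an rpmlint symlink warning. Since the same commit adds `Requires: %{_libdir}/libnssckbi.so`, the consistent form is the absolute target that dependency names: `ln -s %{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/`.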
@@ -91,8 +97,8 @@ if [ "$1" -eq 1 ] ; then fi # Make sure that the database ownership is setup properly. - /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \; - /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; + /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \; + /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; fi %files @@ -110,6 +116,15 @@ fi %{_sbindir}/gencert %changelog +* Thu Mar 18 2010 Rob Crittenden - 1.0.8-2 +- Patch to add configuration options for new NSS negotiation API (#574187) +- Add (pre) for Requires on httpd so we can be sure the user and group are + already available +- Add file Requires on libnssckbi.so so symlink can't fail +- Use _sysconfdir macro instead of /etc +- Set minimum level of NSS to 3.12.6 +- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744) + * Mon Mar 2 2009 Rob Crittenden - 1.0.8-1 - Update to 1.0.8 - Add patch that fixes NSPR layer bug