LogoopenSUSE Build Service > Projects
Sign Up | Log In

View File mod_nss-tlsv1_1.patch of Package apache2-mod_nss (Project mozilla)

Index: mod_nss-1.0.8/docs/mod_nss.html
===================================================================
--- mod_nss-1.0.8.orig/docs/mod_nss.html
+++ mod_nss-1.0.8/docs/mod_nss.html
@@ -466,7 +466,7 @@ Example</span><br style="font-weight: bo
 <br>
 Enables or disables FIPS 140 mode. This replaces the standard
 internal PKCS#11 module with a FIPS-enabled one. It also forces the
-enabled protocols to TLSv1 and disables all ciphers but the
+enabled protocols to TLSv1.2 - TLS v1.0 and disables all ciphers but the
 FIPS ones. You may still select which ciphers you would like
 limited to those that are FIPS-certified. Any non-FIPS that are
 included in the NSSCipherSuite entry are automatically disabled.
@@ -570,7 +570,7 @@ definition<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1<br>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br>
       </td>
     </tr>
     <tr>
@@ -578,106 +578,106 @@ definition<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_null_md5<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_null_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc2_40_md5</td>
       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_128_md5</td>
       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_128_sha</td>
       <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_40_md5</td>
       <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza<br>
       </td>
       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza_rc4_128_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fortezza_null<br>
       </td>
       <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fips_des_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">fips_3des_sha<br>
       </td>
       <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_des_56_sha</td>
       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSL3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_rc4_56_sha</td>
       <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_aes_128_sha<br>
       </td>
       <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td style="vertical-align: top;">rsa_aes_256_sha<br>
       </td>
       <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br>
       </td>
-      <td style="vertical-align: top;">SSLv3/TLSv1</td>
+      <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
   </tbody>
 </table>
@@ -698,127 +698,127 @@ Definition<br>
     <tr>
       <td>ecdh_ecdsa_null_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_rc4_128_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_3des_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_aes_128_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_ecdsa_aes_256_sha</td>
       <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_null_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_rc4_128_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_3des_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_aes_128_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_ecdsa_aes_256_sha</td>
       <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_null_sha</td>
       <td>TLS_ECDH_RSA_WITH_NULL_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_128_sha</td>
       <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_3des_sha</td>
       <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_aes_128_sha</td>
       <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_rsa_aes_256_sha</td>
       <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>echde_rsa_null</td>
       <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_rc4_128_sha</td>
       <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_3des_sha</td>
       <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_aes_128_sha</td>
       <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdhe_rsa_aes_256_sha</td>
       <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_null_sha</td>
       <td>TLS_ECDH_anon_WITH_NULL_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_rc4_128sha</td>
       <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_3des_sha</td>
       <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_aes_128_sha</td>
       <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
     <tr>
       <td>ecdh_anon_aes_256_sha</td>
       <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td>
-      <td>TLSv1</td>
+      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
     </tr>
   </tbody>
 </table>
@@ -839,16 +839,36 @@ specifically but allows ciphers for that
 Options are:<br>
 <ul>
   <li><code>SSLv3</code></li>
-  <li><code>TLSv1</code></li>
+  <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li>
+  <li><code>TLSv1.0</code></li>
+  <li><code>TLSv1.1</code></li>
+  <li><code>TLSv1.2</code></li>
   <li><code>All</code></li>
 </ul>
 Note that this differs from mod_ssl in that you can't add or subtract
 protocols.<br>
+<br>
+If no NSSProtocol is specified, mod_nss will default to allowing the use of
+the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols, where SSLv3 will be set to be the
+minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol
+allowed.
+<br>
+If values for NSSProtocol are specified, mod_nss will set both the minimum
+and the maximum allowed protocols based upon these entries allowing for the
+inclusion of every protocol in-between. For example, if only SSLv3 and TLSv1.2
+are specified, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 will all be allowed, as NSS utilizes
+protocol ranges to accept all protocols inclusively
+(TLS 1.2 -&gt;TLS 1.1 -&gt; TLS 1.0 -&gt; SSL 3.0), and does not allow exclusion of any protocols
+in the middle of a range (e. g. - TLS 1.0).<br>
+<br>
+Finally, NSS will always automatically negotiate the use of the strongest
+possible protocol that has been specified which is acceptable to both sides of
+a given connection.<br>
 <a href="#SSLv2">SSLv2</a> is not supported by default at this time.<br>
 <br>
 <span style="font-weight: bold;">Example</span><br>
 <br>
-<code>NSSProtocol SSLv3,TLSv1</code><br>
+<code>NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2</code><br>
 <br>
 <big><big>NSSNickname<br>
 </big></big><br>
@@ -1101,7 +1121,7 @@ was compiled against.<br>
     <tr>
       <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br>
       </code></td>
-      <td style="vertical-align: top;">SSLv2, SSLv3 or TLSv1<br>
+      <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2<br>
       </td>
     </tr>
     <tr>
@@ -1443,7 +1463,7 @@ Opera, and
 Safari) support SSL 3 and TLS so there is no need for a web server to
 support
 SSL 2. There are some known attacks against SSL 2 that are handled by
-SSL 3/TLS. SSL2 also doesn't support useful features like client
+SSL 3/TLS. SSLv2 also doesn't support useful features like client
 authentication.
 <br>
 <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -90,7 +90,7 @@ static const command_rec nss_config_cmds
                 "(`[+-]XXX,...,[+-]XXX' - see manual)")
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable the various SSL protocols"
-                "(`[SSLv2|SSLv3|TLSv1|all] ...' - see manual)")
+                "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)")
     SSL_CMD_ALL(VerifyClient, TAKE1,
                 "SSL Client Authentication "
                 "(`none', `optional', `require'")
@@ -135,7 +135,7 @@ static const command_rec nss_config_cmds
                 "(`on', `off')")
     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
-               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+               "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)")
     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "(`XXX:...:XXX' - see manual)")
Index: mod_nss-1.0.8/nss_engine_init.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -610,62 +610,103 @@ static void nss_init_ctx_protocol(server
                                   apr_pool_t *ptemp,
                                   modnss_ctx_t *mctx)
 {
-    int ssl2, ssl3, tls;
+    int ssl2, ssl3, tls, tls1_1, tls1_2;
+    char *protocol_marker = NULL;
     char *lprotocols = NULL;
     SECStatus stat;
+    SSLVersionRange enabledVersions;
 
-    ssl2 = ssl3 = tls = 0;
+    ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0;
+
+    /*
+     * Since this routine will be invoked individually for every thread
+     * associated with each 'server' object as well as for every thread
+     * associated with each 'proxy' object, identify the protocol marker
+     * ('NSSProtocol' for 'server' versus 'NSSProxyProtocol' for 'proxy')
+     * via each thread's object type and apply this useful information to
+     * all log messages.
+     */
+    if (mctx == mctx->sc->server) {
+        protocol_marker = "NSSProtocol";
+    } else if (mctx == mctx->sc->proxy) {
+        protocol_marker = "NSSProxyProtocol";
+    }
 
     if (mctx->sc->fips) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-            "In FIPS mode, enabling TLSv1");
-        tls = 1;
+            "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
+            protocol_marker);
+        tls = tls1_1 = tls1_2 = 1;
     } else {
         if (mctx->auth.protocols == NULL) {
-            /*
-             * Since this routine will be invoked individually for every
-             * thread associated with each 'server' object as well as for
-             * every thread associated with each 'proxy' object, issue a
-             * single per-thread 'warning' message for either a 'server'
-             * or a 'proxy' based upon the thread's object type.
-             */
-            if (mctx == mctx->sc->server) {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
-            } else if (mctx == mctx->sc->proxy) {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
-            }
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                         "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2",
+                         protocol_marker);
 
-            ssl3 = tls = 1;
+            ssl3 = tls = tls1_1 = tls1_2 = 1;
         } else {
             lprotocols = strdup(mctx->auth.protocols);
             ap_str_tolower(lprotocols);
 
             if (strstr(lprotocols, "all") != NULL) {
 #ifdef WANT_SSL2
-                ssl2 = ssl3 = tls = 1;
+                ssl2 = ssl3 = tls = tls1_1= tls1_2 = 1;
 #else
-                ssl3 = tls = 1;
+                ssl3 = tls = tls1_1 = tls1_2 = 1;
 #endif
             } else {
-                if (strstr(lprotocols, "sslv2") != NULL) {
+                char *protocol_list = NULL;
+                char *saveptr = NULL;
+                char *token = NULL;
+
+                for (protocol_list = lprotocols; ; protocol_list = NULL) {
+                    token = strtok_r(protocol_list, ",", &saveptr);
+                    if (token == NULL) {
+                        break;
+                    } else if (strcmp(token, "sslv2") == 0) {
 #ifdef WANT_SSL2
-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL2");
-                    ssl2 = 1;
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling SSL2",
+                                     protocol_marker);
+                        ssl2 = 1;
 #else
-                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "SSL2 is not supported");
+                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                                     "%s:  SSL2 is not supported",
+                                     protocol_marker);
 #endif
-                }
-
-                if (strstr(lprotocols, "sslv3") != NULL) {
-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling SSL3");
-                    ssl3 = 1;
-                }
-
-                if (strstr(lprotocols, "tlsv1") != NULL) {
-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Enabling TLS");
-                    tls = 1;
+                    } else if (strcmp(token, "sslv3") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling SSL3",
+                                     protocol_marker);
+                        ssl3 = 1;
+                    } else if (strcmp(token, "tlsv1") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling TLSv1.0 via TLSv1",
+                                     protocol_marker);
+                        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                                     "%s:  The 'TLSv1' protocol name has been deprecated; please change 'TLSv1' to 'TLSv1.0'.",
+                                     protocol_marker);
+                        tls = 1;
+                    } else if (strcmp(token, "tlsv1.0") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling TLSv1.0",
+                                     protocol_marker);
+                        tls = 1;
+                    } else if (strcmp(token, "tlsv1.1") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling TLSv1.1",
+                                     protocol_marker);
+                        tls1_1 = 1;
+                    } else if (strcmp(token, "tlsv1.2") == 0) {
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                     "%s:  Enabling TLSv1.2",
+                                     protocol_marker);
+                        tls1_2 = 1;
+                    } else {
+                        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                                     "%s:  Unknown protocol '%s' not supported",
+                                     protocol_marker, token);
+                    }
                 }
             }
             free(lprotocols);
@@ -680,31 +721,110 @@ static void nss_init_ctx_protocol(server
         stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
     }
 
+    /* Set protocol version ranges:
+     *
+     *     (1) Set the minimum protocol accepted
+     *     (2) Set the maximum protocol accepted
+     *     (3) Protocol ranges extend from maximum down to minimum protocol
+     *     (4) All protocol ranges are completely inclusive;
+     *         no protocol in the middle of a range may be excluded
+     *     (5) NSS automatically negotiates the use of the strongest protocol
+     *         for a connection starting with the maximum specified protocol
+     *         and downgrading as necessary to the minimum specified protocol
+     *
+     * For example, if SSL 3.0 is chosen as the minimum protocol, and
+     * TLS 1.1 is chosen as the maximum protocol, SSL 3.0, TLS 1.0, and
+     * TLS 1.1 will all be accepted as protocols, as TLS 1.0 will not and
+     * cannot be excluded from this range. NSS will automatically negotiate
+     * to utilize the strongest acceptable protocol for a connection starting
+     * with the maximum specified protocol and downgrading as necessary to the
+     * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0).
+     */
     if (stat == SECSuccess) {
+        /* Set minimum protocol version (lowest -> highest)
+         *
+         *     SSL 3.0 -> TLS 1.0 -> TLS 1.1
+         */
         if (ssl3 == 1) {
-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_TRUE);
+            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [SSL 3.0] (minimum)",
+                         protocol_marker);
+        } else if (tls == 1) {
+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.0] (minimum)",
+                         protocol_marker);
+        } else if (tls1_1 == 1) {
+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.1] (minimum)",
+                         protocol_marker);
+        } else if (tls1_2 == 1) {
+            enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.2] (minimum)",
+                         protocol_marker);
         } else {
-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL3, PR_FALSE);
+            /* Set default minimum protocol version to SSL 3.0 */
+            enabledVersions.min = SSL_LIBRARY_VERSION_3_0;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [SSL 3.0] (default minimum)",
+                         protocol_marker);
         }
-    }
-    if (stat == SECSuccess) {
-        if (tls == 1) {
-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_TRUE);
+
+        /* Set maximum protocol version (highest -> lowest)
+         *
+         *     TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0
+         */
+        if (tls1_2 == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.2] (maximum)",
+                         protocol_marker);
+        } else if (tls1_1 == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.1] (maximum)",
+                         protocol_marker);
+        } else if (tls == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.0] (maximum)",
+                         protocol_marker);
+        } else if (ssl3 == 1) {
+            enabledVersions.max = SSL_LIBRARY_VERSION_3_0;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [SSL 3.0] (maximum)",
+                         protocol_marker);
         } else {
-            stat = SSL_OptionSet(mctx->model, SSL_ENABLE_TLS, PR_FALSE);
+            /* Set default maximum protocol version to TLS 1.2 */
+            enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2;
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s:  [TLS 1.2] (default maximum)",
+                         protocol_marker);
         }
+
+        stat = SSL_VersionRangeSet(mctx->model, &enabledVersions);
     }
 
     if (stat != SECSuccess) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                "SSL protocol initialization failed.");
+                "%s:  SSL/TLS protocol initialization failed.",
+                protocol_marker);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
     }
 
     mctx->ssl2 = ssl2;
     mctx->ssl3 = ssl3;
-    mctx->tls = tls;
+    if (tls1_2 == 1) {
+        mctx->tls = tls1_2;
+    } else if (tls1_1 == 1) {
+        mctx->tls = tls1_1;
+    } else {
+        mctx->tls = tls;
+    }
 }
 
 static void nss_init_ctx_session_cache(server_rec *s,
@@ -785,6 +905,8 @@ static void nss_init_ctx_cipher_suite(se
     PRBool cipher_state[ciphernum];
     PRBool fips_state[ciphernum];
     const char *suite = mctx->auth.cipher_suite; 
+    char * object_type = NULL;
+    char * cipher_suite_marker = NULL;
     char * ciphers;
     char * fipsciphers = NULL;
     int i;
@@ -814,6 +936,23 @@ static void nss_init_ctx_cipher_suite(se
 
         nss_die();
     }
+
+    /*
+     * Since this routine will be invoked individually for every thread
+     * associated with each 'server' object as well as for every thread
+     * associated with each 'proxy' object, identify the cipher suite markers
+     * ('NSSCipherSuite' for 'server' versus 'NSSProxyCipherSuite' for 'proxy')
+     * via each thread's object type and apply this useful information to
+     * all log messages.
+     */
+    if (mctx == mctx->sc->server) {
+        object_type = "server";
+        cipher_suite_marker = "NSSCipherSuite";
+    } else if (mctx == mctx->sc->proxy) {
+        object_type = "proxy";
+        cipher_suite_marker = "NSSProxyCipherSuite";
+    }
+
     ciphers = strdup(suite);
 
 #define CIPHERSIZE 2048
@@ -848,13 +987,13 @@ static void nss_init_ctx_cipher_suite(se
         }
 
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "FIPS mode enabled, permitted SSL ciphers are: [%s]",
-                 fipsciphers);
+            "FIPS mode enabled on this %s, permitted SSL ciphers are: [%s]",
+            object_type, fipsciphers);
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                "Configuring permitted SSL ciphers [%s]",
-                 suite);
+                "%s:  Configuring permitted SSL ciphers [%s]",
+                 cipher_suite_marker, suite);
 
     /* Disable all NSS supported cipher suites. This is to prevent any new
      * NSS cipher suites from getting automatically and unintentionally
@@ -893,7 +1032,7 @@ static void nss_init_ctx_cipher_suite(se
         for (i=0; i<ciphernum; i++) {
             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
                 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                    "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
+                    "Cipher %s is enabled for this %s, but this is not a FIPS cipher, disabling.", ciphers_def[i].name, object_type);
                 cipher_state[i] = PR_FALSE;
             }
         }
@@ -902,19 +1041,22 @@ static void nss_init_ctx_cipher_suite(se
     /* See if any ciphers have been enabled for a given protocol */
     if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-            "SSL2 is enabled but no SSL2 ciphers are enabled.");
+            "%s:  SSL2 is enabled but no SSL2 ciphers are enabled.",
+            cipher_suite_marker);
         nss_die();
     }
 
     if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-            "SSL3 is enabled but no SSL3 ciphers are enabled.");
+            "%s:  SSL3 is enabled but no SSL3 ciphers are enabled.",
+            cipher_suite_marker);
         nss_die();
     }
 
     if (mctx->tls && countciphers(cipher_state, TLS) == 0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-            "TLS is enabled but no TLS ciphers are enabled.");
+            "%s:  TLS is enabled but no TLS ciphers are enabled.",
+            cipher_suite_marker);
         nss_die();
     }
 
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -722,9 +722,13 @@ static char *nss_var_lookup_protocol_ver
                 case SSL_LIBRARY_VERSION_3_0:
                     result = "SSLv3";
                     break;
-                case SSL_LIBRARY_VERSION_3_1_TLS:
+                case SSL_LIBRARY_VERSION_TLS_1_0:
+                    /* 'TLSv1' has been deprecated; specify 'TLSv1.0' */
                     result = "TLSv1";
                     break;
+                case SSL_LIBRARY_VERSION_TLS_1_1:
+                    result = "TLSv1.1";
+                    break;
             }
         }
     }