Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
apache2-mod_nss.2286
0001-Add-server-support-for-DHE-ciphers.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Add-server-support-for-DHE-ciphers.patch of Package apache2-mod_nss.2286
From 9205812071bcd7bcf098efd80b82ec2bc1a62da4 Mon Sep 17 00:00:00 2001 From: Christian Heimes <cheimes@redhat.com> Date: Mon, 8 Feb 2016 15:52:25 +0100 Subject: [PATCH] Add server support for DHE ciphers Similar patch was provided by Vitezslav Cizek <vcizek@suse.com> Heavily modified by Rob Crittenden <rcritten@redhat.com> https://fedorahosted.org/mod_nss/ticket/15 --- configure.ac | 9 +++++++++ docs/mod_nss.html | 40 +++++++++++++++++++++++++++++++++++++++- mod_nss.h | 3 +++ nss_engine_cipher.c | 20 +++++++++++++++++++- nss_engine_cipher.h | 2 ++ nss_engine_init.c | 15 +++++++++++++++ 6 files changed, 87 insertions(+), 2 deletions(-) Index: mod_nss-1.0.8/docs/mod_nss.html =================================================================== --- mod_nss-1.0.8.orig/docs/mod_nss.html 2016-03-18 14:48:47.718852738 +0100 +++ mod_nss-1.0.8/docs/mod_nss.html 2016-03-21 13:01:46.378528024 +0100 @@ -511,7 +511,7 @@ All ciphers are disabled by default. The enabled because <a href="#SSLv2">SSLv2</a> is not allowed in mod_nss.<br> <br> -Available ciphers are:<br> +Available RSA ciphers are:<br> <br> <table style="width: 70%; text-align: left;" border="1" cellpadding="2" cellspacing="2"> @@ -718,6 +718,43 @@ definition<br> </tr> </tbody> </table> +<br>The available server-side DHE ciphers are:<br> +<br> +<table style="width: 70%; text-align: left;" border="1" cellpadding="2" cellspacing="2"> +<tbody><tr><td style="vertical-align: top; font-weight: bold;">Cipher Name<br> + </td><td style="vertical-align: top; font-weight: bold;">NSS Cipher definition<br> + </td><td style="vertical-align: top; font-weight: bold;">Protocol<br> + </td></tr><tr><td style="vertical-align: top;">dhe_rsa_des_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_DES_CBC_SHA<br> +</td><td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br> + </td></tr><tr><td style="vertical-align: top;">dhe_rsa_3des_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_128_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_256_sha<br> + </td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_camellia_128_sha<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_camellia_256_sha<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA<br> + </td><td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td></tr><tr><td style="vertical-align: top;">dhe_rsa_aes_128_sha_256<br> +</td><td style="vertical-align: top;">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256<br> + </td><td style="vertical-align: top;">TLSv1.2</td></tr><tr> + <td valign="top">dhe_rsa_aes_256_sha_256<br> + </td> + <td valign="top">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br> + </td> + <td valign="top">TLSv1.2</td> + </tr> + <tr> + <td valign="top">dhe_rsa_aes_128_gcm_sha_256<br> + </td> + <td valign="top">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256<br> + </td> + <td valign="top">TLSv1.2</td> + </tr> +</tbody> +</table> <br> Additionally there are a number of ECC ciphers:<br> <br> Index: mod_nss-1.0.8/nss_engine_init.c =================================================================== --- mod_nss-1.0.8.orig/nss_engine_init.c 2016-03-18 14:48:47.725852854 +0100 +++ mod_nss-1.0.8/nss_engine_init.c 2016-03-21 11:33:35.142204451 +0100 @@ -46,6 +46,7 @@ cipher_properties ciphers_def[ciphernum] {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS}, {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, + {"dhe_rsa_des_sha", TLS_DHE_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS}, {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS}, {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS}, {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS}, @@ -63,6 +64,14 @@ cipher_properties ciphers_def[ciphernum] {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS}, + {"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS}, + {"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS}, + {"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, + {"dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + {"dhe_rsa_aes_128_sha_256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, + {"dhe_rsa_aes_256_sha_256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, + {"dhe_rsa_aes_128_gcm_sha_256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, #ifdef NSS_ENABLE_ECC /* ECC ciphers.*/ @@ -845,6 +854,16 @@ static void nss_init_ctx_protocol(server } else { mctx->tls = tls; } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Enabling DHE key exchange"); + if (SSL_OptionSet(mctx->model, SSL_ENABLE_SERVER_DHE, + PR_TRUE) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to enable DHE key exchange"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } } static void nss_init_ctx_session_cache(server_rec *s, @@ -1082,6 +1101,10 @@ static void nss_init_ctx_cipher_suite(se /* Finally actually enable the selected ciphers */ for (i=0; i<ciphernum;i++) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%sable cipher: %s", + cipher_state[i] == 1 ? "En" : "Dis", + ciphers_def[i].name); SSL_CipherPrefSet(mctx->model, ciphers_def[i].num, cipher_state[i]); } } Index: mod_nss-1.0.8/mod_nss.h =================================================================== --- mod_nss-1.0.8.orig/mod_nss.h 2016-03-18 14:48:47.725852854 +0100 +++ mod_nss-1.0.8/mod_nss.h 2016-03-18 15:42:38.468872877 +0100 @@ -380,9 +380,9 @@ enum sslversion { SSL2=1, SSL3=2, TLS=4} /* the table itself is defined in nss_engine_init.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 50 +#define ciphernum 59 #else -#define ciphernum 19 +#define ciphernum 28 #endif /* @@ -425,6 +425,7 @@ const char *nss_cmd_NSSSessionCacheSize( const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSPassPhraseHelper(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); +const char *nss_cmd_NSSServerDHE(cmd_parms *cmd, void *dcfg, int flag); const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *); const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor