diff options
| author | Remi Collet <fedora@famillecollet.com> | 2012-06-13 18:43:31 +0200 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2012-06-13 18:43:31 +0200 |
| commit | df36bf3f7525e3d29d7e9ea8fb4d0cc33f1075c2 (patch) | |
| tree | 5f0820f0dd869640e371ca82c42bc2c161539f0c /mod_nss-reverseproxy.patch | |
reorg repo
Diffstat (limited to 'mod_nss-reverseproxy.patch')
| -rw-r--r-- | mod_nss-reverseproxy.patch | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/mod_nss-reverseproxy.patch b/mod_nss-reverseproxy.patch new file mode 100644 index 0000000..928c92f --- /dev/null +++ b/mod_nss-reverseproxy.patch @@ -0,0 +1,182 @@ +mod_proxy now sets the requested remote host name. Use this to compare +to the CN value of the peer certificate and reject the request if they +do not match (and we are have NSSProxyCheckPeerCN set to on). + +diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html +--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400 ++++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400 +@@ -1028,7 +1028,21 @@ + <br> + <span style="font-weight: bold;">Example</span><br> + <br> +-<code>NSSProxyNickname beta</code><br> ++<code>NSSProxyNickname beta<br> ++<br> ++</code><big><big>NSSProxyCheckPeerCN</big></big><br> ++<br> ++Compare the CN value of the peer certificate with the hostname being ++requested. If this is set to on, the default, then the request will ++fail if they do not match. If this is set to off then this comparison ++is not done. Note that this test is your only protection against a ++man-in-the-middle attack so leaving this as on is strongly recommended.<br> ++<br> ++<span style="font-weight: bold;">Example</span><br> ++<br> ++<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code> ++on<br> ++</code><br> + <h1><a name="Environment"></a>Environment Variables</h1> + Quite a few environment variables (for CGI and SSI) may be set + depending on the NSSOptions configuration. It can be expensive to set +@@ -1435,42 +1449,9 @@ + <h1><a name="FAQ"></a>Frequently Asked Questions</h1> + Q. Does mod_nss support mod_proxy?<br> + <br> +-A. In order to use the mod_nss proxy support you will need to build +-your own mod_proxy by applying a patch found in bug <a +- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>. +-The patch is needed so we can compare the hostname contained in the +-remote certificate with the hostname you meant to visit. This prevents +-man-in-the-middle attacks.<br> +-<br> +-You also have to change the SSL functions that mod_proxy looks to use. +-You'll need to apply this patch:<br> +-<br> +-<code>1038,1039c1038,1039<br> +-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br> +-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br> +----<br> +-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br> +-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br> +-1041,1042c1041,1042<br> +-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = +-NULL;<br> +-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable +-= NULL;<br> +----<br> +-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = +-NULL;<br> +-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable +-= NULL;<br> +-1069,1070c1069,1070<br> +-< proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br> +-< proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br> +----<br> +-> proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br> +-> proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br> +-</code><br> ++A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy ++provides a single interface for SSL providers and mod_nss defers to ++mod_ssl ++if it is loaded. + </body> + </html> +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400 +@@ -142,6 +142,8 @@ + SSL_CMD_SRV(ProxyNickname, TAKE1, + "SSL Proxy: client certificate Nickname to be for proxy connections " + "(`nickname')") ++ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, ++ "SSL Proxy: check the peers certificate CN") + + #ifdef IGNORE + /* Deprecated directives. */ +@@ -238,23 +240,30 @@ + SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket) + { + conn_rec *c = (conn_rec *)arg; ++ SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + PRErrorCode err = PR_GetError(); + SECStatus rv = SECFailure; + CERTCertificate *peerCert = SSL_PeerCertificate(socket); ++ const char *hostname_note; + + switch (err) { + case SSL_ERROR_BAD_CERT_DOMAIN: +- if (c->remote_host != NULL) { +- rv = CERT_VerifyCertName(peerCert, c->remote_host); +- if (rv != SECSuccess) { +- char *remote = CERT_GetCommonName(&peerCert->subject); ++ if (sc->proxy_ssl_check_peer_cn == TRUE) { ++ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) { ++ apr_table_unset(c->notes, "proxy-request-hostname"); ++ rv = CERT_VerifyCertName(peerCert, hostname_note); ++ if (rv != SECSuccess) { ++ char *remote = CERT_GetCommonName(&peerCert->subject); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note); ++ PORT_Free(remote); ++ } ++ } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host); +- PORT_Free(remote); ++ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."); + } + } else { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."); ++ rv = SECSuccess; + } + break; + default: +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400 +@@ -306,6 +306,7 @@ + int vhost_id_len; + modnss_ctx_t *server; + modnss_ctx_t *proxy; ++ BOOL proxy_ssl_check_peer_cn; + }; + + /* +@@ -410,6 +411,7 @@ + const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c +--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400 +@@ -140,6 +140,7 @@ + sc->vhost_id_len = 0; /* set during module init */ + sc->proxy = NULL; + sc->server = NULL; ++ sc->proxy_ssl_check_peer_cn = TRUE; + + modnss_ctx_init_proxy(sc, p); + +@@ -214,6 +215,7 @@ + cfgMergeBool(fips); + cfgMergeBool(enabled); + cfgMergeBool(proxy_enabled); ++ cfgMergeBool(proxy_ssl_check_peer_cn); + + modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + +@@ -544,6 +546,15 @@ + return NULL; + } + ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE; ++ ++ return NULL; ++} ++ + const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd, + void *dcfg, + int flag) |