Diffstat (limited to 'mod_nss-negotiate.patch')
-rw-r--r--mod_nss-negotiate.patch180
1 files changed, 180 insertions, 0 deletions
diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch
new file mode 100644
index 0000000..c385cfb
--- /dev/null
+++ b/mod_nss-negotiate.patch
@@ -0,0 +1,180 @@
+
+diff -up ./mod_nss.c.norego ./mod_nss.c
+--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
+@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
+ SSL_CMD_SRV(Nickname, TAKE1,
+ "SSL RSA Server Certificate nickname "
+ "(`Server-Cert'")
++#ifdef SSL_ENABLE_RENEGOTIATION
++ SSL_CMD_SRV(Renegotiation, FLAG,
++ "Enable SSL Renegotiation (default off) "
++ "(`on', `off')")
++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
++ "If Rengotiation is allowed, require safe negotiation (default off) "
++ "(`on', `off')")
++#endif
+ #ifdef NSS_ENABLE_ECC
+ SSL_CMD_SRV(ECCNickname, TAKE1,
+ "SSL ECC Server Certificate nickname "
+diff -up ./mod_nss.h.norego ./mod_nss.h
+--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
+@@ -269,6 +269,10 @@ typedef struct {
+ int tls;
+ int tlsrollback;
+ int enforce;
++#ifdef SSL_ENABLE_RENEGOTIATION
++ int enablerenegotiation;
++ int requiresafenegotiation;
++#endif
+ const char *nickname;
+ #ifdef NSS_ENABLE_ECC
+ const char *eccnickname;
+@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
+ const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
++#ifdef SSL_ENABLE_RENEGOTIATION
++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
++#endif
+ #ifdef NSS_ENABLE_ECC
+ const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+ #endif
+diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
+--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
+@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
+ mctx->tls = PR_FALSE;
+ mctx->tlsrollback = PR_FALSE;
+
++#ifdef SSL_ENABLE_RENEGOTIATION
++ mctx->enablerenegotiation = PR_FALSE;
++ mctx->requiresafenegotiation = PR_FALSE;
++#endif
+ mctx->enforce = PR_TRUE;
+ mctx->nickname = NULL;
+ #ifdef NSS_ENABLE_ECC
+@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
+ cfgMerge(eccnickname, NULL);
+ #endif
+ cfgMerge(enforce, PR_TRUE);
++#ifdef SSL_ENABLE_RENEGOTIATION
++ cfgMerge(enablerenegotiation, PR_FALSE);
++ cfgMerge(requiresafenegotiation, PR_FALSE);
++#endif
+ }
+
+ static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
+@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
+ return NULL;
+ }
+
++#ifdef SSL_ENABLE_RENEGOTIATION
++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
++
++ return NULL;
++}
++
++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
++
++ return NULL;
++}
++#endif
++
+ #ifdef NSS_ENABLE_ECC
+ const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
+ void *dcfg,
+diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
+--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
+@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
+ nss_die();
+ }
+ }
++#ifdef SSL_ENABLE_RENEGOTIATION
++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
++ mctx->enablerenegotiation ?
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
++ ) != SECSuccess) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "Unable to set SSL renegotiation");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
++ nss_die();
++ }
++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
++ mctx->requiresafenegotiation) != SECSuccess) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "Unable to set SSL safe negotiation");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
++ nss_die();
++ }
++#endif
+ }
+
+ static void nss_init_ctx_protocol(server_rec *s,
+
+diff -up ./nss.conf.in.norego ./nss.conf.in
+--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
+@@ -64,6 +64,17 @@
+ #NSSRandomSeed startup file:/dev/random 512
+ #NSSRandomSeed startup file:/dev/urandom 512
+
++#
++# TLS Negotiation configuration under RFC 5746
++#
++# Only renegotiate if the peer's hello bears the TLS renegotiation_info
++# extension. Default off.
++NSSRenegotiation off
++
++# Peer must send Signaling Cipher Suite Value (SCSV) or
++# Renegotiation Info (RI) extension in ALL handshakes. Default: off
++NSSRequireSafeNegotiation off
++
+ ##
+ ## SSL Virtual Host Context
+ ##
+
+diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
+--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
+@@ -27,7 +27,7 @@
+ #define LIBSEC_ERROR_BASE (-8192)
+ #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
+ #define LIBSSL_ERROR_BASE (-12288)
+-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
+
+ typedef struct l_error_t {
+ int errorNumber;
+@@ -296,7 +296,19 @@
+ { 99, "Server requires ciphers more secure than those supported by client" },
+ { 100, "Peer reports it experienced an internal error" },
+ { 101, "Peer user canceled handshake" },
+- { 102, "Peer does not permit renegotiation of SSL security parameters" }
++ { 102, "Peer does not permit renegotiation of SSL security parameters" },
++ { 103, "Server cache not configured" },
++ { 104, "Unsupported extension" },
++ { 105, "Certificate unobtainable" },
++ { 106, "Unrecognized name" },
++ { 107, "Bad certificate status" },
++ { 108, "Bad certificate hash value" },
++ { 109, "Unexpected new session ticket" },
++ { 110, "Malformed new session ticket" },
++ { 111, "Decompression failure" },
++ { 112, "Renegotiation not allowed" },
++ { 113, "Safe negotiation required but not provided by client" },
++ { 114, "Unexpected uncompressed record" },
+ };
+
+ void nss_die(void)
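Review bot: The NSSRequireSafeNegotiation help string in the mod_nss.c hunk says the option applies only `If Rengotiation is allowed`, but the nss_engine_init.c hunk passes mctx->requiresafenegotiation to SSL_OptionSet(SSL_REQUIRE_SAFE_NEGOTIATION) unconditionally, independent of enablerenegotiation, and the nss.conf.in comment describes it as applying in ALL handshakes; the help text also misspells "Renegotiation". Replacing the first string of that SSL_CMD_SRV entry with `"Require safe (RFC 5746) negotiation in all handshakes (default off) "` would make the three descriptions agree with what the code actually configures, which matters here because this is the option that decides whether handshakes from non-RI/SCSV clients are rejected. The NSSRenegotiation mapping itself looks right: off selects SSL_RENEGOTIATE_NEVER and on selects SSL_RENEGOTIATE_REQUIRES_XTN, matching the nss.conf.in statement that renegotiation only happens with peers that send the renegotiation_info extension. It would also be worth a one-line comment above the LIBSSL_MAX_ERROR bump in nss_engine_log.c noting that the table below must end at exactly that offset, since the two are only kept in sync by hand.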