Re: [Fedora-directory-devel] TLS upgrades with mod_nss

Peter Djalaliev wrote:
Hello,

Apache/mod_ssl supports TLS upgrades (RFC2817) in version 2.2.0 and I was wondering - has anybody ported this to mod_nss?

If not, I will try to implement TLS upgrades in mod_nss. I can find online the patch that was probably applied to mod_ssl to implement the TLS upgrades there and my plan is to start from there and try to make equivalent changes to mod_nss.

Does anybody have any advice as to what I should be careful about - e.g. places where mod_nss might require something more than just changes equivalent to those done to mod_ssl? Two of the significant differences b/n mod_nss and mod_ssl that I can think of right now are the NSS database vs. the mod_ssl certificate and key files, as well as that mod_nss always authenticates the whole certificate chain.

From what I see so far the main changes that need to be made to mod_nss are in the way the module configures: itself (ssl_init_Modules), the SSL engine (nss_cmd_NSSEngine) and a server (ssl_init_ConfigureServer). Also, changes would be needed in the Access handler, Authentication handler, Read Request handler, and Fixup hook functions.

An additional question is: where is the nss_cmd_NSSEngine function invoked? Its function prototype should be changed because now the NSSEngine state is not simply a boolean, but I can't find where the function is invoked from...


Are there any browsers that support RFC 2871 yet?

In any case, no I haven't added support for this though contributions are welcome :-)

The naming of nss_cmd_NSSEngine came from mod_ssl. You'll see the definitions in mod_nss.c and mod_nss.h. Look for SSL_CMD_SRV(Engine, FLAG,...

If I understand the RFC correctly, and from a quickie look at mod_ssl in Apache 2.2 most of the code is isolated into the Engine change you mentioned, determining whether the https scheme is used (nss_hook_http_scheme & nss_hook_default_port) some checks for OPTIONAL in ssl_engine_kernel.c and the actual renegotiation code which in mod_ssl resides in ssl_engine_io.c and in mod_nss would go into nss_engine_io. You can look at nss_engine_kernel in the function nss_hook_Access() on how to force an SSL Handshake.

good luck

rob
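The RFC 2817 negotiation the thread is about, as an added example that is not mod_nss or mod_ssl code: it models the per-request decision the module would make in an "optional" engine mode (upgrade offered to clients that ask for it) versus a "required" mode (cleartext refused with 426 until the client upgrades). The sample requests and the mode names are constructed for illustration.

```python
"""RFC 2817 'Upgrade: TLS/1.0' decision logic (added example, not module code)."""

# Constructed sample request heads (not taken from any real capture).
UPGRADE_REQ = (b"OPTIONS * HTTP/1.1\r\nHost: example.test\r\n"
               b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
PLAIN_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def _tokens(value):
    # HTTP list headers are comma-separated, case-insensitive tokens.
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def parse_headers(raw):
    """Parse a raw HTTP/1.1 request head into (request_line, {name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated headers are folded into one comma-separated list value.
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return lines[0], headers


def requests_tls_upgrade(headers):
    """True when the client asked to upgrade this connection to TLS (RFC 2817)."""
    # Both tokens are required: an Upgrade header without Connection: Upgrade
    # is not a valid upgrade request and must not trigger a handshake.
    return ("tls/1.0" in _tokens(headers.get("upgrade", ""))
            and "upgrade" in _tokens(headers.get("connection", "")))


def decide(raw, mode):
    """Return (action, response_head) for a request under 'optional' or 'required'.

    action: 'handshake' (send 101, then run the TLS handshake on the same
    connection), 'plain' (serve over cleartext) or 'refuse' (426 sent).
    """
    _, headers = parse_headers(raw)
    if requests_tls_upgrade(headers):
        # 101 is hop-by-hop; the TLS ClientHello follows immediately after it.
        return "handshake", (b"HTTP/1.1 101 Switching Protocols\r\n"
                             b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
    if mode == "required":
        # Server-mandated upgrade: the client must retry after upgrading.
        return "refuse", (b"HTTP/1.1 426 Upgrade Required\r\n"
                          b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n"
                          b"Content-Length: 0\r\n\r\n")
    return "plain", b""
```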
