[Fedora-directory-devel] TLS upgrades with mod_nss

Rob Crittenden rcritten at redhat.com
Wed Mar 15 20:40:09 UTC 2006


Peter Djalaliev wrote:
> Hello,
> 
> Apache/mod_ssl supports TLS upgrades (RFC2817) in version 2.2.0 and I 
> was wondering - has anybody ported this to mod_nss?
> 
> If not, I will try to implement TLS upgrades in mod_nss.  I can find 
> online the patch that was probably applied to mod_ssl to implement the 
> TLS upgrades there and my plan is to start from there and try to make 
> equivalent changes to mod_nss.
> 
> Does anybody have any advice as to what I should be careful about - e.g. 
> places where mod_nss might require something more than just changes 
> equivalent to those done to mod_ssl?  Two of the significant differences 
> b/n mod_nss and mod_ssl that I can think of right now are the NSS 
> database vs. the mod_ssl certificate and key files, as well as that 
> mod_nss always authenticates the whole certificate chain.
> 
>  From what I see so far the main changes that need to be made to mod_nss 
> are in the way the module configures: itself (ssl_init_Modules), the SSL 
> engine (nss_cmd_NSSEngine) and a server (ssl_init_ConfigureServer).  
> Also, changes would be needed in the Access handler, Authentication 
> handler, Read Request handler, and Fixup hook functions.
> 
> An additional question is: where is the nss_cmd_NSSEngine function 
> invoked?  Its function prototype should be changed because now the 
> NSSEngine state is not simply a boolean, but I can't find where the 
> function is invoked from...
> 

Are there any browsers that support RFC 2871 yet?

In any case, no I haven't added support for this though contributions 
are welcome :-)

The naming of nss_cmd_NSSEngine came from mod_ssl. You'll see the 
definitions in mod_nss.c and mod_nss.h. Look for SSL_CMD_SRV(Engine, 
FLAG,...

If I understand the RFC correctly, and from a quickie look at mod_ssl in 
Apache 2.2, most of the code is isolated into the Engine change you 
mentioned, determining whether the https scheme is used 
(nss_hook_http_scheme & nss_hook_default_port), some checks for OPTIONAL 
in ssl_engine_kernel.c, and the actual renegotiation code which in 
mod_ssl resides in ssl_engine_io.c and in mod_nss would go into 
nss_engine_io. You can look at nss_engine_kernel in the function 
nss_hook_Access() on how to force an SSL Handshake.

good luck

rob
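As an added illustration of the two points the thread raises (the Engine state stops being a boolean once "optional" exists, and the access hook must decide when to upgrade), here is the decision logic with the 101 and 426 responses RFC 2817 defines. This is example code, not mod_nss or mod_ssl code; every enum and function name is this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Engine state stops being a boolean once "optional" exists; all names here are this example's own. */
typedef enum { ENGINE_OFF, ENGINE_ON, ENGINE_OPTIONAL } engine_mode;
typedef enum {
    SERVE_PLAIN,       /* plaintext request served as-is */
    SERVE_TLS,         /* connection is already TLS */
    SWITCH_PROTOCOLS,  /* 101, then run the handshake (RFC 2817 section 3.2) */
    UPGRADE_REQUIRED,  /* 426, client must upgrade first (RFC 2817 section 4) */
    FORBIDDEN          /* TLS required and no upgrade path on this vhost */
} upgrade_decision;

/* Case-insensitive search for one token in a comma-separated header value. */
static int header_has_token(const char *value, const char *token) {
    size_t tlen = strlen(token);
    for (const char *p = value; p && *p;) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        if ((size_t)(end - start) == tlen && strncasecmp(start, token, tlen) == 0)
            return 1;
    }
    return 0;
}

/* Access-hook decision: an upgrade counts only when announced in both Upgrade: and Connection:. */
upgrade_decision decide_upgrade(int conn_is_tls, engine_mode mode, int require_ssl,
                                const char *upgrade_hdr, const char *connection_hdr) {
    if (conn_is_tls) return SERVE_TLS;
    if (mode == ENGINE_OPTIONAL && header_has_token(upgrade_hdr, "TLS/1.0") &&
        header_has_token(connection_hdr, "Upgrade"))
        return SWITCH_PROTOCOLS;
    if (!require_ssl) return SERVE_PLAIN;
    return mode == ENGINE_OPTIONAL ? UPGRADE_REQUIRED : FORBIDDEN;
}

/* Status line and headers the server sends for the two upgrade outcomes; returns the status or 0. */
int format_upgrade_response(upgrade_decision d, char *buf, size_t n) {
    int status = d == SWITCH_PROTOCOLS ? 101 : d == UPGRADE_REQUIRED ? 426 : 0;
    if (status)
        snprintf(buf, n, "HTTP/1.1 %d %s\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
                 "Connection: Upgrade\r\n\r\n", status,
                 status == 101 ? "Switching Protocols" : "Upgrade Required");
    return status;
}
```

A request carrying `Upgrade: TLS/1.0` without `Upgrade` in its Connection header is deliberately served as plaintext, which is the check the optional mode needs to get right.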
