On 31.10.2014 23:10, Niels Thykier wrote: > On 2014-10-31 10:28, Timo Aaltonen wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian....@packages.debian.org >> Usertags: unblock >> >> Please unblock package libapache2-mod-nss >> >> [...] >> >> > > > Hi Timo, > > Sorry, I had missed that you uploaded libapache2-mod-nss today. > > I have decided to age this package so it only needs 2 days. That said, > I got a couple of remarks: > > * The 1.0.10-1 upload does not mention CVE-2014-3566 in d/changelog > despite upstream listing it in their upstream. > * We want the full debdiff between unstable and testing, as that is > what we are approving.
ok, diff attached -- t
diff --git a/ChangeLog b/ChangeLog index d40ce8b..97bf4b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-10-16 Rob Crittenden <rcrit...@redhat.com + * Add support for enabling TLS v1.2 + * Don't enable SSL 3 by default (CVE-2014-3566) + * Improve protocol testing + 2014-02-20 Rob Crittenden <rcrit...@redhat.com * Sync with Fedora builds which were basicaly the defacto upstream. * Add nss_pcache man page diff --git a/Makefile.am b/Makefile.am index 5a94c2f..986048d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,4 @@ -VERSION = 1.0.9 +VERSION = 1.0.10 ## This is the shared library to be built lib_LTLIBRARIES = libmodnss.la diff --git a/README b/README index 8581698..542e114 100644 --- a/README +++ b/README @@ -122,4 +122,4 @@ TESTING From the source tree run: - % make test + % make check diff --git a/debian/changelog b/debian/changelog index cd4f1c1..d027154 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +libapache2-mod-nss (1.0.10-2) unstable; urgency=medium + + * rules: Don't enable the module by default. + + -- Timo Aaltonen <tjaal...@debian.org> Tue, 28 Oct 2014 15:11:45 +0200 + +libapache2-mod-nss (1.0.10-1) unstable; urgency=medium + + * mod_nss-conf.patch: Fix IfModule header so it'll actually load when + the module is enabled. + * gencert: Revert back to default legacy db's. + * Update project homepage and watch file to match. + + -- Timo Aaltonen <tjaal...@debian.org> Tue, 21 Oct 2014 18:52:59 +0300 + libapache2-mod-nss (1.0.9-1) unstable; urgency=medium * New upstream release diff --git a/debian/control b/debian/control index bd6b8e1..c621cc6 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: libnss3-dev, pkg-config Standards-Version: 3.9.5 -Homepage: http://directory.fedoraproject.org +Homepage: http://fedorahosted.org/mod_nss Vcs-Git: git://anonscm.debian.org/pkg-fedora-ds/libapache2-mod-nss.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-fedora-ds/libapache2-mod-nss.git 
diff --git a/debian/copyright b/debian/copyright index b0bd62a..818e21e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,6 +1,6 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ UPstream-name: mod_nss -Source: http://directory.fedoraproject.org/sources/ +Source: http://fedorahosted.org/mod_nss Files: * Copyright: 2001-2004 The Apache Software Foundation diff --git a/debian/libapache2-mod-nss.postinst b/debian/libapache2-mod-nss.postinst index dccc887..c586db3 100644 --- a/debian/libapache2-mod-nss.postinst +++ b/debian/libapache2-mod-nss.postinst @@ -4,7 +4,7 @@ set -e CERTDIR=/etc/apache2/nssdb if [ "$1" = configure ]; then - if [ ! -e $CERTDIR/key4.db ]; then + if [ ! -e $CERTDIR/key3.db ]; then /usr/share/libapache2-mod-nss/gencert \ $CERTDIR > $CERTDIR/install.log 2>&1 echo "libapache2-mod-nss certificate database generated." diff --git a/debian/patches/mod_nss-conf.patch b/debian/patches/mod_nss-conf.patch index bb1d4aa..d3a6480 100644 --- a/debian/patches/mod_nss-conf.patch +++ b/debian/patches/mod_nss-conf.patch @@ -1,7 +1,7 @@ --- a/nss.conf.in +++ b/nss.conf.in @@ -1,3 +1,4 @@ -+<IfModule mod_nss> ++<IfModule mod_nss.c> # # This is the Apache server configuration file providing SSL support using. # the mod_nss plugin. It contains the configuration directives to instruct diff --git a/debian/patches/mod_nss-gencert.patch b/debian/patches/mod_nss-gencert.patch index 0da316d..c2b2f4d 100644 --- a/debian/patches/mod_nss-gencert.patch +++ b/debian/patches/mod_nss-gencert.patch @@ -1,6 +1,6 @@ --- a/gencert.in +++ b/gencert.in -@@ -83,14 +83,13 @@ fi +@@ -83,12 +83,11 @@ fi DEST=$1 
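Review bot: Changing the existence test in the postinst from `key4.db` to `key3.db` means a host that installed 1.0.9-1 and holds only an SQL-format database in /etc/apache2/nssdb will fail the test on upgrade, so gencert runs again in the same directory. Whether the earlier database, and any certificates an administrator imported into it, is still used afterwards depends on configuration not shown in this diff. Testing for either file, `if [ ! -e "$CERTDIR/key3.db" ] && [ ! -e "$CERTDIR/key4.db" ]; then`, or describing the migration in NEWS.Debian, would avoid silently generating a second self-signed database. The `if` block closes outside the hunk.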
@@ -13,65 +13,8 @@ -echo "is httptest" +echo "Generating new server certificate and key database." echo "#####################################################################" --$CERTUTIL -N -d $DEST -f $DEST/pw.txt -+$CERTUTIL -N -d sql:$DEST -f $DEST/pw.txt + $CERTUTIL -N -d $DEST -f $DEST/pw.txt - echo "" - echo "#####################################################################" -@@ -102,7 +101,7 @@ let CERTSERIAL=CERTSERIAL+1 - # y 10 y -> basic constraints: CA cert - # 5 6 7 9 n -> SSL, S/MIME, Object signing CA - echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | \ --$CERTUTIL -S -d $DEST -n cacert \ -+$CERTUTIL -S -d sql:$DEST -n cacert \ - -s "$CA_CERTDN" \ - -x \ - -t CTu,CTu,CTu \ -@@ -124,7 +123,7 @@ let CERTSERIAL=CERTSERIAL+1 - # 0 2 9 n -> Key usage: Key Encipherment, Digital Signature - # 0 9 n -> SSL Client - echo -e "0\n2\n9\nn\n0\n9\nn\n" | \ --$CERTUTIL -S -d $DEST -n alpha \ -+$CERTUTIL -S -d sql:$DEST -n alpha \ - -s "$ALPHA_CERTDN" \ - -c cacert \ - -t u,pu,u \ -@@ -145,7 +144,7 @@ let CERTSERIAL=CERTSERIAL+1 - # 0 2 9 n -> Key usage: Key Encipherment, Digital Signature - # 0 9 n -> SSL Client - echo -e "0\n2\n9\nn\n0\n9\nn\n" | \ --$CERTUTIL -S -d $DEST -n beta \ -+$CERTUTIL -S -d sql:$DEST -n beta \ - -s "$BETA_CERTDN" \ - -c cacert \ - -t u,pu,u \ -@@ -162,7 +161,7 @@ echo "################################## - echo "Generating server certificate request" - echo "#####################################################################" - (ps -elf; date; netstat -a) > $DEST/noise --$CERTUTIL -R -d $DEST \ -+$CERTUTIL -R -d sql:$DEST \ - -s "$SERVER_CERTDN" \ - -o $DEST/tmpcertreq \ - -g $KEYSIZE \ -@@ -175,7 +174,7 @@ echo "Generating server certificate" - echo "#####################################################################" - let CERTSERIAL=CERTSERIAL+1 - echo -e "2\n9\nn\n1\n9\nn\n" | \ --$CERTUTIL -C -d $DEST \ -+$CERTUTIL -C -d sql:$DEST \ - -c cacert \ - -i $DEST/tmpcertreq \ - -o $DEST/tmpcert.der \ -@@ -191,7 +190,7 @@ echo "" - 
echo "#####################################################################" - echo "Importing server certificate into server cert DB" - echo "#####################################################################" --$CERTUTIL -A -d $DEST -n Server-Cert \ -+$CERTUTIL -A -d sql:$DEST -n Server-Cert \ - -t u,u,u \ - -i $DEST/tmpcert.der \ - -f $DEST/pw.txt @@ -205,8 +204,4 @@ echo "################################## rm $DEST/pw.txt rm $DEST/noise diff --git a/debian/rules b/debian/rules index 7a0cdaf..7b44508 100755 --- a/debian/rules +++ b/debian/rules @@ -26,6 +26,9 @@ override_dh_install: # too many fedoraisms in the tests to bother override_dh_auto_test: +override_dh_apache2: + dh_apache2 -e + gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 's/-.*$$//') gentarball: git archive --format=tar upstream --prefix=$(SOURCE)-$(UV)/ | xz --best > ../$(SOURCE)_$(UV).orig.tar.xz diff --git a/debian/watch b/debian/watch index 3e6d5a1..28d189d 100644 --- a/debian/watch +++ b/debian/watch @@ -1,3 +1,3 @@ #git=git://git.fedorahosted.org/mod_nss.git version=3 -http://directory.fedoraproject.org/sources/mod_nss-(.*).tar.gz +http://fedorahosted.org/released/mod_nss/mod_nss-(.*).tar.gz diff --git a/docs/mod_nss.html b/docs/mod_nss.html index b2fda6c..3d7c121 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -470,8 +470,8 @@ Example</span><br> <br> Enables or disables FIPS 140 mode. This replaces the standard internal PKCS#11 module with a FIPS-enabled one. It also forces the -enabled protocols to TLSv1.1 and TLS v1.0 and disables all ciphers but the -FIPS ones. You may still select which ciphers you would like +enabled protocols to TLSv1.2, TLSv1.1 and TLS v1.0 and disables all ciphers +but the FIPS ones. You may still select which ciphers you would like limited to those that are FIPS-certified. Any non-FIPS that are included in the NSSCipherSuite entry are automatically disabled. The allowable ciphers are:<br> 
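Review bot: The new `override_dh_apache2` target in debian/rules carries no comment explaining why `-e` is passed, and the short flag is easy to misread as "enable". A line such as `# -e (--noenable): ship the module disabled; the admin opts in with a2enmod` above the target would record the intent given in the changelog entry. It is worth keeping visible because the postinst generates a self-signed certificate database, which should not be served until the administrator decides to enable the module.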
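Review bot: The replacement URL in debian/watch is plain http and the file has no signature option, so uscan will accept whatever tarball that host returns. If upstream publishes detached signatures (not visible in this diff), an `opts=pgpsigurlmangle=...` rule plus the upstream signing key in debian/ would let uscan verify the download. The same applies to the `Source:` and `Homepage:` fields changed in debian/copyright and debian/control, which are informational but point at the same unauthenticated location.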
@@ -572,7 +572,7 @@ Available ciphers are:<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_3DES_EDE_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1<br> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2<br> </td> </tr> <tr> 
@@ -580,106 +580,106 @@ Available ciphers are:<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_null_md5<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_NULL_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_null_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_WITH_NULL_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc2_40_md5</td> <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_128_md5</td> <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_128_sha</td> <td style="vertical-align: top;">SSL_RSA_WITH_RC4_128_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_40_md5</td> <td style="vertical-align: top;">SSL_RSA_EXPORT_WITH_RC4_40_MD5<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fortezza<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA<br> 
</td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fortezza_rc4_128_sha<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_RC4_128_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fortezza_null<br> </td> <td style="vertical-align: top;">SSL_FORTEZZA_DMS_WITH_NULL_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fips_des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">fips_3des_sha<br> </td> <td style="vertical-align: top;">SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_des_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_rc4_56_sha</td> <td style="vertical-align: top;">TLS_RSA_EXPORT1024_WITH_RC4_56_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_128_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> 
+ <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td style="vertical-align: top;">rsa_aes_256_sha<br> </td> <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA<br> </td> - <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1</td> + <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> </tbody> </table> 
@@ -699,127 +699,127 @@ Additionally there are a number of ECC ciphers:<br> <tr> <td>ecdh_ecdsa_null_sha</td> <td>TLS_ECDH_ECDSA_WITH_NULL_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_rc4_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_3des_sha</td> <td>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_aes_128_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_ecdsa_aes_256_sha</td> <td>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_null_sha</td> <td>TLS_ECDHE_ECDSA_WITH_NULL_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_rc4_128_sha</td> <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_3des_sha</td> <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_aes_128_sha</td> <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_ecdsa_aes_256_sha</td> <td>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_rsa_null_sha</td> <td>TLS_ECDH_RSA_WITH_NULL_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_rsa_128_sha</td> <td>TLS_ECDH_RSA_WITH_RC4_128_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_rsa_3des_sha</td> <td>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> 
<td>ecdh_rsa_aes_128_sha</td> <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_rsa_aes_256_sha</td> <td>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>echde_rsa_null</td> <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_rc4_128_sha</td> <td>TLS_ECDHE_RSA_WITH_RC4_128_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_3des_sha</td> <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_aes_128_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdhe_rsa_aes_256_sha</td> <td>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_null_sha</td> <td>TLS_ECDH_anon_WITH_NULL_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_rc4_128sha</td> <td>TLS_ECDH_anon_WITH_RC4_128_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_3des_sha</td> <td>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_aes_128_sha</td> <td>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> <tr> <td>ecdh_anon_aes_256_sha</td> <td>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</td> - <td>TLSv1.0/TLSv1.1</td> + <td>TLSv1.0/TLSv1.1/TLSv1.2</td> </tr> </tbody> </table> 
@@ -843,15 +843,16 @@ Options are:<br> <li><code>TLSv1 (legacy only; replaced by TLSv1.0)</code></li> <li><code>TLSv1.0</code></li> <li><code>TLSv1.1</code></li> + <li><code>TLSv1.2</code></li> <li><code>All</code></li> </ul> Note that this differs from mod_ssl in that you can't add or subtract protocols.<br> <br> If no NSSProtocol is specified, mod_nss will default to allowing the use of -the SSLv3, TLSv1.0, and TLSv1.1 protocols, where SSLv3 will be set to be the -minimum protocol allowed, and TLSv1.1 will be set to be the maximum protocol -allowed. +the TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where TLSv1.0 will be set to +be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum +protocol allowed. <br> If values for NSSProtocol are specified, mod_nss will set both the minimum and the maximum allowed protocols based upon these entries allowing for the @@ -1030,7 +1031,7 @@ syntax is identical to NSSProtocol.<br> </code><br> <big><big>NSSProxyCipherSuite</big></big><br> <br> -Specifies the SSL ciphers available for proxy connections. They syntax +Specifies the SSL ciphers available for proxy connections. The syntax is identical to NSSCipherSuite.<br> <br> <span style="font-weight: bold;">Example</span><br> @@ -1118,7 +1119,7 @@ was compiled against.<br> <tr> <td style="vertical-align: top; width: 45%;"><code>SSL_PROTOCOL<br> </code></td> - <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, or TLSv1.1<br> + <td style="vertical-align: top;">SSLv2, SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2<br> </td> </tr> <tr> diff --git a/gencert.8 b/gencert.8 index f2017c3..191375a 100644 --- a/gencert.8 +++ b/gencert.8 
@@ -26,7 +26,7 @@ A tool used to generate a self\-signed CA as well as server and user certificate .PP This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists, so use with care. .PP -\fBgencert\fP will generate a new NSS database and set an empty database password. +\fBgencert\fP will generate a new NSS database with the password "httptest". .PP It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US" .PP diff --git a/mod_nss.c b/mod_nss.c index 8ccc604..0f74892 100644 --- a/mod_nss.c +++ b/mod_nss.c @@ -90,7 +90,7 @@ static const command_rec nss_config_cmds[] = { "(`[+-]XXX,...,[+-]XXX' - see manual)") SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable the various SSL protocols" - "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|all] ...' - see manual)") + "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)") SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client Authentication " "(`none', `optional', `require'") @@ -135,7 +135,7 @@ static const command_rec nss_config_cmds[] = { "(`on', `off')") SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " - "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1] ...' - see manual)") + "(`[+-][SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2] ...' - see manual)") SSL_CMD_SRV(ProxyCipherSuite, TAKE1, "SSL Proxy: colon-delimited list of permitted SSL ciphers " "(`XXX:...:XXX' - see manual)") diff --git a/nss.conf.in b/nss.conf.in index c941ecf..79f6511 100644 --- a/nss.conf.in +++ b/nss.conf.in 
@@ -118,7 +118,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa # Since all protocol ranges are completely inclusive, and no protocol in the # middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" # is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -NSSProtocol SSLv3,TLSv1.0,TLSv1.1 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. diff --git a/nss_engine_init.c b/nss_engine_init.c index 32b095a..d74f002 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -616,13 +616,13 @@ static void nss_init_ctx_protocol(server_rec *s, apr_pool_t *ptemp, modnss_ctx_t *mctx) { - int ssl2, ssl3, tls, tls1_1; + int ssl2, ssl3, tls, tls1_1, tls1_2; char *protocol_marker = NULL; char *lprotocols = NULL; SECStatus stat; SSLVersionRange enabledVersions; - ssl2 = ssl3 = tls = tls1_1 = 0; + ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0; /* * Since this routine will be invoked individually for every thread @@ -640,24 +640,24 @@ static void nss_init_ctx_protocol(server_rec *s, if (mctx->sc->fips) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "In FIPS mode ignoring %s list, enabling TLSv1.0 and TLSv1.1", + "In FIPS mode ignoring %s list, enabling TLSv1.0, TLSv1.1 and TLSv1.2", protocol_marker); - tls = tls1_1 = 1; + tls = tls1_1 = tls1_2 = 1; } else { if (mctx->auth.protocols == NULL) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1", + "%s value not set; using: TLSv1.0, TLSv1.1 and TLSv1.2", protocol_marker); - ssl3 = tls = tls1_1 = 1; + tls = tls1_1 = tls1_2 = 1; } else { lprotocols = strdup(mctx->auth.protocols); ap_str_tolower(lprotocols); if (strstr(lprotocols, "all") != NULL) { #ifdef WANT_SSL2 - ssl2 = ssl3 = tls = tls1_1 = 1; + ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 1; #else - ssl3 = tls = tls1_1 = 1; + ssl3 = tls = tls1_1 = tls1_2 = 1; #endif } else { char *protocol_list = NULL; 
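Review bot: The comment directly above the new `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2` default in nss.conf.in still illustrates ranges with `NSSProtocol SSLv3,TLSv1.1`, so an administrator copying the example turns SSL 3 back on. Rewording the example to `the entry "NSSProtocol TLSv1.0,TLSv1.2" is identical to the entry "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2"` keeps the explanation of inclusive ranges without advertising the protocol this release stops enabling by default.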
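Review bot: In nss_init_ctx_protocol the `all` branch still sets `ssl3 = 1` (and `ssl2` under WANT_SSL2), so a configuration with `NSSProtocol All` keeps SSL 3 enabled even though the unset default no longer does. If that is kept for compatibility, a warning whenever `ssl3` ends up set would make the CVE-2014-3566 exposure visible in the error log, for example `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "%s: SSLv3 is enabled and is affected by CVE-2014-3566", protocol_marker);`. The function starts before this hunk and continues after it.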
@@ -702,6 +702,11 @@ static void nss_init_ctx_protocol(server_rec *s, "%s: Enabling TLSv1.1", protocol_marker); tls1_1 = 1; + } else if (strcmp(token, "tlsv1.2") == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: Enabling TLSv1.2", + protocol_marker); + tls1_2 = 1; } else { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "%s: Unknown protocol '%s' not supported", @@ -738,12 +743,12 @@ static void nss_init_ctx_protocol(server_rec *s, * cannot be excluded from this range. NSS will automatically negotiate * to utilize the strongest acceptable protocol for a connection starting * with the maximum specified protocol and downgrading as necessary to the - * minimum specified protocol (TLS 1.1 -> TLS 1.0 -> SSL 3.0). + * minimum specified protocol (TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0). */ if (stat == SECSuccess) { /* Set minimum protocol version (lowest -> highest) * - * SSL 3.0 -> TLS 1.0 -> TLS 1.1 + * SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 */ if (ssl3 == 1) { enabledVersions.min = SSL_LIBRARY_VERSION_3_0; @@ -760,6 +765,11 @@ static void nss_init_ctx_protocol(server_rec *s, ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s: [TLS 1.1] (minimum)", protocol_marker); + } else if (tls1_2 == 1) { + enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_2; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.2] (minimum)", + protocol_marker); } else { /* Set default minimum protocol version to SSL 3.0 */ enabledVersions.min = SSL_LIBRARY_VERSION_3_0; 
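Review bot: The final `else` of the minimum-version chain still falls back to `SSL_LIBRARY_VERSION_3_0`, while the matching fallback for the maximum is raised to TLS 1.2 later in this commit. As far as the visible branches show, an NSSProtocol value whose tokens are all unrecognised only logs the "Unknown protocol" warning and leaves every flag at 0, so a misspelt directive would yield an SSL 3.0 to TLS 1.2 range. Changing the fallback to `enabledVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;` and updating the comment and the log message that follows would match the new default. The `else` block continues outside the hunk.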
@@ -770,9 +780,14 @@ static void nss_init_ctx_protocol(server_rec *s, /* Set maximum protocol version (highest -> lowest) * - * TLS 1.1 -> TLS 1.0 -> SSL 3.0 + * TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSL 3.0 */ - if (tls1_1 == 1) { + if (tls1_2 == 1) { + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "%s: [TLS 1.2] (maximum)", + protocol_marker); + } else if (tls1_1 == 1) { enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s: [TLS 1.1] (maximum)", @@ -788,10 +803,10 @@ static void nss_init_ctx_protocol(server_rec *s, "%s: [SSL 3.0] (maximum)", protocol_marker); } else { - /* Set default maximum protocol version to TLS 1.1 */ - enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_1; + /* Set default maximum protocol version to TLS 1.2 */ + enabledVersions.max = SSL_LIBRARY_VERSION_TLS_1_2; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "%s: [TLS 1.1] (default maximum)", + "%s: [TLS 1.2] (default maximum)", protocol_marker); } @@ -808,11 +823,7 @@ static void nss_init_ctx_protocol(server_rec *s, mctx->ssl2 = ssl2; mctx->ssl3 = ssl3; - if (tls1_1 == 1) { - mctx->tls = tls1_1; - } else { - mctx->tls = tls; - } + mctx->tls = tls || tls1_1 || tls1_2; } static void nss_init_ctx_session_cache(server_rec *s, diff --git a/nss_engine_vars.c b/nss_engine_vars.c index 8ecf43a..15fc9b4 100644 --- a/nss_engine_vars.c +++ b/nss_engine_vars.c @@ -192,9 +192,14 @@ char *nss_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, return othermod_var_lookup(p, s, c, r, var); } - if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) - && sslconn && sslconn->ssl) + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) { result = nss_var_lookup_ssl(p, c, var+4); +#ifdef VAR_DEBUG + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "%s: %s", var, result); +#endif + } else if (strcEQ(var, "REMOTE_ADDR")) result = c->client_ip; else if (strcEQ(var, "HTTPS")) { 
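Review bot: The VAR_DEBUG log call added to nss_var_lookup dereferences `r->server`, although the function also receives `s` and this hunk shows no NULL check on `r`; if any caller passes a NULL request, a VAR_DEBUG build crashes here. Passing `s` instead, `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s: %s", var, result);`, avoids that, assuming `s` is the server record the function already relies on. Because the logged values are SSL_ variables, which can include client certificate fields, a comment beside the `#ifdef` stating that the define is for test builds only would be useful. The function body starts before this hunk and continues after it.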
@@ -747,6 +752,9 @@ static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c) case SSL_LIBRARY_VERSION_TLS_1_1: result = "TLSv1.1"; break; + case SSL_LIBRARY_VERSION_TLS_1_2: + result = "TLSv1.2"; + break; } } } diff --git a/test/README b/test/README new file mode 100644 index 0000000..bd29b1f --- /dev/null +++ b/test/README @@ -0,0 +1,39 @@ +Overview +-------- +Some basic Apache tests using a local instance of Apache that goes into +the work subdirectory. + +suite1.tmpl defines the basic configuration for the tests. + +This tries to load libmodnss.so from the parent directory so you must do +a 'make' first before trying to run the tests. + +Run the tests +------------- +./setup.sh +nosetests -v test.py + +Adding tests +------------ + +1. Create a new Location in suite1.tmpl with a local configuration to test + against. + +2. Add a call to this location in test.py + +Here are the things that can be tested for: + +expected = HTTP response code or SSLError() exception +protocol = +cipher = OpenSSL cipher name + + +3. If you make a change to the mod_nss code you'll need to either copy + the new module to work/httpd/lib or rm -rf work and re-run setup.sh + otherwise you'll be testing against old code. + +When testing with NSSRequire I sometimes found it difficult to figure out +why a request was being rejected. I added a new compile-time define, +VAR_DEBUG. If this is set then whenever a SSL_ variable is looked up the +result is logged. This is way too much for a running server but great for +debugging tests. diff --git a/test/createinstance.sh b/test/createinstance.sh index 1eaa644..fac0a7d 100755 --- a/test/createinstance.sh +++ b/test/createinstance.sh @@ -13,6 +13,7 @@ mkdir -p $target cd $target mkdir alias +mkdir bin mkdir conf mkdir conf.d mkdir logs 
@@ -24,6 +25,11 @@ mkdir lib # Create the content mkdir content/rc4_cipher mkdir content/acl +mkdir content/protocolssl2 +mkdir content/protocolssl3 +mkdir content/protocoltls1 +mkdir content/protocoltls11 +mkdir content/protocoltls12 cat > content/index.html << EOF <html> @@ -34,6 +40,11 @@ cp content/index.html content/acl/aclS01.html cp content/index.html content/acl/aclS02.html cp content/index.html content/acl/aclS03.html cp content/index.html content/secret-test.html +cp content/index.html content/protocolssl2/index.html +cp content/index.html content/protocolssl3/index.html +cp content/index.html content/protocoltls1/index.html +cp content/index.html content/protocoltls11/index.html +cp content/index.html content/protocoltls12/index.html ln -s /etc/httpd/modules modules diff --git a/test/setup.sh b/test/setup.sh index 693d603..32f2b8e 100755 --- a/test/setup.sh +++ b/test/setup.sh @@ -20,6 +20,7 @@ fi ./createinstance.sh ${test_root} cp ../.libs/libmodnss.so ${test_root}/lib +cp ../nss_pcache ${test_root}/bin ../gencert ${test_root}/alias echo internal:httptest > ${test_root}/conf/password.conf diff --git a/test/suite1.tmpl b/test/suite1.tmpl index 999c4d7..8c9e7a3 100644 --- a/test/suite1.tmpl +++ b/test/suite1.tmpl @@ -1,3 +1,17 @@ +# Global SSL configuration +NSSPassPhraseDialog file:$SERVER_ROOT/conf/password.conf + +NSSPassPhraseHelper $SERVER_ROOT/bin/nss_pcache + +NSSSessionCacheSize 10000 +NSSSessionCacheTimeout 100 +NSSSession3CacheTimeout 86400 + +Listen 0.0.0.0:$SERVER_PORT +Listen 0.0.0.0:8001 + +LogLevel debug + <VirtualHost *:$SERVER_PORT> NSSEngine on 
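Review bot: The second listener in test/suite1.tmpl is hard-coded as `Listen 0.0.0.0:8001`, and the same literal is repeated in the new `<VirtualHost *:8001>` block and in test.py, whereas the first port comes from `$SERVER_PORT`. A second template variable defined next to `SERVER_PORT` in test_config.py would keep the three places in sync. Both listeners bind the wildcard address, and setup.sh writes the database password into conf/password.conf, so a comment noting that this instance is meant for an isolated build host would be a reasonable addition.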
@@ -51,15 +65,46 @@ NSSUserName SSL_CLIENT_S_DN_UID <Location "/secret-test-impossible.html"> NSSRequire %{SSL_CIPHER_USEKEYSIZE} > 4000 </Location> + +<Location "/protocolssl3"> + NSSRequire %{SSL_PROTOCOL} eq "SSLv3" +</Location> + +<Location "/protocoltls1"> + NSSRequire %{SSL_PROTOCOL} eq "TLSv1" +</Location> + +<Location "/protocoltls11"> + NSSRequire %{SSL_PROTOCOL} eq "TLSv1.1" +</Location> + +<Location "/protocoltls12"> + NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2" +</Location> </VirtualHost> -# SSL configuration -NSSPassPhraseDialog file:$SERVER_ROOT/conf/password.conf +# +# For testing protocol handling +# +<VirtualHost *:8001> -NSSPassPhraseHelper /usr/sbin/nss_pcache +NSSEngine on +NSSFIPS off +NSSOCSP off +NSSRenegotiation on -NSSSessionCacheSize 10000 -NSSSessionCacheTimeout 100 -NSSSession3CacheTimeout 86400 +NSSCipherSuite +rc4,+rc4export,+rc2,+rc2export,+des,+desede3,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_null_md5,+rsa_des_56_sha,+rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+fips_des_sha,+fips_3des_sha -Listen 0.0.0.0:$SERVER_PORT +NSSProtocol TLSv1.2 + +NSSNickname Server-Cert + +NSSCertificateDatabase $SERVER_ROOT/alias + +NSSVerifyClient none + +# A bit redundant since the initial handshake should fail if no TLSv1.2 +<Location "/protocoltls12"> + NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2" +</Location> +</VirtualHost> diff --git a/test/test.py b/test/test.py index e7136e6..93e8518 100644 --- a/test/test.py +++ b/test/test.py @@ -1,5 +1,6 @@ from test_config import Declarative, write_template_file, restart_apache from test_config import stop_apache +import ssl import requests.exceptions class test_suite1(Declarative): 
@@ -135,4 +136,92 @@ class test_suite1(Declarative): expected=403, ), + # Only SSLv3-TLSv1.1 enabled on 8000 + dict( + desc='Requires TLS v1.2, no support', + request=('/protocoltls12/index.html', {}), + expected=403, + ), + + dict( + desc='Try SSLv2 on default server', + request=('/protocoltls12/index.html', + {'ssl_version': ssl.PROTOCOL_SSLv2} + ), + expected=requests.exceptions.SSLError(), + ), + + dict( + desc='Try SSLv23 client on SSLv3 location', + request=('/protocolssl3/index.html', + {'ssl_version': ssl.PROTOCOL_SSLv23} + ), + expected=403, # connects as TLSv1 + ), + + dict( + desc='Try TLSv1 client on SSLv3 location', + request=('/protocoltls1/index.html', + {'ssl_version': ssl.PROTOCOL_TLSv1} + ), + expected=200, + ), + + dict( + desc='Try TLSv1 client on TLSv1.1 location', + request=('/protocoltls11/index.html', + {'ssl_version': ssl.PROTOCOL_TLSv1} + ), + expected=403, + ), + + dict( + desc='Try SSLv23 client on TLSv1 location', + request=('/protocoltls1/index.html', + {'ssl_version': ssl.PROTOCOL_SSLv23} + ), + expected=200, + ), + + dict( + desc='Try SSLv23 client on 1.2-only location', + request=('/protocoltls12/index.html', + {'ssl_version': ssl.PROTOCOL_SSLv23} + ), + expected=403, + ), + + dict( + desc='Requires TLSv1.2 on VH that provides it', + request=('/protocoltls12/index.html', {'port': 8001}), + expected=200, + ), + + dict( + desc='Try SSLv2 client on 1.2-only VH', + request=('/protocoltls12/index.html', + {'port': 8001, + 'ssl_version': ssl.PROTOCOL_SSLv2} + ), + expected=requests.exceptions.SSLError(), + ), + + dict( + desc='Try SSLv3 client on 1.2-only VH', + request=('/protocoltls12/index.html', + {'port': 8001, + 'ssl_version': ssl.PROTOCOL_SSLv3} + ), + expected=requests.exceptions.SSLError(), + ), + + dict( + desc='Try TLSv1 client on 1.2-only VH', + request=('/protocoltls12/index.html', + {'port': 8001, + 'ssl_version': ssl.PROTOCOL_TLSv1} + ), + expected=requests.exceptions.SSLError(), + ), + ] 
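Review bot: The added cases in test/test.py reference `ssl.PROTOCOL_SSLv2` and `ssl.PROTOCOL_SSLv3` while the test list is being built, so on a Python whose OpenSSL was built without those protocols the module fails with AttributeError before any test runs. Looking the constant up with `getattr(ssl, 'PROTOCOL_SSLv2', None)` and leaving the case out when it is None would keep the rest of the suite usable. Separately, the case described as 'Try TLSv1 client on SSLv3 location' requests `/protocoltls1/index.html` and expects 200, so its description should read 'TLSv1 location'. The enclosing list starts outside the hunk.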
diff --git a/test/test_config.py b/test/test_config.py index 9990a92..838ebd7 100644 --- a/test/test_config.py +++ b/test/test_config.py @@ -29,11 +29,11 @@ import test_request # Utility functions to assist in creating Apache configuration based # on test suite -PORT=8000 +DEF_PORT=8000 FQDN = socket.gethostname() default_vars = dict( - SERVER_PORT = PORT, + SERVER_PORT = DEF_PORT, SERVER_NAME = FQDN, TEST_ROOT = '%s/work/httpd' % os.getcwd(), SERVER_ROOT = '%s/work/httpd' % os.getcwd(), @@ -82,7 +82,7 @@ def restart_apache(): p = subprocess.Popen(['./start'], close_fds=True) os.chdir(cwd) - test_util.wait_for_open_ports(FQDN, PORT) + test_util.wait_for_open_ports(FQDN, DEF_PORT) EXPECTED = """Expected %r to raise %s. options = %r @@ -134,7 +134,8 @@ class Declarative(object): session = requests.Session() session.mount('https://', test_request.MyAdapter()) verify = dict(verify = options) - request = session.get('https://%s:%d%s' % (FQDN, PORT, uri), **verify) + port = options.get('port', DEF_PORT) + request = session.get('https://%s:%d%s' % (FQDN, port, uri), **verify) return request @@ -178,7 +179,7 @@ class Declarative(object): client_cipher = request.raw._pool._get_conn().client_cipher if protocol != client_cipher[1]: raise AssertionError( - 'Expected cipher %s, got %s' % (cipher, client_cipher[1]) + 'Expected protocol %s, got %s' % (protocol, client_cipher[1]) ) if expected != request.status_code: raise AssertionError( diff --git a/test/test_request.py b/test/test_request.py index 40d8024..bac2a2d 100644 --- a/test/test_request.py +++ b/test/test_request.py @@ -141,7 +141,8 @@ class MyVerifiedHTTPSConnection(HTTPSConnection): match_hostname(self.sock.getpeercert(), self.host) def close(self): - self.client_cipher = self.sock.cipher() + if self.sock: + self.client_cipher = self.sock.cipher() HTTPSConnection.close(self) class MyAdapter(requests.adapters.HTTPAdapter): 
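Review bot: With the new `if self.sock:` guard in `MyVerifiedHTTPSConnection.close()`, a connection closed before a socket existed never gets a `client_cipher` attribute. The read `request.raw._pool._get_conn().client_cipher` in test_config.py would then raise AttributeError rather than report a test failure. If the constructor, which is outside this hunk, does not already set it, initialising `self.client_cipher = None` there would make the missing value explicit.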
@@ -177,7 +178,7 @@ class MyAdapter(requests.adapters.HTTPAdapter): s = requests.Session() s.mount('https://', MyAdapter()) try: - r = s.get('https://darlene.greyoak.com:8000/', verify={'verify': False, 'ssl_version': ssl.PROTOCOL_SSLv23, 'ciphers': 'HIGH'}) + r = s.get('https://test.example.com:8000/', verify={'verify': False, 'ssl_version': ssl.PROTOCOL_SSLv23, 'ciphers': 'HIGH'}) cipher = r.raw._pool._get_conn().client_cipher except requests.exceptions.SSLError, e: print e.message @@ -185,6 +186,6 @@ else: print r.status_code print cipher -#request = requests.get('https://darlene.greyoak.com:8000/', verify=False) +#request = requests.get('https://test.example.com:8000/', verify=False) #print request.status_code """