Rob Crittenden wrote:
Vitezslav Cizek wrote:
Hi Rob,
* Dne Pátek 18. březen 2016, 15:44:34 [CET] Rob Crittenden napsal:
Thanks for the patch! I created
https://fedorahosted.org/mod_nss/ticket/25
to track this.
Thanks, I updated the patch in there.
Ok thanks, I'll take a look.
The new patch incorporates suggestions from your first email.
Some comments:
I think it would be best to completely drop get_ciphers and the
lines that
were calling it.
There is a problem though.
I sort of expected that this step may cause some problems, that's why
I left the code in, but commented it out.
In Fedora/RHEL/CentOS there is a movement towards a
system-level SSL/TLS configuration. This leaves an unusable
configuration of:
NSSCipherSuite PROFILE=SYSTEM
NSSProxyCipherSuite PROFILE=SYSTEM
This is because NSS is almost, but not quite, there when it comes to
system-level config and it is going to be configured differently.
The OpenSSL policy file in Fedora is
/etc/crypto-policies/back-ends/openssl.config. I don't know how
safe it is
to slurp that in and use it. On my box it is just a cipher string.
So either the system config needs to be read and the values
replaced or
get_ciphers needs to be updated big time. I'd prefer the former.
If centralized cipher settings are in place, then the migrate.pl script
should definitely be aware of them.
This is however Fedora/RHEL specific.
I think, we can keep the cipher string on other distributions.
Yup. I think we can just look for PROFILE=SYSTEM and slurp in
/etc/crypto-policies/back-ends/openssl.config. I can add this on
after your
patch if you'd prefer.
I wouldn't, feel free to modify the patch.
Ok. I need to remove/comment out SSLRandomSeed connect builtin too.
I'm going to try to make some of the wording less platform-specific.
I've been guilty of this too :-( I might convert this into a generated
file so configure can set this up properly. What do you think? The
alternative is distro-specific patches that change the paths. Given the
infrequency that this is updated it might be preferable.
Here is what I came up with.
I dropped a bit of info from the summary after conversion because it was
distro specific and I didn't really see the need. Why would a
VirtualHost be ok in mod_ssl and not mod_nss?
I also dropped get_ciphers(). It will be in git if there is ever a need
to revive it.
This should apply on top of your latest patch. Let me know what you think.
rob
>From e4c76fb76121d83bf82a57ec12cc7f9506c38cf8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Fri, 18 Mar 2016 18:16:50 -0400
Subject: [PATCH] Handle migrating Fedora-specific policy, cleanup output
* SSLRandomSeed connect isn't supported, exclude it
* If the ciphers are PROFILE=SYSTEM try reading them
* Clean up output, remove distro-specific paths
* Add -r/-w to help output
---
migrate.pl | 151 ++++++++++++-------------------------------------------------
1 file changed, 29 insertions(+), 122 deletions(-)
diff --git a/migrate.pl b/migrate.pl
index cf9c328..fcbe9a5 100755
--- a/migrate.pl
+++ b/migrate.pl
@@ -45,6 +45,9 @@ getopts('chr:w:' , \%opt );
sub usage() {
print STDERR "Usage: migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>\n";
print STDERR "\t-c converts the certificates\n";
+ print STDERR "\t-r path to mod_ssl configuration file\n";
+ print STDERR "\t-w path to new mod_nss configuration file\n";
+ print STDERR "\n";
print STDERR "This conversion script is not aware of apache's configuration blocks\n";
print STDERR "and nestable conditional directives. Please check the output of the\n";
print STDERR "conversion and adjust manually if necessary!\n";
@@ -53,7 +56,7 @@ sub usage() {
usage() if ($opt{h} || !$opt{r} || !$opt{w});
-print STDERR "input: $opt{r} output: $opt{w}\n";
+print STDERR "input: $opt{r}\noutput: $opt{w}\n";
open (SSL, "<", $opt{r} ) or die "Unable to open $opt{r}: $!.\n";
open (NSS, ">", $opt{w} ) or die "Unable to open $opt{w}: $!.\n";
@@ -96,11 +99,25 @@ while (<SSL>) {
next;
}
+ if ($stmt eq "SSLRandomSeed" && $value eq "connect builtin") {
+ print NSS "## mod_nss doesn't do per-connection random seeding\n";
+ print NSS "##$_";
+ next;
+ }
+
# we support OpenSSL cipher strings now, keeping the string as is
- #if ($stmt eq "SSLCipherSuite") {
- #print NSS "NSSCipherSuite ", get_ciphers($val), "\n";
- #print NSS "NSSProtocol SSLv3,TLSv1\n";
- #$comment = 1;
+ # unless using system-wide crypto policy
+ if (($stmt eq "SSLCipherSuite" || $stmt eq "SSLProxyCipherSuite") &&
+ $value eq "PROFILE=SYSTEM") {
+ my $fname = "/etc/crypto-policies/back-ends/openssl.config";
+ open (my $fh, "<", $fname) or die "Unable to open $fname: $!.\n";
+ my $ciphers = <$fh>;
+ close($fh);
+
+ (my $newstmt = $stmt) =~ s/SSL/NSS/;
+ print NSS $newstmt, " ", $ciphers, "\n";
+ next;
+ }
if ($stmt eq "SSLProtocol" ) {
print NSS "## we ignore the arguments to SSLProtocol. The original value was:\n";
print NSS "##$_";
@@ -245,126 +262,16 @@ if ($opt{c}) {
}
}
-print STDERR "\n\nConversion complete.\n";
-print STDERR "The output file should contain a valid mod_nss configuration based on\n";
-print STDERR "the mod_ssl directives from the input file.\n";
-print STDERR "Recommended directory: /etc/apache2/mod_nss.d , suffix .conf!\n";
-print STDERR "Also make sure to edit /etc/apache2/conf.d/mod_nss.conf and to remove the\n";
-print STDERR "<VirtualHost> section if you do not need it.\n\n";
-print STDERR "Also, do not forget to rename the ssl based apache config file";
-print STDERR "(our example: myhost-ssl.conf) to a file that does not end in .conf\n";
-print STDERR "(our example: myhost-ssl.conf-disabled-for-nss)\n\n";
-print STDERR "Then, restart apache (rcapache2 restart) and have a look into the error logs.\n";
-
-exit(0);
-
-
-# Migrate configuration from OpenSSL to NSS
-sub get_ciphers {
- my $str = shift;
-
- %cipher_list = (
- "rc4" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC4:",
- "rc4export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC4:",
- "rc2" => ":ALL:SSLv2:RSA:MD5:MEDIUM:RC2:",
- "rc2export" => ":ALL:SSLv2:RSA:EXP:EXPORT40:MD5:RC2:",
- "des" => ":ALL:SSLv2:RSA:EXP:EXPORT56:MD5:DES:LOW:",
- "desede3" => ":ALL:SSLv2:RSA:MD5:3DES:HIGH:",
- "rsa_rc4_128_md5" => ":ALL:SSLv3:TLSv1:RSA:MD5:RC4:MEDIUM:",
- "rsa_rc4_128_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:RC4:MEDIUM:",
- "rsa_3des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:3DES:HIGH:",
- "rsa_des_sha" => ":ALL:SSLv3:TLSv1:RSA:SHA:DES:LOW:",
- "rsa_rc4_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC4:",
- "rsa_rc2_40_md5" => ":ALL:SSLv3:TLSv1:RSA:EXP:EXPORT40:RC2:",
- "rsa_null_md5" => ":SSLv3:TLSv1:RSA:MD5:NULL:",
- "rsa_null_sha" => ":SSLv3:TLSv1:RSA:SHA:NULL:",
- "rsa_des_56_sha" => ":ALL:SSLv3:TLSv1:RSA:DES:SHA:EXP:EXPORT56:",
- "rsa_rc4_56_sha" => ":ALL:SSLv3:TLSv1:RSA:RC4:SHA:EXP:EXPORT56:",
- );
-
- $NUM_CIPHERS = 16;
-
- for ($i = 0; $i < $NUM_CIPHERS; $i++) {
- $selected[$i] = 0;
- }
-
- # Don't need to worry about the ordering properties of "+" because
- # NSS always chooses the "best" cipher anyway. You can't specify
- # preferred order.
-
- # -1: this cipher is completely out
- # 0: this cipher is currently unselected, but maybe added later
- # 1: this cipher is selected
-
- @s = split(/:/, $str);
-
- for ($i = 0; $i <= $#s; $i++) {
- $j = 0;
- $val = 1;
-
- # ! means this cipher is disabled forever
- if ($s[$i] =~ /^!/) {
- $val = -1;
- ($s[$i] =~ s/^!//);
- } elsif ($s[$i] =~ /^-/) {
- $val = 0;
- ($s[$i] =~ s/^-//);
- } elsif ($s[$i] =~ /^+/) {
- ($s[$i] =~ s/^+//);
- }
-
- for $cipher (sort keys %cipher_list) {
- $match = 0;
-
- # For embedded + we do an AND for all options
- if ($s[$i] =~ m/(\w+\+)+/) {
- @sub = split(/^\+/, $s[$i]);
- $match = 1;
- for ($k = 0; $k <=$#sub; $k++) {
- if ($cipher_list{$cipher} !=~ m/:$sub[$k]:/) {
- $match = 0;
- }
- }
- } else { # straightforward match
- if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
- $match = 1;
- }
- }
-
- if ($match && $selected[$j] != -1) {
- $selected[$j] = $val;
- }
- $j++;
- }
- }
+print STDERR "\nConversion complete.\n\n";
+print STDERR "The output file should contain a valid mod_nss configuration\n";
+print STDERR "based on the mod_ssl directives from the input file.\n\n";
- # NSS doesn't honor the order of a cipher list, it uses the "strongest"
- # cipher available. So we'll print out the ciphers as SSLv2, SSLv3 and
- # the NSS ciphers not available in OpenSSL.
- $str = "SSLv2:SSLv3";
- @s = split(/:/, $str);
-
- $ciphersuite = "";
-
- for ($i = 0; $i <= $#s; $i++) {
- $j = 0;
- for $cipher (sort keys %cipher_list) {
- if ($cipher_list{$cipher} =~ m/:$s[$i]:/) {
- if ($selected[$j]) {
- $ciphersuite .= "+";
- } else {
- $ciphersuite .= "-";
- }
- $ciphersuite .= $cipher . ",";
- }
- $j++;
- }
- }
+print STDERR "Do not forget to rename the mod_ssl based apache config file\n";
+print STDERR "to a name that does not end in .conf\n\n";
- $ciphersuite .= "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha";
+print STDERR "Restart apache and check the server error logs for problems.\n";
- return $ciphersuite;
-}
+exit(0);
# Given the filename of a PEM file, use openssl to fetch the certificate
# subject
--
2.5.0
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
