Vitezslav Cizek wrote:
> Hi,
> I can't log in to fedorahosted for some reason, so I can't create a
> ticket there.
> I'm attaching a patch for the migrate.pl script.
> The changes are:
> * Use a whitelist instead of a blacklist for migrated directives,
> because more of them are specific to mod_ssl than common
> * Don't translate SSLCipherSuite, we support OpenSSL strings now
> * Add input (-r) and output options (-w) for the configuration files,
> instead of using ssl.conf and nss.conf
> * Commented lines are now recognized even if they begin with whitespace
> * The script keeps nestable Apache configuration block directives
> * Print more verbose disclaimer
> * Set NSSProtocol unconditionally
Thanks for the patch! I created
https://fedorahosted.org/mod_nss/ticket/25 to track this.
Some comments:
I think it would be best to completely drop get_ciphers and the lines
that were calling it.
There is a problem though. In Fedora/RHEL/CentOS there is a movement
towards a system-level SSL/TLS configuration. This leaves an unusable
configuration of:
NSSCipherSuite PROFILE=SYSTEM
NSSProxyCipherSuite PROFILE=SYSTEM
This is because NSS is almost, but not quite, there when it comes to
system-level config and it is going to be configured differently.
The OpenSSL policy file in Fedora is
/etc/crypto-policies/back-ends/openssl.config. I don't know how safe it
is to slurp that in and use it. On my box it is just a cipher string.
So either the system config needs to be read and the values replaced or
get_ciphers needs to be updated big time. I'd prefer the former.
Need to force a value for NSSProxyProtocol like NSSProtocol.
I think SSLFIPS can be removed from the whitelist.
The header written to the mod_nss output file needs to be changed
because the comments are no longer omitted.
regards
rob
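The migration approach discussed in this thread (whitelist rather than blacklist, SSLCipherSuite copied verbatim, indented comments and nested blocks preserved, NSSProtocol/NSSProxyProtocol forced, and a PROFILE=SYSTEM value replaced from the system policy string or flagged when none is supplied), as an added Python sketch that is not migrate.pl and not mod_nss project code. The directive whitelist, the forced protocol values and the sample configuration are assumptions constructed for the demonstration.

```python
import re

# Assumed whitelist (a subset; the patched migrate.pl's own list is not in the thread).
WHITELIST = {
    "SSLEngine": "NSSEngine",
    "SSLCipherSuite": "NSSCipherSuite",  # value copied verbatim (OpenSSL string)
    "SSLVerifyClient": "NSSVerifyClient",
}
# Written unconditionally, whatever SSLProtocol said (placeholder values).
FORCED = {"NSSProtocol": "TLSv1.2", "NSSProxyProtocol": "TLSv1.2"}
DIRECTIVE = re.compile(r"^(\s*)(\S+)\s*(.*)$")
def migrate(lines, system_ciphers=None):
    # system_ciphers: cipher string the caller read from the OpenSSL policy file
    out = ["# Migrated from mod_ssl: comments and blocks kept, unlisted SSL* dropped."]
    out += [f"{k} {v}" for k, v in FORCED.items()]
    depth = 0
    for line in lines:
        s = line.strip()
        if s.startswith("<"):  # block open/close: kept verbatim, nesting tracked
            depth += -1 if s.startswith("</") else 1
        if not s or s[0] in "#<":
            out.append(line)   # blank line, (indented) comment or block tag
            continue
        indent, name, value = DIRECTIVE.match(line).groups()
        if not name.startswith("SSL"):
            out.append(line)   # ordinary Apache directive, copied as-is
        elif name not in WHITELIST:
            out.append(f"{indent}# not migrated: {name} {value}")
        else:
            if value.startswith("PROFILE=SYSTEM"):  # system-level policy
                if system_ciphers is None:
                    out.append(f"{indent}# {name} PROFILE=SYSTEM: mod_nss needs an explicit cipher string")
                    continue
                value = system_ciphers
            out.append(f"{indent}{WHITELIST[name]} {value}")
    if depth != 0:
        raise ValueError(f"unbalanced <...> blocks in input (depth {depth})")
    return out
# Constructed sample mod_ssl configuration for the demonstration.
SAMPLE = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite PROFILE=SYSTEM
      # indented comment survives
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>""".splitlines()
```

Because unlisted SSL* directives are dropped with a marker comment rather than passed through, the output never contains a directive mod_nss does not understand, which is the fail-closed behaviour the whitelist change is meant to give.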
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list