According to https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html paragraph 'NSSCipherSuite', mod_nss also supports OpenSSL-style configuration of cipher suites. I tried it but it didn't work for me.
It took me a while to realize that the '+' qualifier is not supported in OpenSSL-style configuration. In fact, a '+' prefix causes parse_openssl_ciphers() to abort silently. https://git.fedorahosted.org/cgit/mod_nss.git/tree/nss_engine_cipher.c#n196
Please update the documentation and mention that only '-' and '!' are supported.
This ticket resulted in CVE-2016-3099 because stopping on the + meant that merely trying to add in a cipher would cause the string to start parsing, so if subsequent values disabled DES, for example, it could be left enabled.
Fixed in 2127071
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue priority set to: None (was: 4)
- Issue set to the milestone: mod_nss-1.0.14
- Issue status updated to: Closed (was: Open)
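A simplified model of the failure described in this ticket, added here as an example: it is not mod_nss code and not the change in 2127071. The cipher table, `parse_ciphers` and its `strict` flag are assumptions made for illustration; the lenient mode stops silently at a '+' token, the strict mode rejects the whole string so a partial configuration is never applied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: three cipher families as bit flags, not mod_nss's table. */
enum { C_AES = 1, C_RC4 = 2, C_DES = 4, C_ALL = 7 };

static int lookup(const char *name, size_t n) {
    if (n != 3) return 0;
    if (!strncmp(name, "AES", 3)) return C_AES;
    if (!strncmp(name, "RC4", 3)) return C_RC4;
    if (!strncmp(name, "DES", 3)) return C_DES;
    if (!strncmp(name, "ALL", 3)) return C_ALL;
    return 0;
}

/* Parse a colon-separated string such as "ALL:+AES:!DES" into *enabled.
 * strict == 0 models the behaviour reported in the ticket: stop at the first
 *             '+' token and still return success.
 * strict != 0 fails closed: any unsupported token returns -1, *enabled = 0. */
int parse_ciphers(const char *s, int strict, int *enabled) {
    int on = 0, banned = 0;
    *enabled = 0;
    while (*s) {
        size_t n = strcspn(s, ":");
        char q = (*s == '+' || *s == '-' || *s == '!') ? *s : 0;
        int bits = lookup(q ? s + 1 : s, q ? n - 1 : n);
        if (q == '+') {
            if (strict) return -1;
            break;                  /* silent abort: later tokens are never seen */
        }
        if (!bits && strict) return -1;   /* unknown or empty cipher name */
        if (q == '!') { banned |= bits; on &= ~bits; }  /* disable permanently */
        else if (q == '-') on &= ~bits;                 /* disable */
        else on |= bits & ~banned;                      /* enable */
        s += n;
        if (*s == ':') s++;
    }
    *enabled = on;
    return 0;
}

int main(void) {
    int e, rc;
    rc = parse_ciphers("ALL:+AES:!DES", 0, &e);
    printf("lenient rc=%d DES enabled=%d\n", rc, !!(e & C_DES));
    rc = parse_ciphers("ALL:+AES:!DES", 1, &e);
    printf("strict  rc=%d DES enabled=%d\n", rc, !!(e & C_DES));
    return 0;
}
```

In the lenient run the `!DES` token after `+AES` is never processed, so the caller gets a success code with DES still in the enabled set; a configuration check that compares the effective cipher list against the intended one catches this class of error.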