#20 [Doc] OpenSSL-style NSSCipherSuite configuration stops on '+'
Closed: fixed 7 years ago Opened 8 years ago by cheimes.

According to https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html paragraph 'NSSCipherSuite' mod_nss also supports OpenSSL-style configuration of cipher suites. I tried it but it didn't work for me.

It took me a while to realize that the '+' qualifier is not supported in OpenSSL-style configuration. In fact, a '+' prefix causes parse_openssl_ciphers() to abort silently. https://git.fedorahosted.org/cgit/mod_nss.git/tree/nss_engine_cipher.c#n196

Please update the documentation and mention that only '-' and '!' are supported.


This ticket resulted in CVE-2016-3099 because stopping on the + meant that merely trying to add in a cipher would cause the string to stop parsing, so if subsequent values disabled DES, for example, it could be left enabled.

Fixed in 2127071
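The failure mode described in this comment, as a toy model added here (this is not mod_nss's parse_openssl_ciphers() and not the fix in 2127071): a small OpenSSL-style cipher string parser over a constructed four-cipher table, with a flag that reproduces the silent early return on '+', so the trailing '!DES-CBC-SHA' is never applied. Cipher names, the ALL keyword handling and the treatment of '+' as a no-op (ordering is not modelled) are simplifying assumptions.

```c
/* Toy model of an OpenSSL-style cipher spec parser (added example, not mod_nss code). */
#include <stdio.h>
#include <string.h>

/* Constructed cipher table; index i is bit i in the result mask. */
static const char *ciphers[] = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"};
enum { NCIPHERS = 4 };

/* Bitmask of ciphers matched by one token ("ALL" or an exact name). */
static unsigned match_mask(const char *name, size_t len) {
    if (len == 3 && strncmp(name, "ALL", 3) == 0) return (1u << NCIPHERS) - 1;
    for (int i = 0; i < NCIPHERS; i++)
        if (strlen(ciphers[i]) == len && strncmp(ciphers[i], name, len) == 0)
            return 1u << i;
    return 0;
}

/* Parse "tok:tok:...", each tok optionally prefixed by '-', '!' or '+'.
 * '-' removes (can be re-added), '!' removes permanently, '+' reorders in
 * OpenSSL and is a no-op here since order is not modelled.
 * With stop_on_plus set, the parser mimics the ticket's flaw: it returns at
 * the first '+', silently dropping every later token, including '!' ones. */
unsigned parse_ciphers(const char *spec, int stop_on_plus) {
    unsigned enabled = 0, killed = 0;
    const char *p = spec;
    while (*p) {
        char op = 0;
        if (*p == '-' || *p == '!' || *p == '+') op = *p++;
        if (op == '+' && stop_on_plus)
            return enabled & ~killed;      /* flaw: rest of the spec is ignored */
        size_t len = strcspn(p, ":");
        unsigned m = match_mask(p, len);
        if (op == '!') killed |= m;
        else if (op == '-') enabled &= ~m;
        else if (op == 0) enabled |= m;
        p += len;
        if (*p == ':') p++;
    }
    return enabled & ~killed;
}

int main(void) {
    /* Constructed spec: the '!' and '-' entries come after the '+' entry. */
    const char *spec = "ALL:+AES128-SHA:!DES-CBC-SHA:-DES-CBC3-SHA";
    for (int buggy = 1; buggy >= 0; buggy--) {
        unsigned m = parse_ciphers(spec, buggy);
        printf("%s parser:", buggy ? "stop-on-'+'" : "fixed");
        for (int i = 0; i < NCIPHERS; i++) if (m & (1u << i)) printf(" %s", ciphers[i]);
        printf("\n");
    }
    return 0;
}
```

With the flawed behaviour all four ciphers, DES-CBC-SHA included, stay enabled; the fixed parser keeps only the two AES suites.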

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue priority set to: None (was: 4)
- Issue set to the milestone: mod_nss-1.0.14
- Issue status updated to: Closed (was: Open)

7 years ago

