Product SiteDocumentation Site

1.146.  mod_nss

1.146.1.  RHEA-2009:0403: enhancement update

Note

This update has already been released (prior to the GA of this release) as errata RHEA-2009:0403
An enhanced mod_nss package is now available.
mod_nss provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.
This update back-ports the PassphraseDialog "defer" configuration option in NSS. When this parameter is set to "defer", only those tokens listed in the file are authenticated at startup. With the "builtin" and "file" options for the PassphraseDialog parameter, all tokens are authenticated, even if the token password is not defined. That can cause an authentication failure which prevents the Apache server from starting.

1.146.2.  RHBA-2009:1365: bug fix update

An update mod_nss package that fixes a bug in proxy handling is now available.
mod_nss provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.
This update addresses a proxy handling bug in mod_nss. mod_nss was not handling blocked reads properly. Rather than attempting the read again, it failed with an "End of File" message. When used with mod_proxy in a reverse proxy configuration, this would sometimes result in returning only part of the remote content. (Bugzilla #484380)
mod_proxy has a single API for SSL handling, and mod_nss doesn't register to handle SSL proxy requests if mod_ssl is loaded. In order for mod_nss to work with mod_proxy, mod_ssl must be removed or disabled. It can be disabled in one of two ways:
  • By removing the mod_ssl package
  • By removing or renaming /etc/httpd/conf.d/ssl.conf
Apache users requiring SSL and TLS cryptography are advised to install this updated package.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.