4.182. mod_nss

When the NSS library was not initialized and mod_nss tried to clear its SSL cache on start-up, mod_nss terminated unexpectedly when the NSS library was built with debugging enabled. With this update, mod_nss does not try to clear the SSL cache in the described scenario, thus preventing this bug.

Previously, a static array containing the arguments for launching the nss_pcache command was overflowing the size by one. This could lead to a variety of issues including unexpected termination. This bug has been fixed, and mod_nss now uses properly sized static array when launching nss_pcache.

Prior to this update, client certificates were only retrieved during the initial SSL handshake if the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth option only retrieved Common Name rather than the entire certificate subject. Consequently, it was possible to spoof an identity using that option. This bug has been fixed, the FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL, and certificates are now retrieved on all subsequent requests beyond the first one.

The RHBA-2011:1656 errata advisory released a patch that fixed a problem of mod_nss crashing when clearing its SSL cache on startup without the NSS library initialized. However, that patch placed the fix in the improper location in the code, which caused a file descriptor leak in the Apache httpd daemon. With this update, the necessary fix has been relocated to the appropriate location in the code so that the problem is fixed and the file descriptor leak no longer occurs.