SUSE-SU-2016:2285-1

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:

• Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
• Created valgrind suppression files to ease debugging.
• Implement SSLPPTYPEFILTER to call executables to get the key password pins.
• Improvements to migrate.pl.
• Update default ciphers to something more modern and secure.
• Check for host and netstat commands in gencert before trying to use them.
• Add server support for DHE ciphers.
• Extract SAN from server/client certificates into env
• Fix memory leaks and other coding issues caught by clang analyzer.
• Add support for Server Name Indication (SNI).
• Add support for SNI for reverse proxy connections.
• Add RenegBufferSize? option.
• Add support for TLS Session Tickets (RFC 5077).
• Fix logical AND support in OpenSSL cipher compatibility.
• Correctly handle disabled ciphers. (CVE-2015-5244)
• Implement a slew more OpenSSL cipher macros.
• Fix a number of illegal memory accesses and memory leaks.
• Support for SHA384 ciphers if they are available in NSS.
• Add compatibility for mod_ssl-style cipher definitions.
• Add TLSv1.2-specific ciphers.
• Completely remove support for SSLv2.
• Add support for sqlite NSS databases.
• Compare subject CN and VS hostname during server start up.
• Add support for enabling TLS v1.2.
• Don't enable SSL 3 by default. (CVE-2014-3566)
• Fix CVE-2013-4566.
• Move nss_pcache to /usr/libexec.
• Support httpd 2.4+.
• Use apache2-systemd-ask-pass to prompt for a certificate passphrase. (bsc#972968, bsc#975394)