diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index f015296..7755864 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Sep 10 11:01:45 UTC 2019 - Vítězslav Čížek
+
+- Use a stronger password in gencert to pass the stricter tests in
+ FIPS mode (bsc#1150133)
+ * https://pagure.io/mod_nss/pull-request/48
+ * add mod_nss-gencert_stronger_password.patch
+
 -------------------------------------------------------------------
 Fri Jun 28 11:15:10 UTC 2019 - Petr Gajdos
 
diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec
index 9d5f811..6d4b5fb 100644
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@@ -39,6 +39,7 @@ Source5: vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
+Patch5: mod_nss-gencert_stronger_password.patch
 BuildRequires: apache-rex
 BuildRequires: apache-rpm-macros
 BuildRequires: apache2-devel >= 2.2.12
@@ -74,9 +75,7 @@ security library.
 
 %prep
 %setup -q -n mod_nss-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch4 -p1
+%autopatch -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
diff --git a/mod_nss-gencert_stronger_password.patch b/mod_nss-gencert_stronger_password.patch
new file mode 100644
index 0000000..a54dfad
--- /dev/null
+++ b/mod_nss-gencert_stronger_password.patch
@@ -0,0 +1,42 @@
+Index: mod_nss-1.0.18/gencert.in
+===================================================================
+--- mod_nss-1.0.18.orig/gencert.in 2019-09-10 13:43:27.548434070 +0200
++++ mod_nss-1.0.18/gencert.in 2019-09-10 13:43:53.424589071 +0200
+@@ -75,6 +75,10 @@ VALIDITY=48
+ # 3 is the server cert "Server-Cert".
+ CERTSERIAL=0
+ 
++# Password for the certificate. Uses special characters and mixed case in order
++# to pass the strict NSS FIPS mode check
++PASSWORD="hTtp.Te5t"
++
+ if [ $# -lt 1 ]
+ then
+ echo "usage: $0 " 1>&2
+@@ -115,7 +119,7 @@ done
+ echo "TEST = $TEST"
+ echo "SNI = $SNI"
+ 
+-echo "httptest" > $DEST/pw.txt
++echo "$PASSWORD" > $DEST/pw.txt
+ 
+ function generate_server_sni_cert {
+ hostname=$1
+@@ -173,7 +177,7 @@ function generate_server_sni_cert {
+ echo ""
+ echo "#####################################################################"
+ echo "Generating new server certificate and key database. The password"
+-echo "is httptest"
++echo "is $PASSWORD"
+ echo "#####################################################################"
+ $CERTUTIL -N -d $DBDIR -f $DEST/pw.txt
+ 
+@@ -329,7 +333,7 @@ rm $DEST/pw.txt
+ rm $DEST/noise
+ 
+ echo ""
+-echo "The database password is httptest"
++echo "The database password is $PASSWORD"
+ echo ""
+ 
+ # change the ownership of the NSS database so apache can access it
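Review bot: The new `PASSWORD="hTtp.Te5t"` in gencert.in is still a fixed, published constant, so it satisfies the NSS FIPS complexity check without making the key-database password any more secret, and the script prints it to stdout in two places. If gencert is ever run outside the test suite (the visible lines do not say), every database it creates shares this known password; consider allowing an override such as `PASSWORD="${GENCERT_PASSWORD:-hTtp.Te5t}"` (variable name is only a suggestion) and extending the comment to say the default is meant for test databases only. Separately, `echo "$PASSWORD" > $DEST/pw.txt` creates the file under the caller's umask with an unquoted path, so it may be readable by other users until the later `rm $DEST/pw.txt`; `(umask 077; printf '%s\n' "$PASSWORD" > "$DEST/pw.txt")` would keep it private. The rest of the script lies outside these hunks, so how `$DEST` is chosen cannot be checked here.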