Accepting request 584463 from home:vitezslav_cizek:branches:Apache:Modules
- Since the update to NSS 3.35, the default NSS certificate database format changed from Berkeley DB to SQLite - use %license tag - Update to 1.0.15 * Try to auto-detect the NSS database format if not specified * Update nss_pcache.8 man page to drop directory and prefix * When a token is configured in password file only authenticate once * Return an error when NSSPassPhraseDialog is invalid * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ * Add -Werror=implicit-function-declaration to CFLAGS * Handle group membership when testing for file permissions * NSS system-wide policy now disables SSLv3, don't use it in tests * Add missing error messages for libssl errors * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name * When including additional test config use specific extension * Fix the TLS Session ID cache * Make an invalid protocol setting fatal * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() * Add info log message when FIPS is enabled * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types * Fix removal of CR from PEM certificates * Add OCSP caching and timeout tuning knobs * Check the NSS database directory permissions as well as the files inside it for read access on startup. * Add in simple aliases for ciphers to fix those that don't follow the pattern (dhe_rsa_aes_128_sha256, dhe_rsa_aes_256_sha256) and those with typos (camelia_128_sha, camelia_256_sha) * Fix semaphore leak OBS-URL: https://build.opensuse.org/request/show/584463 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=40
parent
15ff3d41f2
commit
39ebee229b
@ -0,0 +1,57 @@
|
||||
From 6d1f6dd0c2b2cd80559b61779254e1b3d39aa5cd Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 19 Jan 2018 15:36:40 -0500
|
||||
Subject: [PATCH] Fix up some broken cipher strings from a bad merge
|
||||
|
||||
---
|
||||
nss_engine_cipher.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
|
||||
index b78e32c..3eda72a 100644
|
||||
--- a/nss_engine_cipher.c
|
||||
+++ b/nss_engine_cipher.c
|
||||
@@ -59,7 +59,7 @@ cipher_properties ciphers_def[] =
|
||||
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_MEDIUM, 112, 168, NULL},
|
||||
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56, NULL},
|
||||
#ifdef ENABLE_SERVER_DHE
|
||||
- {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
+ {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "DHE-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
{"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
{"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
{"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kDHE|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
@@ -74,21 +74,21 @@ cipher_properties ciphers_def[] =
|
||||
#endif
|
||||
#endif /* ENABLE_SERVER_DHE */
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
- {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
- {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
- {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
- {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
- {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
+ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHE|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
+ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHE|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
+ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHE|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
+ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
+ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, "ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "ECDHE-ECDSA-AES128-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
- {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
- {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
- {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
- {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
- {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
+ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
+ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
+ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
+ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
|
||||
+ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
|
||||
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
|
||||
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, "ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
|
||||
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
|
||||
--
|
||||
2.16.2
|
||||
|
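Review bot: The five `ecdh_ecdsa_*` rows are now tagged `SSL_kECDHE`, a name that reads as ephemeral ECDH, although the suites are the static `TLS_ECDH_ECDSA_*` ones and the ephemeral rows just below use `SSL_kEECDH`. The header that defines these masks is not on this page, so it is worth confirming that `SSL_kECDHE` is a separate bit from `SSL_kEECDH`; if the two overlap, a cipher string meant to select only forward-secret suites would presumably enable these static-ECDH entries as well. Once confirmed, a short comment above the `NSS_ENABLE_ECC` block, such as `/* SSL_kECDHE/SSL_kECDHr: static ECDH; ephemeral ECDH is SSL_kEECDH */`, would keep a later merge from mixing them up again. The `ecdh_rsa_*` rows keep `SSL_kECDHr`, so only the ECDSA rows need the check.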
@ -1,121 +0,0 @@
|
||||
From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 23 Feb 2017 13:06:21 -0500
|
||||
Subject: [PATCH] Handle group membership when testing for file permissions
|
||||
|
||||
This was a bit of a corner case but group membership wasn't
|
||||
considered when trying to determine if the NSS databases are
|
||||
readable.
|
||||
|
||||
Resolves BZ 1395300
|
||||
---
|
||||
nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
|
||||
1 file changed, 33 insertions(+), 12 deletions(-)
|
||||
|
||||
Index: mod_nss-1.0.14/nss_engine_init.c
|
||||
===================================================================
|
||||
--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
|
||||
+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
|
||||
@@ -29,6 +29,7 @@
|
||||
#include "cert.h"
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
+#include <grp.h>
|
||||
|
||||
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
||||
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
||||
@@ -57,22 +58,38 @@ static char *version_components[] = {
|
||||
* Return 0 on failure or file doesn't exist
|
||||
* Return 1 on success
|
||||
*/
|
||||
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
|
||||
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
|
||||
+ apr_pool_t *p)
|
||||
{
|
||||
apr_finfo_t finfo;
|
||||
- int rv;
|
||||
+ PRBool in_group = PR_FALSE;
|
||||
+ struct group *gr;
|
||||
+ int i = 0;
|
||||
+
|
||||
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
|
||||
+ == APR_SUCCESS) {
|
||||
+ if ((gr = getgrgid(finfo.group)) == NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
|
||||
- p)) == APR_SUCCESS) {
|
||||
+ if (gid == finfo.group) {
|
||||
+ in_group = PR_TRUE;
|
||||
+ } else {
|
||||
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
|
||||
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
|
||||
+ in_group = PR_TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
if (((uid == finfo.user) &&
|
||||
((finfo.protection & APR_FPROT_UREAD))) ||
|
||||
- ((gid == finfo.group) &&
|
||||
- ((finfo.protection & APR_FPROT_GREAD)))
|
||||
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
|
||||
+ (finfo.protection & APR_FPROT_WREAD)
|
||||
)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
- return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
|
||||
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
|
||||
apr_snprintf(filepath, 1024, "%s/key4.db",
|
||||
mc->pCertificateDatabase+4);
|
||||
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
||||
+ p))) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"Server user %s lacks read access to NSS key "
|
||||
"database %s.", mc->user, filepath);
|
||||
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
|
||||
}
|
||||
apr_snprintf(filepath, 1024, "%s/cert9.db",
|
||||
mc->pCertificateDatabase+4);
|
||||
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
||||
+ p))) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"Server user %s lacks read access to NSS cert "
|
||||
"database %s.", mc->user, filepath);
|
||||
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
|
||||
} else {
|
||||
apr_snprintf(filepath, 1024, "%s/key3.db",
|
||||
mc->pCertificateDatabase);
|
||||
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
||||
+ p))) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"Server user %s lacks read access to NSS key "
|
||||
"database %s.", mc->user, filepath);
|
||||
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
|
||||
}
|
||||
apr_snprintf(filepath, 1024, "%s/cert8.db",
|
||||
mc->pCertificateDatabase);
|
||||
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
||||
+ p))) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"Server user %s lacks read access to NSS cert "
|
||||
"database %s.", mc->user, filepath);
|
||||
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
|
||||
}
|
||||
apr_snprintf(filepath, 1024, "%s/secmod.db",
|
||||
mc->pCertificateDatabase);
|
||||
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
||||
"Server user %s lacks read access to NSS secmod "
|
||||
"database %s.", mc->user, filepath);
|
@ -1,3 +1,45 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 8 13:15:32 UTC 2018 - vcizek@suse.com
|
||||
|
||||
- Since the update to NSS 3.35, the default NSS certificate
|
||||
database format changed from Berkley DB to SQLite
|
||||
- use %license tag
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 7 16:35:56 UTC 2018 - vcizek@suse.com
|
||||
|
||||
- Update to 1.0.15
|
||||
* Try to auto-detect the NSS database format if not specified
|
||||
* Update nss_pcache.8 man page to drop directory and prefix
|
||||
* When a token is configured in password file only authenticate once
|
||||
* Return an error when NSSPassPhraseDialog is invalid
|
||||
* Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
|
||||
* Add -Werror=implicit-function-declaration to CFLAGS
|
||||
* Handle group membership when testing for file permissions
|
||||
* NSS system-wide policy now disables SSLv3, don't use it in tests
|
||||
* Add missing error messages for libssl errors
|
||||
* Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
|
||||
* When including additional test config use specific extension
|
||||
* Fix the TLS Session ID cache
|
||||
* Make an invalid protocol setting fatal
|
||||
* Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
|
||||
* Add info log message when FIPS is enabled
|
||||
* Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
|
||||
* Fix removal of CR from PEM certificates
|
||||
* Add OCSP caching and timeout tuning knobs
|
||||
* Check the NSS database directory permissions as well as the files
|
||||
inside it for read access on startup.
|
||||
* Add in simple aliases for ciphers to fix those that
|
||||
don't follow the pattern (dhe_rsa_aes_128_sha256,
|
||||
dhe_rsa_aes_256_sha256) and those with typos
|
||||
(camelia_128_sha, camelia_256_sha)
|
||||
* Fix semaphore leak
|
||||
* Don't set remote user in fixup hook
|
||||
* Drop SSLv2 tests because it is completely disabled now
|
||||
- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch
|
||||
(upstream)
|
||||
- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 19 13:13:22 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package apache2-mod_nss
|
||||
#
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -25,7 +25,7 @@
|
||||
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
|
||||
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
|
||||
Name: apache2-mod_nss
|
||||
Version: 1.0.14
|
||||
Version: 1.0.15
|
||||
Release: 0
|
||||
Summary: SSL/TLS module for the Apache HTTP server
|
||||
License: Apache-2.0
|
||||
@ -38,8 +38,8 @@ Source4: README-SUSE.txt
|
||||
Source5: vhost-nss.template
|
||||
Patch1: mod_nss-migrate.patch
|
||||
Patch2: mod_nss-gencert-correct-ownership.patch
|
||||
Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
|
||||
Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
|
||||
Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
|
||||
BuildRequires: apache-rpm-macros
|
||||
BuildRequires: apache2-devel >= 2.2.12
|
||||
BuildRequires: apr-devel
|
||||
@ -51,7 +51,6 @@ BuildRequires: findutils
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: iproute2
|
||||
BuildRequires: iproute2
|
||||
BuildRequires: libtool
|
||||
BuildRequires: mozilla-nspr-devel >= 4.6.3
|
||||
BuildRequires: mozilla-nss-devel >= 3.25
|
||||
@ -62,7 +61,6 @@ Requires: %{apache_suse_maintenance_mmn}
|
||||
Requires: apache2 >= 2.2.12
|
||||
Requires: findutils
|
||||
Requires: iproute2
|
||||
Requires: iproute2
|
||||
Requires: mozilla-nss >= 3.25
|
||||
Requires(post): mozilla-nss-tools
|
||||
Provides: mod_nss
|
||||
@ -77,8 +75,8 @@ security library.
|
||||
%setup -q -n mod_nss-%{version}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
# Touch expression parser sources to prevent regenerating it
|
||||
touch nss_expr_*.[chyl]
|
||||
@ -132,9 +130,15 @@ install -m 755 gencert %{buildroot}%{_sbindir}/
|
||||
install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl
|
||||
|
||||
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
|
||||
%if 0%{?suse_version} < 1330
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/key3.db
|
||||
%else
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/key4.db
|
||||
%endif
|
||||
touch %{buildroot}%{apache_sysconf_nssdir}/install.log
|
||||
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert
|
||||
|
||||
@ -195,7 +199,9 @@ exit $exit_code
|
||||
|
||||
%post
|
||||
umask 077
|
||||
if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
|
||||
# generate a self-signed certificate if there isn't either
|
||||
# key3.db (old DBM format) or key4.db (new SQLite format)
|
||||
if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e %{apache_sysconf_nssdir}/key4.db ]; then
|
||||
%{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
|
||||
echo ""
|
||||
echo "%{name} certificate database generated."
|
||||
@ -206,16 +212,23 @@ find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {}
|
||||
find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} +
|
||||
|
||||
%files
|
||||
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
|
||||
%license LICENSE
|
||||
%doc README docs/mod_nss.html README-SUSE.txt
|
||||
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
|
||||
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
|
||||
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
|
||||
%dir %{apache_libexecdir}
|
||||
%{apache_libexecdir}/mod_nss.so
|
||||
%dir %{apache_sysconf_nssdir}/
|
||||
%if 0%{?suse_version} < 1330
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
|
||||
%else
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/pkcs11.txt
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert9.db
|
||||
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db
|
||||
%endif
|
||||
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
|
||||
%{_sbindir}/nss_pcache
|
||||
%{_sbindir}/gencert
|
||||
|
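Review bot: `pkcs11.txt` is declared `%ghost %attr(0640,root,www)` for the SQLite layout, but the two `find` commands in `%post` that give the databases to group `www` and set mode 640 still match only `-name "*.db"`. Because `%post` runs under `umask 077`, a `pkcs11.txt` created by `gencert` would presumably remain readable by root only, unless `gencert` sets ownership itself (its source is not on this page). Extending the match in both `find` lines, e.g. `\( -name "*.db" -o -name pkcs11.txt \)`, would keep all three files consistent with the declared attributes. Separately, the new test `[ ! -e A -a ! -e B ]` relies on the obsolescent `-a` operator; `[ ! -e A ] && [ ! -e B ]` is the portable form.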
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b5d148314d28dc47028b22944769de26fb553f08888d3f9a41e3621f4bcfb16c
|
||||
size 179628
|
3
mod_nss-1.0.15.tar.gz
Normal file
3
mod_nss-1.0.15.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5a33734ecd6e1fa44bffb359b0a08431a3b5c8e81a4958d90200bbb2ce2c0fe9
|
||||
size 183083
|
@ -49,7 +49,7 @@ NSSNickname Server-Cert
|
||||
|
||||
# Server Certificate Database:
|
||||
# The NSS security database directory that holds the certificates and
|
||||
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
|
||||
# keys. The database consists of 3 files: cert9.db, key4.db and secmod.db.
|
||||
# Provide the directory that these files exist.
|
||||
NSSCertificateDatabase /etc/apache2/mod_nss.d
|
||||
|
||||
|
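Review bot: The updated comment still names `secmod.db` as the third file, whereas the spec change in this same commit creates `pkcs11.txt` next to `cert9.db` and `key4.db` for the SQLite layout. The spec also switches layout only when `suse_version` is 1330 or newer, so on older distributions the comment is now wrong in the other direction. Wording that covers both, e.g. `# keys. The database consists of 3 files: cert9.db, key4.db and pkcs11.txt` followed by `# (older DBM format: cert8.db, key3.db and secmod.db).`, would point admins at the right files when they check permissions.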