pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 585105 from Apache:Modules

Browse Source 
- Since the update to NSS 3.35, the default NSS certificate
  database format changed from Berkley DB to SQLite
- use %license tag

- Update to 1.0.15
  * Try to auto-detect the NSS database format if not specified
  * Update nss_pcache.8 man page to drop directory and prefix
  * When a token is configured in password file only authenticate once
  * Return an error when NSSPassPhraseDialog is invalid
  * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
  * Add -Werror=implicit-function-declaration to CFLAGS
  * Handle group membership when testing for file permissions
  * NSS system-wide policy now disables SSLv3, don't use it in tests
  * Add missing error messages for libssl errors
  * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
  * When including additional test config use specific extension
  * Fix the TLS Session ID cache
  * Make an invalid protocol setting fatal
  * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
  * Add info log message when FIPS is enabled
      * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
  * Fix removal of CR from PEM certificates
  * Add OCSP caching and timeout tuning knobs
  * Check the NSS database directory permissions as well as the files
    inside it for read access on startup.
  * Add in simple aliases for ciphers to fix those that
    don't follow the pattern (dhe_rsa_aes_128_sha256,
    dhe_rsa_aes_256_sha256) and those with typos
    (camelia_128_sha, camelia_256_sha)
  * Fix semaphore leak (forwarded request 584463 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/585105
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=28
This commit is contained in:
Dominique Leuenberger 2018-03-11 14:25:26 +00:00 committed by Git OBS Bridge
commit 996315919e
7 changed files with 124 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch Normal file
View File

@ -0,0 +1,57 @@
From 6d1f6dd0c2b2cd80559b61779254e1b3d39aa5cd Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 19 Jan 2018 15:36:40 -0500
Subject: [PATCH] Fix up some broken cipher strings from a bad merge
---
nss_engine_cipher.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index b78e32c..3eda72a 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -59,7 +59,7 @@ cipher_properties ciphers_def[] =
{"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_MEDIUM, 112, 168, NULL},
{"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56, NULL},
#ifdef ENABLE_SERVER_DHE
- {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+ {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "DHE-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
{"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
{"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
{"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kDHE|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
@@ -74,21 +74,21 @@ cipher_properties ciphers_def[] =
#endif
#endif /* ENABLE_SERVER_DHE */
#ifdef NSS_ENABLE_ECC
- {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
- {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
- {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
- {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
- {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHE|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHE|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHE|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
{"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, "ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
{"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
{"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
{"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "ECDHE-ECDSA-AES128-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
{"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
- {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
- {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
- {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
- {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
- {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
{"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, "ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
{"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
--
2.16.2

121
0001-Handle-group-membership-when-testing-for-file-permis.patch
View File

@ -1,121 +0,0 @@
From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions
This was a bit of a corner case but group membership wasn't
considered when trying to determine if the NSS databases are
readable.
Resolves BZ 1395300
---
nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
1 file changed, 33 insertions(+), 12 deletions(-)
Index: mod_nss-1.0.14/nss_engine_init.c
===================================================================
--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
@@ -29,6 +29,7 @@
#include "cert.h"
#include <sys/types.h>
#include <pwd.h>
+#include <grp.h>
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -57,22 +58,38 @@ static char *version_components[] = {
* Return 0 on failure or file doesn't exist
* Return 1 on success
*/
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+ apr_pool_t *p)
{
apr_finfo_t finfo;
- int rv;
+ PRBool in_group = PR_FALSE;
+ struct group *gr;
+ int i = 0;
+
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+ == APR_SUCCESS) {
+ if ((gr = getgrgid(finfo.group)) == NULL) {
+ return 0;
+ }
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
- p)) == APR_SUCCESS) {
+ if (gid == finfo.group) {
+ in_group = PR_TRUE;
+ } else {
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
+ in_group = PR_TRUE;
+ break;
+ }
+ }
+ }
if (((uid == finfo.user) &&
((finfo.protection & APR_FPROT_UREAD))) ||
- ((gid == finfo.group) &&
- ((finfo.protection & APR_FPROT_GREAD)))
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+ (finfo.protection & APR_FPROT_WREAD)
)
{
return 1;
}
- return 0;
}
return 0;
}
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
apr_snprintf(filepath, 1024, "%s/key4.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/cert9.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
} else {
apr_snprintf(filepath, 1024, "%s/key3.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/cert8.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/secmod.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS secmod "
"database %s.", mc->user, filepath);

42
apache2-mod_nss.changes
View File

@ -1,3 +1,45 @@
-------------------------------------------------------------------
Thu Mar 8 13:15:32 UTC 2018 - vcizek@suse.com
- Since the update to NSS 3.35, the default NSS certificate
database format changed from Berkley DB to SQLite
- use %license tag
-------------------------------------------------------------------
Wed Mar 7 16:35:56 UTC 2018 - vcizek@suse.com
- Update to 1.0.15
* Try to auto-detect the NSS database format if not specified
* Update nss_pcache.8 man page to drop directory and prefix
* When a token is configured in password file only authenticate once
* Return an error when NSSPassPhraseDialog is invalid
* Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
* Add -Werror=implicit-function-declaration to CFLAGS
* Handle group membership when testing for file permissions
* NSS system-wide policy now disables SSLv3, don't use it in tests
* Add missing error messages for libssl errors
* Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
* When including additional test config use specific extension
* Fix the TLS Session ID cache
* Make an invalid protocol setting fatal
* Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
* Add info log message when FIPS is enabled
* Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
* Fix removal of CR from PEM certificates
* Add OCSP caching and timeout tuning knobs
* Check the NSS database directory permissions as well as the files
inside it for read access on startup.
* Add in simple aliases for ciphers to fix those that
don't follow the pattern (dhe_rsa_aes_128_sha256,
dhe_rsa_aes_256_sha256) and those with typos
(camelia_128_sha, camelia_256_sha)
* Fix semaphore leak
* Don't set remote user in fixup hook
* Drop SSLv2 tests because it is completely disabled now
- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch
(upstream)
- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
-------------------------------------------------------------------
Tue Dec 19 13:13:22 UTC 2017 - pgajdos@suse.com

29
apache2-mod_nss.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -25,7 +25,7 @@
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
Name: apache2-mod_nss
Version: 1.0.14
Version: 1.0.15
Release: 0
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
@ -38,8 +38,8 @@ Source4: README-SUSE.txt
Source5: vhost-nss.template
Patch1: mod_nss-migrate.patch
Patch2: mod_nss-gencert-correct-ownership.patch
Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: apr-devel
@ -51,7 +51,6 @@ BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: iproute2
BuildRequires: iproute2
BuildRequires: libtool
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.25
@ -62,7 +61,6 @@ Requires: %{apache_suse_maintenance_mmn}
Requires: apache2 >= 2.2.12
Requires: findutils
Requires: iproute2
Requires: iproute2
Requires: mozilla-nss >= 3.25
Requires(post): mozilla-nss-tools
Provides: mod_nss
@ -77,8 +75,8 @@ security library.
%setup -q -n mod_nss-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@ -132,9 +130,15 @@ install -m 755 gencert %{buildroot}%{_sbindir}/
install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
%if 0%{?suse_version} < 1330
touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db
touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db
touch %{buildroot}%{apache_sysconf_nssdir}/key3.db
%else
touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt
touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db
touch %{buildroot}%{apache_sysconf_nssdir}/key4.db
%endif
touch %{buildroot}%{apache_sysconf_nssdir}/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert
@ -195,7 +199,9 @@ exit $exit_code
%post
umask 077
if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
# generate a self-signed certificate if there isn't either
# key3.db (old DBM format) or key4.db (new SQLite format)
if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e %{apache_sysconf_nssdir}/key4.db ]; then
%{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
@ -206,16 +212,23 @@ find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {}
find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} +
%files
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
%license LICENSE
%doc README docs/mod_nss.html README-SUSE.txt
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
%if 0%{?suse_version} < 1330
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%else
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/pkcs11.txt
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert9.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db
%endif
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
%{_sbindir}/nss_pcache
%{_sbindir}/gencert

3
mod_nss-1.0.14.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b5d148314d28dc47028b22944769de26fb553f08888d3f9a41e3621f4bcfb16c
size 179628

3
mod_nss-1.0.15.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a33734ecd6e1fa44bffb359b0a08431a3b5c8e81a4958d90200bbb2ce2c0fe9
size 183083

2
vhost-nss.template
View File

@ -49,7 +49,7 @@ NSSNickname Server-Cert
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# keys. The database consists of 3 files: cert9.db, key4.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/apache2/mod_nss.d