From 39ebee229b978ec9569017166fd8d9435d82829f60ffb4a5fa89326874561620 Mon Sep 17 00:00:00 2001 
From: Petr Gajdos Date: Fri, 9 Mar 2018 16:02:16 +0000 Subject: [PATCH] Accepting request 584463 from home:vitezslav_cizek:branches:Apache:Modules - Since the update to NSS 3.35, the default NSS certificate database format changed from Berkley DB to SQLite - use %license tag - Update to 1.0.15 * Try to auto-detect the NSS database format if not specified * Update nss_pcache.8 man page to drop directory and prefix * When a token is configured in password file only authenticate once * Return an error when NSSPassPhraseDialog is invalid * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ * Add -Werror=implicit-function-declaration to CFLAGS * Handle group membership when testing for file permissions * NSS system-wide policy now disables SSLv3, don't use it in tests * Add missing error messages for libssl errors * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name * When including additional test config use specific extension * Fix the TLS Session ID cache * Make an invalid protocol setting fatal * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() * Add info log message when FIPS is enabled * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types * Fix removal of CR from PEM certificates * Add OCSP caching and timeout tuning knobs * Check the NSS database directory permissions as well as the files inside it for read access on startup. 
* Add in simple aliases for ciphers to fix those that don't follow the pattern (dhe_rsa_aes_128_sha256, dhe_rsa_aes_256_sha256) and those with typos (camelia_128_sha, camelia_256_sha) * Fix semaphore leak OBS-URL: https://build.opensuse.org/request/show/584463 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=40
---
 ...oken-cipher-strings-from-a-bad-merge.patch | 57 +++++++++
 ...bership-when-testing-for-file-permis.patch | 121 ------------------
 apache2-mod_nss.changes | 42 ++++++
 apache2-mod_nss.spec | 29 +++--
 mod_nss-1.0.14.tar.gz | 3 -
 mod_nss-1.0.15.tar.gz | 3 +
 vhost-nss.template | 2 +-
 7 files changed, 124 insertions(+), 133 deletions(-)
 create mode 100644 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
 delete mode 100644 0001-Handle-group-membership-when-testing-for-file-permis.patch
 delete mode 100644 mod_nss-1.0.14.tar.gz
 create mode 100644 mod_nss-1.0.15.tar.gz
diff --git a/0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch b/0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
new file mode 100644
index 0000000..4154d61
--- /dev/null
+++ b/0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
@@ -0,0 +1,57 @@
+From 6d1f6dd0c2b2cd80559b61779254e1b3d39aa5cd Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 19 Jan 2018 15:36:40 -0500
+Subject: [PATCH] Fix up some broken cipher strings from a bad merge
+
+---
+ nss_engine_cipher.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
+index b78e32c..3eda72a 100644
+--- a/nss_engine_cipher.c
++++ b/nss_engine_cipher.c
+@@ -59,7 +59,7 @@ cipher_properties ciphers_def[] =
+ {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_MEDIUM, 112, 168, NULL},
+ {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56, NULL},
+ #ifdef ENABLE_SERVER_DHE
+- {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
++ {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "DHE-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+ {"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+ {"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+ {"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kDHE|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+@@ -74,21 +74,21 @@ cipher_properties ciphers_def[] =
+ #endif
+ #endif /* ENABLE_SERVER_DHE */
+ #ifdef NSS_ENABLE_ECC
+- {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+- {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", 
SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+- {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+- {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+- {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
++ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHE|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
++ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHE|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
++ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHE|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
++ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
++ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+ {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, "ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+ {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+ {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+ {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "ECDHE-ECDSA-AES128-SHA", 
SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+ {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+- {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+- {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+- {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+- {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
+- {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
++ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
++ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
++ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
++ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL},
++ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL},
+ {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+ 
{"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, "ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+ {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL},
+-- 
+2.16.2
+
diff --git a/0001-Handle-group-membership-when-testing-for-file-permis.patch b/0001-Handle-group-membership-when-testing-for-file-permis.patch
deleted file mode 100644
index 750b50d..0000000
--- a/0001-Handle-group-membership-when-testing-for-file-permis.patch
+++ /dev/null
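Review bot: The key-exchange flag is renamed only on the ecdh_ecdsa rows of the second hunk (SSL_kECDHe becomes SSL_kECDHE) while the ecdh_rsa rows in the same hunk keep SSL_kECDHr and change only SSL_aECDH to SSL_AECDH, so the two ECDH families no longer follow one naming scheme; that is presumably what nss_engine_cipher.h in 1.0.15 declares, but it is worth confirming both spellings exist in the header this patch is applied on top of, since a stale identifier in this table is a build failure. The dhe_rsa_3des_sha row also changes its OpenSSL-style name from EDH-RSA-DES-CBC3-SHA to DHE-RSA-DES-CBC3-SHA, and an NSSCipherSuite directive that spells the old name will presumably stop matching after the update; the changes entry only lists the patch by file name, so a line such as `- renamed OpenSSL-style alias EDH-RSA-DES-CBC3-SHA to DHE-RSA-DES-CBC3-SHA (0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch)` in apache2-mod_nss.changes would make the user-visible change findable. The ciphers_def[] array starts and ends outside both hunks.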
@@ -1,121 +0,0 @@
-From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Thu, 23 Feb 2017 13:06:21 -0500
-Subject: [PATCH] Handle group membership when testing for file permissions
-
-This was a bit of a corner case but group membership wasn't
-considered when trying to determine if the NSS databases are
-readable.
-
-Resolves BZ 1395300
----
- nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
- 1 file changed, 33 insertions(+), 12 deletions(-)
-
-Index: mod_nss-1.0.14/nss_engine_init.c
-===================================================================
---- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
-+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
-@@ -29,6 +29,7 @@
- #include "cert.h"
- #include
- #include
-+#include
-
- static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
- static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
-@@ -57,22 +58,38 @@ static char *version_components[] = {
- * Return 0 on failure or file doesn't exist
- * Return 1 on success
- */
--static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
-+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
-+ apr_pool_t *p)
- {
- apr_finfo_t finfo;
-- int rv;
-+ PRBool in_group = PR_FALSE;
-+ struct group *gr;
-+ int i = 0;
-+
-+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
-+ == APR_SUCCESS) {
-+ if ((gr = getgrgid(finfo.group)) == NULL) {
-+ return 0;
-+ }
-
-- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
-- p)) == APR_SUCCESS) {
-+ if (gid == finfo.group) {
-+ in_group = PR_TRUE;
-+ } else {
-+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
-+ if (!strcasecmp(user, gr->gr_mem[i++])) {
-+ in_group = PR_TRUE;
-+ break;
-+ }
-+ }
-+ }
- if (((uid == finfo.user) &&
- ((finfo.protection & APR_FPROT_UREAD))) ||
-- ((gid == finfo.group) &&
-
 ((finfo.protection & APR_FPROT_GREAD)))
-+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
-+ (finfo.protection & APR_FPROT_WREAD)
- )
- {
- return 1;
- }
-- return 0;
- }
- return 0;
- }
-@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
- if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
- apr_snprintf(filepath, 1024, "%s/key4.db",
- mc->pCertificateDatabase+4);
-- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
-+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
-+ p))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Server user %s lacks read access to NSS key "
- "database %s.", mc->user, filepath);
-@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
- }
- apr_snprintf(filepath, 1024, "%s/cert9.db",
- mc->pCertificateDatabase+4);
-- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
-+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
-+ p))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Server user %s lacks read access to NSS cert "
- "database %s.", mc->user, filepath);
-@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
- } else {
- apr_snprintf(filepath, 1024, "%s/key3.db",
- mc->pCertificateDatabase);
-- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
-+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
-+ p))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Server user %s lacks read access to NSS key "
- "database %s.", mc->user, filepath);
-@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
- }
- apr_snprintf(filepath, 1024, "%s/cert8.db",
- mc->pCertificateDatabase);
-- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
-+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
-+ p))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Server user %s lacks read access to NSS cert "
- "database %s.", mc->user, filepath);
-@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
-
 }
- apr_snprintf(filepath, 1024, "%s/secmod.db",
- mc->pCertificateDatabase);
-- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
-+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Server user %s lacks read access to NSS secmod "
- "database %s.", mc->user, filepath);
diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index 0ae3f84..eb1b16a 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Thu Mar 8 13:15:32 UTC 2018 - vcizek@suse.com
+
+- Since the update to NSS 3.35, the default NSS certificate
+ database format changed from Berkley DB to SQLite
+- use %license tag
+
+-------------------------------------------------------------------
+Wed Mar 7 16:35:56 UTC 2018 - vcizek@suse.com
+
+- Update to 1.0.15
+ * Try to auto-detect the NSS database format if not specified
+ * Update nss_pcache.8 man page to drop directory and prefix
+ * When a token is configured in password file only authenticate once
+ * Return an error when NSSPassPhraseDialog is invalid
+ * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
+ * Add -Werror=implicit-function-declaration to CFLAGS
+ * Handle group membership when testing for file permissions
+ * NSS system-wide policy now disables SSLv3, don't use it in tests
+ * Add missing error messages for libssl errors
+ * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
+ * When including additional test config use specific extension
+ * Fix the TLS Session ID cache
+ * Make an invalid protocol setting fatal
+ * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
+ * Add info log message when FIPS is enabled
+ * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
+ * Fix removal of CR from PEM certificates
+ * Add OCSP caching and timeout tuning knobs
+ * Check the NSS database directory permissions as well as the files
+ inside it for read access on startup.
+ * Add in simple aliases for ciphers to fix those that
+ don't follow the pattern (dhe_rsa_aes_128_sha256,
+ dhe_rsa_aes_256_sha256) and those with typos
+ (camelia_128_sha, camelia_256_sha)
+ * Fix semaphore leak
+ * Don't set remote user in fixup hook
+ * Drop SSLv2 tests because it is completely disabled now
+- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch
+ (upstream)
+- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
+
 -------------------------------------------------------------------
 Tue Dec 19 13:13:22 UTC 2017 - pgajdos@suse.com
diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec
index ece341f..509455a 100644
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
 %define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name: apache2-mod_nss
-Version: 1.0.14
+Version: 1.0.15
 Release: 0
 Summary: SSL/TLS module for the Apache HTTP server
 License: Apache-2.0
@@ -38,8 +38,8 @@ Source4: README-SUSE.txt
 Source5: vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
-Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
+Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
 BuildRequires: apache-rpm-macros
 BuildRequires: apache2-devel >= 2.2.12
 BuildRequires: apr-devel
@@ -51,7 +51,6 @@ BuildRequires: findutils
 BuildRequires: flex
 BuildRequires: gcc-c++
 BuildRequires: iproute2
-BuildRequires: iproute2
 BuildRequires: libtool
 BuildRequires: mozilla-nspr-devel >= 4.6.3
 BuildRequires: mozilla-nss-devel >= 3.25
@@ -62,7 +61,6 @@ Requires: %{apache_suse_maintenance_mmn}
 Requires: apache2 >= 2.2.12
 Requires: findutils
 Requires: iproute2
-Requires: iproute2
 Requires: mozilla-nss >= 3.25
 Requires(post): mozilla-nss-tools
 Provides: mod_nss
@@ -77,8 +75,8 @@ security library.
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -132,9 +130,15 @@ install -m 755 gencert %{buildroot}%{_sbindir}/
 install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl
 #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
+%if 0%{?suse_version} < 1330
 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db
 touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db
 touch %{buildroot}%{apache_sysconf_nssdir}/key3.db
+%else
+touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt
+touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db
+touch %{buildroot}%{apache_sysconf_nssdir}/key4.db
+%endif
 touch %{buildroot}%{apache_sysconf_nssdir}/install.log
 perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert
@@ -195,7 +199,9 @@ exit $exit_code
 %post
 umask 077
-if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
+# generate a self-signed certificate if there isn't either
+# key3.db (old DBM format) or key4.db (new SQLite format)
+if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e %{apache_sysconf_nssdir}/key4.db ]; then
 %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
 echo ""
 echo "%{name} certificate database generated."
@@ -206,16 +212,23 @@ find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {}
 find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} +
 %files
-%doc README LICENSE docs/mod_nss.html README-SUSE.txt
+%license LICENSE
+%doc README docs/mod_nss.html README-SUSE.txt
 %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
 %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
 %config(noreplace) %{apache_sysconfdir}/listen_nss.conf
 %dir %{apache_libexecdir}
 %{apache_libexecdir}/mod_nss.so
 %dir %{apache_sysconf_nssdir}/
+%if 0%{?suse_version} < 1330
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
+%else
+%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/pkcs11.txt
+%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert9.db
+%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db
+%endif
 %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
 %{_sbindir}/nss_pcache
 %{_sbindir}/gencert
diff --git a/mod_nss-1.0.14.tar.gz b/mod_nss-1.0.14.tar.gz
deleted file mode 100644
index 373295c..0000000
--- a/mod_nss-1.0.14.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b5d148314d28dc47028b22944769de26fb553f08888d3f9a41e3621f4bcfb16c
-size 179628
diff --git a/mod_nss-1.0.15.tar.gz b/mod_nss-1.0.15.tar.gz
new file mode 100644
index 0000000..2c609c3
--- /dev/null
+++ b/mod_nss-1.0.15.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a33734ecd6e1fa44bffb359b0a08431a3b5c8e81a4958d90200bbb2ce2c0fe9
+size 183083
diff --git a/vhost-nss.template b/vhost-nss.template
index 8fd8996..b3d3a7a 100644
--- a/vhost-nss.template
+++ b/vhost-nss.template
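Review bot: The %post fix-up that hands the generated database to the www group, `find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {} +` together with the `chmod 640` find on the next line, matches only `*.db`, so the pkcs11.txt that the new %else branch of %files ships as `%ghost %attr(0640,root,www)` is not covered. If gencert creates pkcs11.txt under the `umask 077` set in the %post hunk above (the one that now also tests for key4.db), it presumably stays 0600 and root-owned on the SQLite path, and NSS running as the www user may then be unable to read its module configuration even though cert9.db and key4.db were fixed up. Widening both find patterns, e.g. `find %{apache_sysconf_nssdir} -user root \( -name "*.db" -o -name pkcs11.txt \) -exec /bin/chgrp -h www {} +`, keeps %post consistent with the attributes declared in %files. The %post scriptlet starts outside this hunk, and the same distro-version switch appears in the %install hunk.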
@@ -49,7 +49,7 @@ NSSNickname Server-Cert
 # Server Certificate Database:
 # The NSS security database directory that holds the certificates and
-# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# keys. The database consists of 3 files: cert9.db, key4.db and secmod.db.
 # Provide the directory that these files exist.
 NSSCertificateDatabase /etc/apache2/mod_nss.d
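Review bot: The rewritten comment still names secmod.db as the third database file, but secmod.db belongs to the cert8.db/key3.db (DBM) layout; with cert9.db and key4.db the module configuration is the pkcs11.txt that the spec's %else branch in this same commit installs and lists under %files, so the line now mixes the two formats. Suggest `# keys. The database consists of 3 files: cert9.db, key4.db and pkcs11.txt.`, and if both formats remain supported on older distro versions (the spec keeps the DBM branch for suse_version < 1330) a second comment line naming the cert8.db, key3.db and secmod.db set would keep the template accurate for both.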