Accepting request 427944 from home:vitezslav_cizek:branches:Apache:Modules

- don't disable SSLV2, because it doesn't work with NSS 3.24 (boo#993642) * add mod_nss-dont_disable_SSLV2.patch - remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in (bsc#998176) - change ownership of the gencert generated NSS database so apache can read it (bsc#998180) * add mod_nss-gencert-correct-ownership.patch - use correct configuration path in mod_nss.conf.in (bsc#996282) - remove %post migration code from the old alias directory - generate dummy certificates if there aren't any in mod_nss.d OBS-URL: https://build.opensuse.org/request/show/427944 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=28
2016-09-16 07:23:46 +00:00 · 2016-09-16 07:23:46 +00:00 · dab7162805
commit dab7162805
parent c64dd6a747
5 changed files with 59 additions and 47 deletions
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Sep 15 10:44:06 UTC 2016 - vcizek@suse.com
+
+- don't disable SSLV2, because it doesn't work with NSS 3.24
+  (boo#993642)
+  * add mod_nss-dont_disable_SSLV2.patch
+- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in
+  (bsc#998176)
+- change ownership of the gencert generated NSS database so apache
+  can read it (bsc#998180)
+  * add mod_nss-gencert-correct-ownership.patch
+- use correct configuration path in mod_nss.conf.in (bsc#996282)
+- remove %post migration code from the old alias directory
+- generate dummy certificates if there aren't any in mod_nss.d
+
 -------------------------------------------------------------------
 Fri Jul 29 18:04:55 UTC 2016 - vcizek@suse.com

--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@ -52,6 +52,8 @@ BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig

 Patch1:         mod_nss-migrate.patch
+Patch2:         mod_nss-gencert-correct-ownership.patch
+Patch3:         mod_nss-dont_disable_SSLV2.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
@ -72,6 +74,8 @@ security library.
 %prep
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@ -188,48 +192,15 @@ exit $exit_code

 %post
 umask 077
-if [ "$1" -eq 1 ] ; then
-    # this is first time installation.
-    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
-        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
-        echo ""
-        echo "%{name} certificate database generated."
-        echo ""
-    fi
-    # Make sure that the database ownership is setup properly.
-    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
-    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
-fi
-if [ "$1" -eq 2 ]; then
-    # this is the upgrade case for this %post:
-    if [ -d %{apache_sysconfdir}/alias ]; then
-	copied_files=""
-	for dbfile in *.db; do
-	    if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
-		cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
-		copied_files="$copied_files $dbfile"
-	    fi
-	done
-	if [ "$copied_files" != "" ]; then
-		{
-		echo "This notice was written by the post-install script of the package"
-		echo "%{name}."
-		echo ""
-		echo "The files $copied_files"
-		echo "have been copied to the directory %{apache_sysconf_nssdir},"
-		echo "as this directory is not referenced by the default configuration any longer,"
-		echo "and because these files did not exist in %{apache_sysconf_nssdir}."
-		echo "Existing files have not been modified."
-		echo ""
-		echo "Please check your configuration and remove or move your certificate and"
-		echo "key storage to your desired place, and adjust your module configuration"
-		echo "accordingly."
-		echo ""
-		echo "Thank you."
-		} > %{apache_sysconfdir}/alias/README-dbfiles.txt
-	fi
-    fi
+if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
+    %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
+    echo ""
+    echo "%{name} certificate database generated."
+    echo ""
 fi
+# Make sure that the database ownership is setup properly.
+find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
+find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;

 %files
 %defattr(-,root,root,-)
@ -244,7 +215,6 @@ fi
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
 %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
-#%%{apache_sysconf_nssdir}/libnssckbi.so
 %{_sbindir}/nss_pcache
 %{_sbindir}/gencert
 %{_sbindir}/mod_nss_migrate.pl
--- a/mod_nss-dont_disable_SSLV2.patch
+++ b/mod_nss-dont_disable_SSLV2.patch
@ -0,0 +1,14 @@
+Index: mod_nss-1.0.14/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.14.orig/nss_engine_init.c	2016-04-15 20:27:59.000000000 +0200
+++ mod_nss-1.0.14/nss_engine_init.c	2016-09-15 13:34:23.723723904 +0200
+@@ -796,7 +796,8 @@ static void nss_init_ctx_protocol(server
+         }
+     }
+ 
+-    stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
+    //stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE);
+    stat = SECSuccess;
+ 
+     /* Set protocol version ranges:
+      *
--- a/mod_nss-gencert-correct-ownership.patch
+++ b/mod_nss-gencert-correct-ownership.patch
@ -0,0 +1,15 @@
+Index: mod_nss-1.0.14/gencert.in
+===================================================================
+--- mod_nss-1.0.14.orig/gencert.in	2016-04-15 20:27:59.000000000 +0200
+++ mod_nss-1.0.14/gencert.in	2016-09-13 17:11:20.810502756 +0200
+@@ -332,4 +332,10 @@ echo ""
+ echo "The database password is httptest"
+ echo ""
+ 
+# change the ownership of the NSS database so apache can access it
+echo "Setting the ownership of the NSS database to root:www"
+chmod 640 $DBDIR/*.db
+chown root:www $DBDIR/*.db
+
+
+ exit 0
--- a/mod_nss.conf.in
+++ b/mod_nss.conf.in
@ -50,13 +50,13 @@
 #    it is recommended to decide for one and deactivate the other.
 #
 # Certificates:
-# The directory /etc/apache/mod_nss.d contains everything that mod_nss
+# The directory /etc/apache2/mod_nss.d contains everything that mod_nss
 # needs: keys, certificates. The default configuration has reference
-# to .db files in /etc/apache/mod_nss.d that shall illustrate how the
+# to .db files in /etc/apache2/mod_nss.d that shall illustrate how the
 # configuration should/could look like.
 #
 # In addition to providing a central location to store keys and certificates,
-# /etc/apache/mod_nss.d may also contain configuration files that are
+# /etc/apache2/mod_nss.d may also contain configuration files that are
 # included directly after this documentation text. Note that only files
 # named *.conf are included!
 #
@ -141,10 +141,8 @@ NSSPassPhraseHelper @apache_bin@/nss_pcache

 #   Configure the SSL Session Cache. 
 #   NSSSessionCacheSize is the number of entries in the cache.
-#   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
 #   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
 NSSSessionCacheSize 10000
-NSSSessionCacheTimeout 100
 NSSSession3CacheTimeout 86400

 #