# # spec file for package apache2-mod_nss # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define apxs %{_sbindir}/apxs2 %define apache apache2 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) %define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_includedir %(%{apxs} -q INCLUDEDIR) %define apache_serverroot %(%{apxs} -q PREFIX) %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss Version: 1.0.18 Release: 0 Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers Url: https://pagure.io/mod_nss Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz Source1: mod_nss.conf.in Source2: listen_nss.conf Source4: README-SUSE.txt Source5: vhost-nss.template Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apr-devel BuildRequires: apr-util-devel BuildRequires: automake BuildRequires: bison BuildRequires: curl BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: iproute2 BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.25 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig Requires: %{apache_mmn} Requires: %{apache_suse_maintenance_mmn} Requires: apache2 >= 2.2.12 Requires: findutils Requires: iproute2 Requires: mozilla-nss >= 3.25 Requires(post): mozilla-nss-tools Provides: mod_nss %description The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. %prep %setup -q -n mod_nss-%{version} %patch1 -p1 %patch2 -p1 %patch4 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build CFLAGS="%{optflags}" export CFLAGS NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr` NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr` NSS_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nss` NSS_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nss` NSS_BIN=`%{_bindir}/pkg-config --variable=exec_prefix nss` # For some reason mod_nss can't find nss on SUSE unless we do the following C_INCLUDE_PATH="%{_includedir}/nss3:%{_includedir}/nspr4:%{_includedir}/apache2-prefork/" export C_INCLUDE_PATH # no more patching a config file... cp -a %{SOURCE1} ./nss.conf.in cp -a %{SOURCE4} . chmod 644 ./nss.conf.in autoreconf -fvi %configure \ --with-nss-lib=$NSS_LIB_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \ --with-nspr-lib=$NSPR_LIB_DIR \ --with-nspr-inc=$NSPR_INCLUDE_DIR \ --with-apxs=%{apxs} \ --enable-ecc \ --with-apr-config make %{?_smp_mflags} all %install # The install target of the Makefile isn't used because that uses apxs # which tries to enable the module in the build host httpd instead of in # the build root. mkdir -p %{buildroot}/%{apache_libexecdir} mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d mkdir -p %{buildroot}%{apache_sysconfdir}/vhosts.d mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{apache_sysconf_nssdir} %if 0%{?suse_version} perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf %endif install -m 644 nss.conf %{buildroot}%{apache_sysconfdir}/conf.d/mod_nss.conf install -m 644 %{SOURCE5} %{buildroot}%{apache_sysconfdir}/vhosts.d/vhost-nss.template install -m 644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/listen_nss.conf install -m 755 .libs/libmodnss.so %{buildroot}%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache %{buildroot}%{_sbindir}/ install -m 755 gencert %{buildroot}%{_sbindir}/ install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ %if 0%{?suse_version} <= 1500 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db touch %{buildroot}%{apache_sysconf_nssdir}/key3.db %else touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db touch %{buildroot}%{apache_sysconf_nssdir}/key4.db %endif touch %{buildroot}%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert %check set +x mkdir -p %{apache_test_module_dir} # create password file including internal token to suppress apache 'builtin dialog' cat << EOF > %{apache_test_module_dir}/password.conf internal:httptest EOF # create test configuration cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf NSSEngine on NSSNickname Server-Cert NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 %if 0%{?apache_branch} >= 204 Require local %else Allow from localhost %endif EOF # create test certificate mkdir -p %{apache_test_module_dir}/mod_nss.d # bend gencert to use ServerName of apache test instance cp %{buildroot}%{_sbindir}/gencert . sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert ./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1 # create test document mkdir -p %{apache_test_module_dir}/htdocs cat << EOF > %{apache_test_module_dir}/htdocs/index.html HTTPS HELLO EOF exit_code=0 # run apache test instance %apache_test_module_start_apache -m nss -i mod_nss-test.conf # get test document %apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt echo echo 'Testing /index.html output' grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1 if [ $exit_code -eq 0 ]; then echo 'SUCCESS' else echo 'FAILED, error_log:' cat %{apache_test_module_dir}/error_log fi echo # stop apache test instance %apache_test_module_stop_apache set -x exit $exit_code %post umask 077 # generate a self-signed certificate if there isn't either # key3.db (old DBM format) or key4.db (new SQLite format) if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e %{apache_sysconf_nssdir}/key4.db ]; then %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1 echo "" echo "%{name} certificate database generated." echo "" fi # Make sure that the database ownership is setup properly. find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {} + find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} + %files %license LICENSE %doc README docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template %config(noreplace) %{apache_sysconfdir}/listen_nss.conf %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so %dir %{apache_sysconf_nssdir}/ %if 0%{?suse_version} <= 1500 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db %else %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/pkcs11.txt %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert9.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db %endif %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log %{_sbindir}/nss_pcache %{_sbindir}/gencert %{_sbindir}/mod_nss_migrate.pl %changelog