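#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           apache2-mod_nss
Summary:        SSL/TLS module for the Apache HTTP server
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
Version:        1.0.8
Release:        0.4.8
Url:            https://fedorahosted.org/mod_nss
Source:         https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
# Source1 replaces the upstream nss.conf.in wholesale (copied in during the
# build section) -- the shipped default configuration lives there, not in
# this spec.
Source1:        mod_nss.conf.in
Source2:        listen_nss.conf
Source3:        mod_nss_migrate.pl
Source4:        README-SUSE.txt
Source5:        vhost-nss.template
Provides:       mod_nss
Requires:       %{apache_mmn}
Requires:       %{apache_suse_maintenance_mmn}
Requires:       apache2 >= 2.2.12
Requires:       findutils
Requires:       mozilla-nss >= 3.15.1
# Scriptlet dependencies: the post-install scriptlet runs find(1) to fix the
# ownership of the generated NSS databases and gencert (which presumably
# needs certutil from mozilla-nss-tools -- not visible here).  A plain
# Requires does not guarantee install order inside one transaction, so the
# post-time requirement is spelled out explicitly; PreReq already orders
# mozilla-nss-tools before this package.
Requires(post): findutils
PreReq:         mozilla-nss-tools
BuildRequires:  apache-rpm-macros
BuildRequires:  apache2-devel >= 2.2.12
BuildRequires:  bison
BuildRequires:  curl
BuildRequires:  findutils
BuildRequires:  flex
BuildRequires:  gcc-c++
BuildRequires:  libapr-util1-devel
BuildRequires:  libapr1-devel
BuildRequires:  mozilla-nspr-devel >= 4.6.3
BuildRequires:  mozilla-nss-devel >= 3.15.1
# mozilla-nss-tools is needed at build time as well: the check section runs
# gencert to create the certificate database for the test instance.
BuildRequires:  mozilla-nss-tools
BuildRequires:  pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov  8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.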
# Patch1 stays disabled.  NOTE(review): rpm expands macros inside comments
# (depending on the rpm version a patch macro in a comment is either ignored
# or actually applied); spell it %%patch1 if this line is kept around.
#Patch1: mod_nss-conf.patch
Patch2:         mod_nss-gencert.patch
Patch3:         mod_nss-wouldblock.patch
Patch4:         mod_nss-negotiate.patch
Patch5:         mod_nss-reverseproxy.patch
Patch6:         mod_nss-pcachesignal.h
Patch7:         mod_nss-reseterror.patch
Patch8:         mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9:         mod_nss-httpd24.patch
Patch10:        mod_nss-proxyvariables.patch
Patch11:        mod_nss-tlsv1_1.patch
Patch12:        mod_nss-array_overrun.patch
Patch13:        mod_nss-clientauth.patch
Patch14:        mod_nss-no_shutdown_if_not_init_2.patch
Patch15:        mod_nss-PK11_ListCerts_2.patch
Patch16:        mod_nss-sslmultiproxy.patch
Patch17:        mod_nss-overlapping_memcpy.patch
# Security fix: NSSVerifyClient enforcement (CVE-2013-4566).
Patch18:        mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19:        mod_nss-cipherlist_update_for_tls12.diff
Patch20:        mod_nss-cipherlist_update_for_tls12-doc.diff
Patch23:        mod_nss-bnc863518-reopen_dev_tty.diff
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
Patch24:        mod_nss-compare_subject_CN_and_VS_hostname.patch
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
Patch25:        mod_nss-add_support_for_enabling_TLS_v1.2.patch
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
Patch26:        0001-SNI-check-with-NameVirtualHosts.patch
Patch27:        update-ciphers.patch
Patch28:        mod_nss-reverse_proxy_send_SNI.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

# Apache layout, queried from apxs2 at spec parse time.
# NOTE(review): the Requires lines above that mention apache_mmn were
# already expanded (rpm expands tags line by line) before this point, so
# they use the macro as presumably provided by apache-rpm-macros; the
# definitions below only affect later uses in this file.
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
# Location of the NSS certificate/key databases used by the module
# (created by gencert in the post-install scriptlet, ghosted in the file list).
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d

%description
The mod_nss module provides strong cryptography for the Apache Web server via
the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
using the Network
Security Services (NSS) security library.

%prep
%setup -q -n mod_nss-%{version}
# Every patch is applied with a distinct backup suffix so a failed hunk can
# be traced to its patch.  Patches 18-20 and 23 are -p0 (no leading path
# component), the rest are -p1.
##%patch1 -p1 -b .conf.rpmpatch
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
%patch26 -p1 -b .SNI_support.rpmpatch
%patch27 -p1 -b .update-ciphers.rpmpatch
%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
# keep this last, otherwise we get fuzzyness from above
# (only needed when building against the 2.4 branch of apache2)
%if %{apache_branch} >= 204
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
# NSS/NSPR paths from pkg-config, handed to configure below.
# NOTE(review): these variables are scoped to this section only -- rpmbuild
# runs each section in its own shell, so they are not visible in the install
# section even though it references NSS_LIB_DIR/NSS_BIN again.
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
# (Source1 is the complete SUSE nss.conf.in; it overrides the upstream one)
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
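chmod 644 ./nss.conf.in
#autoreconf -fvi
# NSS/NSPR locations come from the pkg-config queries earlier in this
# section; apxs is the path defined in the preamble.
%configure \
        --with-nss-lib=$NSS_LIB_DIR \
        --with-nss-inc=$NSS_INCLUDE_DIR \
        --with-nspr-lib=$NSPR_LIB_DIR \
        --with-nspr-inc=$NSPR_INCLUDE_DIR \
        --with-apxs=%{apxs} \
        --enable-ecc \
        --with-apr-config
make %{?_smp_mflags} all

%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
# Point the generated nss.conf at the SUSE module directory.
%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif
# Configuration files are 0644; module, helpers and scripts are 0755.
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders so the NSS databases and the gencert log can be listed
# as ghost files; the real ones are created by the post-install scriptlet.
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
# NOTE(review): NSS_LIB_DIR and NSS_BIN were assigned in the build section,
# but rpmbuild runs each section in a separate shell, so both are empty here
# and this substitution is effectively a no-op.  The check section below
# runs the gencert exactly as installed, so it is left untouched; re-derive
# the two values with pkg-config here if the rewrite is actually wanted.
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert

%check
# Build-time smoke test: start a throw-away httpd with the freshly built
# module, fetch one page over https and check its body.  The configuration
# written here is test-only (it deliberately enables TLSv1.0 so the check
# also runs on older curl); the shipped defaults come from Source1.
set +x
mkdir -p %{apache_test_module_dir}
# create test configuration
# (the pass phrase helper path hardcodes /usr/sbin rather than the sbindir
# macro; both resolve to the same place on SUSE)
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
%if 0%{?apache_branch} >= 204
Require local
%else
Allow from localhost
%endif
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
# bend gencert to use ServerName of apache test instance
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
# The only assertion: the fetched body contains the test document.
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ $exit_code -eq 0 ]; then
  echo 'SUCCESS'
else
  echo 'FAILED, error_log:'
  cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
# (always stopped before the exit status is reported, even on failure)
%apache_test_module_stop_apache
set -x
exit $exit_code

%post
# Restrictive umask: everything created below (the NSS databases and
# install.log, which captures all gencert output) starts out root-only.
umask 077
if [ "$1" -eq 1 ] ; then
    # this is first time installation.
    # The *.db entries in the file list are ghosts, so nothing was unpacked
    # into the database directory; only generate a database when none is
    # present (e.g. one preserved from an earlier installation).
    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly.
    # gencert ran as root, so hand the databases to group www read-only
    # (0640) to match the file list; databases the administrator already
    # re-owned (no longer root) are left alone.
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
    # Upgrade case: earlier releases kept the NSS databases in the alias
    # directory next to the apache configuration.  Carry over every *.db
    # that does not exist in the new database directory yet.
    # The glob has to be anchored to the alias directory: rpm does not run
    # scriptlets from there, so a bare "*.db" never matched the old files
    # and nothing was ever copied.
    if [ -d %{apache_sysconfdir}/alias ]; then
        copied_files=""
        for dbpath in %{apache_sysconfdir}/alias/*.db; do
            # an unmatched glob expands to itself; -f filters that out
            [ -f "$dbpath" ] || continue
            dbfile=${dbpath##*/}
            if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" ]; then
                # -a keeps the old ownership/mode of the database
                cp -a "$dbpath" %{apache_sysconf_nssdir}/"$dbfile"
                copied_files="$copied_files $dbfile"
            fi
        done
        # Leave a note in the old location so the admin knows what moved.
        if [ "$copied_files" != "" ]; then
            {
            echo "This notice was written by the post-install script of the package"
            echo "%{name}."
            echo ""
            echo "The files $copied_files"
            echo "have been copied to the directory %{apache_sysconf_nssdir},"
            echo "as this directory is not referenced by the default configuration any longer,"
            echo "and because these files did not exist in %{apache_sysconf_nssdir}."
            echo "Existing files have not been modified."
            echo ""
            echo "Please check your configuration and remove or move your certificate and"
            echo "key storage to your desired place, and adjust your module configuration"
            echo "accordingly."
            echo ""
            echo "Thank you."
            } > %{apache_sysconfdir}/alias/README-dbfiles.txt
        fi
    fi
fi

%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
# Ghost entries: not shipped in the payload, created by gencert at install
# time.  The databases (including the private key store key3.db) are owned
# root:www 0640 so only the web server group can read them; install.log has
# no attr entry and keeps the 0600 it gets from the scriptlet's umask.
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl

%changelog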