# # spec file for package apache2-mod_nss # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: apache2-mod_nss Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers Version: 1.0.14 Release: 0.4.8 Url: https://fedorahosted.org/mod_nss Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz Source1: mod_nss.conf.in Source2: listen_nss.conf Source4: README-SUSE.txt Source5: vhost-nss.template Provides: mod_nss Requires: %{apache_mmn} Requires: %{apache_suse_maintenance_mmn} Requires: apache2 >= 2.2.12 Requires: findutils Requires: mozilla-nss >= 3.15.1 PreReq: mozilla-nss-tools BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: automake BuildRequires: bison BuildRequires: curl BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch Patch3: mod_nss-dont_disable_SSLV2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apxs /usr/sbin/apxs2 %define apache apache2 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) %define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_includedir %(%{apxs} -q INCLUDEDIR) %define apache_serverroot %(%{apxs} -q PREFIX) %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d %description The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. %prep %setup -q -n mod_nss-%{version} %patch1 -p1 %patch2 -p1 %patch3 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build CFLAGS="$RPM_OPT_FLAGS" export CFLAGS NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` # For some reason mod_nss can't find nss on SUSE unless we do the following C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/" export C_INCLUDE_PATH # no more patching a config file... cp -a %{SOURCE1} ./nss.conf.in cp -a %{SOURCE4} . chmod 644 ./nss.conf.in autoreconf -fvi %configure \ --with-nss-lib=$NSS_LIB_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \ --with-nspr-lib=$NSPR_LIB_DIR \ --with-nspr-inc=$NSPR_INCLUDE_DIR \ --with-apxs=%{apxs} \ --enable-ecc \ --with-apr-config make %{?_smp_mflags} all %install # The install target of the Makefile isn't used because that uses apxs # which tries to enable the module in the build host httpd instead of in # the build root. mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir} %if 0%{?suse_version} perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf %endif install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert %check set +x mkdir -p %{apache_test_module_dir} # create password file including internal token to suppress apache 'builtin dialog' cat << EOF > %{apache_test_module_dir}/password.conf internal:httptest EOF # create test configuration cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf NSSEngine on NSSNickname Server-Cert NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 %if 0%{?apache_branch} >= 204 Require local %else Allow from localhost %endif EOF # create test certificate mkdir -p %{apache_test_module_dir}/mod_nss.d # bend gencert to use ServerName of apache test instance cp %{buildroot}%{_sbindir}/gencert . sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert ./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1 # create test document mkdir -p %{apache_test_module_dir}/htdocs cat << EOF > %{apache_test_module_dir}/htdocs/index.html HTTPS HELLO EOF exit_code=0 # run apache test instance %apache_test_module_start_apache -m nss -i mod_nss-test.conf # get test document %apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt echo echo 'Testing /index.html output' grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1 if [ $exit_code -eq 0 ]; then echo 'SUCCESS' else echo 'FAILED, error_log:' cat %{apache_test_module_dir}/error_log fi echo # stop apache test instance %apache_test_module_stop_apache set -x exit $exit_code %post umask 077 if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1 echo "" echo "%{name} certificate database generated." echo "" fi # Make sure that the database ownership is setup properly. find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \; find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \; %files %defattr(-,root,root,-) %doc README LICENSE docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template %config(noreplace) %{apache_sysconfdir}/listen_nss.conf %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so %dir %{apache_sysconf_nssdir}/ %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log %{_sbindir}/nss_pcache %{_sbindir}/gencert %{_sbindir}/mod_nss_migrate.pl %changelog