
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.8
Release: 0.4.8
Url: https://fedorahosted.org/mod_nss
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
Source1: mod_nss.conf.in
Source2: listen_nss.conf
Source3: mod_nss_migrate.pl
Source4: README-SUSE.txt
Source5: vhost-nss.template
Provides: mod_nss
# Tie the binary module to the httpd module magic number it was built against
# (see the apache_mmn define further down, which asks apxs at spec-parse time).
Requires: %{apache_mmn}
Requires: %{apache_suse_maintenance_mmn}
Requires: apache2 >= 2.2.12
# findutils: the post-install scriptlet uses find to fix database ownership.
Requires: findutils
Requires: mozilla-nss >= 3.15.1
# Must already be installed when the post-install scriptlet runs: it calls
# gencert to create the NSS database, which presumably needs the NSS
# command-line tools (confirm against gencert).
PreReq: mozilla-nss-tools
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: bison
BuildRequires: curl
BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
#Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9: mod_nss-httpd24.patch
Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
# Security fix: CVE-2013-4566 (NSSVerifyClient handling); note it is applied
# with -p0 in the prep section, unlike most of the other patches.
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19: mod_nss-cipherlist_update_for_tls12.diff
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
Patch24: mod_nss-compare_subject_CN_and_VS_hostname.patch
# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
Patch25: mod_nss-add_support_for_enabling_TLS_v1.2.patch
# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreitova@suse.com -- add Server Name Indication support
Patch26: 0001-SNI-check-with-NameVirtualHosts.patch
Patch27: update-ciphers.patch
Patch28: mod_nss-reverse_proxy_send_SNI.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# httpd paths are discovered from the installed apxs2 when rpm parses the spec
# (the parenthesised shell expansions run at that point), so the package follows
# the build system's httpd layout instead of hard-coding it.
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
# Module magic number: run the "<LIBEXECDIR>_MMN" helper only if it is present
# and executable; otherwise the macro expands to nothing.
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
# Per-module NSS database directory (secmod.db, cert8.db, key3.db live here).
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
%prep
%setup -q -n mod_nss-%{version}
# Every patch leaves a backup of the files it touches (-b .<tag>.rpmpatch) so
# the pre-patch state can be inspected in the build tree.  The strip level
# (-p0 vs -p1) must match how each individual patch was generated; do not
# normalise them.
##%patch1 -p1 -b .conf.rpmpatch
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
# Security fix for CVE-2013-4566 (NSSVerifyClient); -p0 here.
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
%patch26 -p1 -b .SNI_support.rpmpatch
%patch27 -p1 -b .update-ciphers.rpmpatch
%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
# keep this last, otherwise we get fuzzyness from above
# NOTE(review): the check section guards the same macro as 0%%{?apache_branch};
# the bare form used here does not parse if apache_branch is undefined
# (it presumably comes from apache-rpm-macros, which is a BuildRequires).
%if %{apache_branch} >= 204
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
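%build
# Build with the distribution's optimisation/hardening flags.
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
# Locate NSPR/NSS through pkg-config instead of hard-coding multilib paths.
# NSS_BIN is not used within this section; it is only referenced in the install
# section, which runs in a separate shell and therefore does not see it.
NSPR_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nspr)
NSPR_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nspr)
NSS_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nss)
NSS_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nss)
NSS_BIN=$(/usr/bin/pkg-config --variable=exec_prefix nss)
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
# The shipped nss.conf is generated from our own template (Source1) rather than
# from the upstream one, so configure has to see it under the upstream name.
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
#autoreconf -fvi
# Quote the pkg-config results so an unexpected empty or spaced value cannot
# silently turn into a different set of configure arguments.
%configure \
  --with-nss-lib="$NSS_LIB_DIR" \
  --with-nss-inc="$NSS_INCLUDE_DIR" \
  --with-nspr-lib="$NSPR_LIB_DIR" \
  --with-nspr-inc="$NSPR_INCLUDE_DIR" \
  --with-apxs=%{apxs} \
  --enable-ecc \
  --with-apr-config
make %{?_smp_mflags} all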
%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
%if 0%{?suse_version}
# Point the generated nss.conf at the multilib httpd module directory.
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif
# Configuration files and the vhost template are plain 0644 files; the module
# and the helper programs (passphrase cache, certificate generator, migration
# script) are executable.
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders only: these are listed as ghost files in the files section,
# and the real NSS database (including the private key in key3.db) is generated
# on the target system by the post-install scriptlet, never shipped.
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
# NOTE(review): NSS_LIB_DIR and NSS_BIN are assigned in the build section, but
# each spec section runs in its own shell, so both expand to empty here and
# this substitution is effectively a no-op.  Confirm whether gencert still
# needs the path rewrite before re-deriving the variables here.
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
%check
# Command tracing is normally on in rpm build scriptlets; switch it off so the
# self-test transcript stays readable.  It is re-enabled just before exiting.
set +x
mkdir -p %{apache_test_module_dir}
# create test configuration
# Throw-away configuration for the build-time self-test only.  The shipped
# mod_nss.conf comes from nss.conf.in (Source1) in the build section, so the
# protocol and cipher settings below are test settings, not package defaults.
# The passphrase helper is taken from the buildroot so the freshly built
# nss_pcache is what gets exercised.
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<Directory /tmp/apache2-mod_nss_test/htdocs>
%if 0%{?apache_branch} >= 204
Require local
%else
Allow from localhost
%endif
</Directory>
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
# bend gencert to use ServerName of apache test instance
# Work on a copy so the gencert installed into the buildroot stays unmodified;
# the generated database and its log live under the test directory only.
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document
# Fetch the document over https; the check fails unless the marker string comes back.
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ $exit_code -eq 0 ]; then
echo 'SUCCESS'
else
echo 'FAILED, error_log:'
# Dump the server's error_log so a failure can be diagnosed from the build log alone.
cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
# Always stop the instance first; the result is propagated through exit_code.
%apache_test_module_stop_apache
set -x
exit $exit_code
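%post
# Post-install scriptlet.  rpm passes the number of installed instances of this
# package in $1: 1 = first installation, 2 = upgrade (old version still counted).
# Files created by redirection below (install.log, the README) are born 0600
# because of this umask; the NSS database files are then opened to the www
# group explicitly, nothing is ever made world-readable here.
umask 077
if [ "$1" -eq 1 ] ; then
  # this is first time installation.
  # Create the NSS certificate/key database unless one is already present.
  # gencert output goes to install.log, which is a ghost file of the package.
  if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
    %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
    echo ""
    echo "%{name} certificate database generated."
    echo ""
  fi
  # Make sure that the database ownership is setup properly.
  # key3.db holds the server's private key: keep it root-owned, readable by the
  # www group (presumably the group the httpd workers run as) and nobody else.
  find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
  find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
  # this is the upgrade case for this post-install scriptlet:
  # Older layouts kept the NSS database in <sysconfdir>/alias, which the
  # shipped configuration no longer references.  Copy any *.db found there into
  # the new directory unless a file of that name already exists, and leave a
  # README in the old directory explaining what was done.
  alias_dir=%{apache_sysconfdir}/alias
  if [ -d "$alias_dir" ]; then
    copied_files=""
    # Glob inside the alias directory itself -- the scriptlet does not run with
    # that directory as its cwd, so a bare "*.db" would never find these files.
    # An unmatched glob stays literal and is rejected by the -f test.
    for dbpath in "$alias_dir"/*.db; do
      dbfile=${dbpath##*/}
      if [ -f "$dbpath" ] && [ ! -f %{apache_sysconf_nssdir}/"$dbfile" ]; then
        # cp -a keeps the old owner and mode; the chgrp/chmod fix-up above runs
        # only on first installation, so copied files keep whatever mode they had.
        cp -a "$dbpath" %{apache_sysconf_nssdir}/"$dbfile"
        copied_files="$copied_files $dbfile"
      fi
    done
    if [ "$copied_files" != "" ]; then
      {
        echo "This notice was written by the post-install script of the package"
        echo "%{name}."
        echo ""
        echo "The files $copied_files"
        echo "have been copied to the directory %{apache_sysconf_nssdir},"
        echo "as this directory is not referenced by the default configuration any longer,"
        echo "and because these files did not exist in %{apache_sysconf_nssdir}."
        echo "Existing files have not been modified."
        echo ""
        echo "Please check your configuration and remove or move your certificate and"
        echo "key storage to your desired place, and adjust your module configuration"
        echo "accordingly."
        echo ""
        echo "Thank you."
      } > "$alias_dir"/README-dbfiles.txt
    fi
  fi
fi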
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
# Admin-editable configuration: never overwritten on upgrade.
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
# The NSS database is generated on the target system by the post-install
# scriptlet, so these are ghosts: owned by the package but not shipped.
# key3.db holds the private key; 0640 root:www keeps it readable by the www
# group only and matches the chgrp/chmod done in the post-install scriptlet.
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
# No attr: install.log keeps the mode it is created with (umask 077 in the
# post-install scriptlet, i.e. readable by root only).
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl
%changelog