Petr Gajdos
97948eaa24
- Fix NSS database startup permission check (bsc#1057776) * add 0001-Handle-group-membership-when-testing-for-file-permis.patch OBS-URL: https://build.opensuse.org/request/show/556094 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=36
225 lines
8.3 KiB
RPMSpec
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

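# Build-time macros. The %%( ... ) forms below run apxs2 in a shell while the
# spec is parsed, so their values come from the apache2-devel in the build root.
%define apxs %{_sbindir}/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
# Executes the <LIBEXECDIR>_MMN helper when it exists and is executable and
# takes its output as the macro value; the expansions are quoted so the path
# stays a single word.
%define apache_mmn %(MMN="$(%{apxs} -q LIBEXECDIR)_MMN"; test -x "$MMN" && "$MMN")
# Directory holding the NSS certificate/key databases for the module.
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
Name:           apache2-mod_nss
Version:        1.0.14
Release:        0
Summary:        SSL/TLS module for the Apache HTTP server
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
Url:            https://pagure.io/mod_nss
# NOTE(review): no detached signature or keyring is listed among the sources,
# so this spec does not itself verify the upstream tarball -- confirm that its
# integrity is checked elsewhere.
Source:         https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz
Source1:        mod_nss.conf.in
Source2:        listen_nss.conf
Source4:        README-SUSE.txt
Source5:        vhost-nss.template
Patch1:         mod_nss-migrate.patch
Patch2:         mod_nss-gencert-correct-ownership.patch
# bsc#1057776: NSS database startup permission check (group membership)
Patch3:         0001-Handle-group-membership-when-testing-for-file-permis.patch
Patch4:         mod_nss-gencert_use_ss_instead_of_netstat.patch
BuildRequires:  apache-rpm-macros
BuildRequires:  apache2-devel >= 2.2.12
BuildRequires:  automake
BuildRequires:  bison
BuildRequires:  curl
BuildRequires:  findutils
BuildRequires:  flex
BuildRequires:  gcc-c++
# iproute2 was listed twice in both dependency lists; one entry each is enough.
BuildRequires:  iproute2
BuildRequires:  libapr-util1-devel
BuildRequires:  libapr1-devel
BuildRequires:  libtool
BuildRequires:  mozilla-nspr-devel >= 4.6.3
BuildRequires:  mozilla-nss-devel >= 3.25
BuildRequires:  mozilla-nss-tools
BuildRequires:  pkgconfig
Requires:       %{apache_mmn}
Requires:       %{apache_suse_maintenance_mmn}
Requires:       apache2 >= 2.2.12
Requires:       findutils
Requires:       iproute2
Requires:       mozilla-nss >= 3.25
# certutil and friends are needed by the post-install script that runs gencert.
# NOTE(review): inferred from the gencert call in the post scriptlet -- confirm.
Requires(post): mozilla-nss-tools
Provides:       mod_nss

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
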
%prep
%setup -q -n mod_nss-%{version}
# Apply the distribution patches in numeric order, each with one leading
# path component stripped.
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1

# Refresh the timestamps of the expression parser sources so that the build
# does not try to regenerate them.
touch nss_expr_*.[chyl]

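%build
CFLAGS="%{optflags}"
export CFLAGS
# Ask pkg-config where NSPR and NSS are installed. $( ) replaces the backticks
# and every expansion is quoted so a path can never be split into several words.
NSPR_INCLUDE_DIR="$(%{_bindir}/pkg-config --variable=includedir nspr)"
NSPR_LIB_DIR="$(%{_bindir}/pkg-config --variable=libdir nspr)"
NSS_INCLUDE_DIR="$(%{_bindir}/pkg-config --variable=includedir nss)"
NSS_LIB_DIR="$(%{_bindir}/pkg-config --variable=libdir nss)"
# NOTE(review): NSS_BIN is not used again in this section. rpmbuild runs every
# section as its own shell script, so it is presumably not visible to the
# install section that references it -- confirm.
NSS_BIN="$(%{_bindir}/pkg-config --variable=exec_prefix nss)"
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="%{_includedir}/nss3:%{_includedir}/nspr4:%{_includedir}/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
autoreconf -fvi
%configure \
    --with-nss-lib="$NSS_LIB_DIR" \
    --with-nss-inc="$NSS_INCLUDE_DIR" \
    --with-nspr-lib="$NSPR_LIB_DIR" \
    --with-nspr-inc="$NSPR_INCLUDE_DIR" \
    --with-apxs=%{apxs} \
    --enable-ecc \
    --with-apr-config
make %{?_smp_mflags} all
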
%install
# "make install" is deliberately bypassed: it goes through apxs, which would
# try to enable the module in the httpd of the build host rather than in the
# build root. Everything is therefore copied into place by hand.
mkdir -p \
    %{buildroot}/%{apache_libexecdir} \
    %{buildroot}%{apache_sysconfdir}/conf.d \
    %{buildroot}%{apache_sysconfdir}/vhosts.d \
    %{buildroot}%{_sbindir} \
    %{buildroot}%{apache_sysconf_nssdir}

%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

# Configuration files are installed 0644; the module and the helper tools 0755.
install -m 644 nss.conf %{buildroot}%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} %{buildroot}%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so %{buildroot}%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache gencert %{buildroot}%{_sbindir}/
install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders for the files the file list declares as ghosts.
for placeholder in secmod.db cert8.db key3.db install.log; do
    touch %{buildroot}%{apache_sysconf_nssdir}/$placeholder
done
# NOTE(review): NSS_LIB_DIR and NSS_BIN are assigned in the build section only.
# rpmbuild runs each section as a separate shell script, so both presumably
# expand to nothing here and this substitution changes nothing -- confirm, and
# if the rewrite of gencert is wanted, compute the two values in this section.
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert

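%check
# Smoke test: start a private Apache instance with the freshly built module,
# fetch one document over HTTPS and compare its content.
set +x
mkdir -p %{apache_test_module_dir}
# create password file including internal token to suppress apache 'builtin dialog'
# (the passphrase is a throwaway value that only protects the test database
# generated further down)
cat << EOF > %{apache_test_module_dir}/password.conf
internal:httptest
EOF
# create test configuration
# It enables TLSv1.0 and TLSv1.1 alongside TLSv1.2; that is a property of this
# test instance only, not of the installed mod_nss.conf.
# The Directory block now uses the same macro as the mkdir of htdocs below
# instead of a hard-coded /tmp path, so the access rule always covers the
# directory that is actually served.
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<Directory %{apache_test_module_dir}/htdocs>
%if 0%{?apache_branch} >= 204
Require local
%else
Allow from localhost
%endif
</Directory>
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
# bend gencert to use ServerName of apache test instance
# (a local copy is edited; the gencert in the build root stays untouched)
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
# A missing marker only records the failure, so that the error log can be
# printed and the test instance stopped before the section exits.
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ "$exit_code" -eq 0 ]; then
    echo 'SUCCESS'
else
    echo 'FAILED, error_log:'
    cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
%apache_test_module_stop_apache
set -x
exit "$exit_code"
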
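%post
# Everything created below (key database, install.log) starts out readable by
# root only; group access is granted explicitly afterwards.
umask 077
# Generate a certificate database only when no key database exists yet, so an
# existing one is never overwritten on upgrade.
if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
    # Report success only when gencert really succeeded; before, the
    # "generated" message was printed even if gencert had failed.
    if %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1; then
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    else
        echo "%{name}: gencert failed, see %{apache_sysconf_nssdir}/install.log" >&2
    fi
fi
# Make sure that the database ownership is setup properly.
# Only root-owned *.db entries are touched. chgrp -h changes a symbolic link
# itself rather than the file it points to, and chmod skips links entirely, so
# neither command acts on a file outside this directory through a link.
find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {} +
find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} +
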
%files
# Documentation
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
# Helper programs
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl
# The Apache module itself
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
# Configuration; local changes survive package updates
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
# NSS database directory. The databases and the log are %%ghost entries: the
# package owns them without shipping their content. The three databases are
# recorded as root:www with mode 0640.
%dir %{apache_sysconf_nssdir}/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log

%changelog
|