d206ad095d
- use a whitelist approach for keeping directives in the migration script (bsc#961907) * modify mod_nss_migrate.pl - fix test: add NSSPassPhraseDialog, point it to plain file - update to 1.0.13 Update default ciphers to something more modern and secure Check for host and netstat commands in gencert before trying to use them Add server support for DHE ciphers Extract SAN from server/client certificates into env Fix memory leaks and other coding issues caught by clang analyzer Add support for Server Name Indication (SNI) (#1010751) Add support for SNI for reverse proxy connections Add RenegBufferSize? option Add support for TLS Session Tickets (RFC 5077) Fix logical AND support in OpenSSL cipher compatibility Correctly handle disabled ciphers (CVE-2015-5244) Implement a slew more OpenSSL cipher macros Fix a number of illegal memory accesses and memory leaks Support for SHA384 ciphers if they are available in NSS Add compatibility for mod_ssl-style cipher definitions (#862938) Add TLSv1.2-specific ciphers Completely remove support for SSLv2 Add support for sqlite NSS databases (#1057650) Compare subject CN and VS hostname during server start up Add support for enabling TLS v1.2 Don't enable SSL 3 by default (CVE-2014-3566) Fix CVE-2013-4566 Move nss_pcache to /usr/libexec OBS-URL: https://build.opensuse.org/request/show/375069 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=22
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.13
Release: 0.4.8
Url: https://fedorahosted.org/mod_nss
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
# SUSE configuration template; the build section copies it over the
# upstream nss.conf.in before configure runs.
Source1: mod_nss.conf.in
Source2: listen_nss.conf
# Migration helper, installed into the sbin directory.
Source3: mod_nss_migrate.pl
Source4: README-SUSE.txt
Source5: vhost-nss.template
Provides: mod_nss
Requires: %{apache_mmn}
Requires: %{apache_suse_maintenance_mmn}
Requires: apache2 >= 2.2.12
# find(1) is used by the post scriptlet to fix the database ownership.
Requires: findutils
Requires: mozilla-nss >= 3.15.1
# NOTE(review): PreReq is a legacy tag.  The post scriptlet runs gencert,
# which presumably needs the NSS command-line tools, so Requires(post)
# would state that dependency explicitly -- confirm before changing.
PreReq: mozilla-nss-tools
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: automake
BuildRequires: bison
# curl: presumably used by the apache_test_module macros in the check
# section to fetch the test document.
BuildRequires: curl
BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
BuildRequires: libtool
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
# The check section runs gencert at build time as well.
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig

# Applied with -p0 in the prep section; the number is historical.
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff

BuildRoot: %{_tmppath}/%{name}-%{version}-build
# The Apache layout is queried from apxs2 instead of being hard-coded.
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
# Runs the <LIBEXECDIR>_MMN helper when it is executable and expands to
# the empty string otherwise.
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
# Directory holding the NSS certificate/key databases that the post
# scriptlet creates.
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
# Unpack quietly into mod_nss-<version> and apply the SUSE patch with
# -p0, keeping a backup of every touched file under the given suffix.
%setup -q -n mod_nss-%{version}
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch

# Touch expression parser sources to prevent regenerating it
# (bumping the mtimes keeps make from re-running flex/bison on them).
touch nss_expr_*.[chyl]

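%build
# rpmbuild runs every section in a fresh shell, so the variables set here
# are visible to this section only.
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
# NSPR/NSS locations come from pkg-config rather than being hard-coded.
NSPR_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nspr)
NSPR_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nspr)
NSS_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nss)
NSS_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nss)
# Not used by this section; the install section runs in a separate shell
# and cannot see it either.
NSS_BIN=$(/usr/bin/pkg-config --variable=exec_prefix nss)
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
autoreconf -fvi
# Expansions are quoted so an unexpected space in a pkg-config result
# cannot split an argument.
%configure \
  --with-nss-lib="$NSS_LIB_DIR" \
  --with-nss-inc="$NSS_INCLUDE_DIR" \
  --with-nspr-lib="$NSPR_LIB_DIR" \
  --with-nspr-inc="$NSPR_INCLUDE_DIR" \
  --with-apxs=%{apxs} \
  --enable-ecc \
  --with-apr-config
make %{?_smp_mflags} all
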
%install
# The Makefile's install target is bypassed on purpose: it goes through
# apxs, which would enable the module in the build host's httpd instead
# of in the build root.  Everything is placed by hand below.
# This section runs in its own shell, separate from the build section.
mkdir -p \
  "%{buildroot}%{apache_libexecdir}" \
  "%{buildroot}%{apache_sysconfdir}/conf.d" \
  "%{buildroot}%{apache_sysconfdir}/vhosts.d" \
  "%{buildroot}%{_sbindir}" \
  "%{buildroot}%{apache_sysconf_nssdir}"

%if 0%{?suse_version}
# Point the @apache_lib@ placeholder in the generated nss.conf at the
# SUSE module directory.
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

# Configuration fragments (mode 644).
install -m 644 nss.conf "%{buildroot}%{apache_sysconfdir}/conf.d/mod_nss.conf"
install -m 644 %{SOURCE5} "%{buildroot}%{apache_sysconfdir}/vhosts.d/vhost-nss.template"
install -m 644 %{SOURCE2} "%{buildroot}%{apache_sysconfdir}/listen_nss.conf"
# Module and helper programs (mode 755).
install -m 755 .libs/libmodnss.so "%{buildroot}%{apache_libexecdir}/mod_nss.so"
install -m 755 nss_pcache gencert %{SOURCE3} "%{buildroot}%{_sbindir}/"

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders for the files listed as %%ghost: the real databases
# are created by gencert from the post scriptlet, not shipped in the rpm.
for ghost in secmod.db cert8.db key3.db install.log; do
  touch "%{buildroot}%{apache_sysconf_nssdir}/$ghost"
done
# NOTE(review): NSS_LIB_DIR and NSS_BIN are assigned in the build section,
# whose shell is gone by now, so both expand to empty here and this
# substitution rewrites nothing in gencert.  The unmodified gencert is the
# one exercised by the check section; re-query pkg-config in this section
# only after confirming what the rewrite is meant to change.
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" "%{buildroot}%{_sbindir}/gencert"

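%check
set +x
# Build-time smoke test: start a throw-away httpd with mod_nss, fetch a
# document over https and check its content.  Everything lives under
# apache_test_module_dir (presumably provided by apache-rpm-macros).
mkdir -p %{apache_test_module_dir}
# create password file including internal token to suppress
# apache 'builtin dialog', see NSSPassPhraseDialog below
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
# The token password is a throw-away value for the test database only.
cat << EOF > %{apache_test_module_dir}/password.conf
internal:httptest
EOF
# create test configuration (cipher/protocol selection for the test only;
# the installed mod_nss.conf is derived from Source1, not from this file).
# nss_pcache is referenced via _sbindir, matching where the install
# section put it.
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<Directory %{apache_test_module_dir}/htdocs>
%if 0%{?apache_branch} >= 204
Require local
%else
Allow from localhost
%endif
</Directory>
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
# bend gencert to use ServerName of apache test instance
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
# gencert output is kept in LOG next to the database for diagnosis
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document (the <Directory> block above refers to this path)
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
# Only record a failure here so the test instance is still stopped below;
# the recorded status becomes the exit status of this section.
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ "$exit_code" -eq 0 ]; then
  echo 'SUCCESS'
else
  echo 'FAILED, error_log:'
  cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
%apache_test_module_stop_apache
set -x
exit "$exit_code"
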
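%post
# Files created below (databases, install.log) start out readable by root
# only; the find/chmod pass further down opens the databases to group www.
umask 077
if [ "$1" -eq 1 ] ; then
  # this is first time installation.
  # Create the certificate database unless one is already present.
  if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
    # rpm does not run this scriptlet with -e: report a failed gencert
    # instead of claiming success, but let the installation complete.
    if %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1; then
      echo ""
      echo "%{name} certificate database generated."
      echo ""
    else
      echo ""
      echo "%{name}: certificate database generation failed, see %{apache_sysconf_nssdir}/install.log" >&2
      echo ""
    fi
  fi
  # Make sure that the database ownership is setup properly: databases
  # still owned by root become group www, mode 640, so the group can read
  # them while other users cannot.
  find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
  find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
  # this is the upgrade case for this scriptlet: carry databases from the
  # old "alias" directory over to the new location, never overwriting a
  # file that already exists there.
  if [ -d %{apache_sysconfdir}/alias ]; then
    copied_files=""
    # Glob the alias directory explicitly; a bare "*.db" would be
    # evaluated in the scriptlet's working directory instead.
    for dbpath in %{apache_sysconfdir}/alias/*.db; do
      dbfile=${dbpath##*/}
      if [ -f "$dbpath" ] && [ ! -f %{apache_sysconf_nssdir}/"$dbfile" ]; then
        # cp -a keeps the old ownership and mode; the ownership fix-up
        # above only runs on first installation.
        cp -a "$dbpath" %{apache_sysconf_nssdir}/"$dbfile"
        copied_files="$copied_files $dbfile"
      fi
    done
    if [ "$copied_files" != "" ]; then
      {
        echo "This notice was written by the post-install script of the package"
        echo "%{name}."
        echo ""
        echo "The files $copied_files"
        echo "have been copied to the directory %{apache_sysconf_nssdir},"
        echo "as this directory is not referenced by the default configuration any longer,"
        echo "and because these files did not exist in %{apache_sysconf_nssdir}."
        echo "Existing files have not been modified."
        echo ""
        echo "Please check your configuration and remove or move your certificate and"
        echo "key storage to your desired place, and adjust your module configuration"
        echo "accordingly."
        echo ""
        echo "Thank you."
      } > %{apache_sysconfdir}/alias/README-dbfiles.txt
    fi
  fi
fi
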
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
# Configuration is never overwritten on upgrade (noreplace).
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
# The NSS databases are not shipped in the payload: gencert creates them
# from the post scriptlet.  Listing them as ghosts makes rpm own them, and
# the attr keeps the key database readable by root and group www only.
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
# install.log holds the gencert output and is written by the post
# scriptlet under umask 077.
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
# NOTE(review): only the legacy cert8/key3/secmod files are listed.  Should
# gencert ever produce sqlite-format databases (cert9.db/key4.db), they
# would not be owned by the package -- confirm against gencert.
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl

%changelog