Accepting request 416355 from Apache:Modules
- use systemd-ask-password to prompt for a certificate passphrase (bsc#972968) * drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff (forwarded request 415922 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/416355 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=21
commit
969f417986
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 29 18:04:55 UTC 2016 - vcizek@suse.com
|
||||
|
||||
- use systemd-ask-password to prompt for a certificate passphrase
|
||||
(bsc#972968)
|
||||
* drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Apr 16 09:12:29 UTC 2016 - vcizek@suse.com
|
||||
|
||||
|
@ -51,7 +51,6 @@ BuildRequires: mozilla-nss-devel >= 3.15.1
|
||||
BuildRequires: mozilla-nss-tools
|
||||
BuildRequires: pkgconfig
|
||||
|
||||
Patch0: mod_nss-bnc863518-reopen_dev_tty.diff
|
||||
Patch1: mod_nss-migrate.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -72,7 +71,6 @@ security library.
|
||||
|
||||
%prep
|
||||
%setup -q -n mod_nss-%{version}
|
||||
%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
|
||||
%patch1 -p1
|
||||
|
||||
# Touch expression parser sources to prevent regenerating it
|
||||
@ -136,9 +134,7 @@ perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
|
||||
%check
|
||||
set +x
|
||||
mkdir -p %{apache_test_module_dir}
|
||||
# create password file including internal token to suppress
|
||||
# apache 'builtin dialog', see NSSPassPhraseDialog below
|
||||
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
|
||||
# create password file including internal token to suppress apache 'builtin dialog'
|
||||
cat << EOF > %{apache_test_module_dir}/password.conf
|
||||
internal:httptest
|
||||
EOF
|
||||
|
@ -1,37 +0,0 @@
|
||||
Index: nss_engine_pphrase.c
|
||||
===================================================================
|
||||
--- nss_engine_pphrase.c.orig 2016-04-15 20:27:59.000000000 +0200
|
||||
+++ nss_engine_pphrase.c 2016-04-16 11:11:49.472862662 +0200
|
||||
@@ -230,6 +230,7 @@ static char *nss_get_password(FILE *inpu
|
||||
char line[1024];
|
||||
unsigned char phrase[200];
|
||||
int infd = fileno(input);
|
||||
+ int tmpfd;
|
||||
int isTTY = isatty(infd);
|
||||
|
||||
token_name = PK11_GetTokenName(slot);
|
||||
@@ -351,6 +352,24 @@ static char *nss_get_password(FILE *inpu
|
||||
if (pwdstr)
|
||||
return pwdstr;
|
||||
|
||||
+ /* It happens that stdin is not opened with O_RDONLY. Better make sure
|
||||
+ * it is and re-open /dev/tty.
|
||||
+ */
|
||||
+ close(infd); /* is 0 normally. open(2) will return first available. */
|
||||
+ tmpfd = open("/dev/tty", O_RDONLY);
|
||||
+ if( tmpfd == -1) {
|
||||
+ fprintf(output, "Cannot open /dev/tty for reading the passphrase.\n");
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ if(tmpfd != infd) {
|
||||
+ if( dup2(tmpfd, infd) != infd) {
|
||||
+ fprintf(output, "Problem duplicating /dev/tty file descriptor.\n");
|
||||
+ close(tmpfd);
|
||||
+ nss_die();
|
||||
+ }
|
||||
+ close(tmpfd);
|
||||
+ }
|
||||
+
|
||||
for (;;) {
|
||||
/* Prompt for password */
|
||||
if (isTTY) {
|
@ -26,7 +26,7 @@
|
||||
# VirtualHosts on the same IP Address and port is not possible.
|
||||
#
|
||||
# Reason:
|
||||
# The brwoser/client connects to the web server's port 443 and initializes
|
||||
# The browser/client connects to the web server's port 443 and initializes
|
||||
# an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the
|
||||
# client to specify the host that it wants to connect to, unless the crypto
|
||||
# has been fully initialized already. Similarly, the server cannot present
|
||||
@ -132,8 +132,7 @@ AddType application/x-pkcs7-crl .crl
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
NSSPassPhraseDialog builtin
|
||||
|
||||
NSSPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
|
||||
|
||||
# Pass Phrase Helper:
|
||||
# This helper program stores the token password pins between
|
||||
@ -188,35 +187,9 @@ NSSRequireSafeNegotiation off
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_nss documentation for a complete list.
|
||||
|
||||
# SSL 3 ciphers. SSL 2 is disabled
|
||||
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
|
||||
|
||||
# The following ciphers are available in SUSE's package after June 2014;
|
||||
# The GCM mode aes ciphers are of particular interest.
|
||||
# You may want to add them if so desired:
|
||||
#
|
||||
# rsa_aes_128_gcm_sha
|
||||
# ecdh_ecdsa_aes_128_gcm_sha
|
||||
# ecdhe_ecdsa_aes_128_gcm_sha
|
||||
# ecdh_rsa_aes_128_gcm_sha
|
||||
# ecdhe_rsa_aes_128_gcm_sha
|
||||
|
||||
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
|
||||
#
|
||||
# Comment out the NSSCipherSuite line above and use the one below if you have
|
||||
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
|
||||
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
|
||||
|
||||
# The following is taken as default with the apache2-mod_nss package, as
|
||||
# provided with the August 2014 update (which features the GCM mode ciphers
|
||||
# along with server side SNI support).
|
||||
# Ideas:
|
||||
# * cipher mode may be more important than key length
|
||||
# (AES-GCM is 128 bit, vs AES256 on a different mode)
|
||||
# * no rc4, no 3des, no des
|
||||
# * ephemeral is what you want (PFS).
|
||||
# * EC has precedence over RSA
|
||||
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha
|
||||
# The following cipher suite is the default that comes with mod_nss 1.0.14,
|
||||
# plus some additional ciphers
|
||||
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_sha
|
||||
|
||||
# SSL Protocol:
|
||||
# Cryptographic protocols that provide communication security.
|
||||
|
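Review bot: The replacement comment in the last hunk, `# The following cipher suite is the default that comes with mod_nss 1.0.14,` / `# plus some additional ciphers`, drops the rationale the removed block carried (no RC4/3DES/DES, prefer ephemeral key exchange, EC before RSA) without naming which suites are the additions or why the non-forward-secret `rsa_*`, `ecdh_rsa_*` and `aes_*_sha_256` entries are kept. I would extend that comment to list the added suites and state that the `rsa_*`/`ecdh_*` entries provide no forward secrecy and why they stay, so a later maintainer knows what can safely be dropped. The earlier hunk in this section switches `NSSPassPhraseDialog` to `exec:/usr/sbin/apache2-systemd-ask-pass`; nothing in the visible hunks shows that helper being installed or a dependency on systemd, so that presumably lives elsewhere in the spec and is worth confirming. The surrounding comment saying the dialog program has to provide the pass phrase on stdout still matches the exec mode and can stay.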