rpm/apache2-mod_nss
SHA256
1
0
Fork 0
forked from pool/apache2-mod_nss
Code Pull Requests Activity
1d3e419a19
apache2-mod_nss/apache2-mod_nss.spec
Wolfgang Rosenauer 1d3e419a19 Accepting request 222758 from home:draht:branches:mozilla:Factory 
- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are: 
  rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
  rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
  If 'NSSVerifyClient none' is set in the server / vhost context
  (i.e. when server is configured to not request or require client
  certificate authentication on the initial connection), and client
  certificate authentication is expected to be required for a 
  specific directory via 'NSSVerifyClient require' setting, 
  mod_nss fails to properly require certificate authentication.
  Remote attacker can use this to access content of the restricted
  directories. [bnc#853039]

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  * simultaneaous usage of mod_ssl and mod_nss
  * SNI concurrency
  * SUSE framework for apache configuration, Listen directive
  * module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
  or mod_nss.conf, respectively. This also leads to the removal of

OBS-URL: https://build.opensuse.org/request/show/222758
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/apache2-mod_nss?expand=0&rev=8
2014-02-20 21:12:44 +00:00

236 lines
8.8 KiB
RPMSpec
Raw Blame History

#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.8
Release: 0.4.<RELEASE7>
Url: http://directory.fedoraproject.org/wiki/Mod_nss
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
Source1: mod_nss.conf.in
Source2: listen_nss.conf
Source3: mod_nss_migrate.pl
Source4: README-SUSE.txt
Provides: mod_nss
Requires: apache2 >= 2.2.12
Requires: findutils
Requires: mozilla-nss >= 3.15.1
PreReq: mozilla-nss-tools
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: bison
BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
#Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9: mod_nss-httpd24.patch
Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
Patch19: mod_nss-cipherlist_update_for_tls12.diff
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
%prep
%setup -q -n mod_nss-%{version}
#%patch1 -p1 -b .conf.rpmpatch
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
# keep this last, otherwise we get fuzzyness from above
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
#autoreconf -fvi
%configure \
--with-nss-lib=$NSS_LIB_DIR \
--with-nss-inc=$NSS_INCLUDE_DIR \
--with-nspr-lib=$NSPR_LIB_DIR \
--with-nspr-inc=$NSPR_INCLUDE_DIR \
--with-apxs=%{apxs} \
--enable-ecc \
--with-apr-config
make %{?_smp_mflags} all
%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
%clean
rm -rf $RPM_BUILD_ROOT
%post
umask 077
if [ "$1" -eq 1 ] ; then
# this is first time installation.
if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
%{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
echo ""
fi
# Make sure that the database ownership is setup properly.
find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
# this is the upgrade case for this %post:
if [ -d %{apache_sysconfdir}/alias ]; then
copied_files=""
for dbfile in *.db; do
if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
copied_files="$copied_files $dbfile"
fi
done
if [ "$copied_files" != "" ]; then
{
echo "This notice was written by the post-install script of the package"
echo "%{name}."
echo ""
echo "The files $copied_files"
echo "have been copied to the directory %{apache_sysconf_nssdir},"
echo "as this directory is not referenced by the default configuration any longer,"
echo "and because these files did not exist in %{apache_sysconf_nssdir}."
echo "Existing files have not been modified."
echo ""
echo "Please check your configuration and remove or move your certificate and"
echo "key storage to your desired place, and adjust your module configuration"
echo "accordingly."
echo ""
echo "Thank you."
} > %{apache_sysconfdir}/alias/README-dbfiles.txt
fi
fi
fi
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl
%changelog
View Git Blame Copy Permalink