apache2-mod_nss/apache2-mod_nss.spec
Petr Gajdos 3620ab2c4f Accepting request 390295 from home:vitezslav_cizek:branches:Apache:Modules
- update to 1.0.14 (fixes boo#973996)
  * OpenSSL ciphers stopped parsing at +, CVE-2016-3099
  * Created valgrind suppression files to ease debugging
  * Implement SSL_PPTYPE_FILTER to call executables to get
    the key password pins. Can be used to prompt with systemd.
  * Improvements to migrate.pl
- drop mod_nss_migrate.pl and use upstream migrate script instead
  * add mod_nss-migrate.patch

OBS-URL: https://build.opensuse.org/request/show/390295
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=24
2016-04-19 08:42:55 +00:00


#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Package identity, upstream version and packaging release.
Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.14
Release: 0.4.8
Url: https://fedorahosted.org/mod_nss
# The upstream tarball is referenced by URL only. No detached signature or
# keyring is listed among the sources below, so nothing in this file checks
# the tarball's authenticity.
# NOTE(review): confirm the tarball is verified elsewhere in the build flow.
Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
# Distribution-supplied configuration, documentation and vhost template.
Source1: mod_nss.conf.in
Source2: listen_nss.conf
Source4: README-SUSE.txt
Source5: vhost-nss.template
Provides: mod_nss
# The two MMN macros are expanded here, above the define of apache_mmn
# further down, and apache_suse_maintenance_mmn is not defined in this file.
# NOTE(review): presumably both come from apache-rpm-macros at this point,
# which would make the later define irrelevant for these lines - confirm.
Requires: %{apache_mmn}
Requires: %{apache_suse_maintenance_mmn}
Requires: apache2 >= 2.2.12
Requires: findutils
Requires: mozilla-nss >= 3.15.1
# Must be installed before the post-install scriptlet runs.
# NOTE(review): presumably gencert calls the NSS command-line tools - confirm.
PreReq: mozilla-nss-tools
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: automake
BuildRequires: bison
BuildRequires: curl
BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
BuildRequires: libtool
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
# Patch0 carries a bug reference (bnc863518) in its name; Patch1 is the
# migrate-script patch applied in the prep section.
Patch0: mod_nss-bnc863518-reopen_dev_tty.diff
Patch1: mod_nss-migrate.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# Apache layout macros. Each value below is obtained by running apxs2 with -q
# in a shell when the spec is parsed, so apxs2 must exist on the build host.
%define apxs /usr/sbin/apxs2
%define apache apache2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
# Builds the path LIBEXECDIR with the suffix _MMN, and if that path is an
# executable, runs it and takes its output as the macro value.
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
# Directory that holds the NSS certificate and key databases for this module.
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
%prep
# Unpack the upstream tarball quietly; its top-level directory is named
# mod_nss-<version>, not after the package.
%setup -q -n mod_nss-%{version}
# Patch0 is applied at strip level 0 and keeps backup copies with the suffix
# given to -b.
%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
# Patch1 (mod_nss-migrate.patch) is applied at strip level 1.
%patch1 -p1
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
# Compile with the distribution's optimisation flags.
export CFLAGS="$RPM_OPT_FLAGS"

# Ask pkg-config where the NSPR and NSS headers and libraries are installed.
NSPR_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nspr)
NSPR_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nspr)
NSS_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nss)
NSS_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nss)
# NSS_BIN is assigned here but not read anywhere in this section.
NSS_BIN=$(/usr/bin/pkg-config --variable=exec_prefix nss)

# For some reason mod_nss can't find nss on SUSE unless we do the following
export C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"

# no more patching a config file...
# The distribution's config template replaces the upstream one, and the SUSE
# readme is copied in so the files section can pick it up as documentation.
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in

# Regenerate the autotools files, then configure against the paths found above.
autoreconf -fvi
%configure \
    --with-nss-lib=$NSS_LIB_DIR \
    --with-nss-inc=$NSS_INCLUDE_DIR \
    --with-nspr-lib=$NSPR_LIB_DIR \
    --with-nspr-inc=$NSPR_INCLUDE_DIR \
    --with-apxs=%{apxs} \
    --enable-ecc \
    --with-apr-config
make %{?_smp_mflags} all
%install
# The upstream Makefile's install target is deliberately bypassed: it goes
# through apxs, which would try to enable the module in the build host's
# httpd rather than in the build root. Everything is staged by hand instead.
mkdir -p \
    $RPM_BUILD_ROOT/%{apache_libexecdir} \
    $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d \
    $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d \
    $RPM_BUILD_ROOT%{_sbindir} \
    $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
# On SUSE, point the module path placeholder at the apache2 library directory.
%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif
# Configuration files: readable by all, writable by the owner only.
install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
# The module itself, the helper programs and the upstream migrate script
# (installed under the name mod_nss_migrate.pl).
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl
#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders so the files section can list the NSS databases and the
# install log.
touch \
    $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db \
    $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db \
    $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db \
    $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
# NOTE(review): NSS_LIB_DIR and NSS_BIN are assigned only in the build section.
# If this section runs as its own shell script, both are empty here and the
# substitution below leaves gencert unchanged - confirm, and compute the two
# values in this section if the path rewrite is still wanted.
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
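%check
# Smoke test: start a private Apache instance with the freshly built module,
# fetch one document over HTTPS and fail the build if it is not served.
# Command tracing is switched off for the duration and restored before exit.
set +x
mkdir -p %{apache_test_module_dir}
# create password file including internal token to suppress
# apache 'builtin dialog', see NSSPassPhraseDialog below
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
# The passphrase is a fixed test value that only protects the throwaway
# database generated further down.
cat << EOF > %{apache_test_module_dir}/password.conf
internal:httptest
EOF
# create test configuration
# The cipher and protocol lists configure this test instance only; they are
# not the defaults shipped in mod_nss.conf. The Directory block names the same
# htdocs directory that the test document is written to below, so the access
# rule applies to the content that is actually requested.
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<Directory %{apache_test_module_dir}/htdocs>
%if 0%{?apache_branch} >= 204
Require local
%else
Allow from localhost
%endif
</Directory>
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
# bend gencert to use ServerName of apache test instance
# A local copy is edited so the staged gencert in the build root is untouched.
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
# A missing marker string only records the failure, so the error log can be
# printed and the test instance stopped before the section exits.
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ $exit_code -eq 0 ]; then
    echo 'SUCCESS'
else
    echo 'FAILED, error_log:'
    cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
%apache_test_module_stop_apache
set -x
exit $exit_code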
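%post
# Post-install scriptlet. The branches on $1 below distinguish a first
# installation (1) from an upgrade (2).
# Everything created here is private to root unless opened up explicitly.
umask 077
if [ "$1" -eq 1 ] ; then
    # this is first time installation.
    # Generate a certificate database only when no key database exists yet, so
    # an existing one is never overwritten. gencert output goes to install.log.
    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly.
    # Only root-owned database files are touched: group www, mode 640, so the
    # web server group can read them and nobody else can.
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
    # this is the upgrade case for this scriptlet:
    # Migrate databases from the old alias directory. The source directory is
    # named explicitly: a bare *.db pattern would be resolved against whatever
    # directory the scriptlet happens to run in, which is not the alias
    # directory and could match unrelated files.
    if [ -d %{apache_sysconfdir}/alias ]; then
        copied_files=""
        for dbpath in %{apache_sysconfdir}/alias/*.db; do
            dbfile="${dbpath##*/}"
            # Copy only regular files that do not exist in the new location;
            # an unmatched pattern stays literal and fails the -f test.
            if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbpath" ]; then
                # cp -a keeps the original owner and mode of the database.
                cp -a "$dbpath" %{apache_sysconf_nssdir}/"$dbfile"
                copied_files="$copied_files $dbfile"
            fi
        done
        # Leave a notice in the old directory when anything was copied.
        if [ "$copied_files" != "" ]; then
            {
                echo "This notice was written by the post-install script of the package"
                echo "%{name}."
                echo ""
                echo "The files $copied_files"
                echo "have been copied to the directory %{apache_sysconf_nssdir},"
                echo "as this directory is not referenced by the default configuration any longer,"
                echo "and because these files did not exist in %{apache_sysconf_nssdir}."
                echo "Existing files have not been modified."
                echo ""
                echo "Please check your configuration and remove or move your certificate and"
                echo "key storage to your desired place, and adjust your module configuration"
                echo "accordingly."
                echo ""
                echo "Thank you."
            } > %{apache_sysconfdir}/alias/README-dbfiles.txt
        fi
    fi
fi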
%files
# Default ownership for everything below is root:root.
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
# Configuration files are marked noreplace.
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
# NSS database files: listed as ghost entries with mode 0640 and owner
# root:www. The install section only touches empty placeholders for them.
# NOTE(review): presumably the real contents come from gencert in the
# post-install scriptlet - confirm.
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
# install.log has no explicit attr here, while the post-install scriptlet
# writes it under umask 077.
# NOTE(review): confirm the mode recorded for this entry matches the file
# the scriptlet creates.
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
# Helper programs staged by the install section.
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl
%changelog