ac78b1824b
open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. - mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=1
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name: apache2-mod_nss
Summary: SSL/TLS module for the Apache HTTP server
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Version: 1.0.8
Release: 0.4.8
Url: http://directory.fedoraproject.org/wiki/Mod_nss
# NOTE(review): the tarball is referenced over plain http and no detached
# signature is listed as a Source; this spec itself verifies nothing about
# the origin or integrity of the archive.
Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
# SUSE-specific configuration and helper files shipped next to the tarball.
Source1: mod_nss.conf.in
Source2: listen_nss.conf
Source3: mod_nss_migrate.pl
Source4: README-SUSE.txt
Source5: vhost-nss.template
Provides: mod_nss
Requires: apache2 >= 2.2.12
# find is used by the post scriptlet to fix database ownership/permissions.
Requires: findutils
Requires: mozilla-nss >= 3.15.1
# Needed before the post scriptlet runs: it calls gencert, which presumably
# relies on the NSS command-line tools (gencert itself is not visible here).
PreReq: mozilla-nss-tools
BuildRequires: apache2-devel >= 2.2.12
BuildRequires: bison
BuildRequires: findutils
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libapr-util1-devel
BuildRequires: libapr1-devel
BuildRequires: mozilla-nspr-devel >= 4.6.3
BuildRequires: mozilla-nss-devel >= 3.15.1
BuildRequires: mozilla-nss-tools
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
# Fri Nov 8 14:10:04 CET 2013 - draht: patch disabled, nss.conf.in is now scratch.
#Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
# (applied last in the prep section, and only for suse_version 1300 and newer)
Patch9: mod_nss-httpd24.patch

Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
# Security fix: CVE-2013-4566 in the NSSVerifyClient handling (see the
# commit message for the bug reference).
Patch18: mod_nss-CVE-2013-4566-NSSVerifyClient.diff
# TLS 1.2 cipher list update: adds the AES-GCM and Camellia suites listed
# in the commit message, plus the matching documentation.
Patch19: mod_nss-cipherlist_update_for_tls12.diff
Patch20: mod_nss-cipherlist_update_for_tls12-doc.diff
# Server-side SNI (not implemented upstream at the time) together with a
# check that the SNI host name equals the Host: header of the request.
Patch21: mod_nss-SNI-callback.patch
Patch22: mod_nss-SNI-checks.patch
# [bnc#863518] reopen /dev/tty so that stdin can be read even when httpd
# inherits wrongly opened file descriptors from startproc.
Patch23: mod_nss-bnc863518-reopen_dev_tty.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apxs /usr/sbin/apxs2
%define apache apache2
# Apache paths are queried from the installed apxs.
# NOTE(review): with define, the shell expansion is re-run every time the
# macro is expanded while the spec is parsed; global would evaluate apxs
# once.  apache, apache_includedir, apache_serverroot and apache_mmn are
# not referenced anywhere else in this spec.
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define apache_includedir %(%{apxs} -q INCLUDEDIR)
%define apache_serverroot %(%{apxs} -q PREFIX)
%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
# Location of the NSS certificate/key databases used by the module.
%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
%setup -q -n mod_nss-%{version}
##%patch1 -p1 -b .conf.rpmpatch
# Patches 2-17 strip one leading path component, 18-23 strip none.  Every
# application keeps a *.rpmpatch backup of the touched file next to the
# sources; that is harmless because the install section copies individual
# files rather than whole directories.
%patch2 -p1 -b .gencert.rpmpatch
%patch3 -p1 -b .wouldblock.rpmpatch
%patch4 -p1 -b .negotiate.rpmpatch
%patch5 -p1 -b .reverseproxy.rpmpatch
%patch6 -p1 -b .pcachesignal.h.rpmpatch
%patch7 -p1 -b .reseterror.rpmpatch
%patch8 -p1 -b .lockpcache.rpmpatch
%patch10 -p1 -b .proxyvariables.rpmpatch
%patch11 -p1 -b .tlsv1_1.rpmpatch
%patch12 -p1 -b .array_overrun.rpmpatch
%patch13 -p1 -b .clientauth.rpmpatch
%patch14 -p1 -b .no_shutdown_if_not_init_2.rpmpatch
%patch15 -p1 -b .PK11_ListCerts_2.rpmpatch
%patch16 -p1 -b .sslmultiproxy.rpmpatch
%patch17 -p1 -b .overlapping_memcpy.rpmpatch
# CVE-2013-4566 fix (NSSVerifyClient), then the TLS 1.2 cipher additions,
# the server-side SNI implementation and the /dev/tty reopen fix.
%patch18 -p0 -b .CVE-2013-4566.rpmpatch
%patch19 -p0 -b .ciphers.rpmpatch
%patch20 -p0 -b .ciphers.doc.rpmpatch
%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch

# keep this last, otherwise we get fuzzyness from above
# (httpd 2.4 build fix; only wanted from suse_version 1300 on)
%if 0%{?suse_version} >= 1300
%patch9 -p1 -b .http24
%endif

# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

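%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
# Library and include locations come from pkg-config.  Plain assignments
# carry the exit status of the substitution, so a module pkg-config cannot
# resolve aborts the build (rpmbuild runs the sections with sh -e) instead
# of handing configure empty --with-* paths.
NSPR_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nspr)
NSPR_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nspr)
NSS_INCLUDE_DIR=$(/usr/bin/pkg-config --variable=includedir nss)
NSS_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nss)
# NSS_BIN used to be computed here as well but was never used in this
# section; shell variables do not carry over into other spec sections,
# so the assignment was dead and has been dropped.
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file: the SUSE nss.conf.in replaces the
# upstream template (configure is expected to generate nss.conf from it;
# the install section ships that nss.conf).
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
#autoreconf -fvi
%configure \
    --with-nss-lib="$NSS_LIB_DIR" \
    --with-nss-inc="$NSS_INCLUDE_DIR" \
    --with-nspr-lib="$NSPR_LIB_DIR" \
    --with-nspr-inc="$NSPR_INCLUDE_DIR" \
    --with-apxs=%{apxs} \
    --enable-ecc \
    --with-apr-config
make %{?_smp_mflags} all
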
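%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
#
# rpmbuild runs every section in its own shell, so nothing assigned in the
# build section is visible here.  The NSS paths needed for the gencert
# rewrite at the end of this section are therefore computed again, and the
# build stops if pkg-config hands back nothing (an empty pattern would turn
# the rewrite into a silent no-op).
NSS_LIB_DIR=$(/usr/bin/pkg-config --variable=libdir nss)
NSS_BIN=$(/usr/bin/pkg-config --variable=exec_prefix nss)
if [ -z "$NSS_LIB_DIR" ] || [ -z "$NSS_BIN" ]; then
    echo "pkg-config did not return the NSS libdir/exec_prefix" >&2
    exit 1
fi

mkdir -p "$RPM_BUILD_ROOT%{apache_libexecdir}"
mkdir -p "$RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d"
mkdir -p "$RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d"
mkdir -p "$RPM_BUILD_ROOT%{_sbindir}"
mkdir -p "$RPM_BUILD_ROOT%{apache_sysconf_nssdir}"

%if 0%{?suse_version}
# Point the @apache_lib@ placeholder of the generated nss.conf at the SUSE
# module directory.
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

install -m 644 nss.conf "$RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf"
install -m 644 %{SOURCE5} "$RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template"
install -m 644 %{SOURCE2} "$RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf"
install -m 755 .libs/libmodnss.so "$RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so"
install -m 755 nss_pcache "$RPM_BUILD_ROOT%{_sbindir}/"
install -m 755 gencert "$RPM_BUILD_ROOT%{_sbindir}/"
install -m 755 %{SOURCE3} "$RPM_BUILD_ROOT%{_sbindir}/"

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
# Empty placeholders for the entries marked ghost in the files section.
# The real databases are created by gencert from the post scriptlet, which
# also redirects gencert's output into install.log.
touch "$RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db"
touch "$RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db"
touch "$RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db"
touch "$RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log"
# Replace the NSS library directory baked into gencert by the NSS
# exec_prefix.  Until now NSS_LIB_DIR and NSS_BIN were only set in the
# build section, which made this line "s:::" -- a no-op -- so the installed
# gencert was shipped unmodified.  \Q..\E keeps path characters literal.
# NOTE(review): gencert (and the SUSE gencert patch) is not visible here;
# confirm that the rewritten script still finds the NSS tools before
# relying on this.
perl -pi -e "s:\Q$NSS_LIB_DIR\E:$NSS_BIN:" "$RPM_BUILD_ROOT%{_sbindir}/gencert"
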
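%clean
# Abort rather than silently doing nothing when the build root variable is
# unset or empty: "rm -rf" without an operand exits 0 because of -f, so the
# old unquoted form could not tell the two cases apart.
rm -rf -- "${RPM_BUILD_ROOT:?RPM_BUILD_ROOT is not set}"
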
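%post
# Files created by this scriptlet (install.log, the README below, and what
# gencert writes unless it sets modes itself) come into existence root-only;
# the find calls further down open the databases to the web server group.
umask 077
if [ "$1" -eq 1 ] ; then
    # First installation.  Generate the NSS databases unless a key DB is
    # already in place (leftover or restored by the admin).
    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
        # install.log captures everything gencert prints; keep it root-only
        # (umask 077) in case that includes details of the generated key
        # material -- gencert itself is not visible in this spec.
        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly: the web
    # server group gets read access (same as the attr in the files section)
    # and nobody else does.  Files not owned by root are left alone.
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
    # Upgrade.  Older packages kept the databases in the "alias" directory;
    # carry over every *.db that does not exist in the new directory yet.
    # The previous version of this loop globbed "*.db" relative to the
    # scriptlet's working directory (rpm normally runs scriptlets from /),
    # not inside alias/, so the migration silently copied nothing.
    alias_dir=%{apache_sysconfdir}/alias
    if [ -d "$alias_dir" ]; then
        copied_files=""
        for dbpath in "$alias_dir"/*.db; do
            # an unmatched glob leaves the literal pattern behind
            [ -f "$dbpath" ] || continue
            dbfile=${dbpath##*/}
            if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" ]; then
                # -a keeps owner, group and mode of the old database files
                cp -a "$dbpath" %{apache_sysconf_nssdir}/"$dbfile"
                copied_files="$copied_files $dbfile"
            fi
        done
        if [ "$copied_files" != "" ]; then
            {
                echo "This notice was written by the post-install script of the package"
                echo "%{name}."
                echo ""
                echo "The files $copied_files"
                echo "have been copied to the directory %{apache_sysconf_nssdir},"
                echo "as this directory is not referenced by the default configuration any longer,"
                echo "and because these files did not exist in %{apache_sysconf_nssdir}."
                echo "Existing files have not been modified."
                echo ""
                echo "Please check your configuration and remove or move your certificate and"
                echo "key storage to your desired place, and adjust your module configuration"
                echo "accordingly."
                echo ""
                echo "Thank you."
            } > "$alias_dir"/README-dbfiles.txt
        fi
    fi
fi
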
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
# Module configuration.  The VirtualHost part is shipped as a .template in
# vhosts.d and is not activated or read by default (see the commit
# message); an admin has to copy it into a .conf deliberately.
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
# NSS databases: not packaged (ghost), created by gencert from the post
# scriptlet on first install.  Root-owned and readable by the web server
# group only; key3.db is the NSS key database, so this 0640/www setting
# is the entire access control for the server's private key.
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
# gencert output, written by the post scriptlet under umask 077 (root-only).
# No attr here: rpm does not create ghost files itself.
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
# Helper programs: the password cache daemon, the DB generator used by the
# post scriptlet, and the migration script.
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl

%changelog