From 940afde411eb9ba52252ae80188f4fdbb87a9554 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 26 Nov 2013 08:53:34 +0000 Subject: [PATCH 07/10] Remove mod_ssl port workaround. https://fedorahosted.org/freeipa/ticket/4021 --- freeipa.spec.in | 8 ++++++-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/httpinstance.py | 17 ++++++++--------- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a091164907735d659be61fe29221cbce6934c77d..69ec29d9ff58bf3a25e25b35d5f3ba1d43741124 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,14 +114,14 @@ Requires: krb5-server >= 1.10 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd >= 2.4.6-6 Requires: mod_wsgi %if 0%{?fedora} >= 18 Requires: mod_auth_kerb >= 5.4-16 %else Requires: mod_auth_kerb >= 5.4-8 %endif -Requires: mod_nss >= 1.0.8-24 +Requires: mod_nss >= 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl @@ -832,6 +832,10 @@ fi %endif # ONLY_CLIENT %changelog +* Tue Nov 26 2013 Jan Cholasta - 3.3.2-2 +- Set minimum version of httpd to 2.4.6-6 +- Set minimum version of mod_nss to 1.0.8-26 + * Fri Oct 25 2013 Martin Kosek - 3.3.2-1 - Remove mod_ssl conflict, it can now live with mod_nss installed diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..10526f226798c78ae75972b82a2f72b200a8aacf 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1047,7 +1047,7 @@ def main(): http.remove_httpd_ccache() http.configure_selinux_for_httpd() http.configure_httpd_ccache() - http.change_mod_nss_port_to_http() + http.change_mod_nss_port_from_http() ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 689e657e291b93d90038937a61f67915c0d582ec..e61a0c6d1526f29acb4647710e559a5bb32a58c0 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -253,25 +253,24 @@ def __configure_http(self): http_fd.close() os.chmod(target_fname, 0644) - def change_mod_nss_port_to_http(self): + def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss # listened port obviously does not match mod_ssl requirements. # - # Change port to http to workaround the mod_ssl check, the SSL is - # enforced in the vhost later, so it is benign. + # The workaround for this was to change port to http. It is no longer + # necessary, as mod_nss now ships with default configuration which + # sets SSLEngine off when mod_ssl is installed. # - # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168 - # is fixed. - if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): - installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False) - sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True) + # Remove the workaround. + if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): + installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False) + sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False) def __set_mod_nss_port(self): self.fstore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: print "Updating port in %s failed." % NSS_CONF - self.change_mod_nss_port_to_http() def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -- 1.8.3.1