90ca4f
%{!?_httpd_apxs:       %{expand: %%global _httpd_apxs       %%{_sbindir}/apxs}}
90ca4f
%{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
90ca4f
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
90ca4f
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
b7538d
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}}
90ca4f
90ca4f
Name: mod_nss
88aca9
Version: 1.0.14
1383e6
Release: 12%{?dist}
90ca4f
Summary: SSL/TLS module for the Apache HTTP server
90ca4f
Group: System Environment/Daemons
90ca4f
License: ASL 2.0
1383e6
URL: https://pagure.io/mod_nss/
1383e6
Source: http://releases.pagure.org/mod_nss/%{name}-%{version}.tar.gz
90ca4f
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
b7538d
BuildRequires: nspr-devel >= 4.10.8, nss-devel >= 3.19.1
90ca4f
BuildRequires: httpd-devel, apr-devel, apr-util-devel
90ca4f
BuildRequires: pkgconfig
b7538d
BuildRequires: autoconf
b7538d
BuildRequires: automake
b7538d
BuildRequires: libtool
b7538d
# Needed for make check
b7538d
BuildRequires: openssl
b7538d
BuildRequires: python-nose
b7538d
BuildRequires: python-requests
88aca9
BuildRequires: python-urllib3
90ca4f
Requires: httpd-mmn = %{_httpd_mmn}
90ca4f
Requires(post): httpd, nss-tools
b7538d
Requires: nss%{?_isa} >= 3.19.1
90ca4f
# Although the following change reverses the desire of Bugzilla Bug #601939, it
90ca4f
# was provided to suppress the dangling symlink warning of Bugzilla Bug #906089
90ca4f
# as exposed via 'rpmlint'.
90ca4f
Requires: %{_libdir}/libnssckbi.so
90ca4f
90ca4f
# Change configuration to not conflict with mod_ssl
90ca4f
Patch1: mod_nss-conf.patch
90ca4f
# Generate a password-less NSS database
90ca4f
Patch2: mod_nss-gencert.patch
88aca9
# Set DEFAULT_SSL_CIPHER_LIST manually if pyopenssl can't be imported
88aca9
Patch3: mod_nss-defaultcipherlist.patch
88aca9
# Match the available ciphers in RHEL OpenSSL so tests pass
88aca9
Patch4: mod_nss-test-cipherlist.patch 
88aca9
# Disable and fix tests to work inside of brew
88aca9
Patch5: mod_nss-brewtest.patch
88aca9
# Remove setting 'r->user' in nss_hook_Fixup()
88aca9
Patch6: mod_nss-remove-r-user-from-hook-fixup.patch
88aca9
# Cleanup nss_pcache semaphore on shutdown
88aca9
Patch7: mod_nss-clean-semaphore.patch
88aca9
# Check certificate database directory permissions
88aca9
Patch8: mod_nss-certdb-permissions.patch
7212c2
# Die on invalid Protocol settings
7212c2
Patch9: mod_nss-invalid-protocol-setting.patch
7212c2
# Handle group membership when testing file perms
7212c2
Patch10: mod_nss-group-permissions.patch
7212c2
# Add OCSP cache tuning directives
7212c2
Patch11: mod_nss-ocsp-tuning-knobs.patch
7212c2
# Use NoDBInit in nss_pcache
7212c2
Patch12: mod_nss-pcache_nodbinit.patch
7212c2
# Update nss_pcache man page to drop directory and prefix
7212c2
Patch13: mod_nss-nss_pcache_man.patch
20c1a4
# Fix TLS Session cache
20c1a4
Patch14: mod_nss-session_cache.patch
1383e6
# Remove NSSSessionCacheTimeout from default config
1383e6
Patch15: mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch
90ca4f
90ca4f
%description
90ca4f
The mod_nss module provides strong cryptography for the Apache Web
90ca4f
server via the Secure Sockets Layer (SSL) and Transport Layer
90ca4f
Security (TLS) protocols using the Network Security Services (NSS)
90ca4f
security library.
90ca4f
90ca4f
%prep
90ca4f
%setup -q
90ca4f
%patch1 -p1 -b .conf
90ca4f
%patch2 -p1 -b .gencert
88aca9
%patch3 -p1 -b .defaultcipherlist
88aca9
%patch4 -p1 -b .testcipherlist
88aca9
%patch5 -p1 -b .brewtest
88aca9
%patch6 -p1 -b .remove_r_user
88aca9
%patch7 -p1 -b .semaphore
88aca9
%patch8 -p1 -b .permissions
7212c2
%patch9 -p1 -b .protocol_fatal
7212c2
%patch10 -p1 -b .group_permissions
7212c2
%patch11 -p1 -b .ocsp_tuning
7212c2
%patch12 -p1 -b .pcache_nodbinit
7212c2
%patch13 -p1 -b .pcache_man
20c1a4
%patch14 -p1 -b .session_cache
1383e6
%patch15 -p1 -b .deprecated_sessioncachetimeout
90ca4f
90ca4f
# Touch expression parser sources to prevent regenerating it
90ca4f
touch nss_expr_*.[chyl]
90ca4f
90ca4f
%build
90ca4f
90ca4f
CFLAGS="$RPM_OPT_FLAGS"
90ca4f
APXS=%{_httpd_apxs}
90ca4f
90ca4f
export CFLAGS APXS
90ca4f
90ca4f
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
90ca4f
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
90ca4f
90ca4f
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
90ca4f
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
90ca4f
90ca4f
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
90ca4f
b7538d
autoreconf -i -f
90ca4f
%configure \
90ca4f
    --with-nss-lib=$NSS_LIB_DIR \
90ca4f
    --with-nss-inc=$NSS_INCLUDE_DIR \
90ca4f
    --with-nspr-lib=$NSPR_LIB_DIR \
90ca4f
    --with-nspr-inc=$NSPR_INCLUDE_DIR \
90ca4f
    --with-apr-config --enable-ecc
90ca4f
90ca4f
make %{?_smp_mflags} all
90ca4f
90ca4f
%install
90ca4f
# The install target of the Makefile isn't used because that uses apxs
90ca4f
# which tries to enable the module in the build host httpd instead of in
90ca4f
# the build root.
90ca4f
rm -rf $RPM_BUILD_ROOT
90ca4f
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir}
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
90ca4f
90ca4f
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
90ca4f
# httpd >= 2.4.x
90ca4f
mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir}
90ca4f
sed -n /^LoadModule/p nss.conf > 10-nss.conf
90ca4f
sed -i /^LoadModule/d nss.conf
90ca4f
install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}
90ca4f
%endif
90ca4f
90ca4f
install -m 644 gencert.8 $RPM_BUILD_ROOT%{_mandir}/man8/
90ca4f
install -m 644 nss_pcache.8 $RPM_BUILD_ROOT%{_mandir}/man8/
90ca4f
90ca4f
install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir}
90ca4f
90ca4f
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
90ca4f
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_libexecdir}/
90ca4f
# Provide a compatibility link to prevent disruption of customized deployments.
90ca4f
#
90ca4f
#     NOTE:  This link may be deprecated in a future release of 'mod_nss'.
90ca4f
#
90ca4f
ln -s %{_libexecdir}/nss_pcache $RPM_BUILD_ROOT%{_sbindir}/nss_pcache
90ca4f
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
88aca9
ln -s %{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
90ca4f
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
90ca4f
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
90ca4f
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
90ca4f
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log
90ca4f
90ca4f
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
90ca4f
b7538d
%check
b7538d
make check
b7538d
90ca4f
%clean
90ca4f
rm -rf $RPM_BUILD_ROOT
90ca4f
90ca4f
%post
90ca4f
umask 077
90ca4f
90ca4f
if [ "$1" -eq 1 ] ; then
90ca4f
    if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
90ca4f
        %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
90ca4f
        echo ""
90ca4f
        echo "%{name} certificate database generated."
90ca4f
        echo ""
90ca4f
    fi
90ca4f
90ca4f
    # Make sure that the database ownership is setup properly.
90ca4f
    /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
90ca4f
    /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
90ca4f
fi
90ca4f
90ca4f
%files
90ca4f
%defattr(-,root,root,-)
90ca4f
%doc README LICENSE docs/mod_nss.html
90ca4f
%{_mandir}/man8/*
90ca4f
%config(noreplace) %{_httpd_confdir}/nss.conf
90ca4f
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
90ca4f
%config(noreplace) %{_httpd_modconfdir}/10-nss.conf
90ca4f
%endif
90ca4f
%{_libdir}/httpd/modules/libmodnss.so
90ca4f
%dir %{_sysconfdir}/httpd/alias/
90ca4f
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
90ca4f
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
90ca4f
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
90ca4f
%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
90ca4f
%{_sysconfdir}/httpd/alias/libnssckbi.so
90ca4f
%{_libexecdir}/nss_pcache
90ca4f
%{_sbindir}/nss_pcache
90ca4f
%{_sbindir}/gencert
90ca4f
90ca4f
%changelog
1383e6
* Fri Nov  3 2017 Rob Crittenden <rcritten@redhat.com> - 1.0.14-12
1383e6
- Correct URL and Source entries to point to pagure.io (#1502362)
1383e6
- Remove deprecated NSSSessionCacheTimeout from default config (#1257662)
1383e6
1383e6
* Wed Jul 19 2017 Rob Crittenden <rcritten@redhat.com> - 1.0.14-11
1383e6
- TLS session cache was not working (#1461580)
20c1a4
7212c2
* Wed May 10 2017 Rob Crittenden <rcritten@redhat.com> - 1.0.14-10
7212c2
- Apply the nss_pcache man page patch (#1382102)
7212c2
7212c2
* Wed May 10 2017 Rob Crittenden <rcritten@redhat.com> - 1.0.14-9
7212c2
- Update nss_pcache.8 to drop directory and prefix options (#1382102)
7212c2
7212c2
- Don't share mod_nss NSS database with nss_pcache (#1382102)
7212c2
* Thu Feb 23 2017 Rob Crittenden <rcritten@redhat.com> - 1.0.14-8
7212c2
- Fail start start when there are invalid Protocols defined (#1389114)
7212c2
- Handle group membership when testing NSS database filesystem
7212c2
  permissions (#1395300)
7212c2
- Add OCSP cache tuning directives (#1392582) 
7212c2
- Don't share mod_nss NSS database with nss_pcache (#1382102)
7212c2
88aca9
* Wed Sep 21 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-7
88aca9
- Add the permission patch to the repository (#1312583)
88aca9
88aca9
* Wed Sep 21 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-6
88aca9
- Check the NSS certificate database directory for read permissions
88aca9
  by the Apache user. (#1312583)
88aca9
88aca9
* Wed Aug 10 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-5
88aca9
- Update clean semaphore patch to not free the pinList twice.
88aca9
  (#1364560)
88aca9
88aca9
* Tue Aug  9 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-4
88aca9
- Update clean semaphore patch to not close pipe twice and to
88aca9
  shutdown NSS database (#1364560)
88aca9
88aca9
* Mon Aug  8 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-3
88aca9
- Clean up semaphore in nss_pcache on shutdown (#1364560)
88aca9
88aca9
* Tue Jun 28 2016 Matthew Harmsen <mharmsen@redhat.com> - 1.0.14-2
88aca9
- mod_nss sets r->user in fixup even if it was long ago changed
88aca9
  by other module (#1347298)
88aca9
88aca9
* Mon May 23 2016 Rob Crittenden <rcritten@redhat.com> - 1.0.14-1
88aca9
- Rebase to 1.0.14 (#1299063)
88aca9
- Add support for Server Name Indication (SNI) (#1053327)
88aca9
- Use upstream method to not execute live tests as root (#1256887)
88aca9
- Always call SSL_ShutdownServerSessionIDCache() in ModuleKill
88aca9
  (#1263301, #1296685)
88aca9
- Don't require NSSProxyNickname (#1280287)
88aca9
- Make link to libnssckbi.so an absolute link (#1288471)
88aca9
- Fail for colons in credentials with FakeBasicAuth (#1295970)
88aca9
- Don't ignore NSSProtocol when NSSFIPS is enabled (#1312491)
88aca9
- Check filesystem permissions on NSS database at startup (#1312583)
88aca9
- OpenSSL ciphers stopped parsing at +, CVE-2016-3099 (#1323913)
88aca9
- Patch to match available ciphers so tests pass (#1299063)
88aca9
- Patch to fix tests in brew (#1299063)
88aca9
b7538d
* Tue Sep 22 2015 Rob Crittenden <rcritten@redhat.com> - 1.0.11-6
b7538d
- Add the supported NSS SHA384 ciphers (#1253570)
b7538d
- Add kECDH, AECDH, ECDSA and aECDSA macros (#1253570)
b7538d
- Bump the NSS BR and Requires so the new ciphers are available
b7538d
- Bump the NSPR Requires to match NSS
b7538d
b7538d
* Mon Sep 21 2015 Rob Crittenden <rcritten@redhat.com> - 1.0.11-5
b7538d
- Don't enable NULL ciphers in DEFAULT macro (#1253570)
b7538d
- Add OpenSSL cipher macro EECDH (#1160745)
b7538d
- Disable the live server testing in make check because it
b7538d
  may run as root and fail horribly (#1160745)
b7538d
b7538d
* Thu Aug 27 2015 Rob Crittenden <rcritten@redhat.com> - 1.0.11-4
b7538d
- Handle permanently disabled ciphers in call to SSL_CipherPrefSet
b7538d
  (#1160745)
b7538d
b7538d
* Mon Aug 17 2015 Rob Crittenden <rcritten@redhat.com> - 1.0.11-3
b7538d
- Fix logical and support in cipher strings CVE-2015-3277
b7538d
  (#1253570)
b7538d
- Add missing BuildRequires and small patch to use requests.urllib3
b7538d
  to fix make check (#1253570)
b7538d
b7538d
* Wed Jul 29 2015 Matthew Harmsen <mharmsen@redhat.com> - 1.0.11-2
b7538d
- Resolves: rhbz #1066236
b7538d
- Bugzilla Bug #1066236 - mod_nss: documentation formatting fixes
b7538d
b7538d
* Thu Jun 11 2015 Rob Crittenden <rcritten@redhat.com> - 1.0.11-1
b7538d
- Resolves: rhbz #1160745 - Rebase mod_nss to 1.0.11
b7538d
b64dea
* Mon Jan  5 2015 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-33
b64dea
- Resolves: rhbz #1169871
b64dea
- Bugzilla Bug #1169871 -  Default configuration enables SSL3
b64dea
587326
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.0.8-32
587326
- Mass rebuild 2014-01-24
587326
587326
* Mon Jan 13 2014 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-31
587326
- Resolves: rhbz #1029360
587326
- Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires
587326
- corrected typo on date
587326
587326
* Mon Jan 13 2014 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-30
587326
- Resolves: rhbz #1029360
587326
- Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires
587326
587326
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.0.8-29
587326
- Mass rebuild 2013-12-27
587326
587326
* Wed Nov 27 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-28
587326
- Resolves: rhbz #1030276
587326
- [mod_nss-usecases.patch]
587326
- Bugzilla Bug #1030276 - mod_nss not working in FIPS mode
587326
587326
* Fri Nov 15 2013 Rob Crittenden <rcritten@redhat.com> - 1.0.8-27
587326
- Resolves: CVE-2013-4566
587326
- Bugzilla Bug #1024536 - mod_nss: incorrect handling of NSSVerifyClient in
587326
  directory context [rhel-7.0] (rcritten)
587326
- Bugzilla Bug #1030845 - mod_nss: do not use %%configure in %%changelog
587326
  (mharmsen)
587326
587326
* Tue Nov 12 2013 Joe Orton <jorton@redhat.com> - 1.0.8-26
587326
- [mod_nss-SSLEngine-off.patch]
587326
- Bugzilla Bug #1029042 - Implicit SSLEngine for 443 port breaks mod_nss
587326
  configuration (jorton)
587326
- [mod_nss-unused-filter_ctx.patch]
587326
- Bugzilla Bug #1029665 - Remove unused variable 'filter_ctx' (mharmsen)
587326
90ca4f
* Fri Nov  1 2013 Tomas Hoger <thoger@redhat.com> - 1.0.8-25
90ca4f
- Bugzilla Bug #1025317 - mod_nss: documentation formatting fixes [rhel-7]
90ca4f
90ca4f
* Thu Oct 24 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-24
587326
- Add '--enable-ecc' option to %%configure line under %%build section of
90ca4f
  this spec file (mharmsen)
90ca4f
- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
90ca4f
- [mod_nss-PK11_ListCerts_2.patch]
90ca4f
- Bugzilla Bug #1022295 - PK11_ListCerts called to retrieve all user
90ca4f
  certificates for every server (rcritten)
90ca4f
- [mod_nss-array_overrun.patch]
90ca4f
- Bugzilla Bug #1022298 - overrunning array when executing nss_pcache
90ca4f
  (rcritten)
90ca4f
- [mod_nss-clientauth.patch]
90ca4f
- Bugzilla Bug #1022921 - mod_nss: FakeBasicAuth authentication bypass
90ca4f
  [rhel-7.0] (rcritten)
90ca4f
- [mod_nss-no_shutdown_if_not_init_2.patch]
90ca4f
- Bugzilla Bug #1022303 - File descriptor leak after "service httpd reload"
90ca4f
  or httpd doesn't reload (rrelyea)
90ca4f
- [mod_nss-proxyvariables.patch]
90ca4f
- Bugzilla Bug #1022309 - mod_nss insists on Required value NSSCipherSuite
90ca4f
  not set. (mharmsen)
90ca4f
- [mod_nss-tlsv1_1.patch]
90ca4f
- Bugzilla Bug #1022310 - current nss support TLS 1.1 so mod_nss should pick
90ca4f
  it up (mharmsen)
90ca4f
- [mod_nss-sslmultiproxy_2.patch]
90ca4f
- Fixes Bugzilla Bug #1021458 - [RFE] Support ability to share mod_proxy with
90ca4f
  other SSL providers (jorton, mharmsen, nkinder, & rcritten)
90ca4f
90ca4f
* Tue Jul 30 2013 Joe Orton <jorton@redhat.com> - 1.0.8-23
90ca4f
- add dependency on httpd-mmn
90ca4f
90ca4f
* Wed Jul  3 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-22
90ca4f
- Moved 'nss_pcache' from %%sbindir to %%libexecdir
90ca4f
  (provided compatibility link)
90ca4f
90ca4f
* Tue Jul  2 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21.1
90ca4f
- Add the following explanation to the 'Dangling symlinks' textbox in rpmdiff:
90ca4f
  Symlink 'etc/httpd/alias/libnssckbi.so' is deliberate.
90ca4f
  This test does not belong in rpmdiff. This test belongs in TPS.
90ca4f
  Since the symlink points to a file in another package, e.g. a
90ca4f
  dependency or a system file, rpmdiff cannot detect this. Remember,
90ca4f
  rpmdiff does not install or even know about package dependencies.
90ca4f
  That's TPS's job.
90ca4f
- Add the following explanation to the 'Brewtap results' textbox in rpmdiff:
90ca4f
  The '/etc/httpd/conf.d/nss.conf' file does not require a man page
90ca4f
  because its parameters are sufficiently documented within the
90ca4f
  configuration file itself.
90ca4f
  The '/etc/httpd/conf.modules.d/10-nss.conf' file does not require
90ca4f
  a man page because the file merely contains the line
90ca4f
  'LoadModule nss_module modules/libmodnss.so' to support httpd
90ca4f
  loading of Dynamic Shared Objects ('/etc/httpd/conf/httpd.conf').
90ca4f
90ca4f
* Tue Jun 25 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21
90ca4f
- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff
90ca4f
  testing
90ca4f
- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache
90ca4f
- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss
90ca4f
- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec
90ca4f
- Bugzilla Bug #948601 - Man page scan results for mod_nss
90ca4f
90ca4f
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-20.1
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
90ca4f
90ca4f
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-19.1
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
90ca4f
90ca4f
* Mon Jun 18 2012 Joe Orton <jorton@redhat.com> - 1.0.8-18.1
90ca4f
- fix build for RHEL7
90ca4f
90ca4f
* Fri Jun 15 2012 Rob Crittenden <rcritten@redhat.com> - 1.0.8-18
90ca4f
- Actually apply the patch to use memmove in place of memcpy since the
90ca4f
  buffers can overlap (#669118)
90ca4f
90ca4f
* Tue Jun 12 2012 Nathan Kinder <nkinder@redhat.com> - 1.0.8-17
90ca4f
- Port mod_nss to work with httpd 2.4
90ca4f
90ca4f
* Mon Apr 23 2012 Joe Orton <jorton@redhat.com> - 1.0.8-16
90ca4f
- packaging fixes/updates (#803072)
90ca4f
90ca4f
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-15
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
90ca4f
90ca4f
* Mon Mar  7 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-14
90ca4f
- Add Requires(post) for nss-tools, gencert needs it (#652007)
90ca4f
90ca4f
* Wed Mar  2 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-13
90ca4f
- Lock around the pipe to nss_pcache for retrieving the token PIN
90ca4f
  (#677701)
90ca4f
90ca4f
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-12
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
90ca4f
90ca4f
* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-11
90ca4f
- Use memmove in place of memcpy since the buffers can overlap (#669118)
90ca4f
90ca4f
* Wed Sep 29 2010 jkeating - 1.0.8-10
90ca4f
- Rebuilt for gcc bug 634757
90ca4f
90ca4f
* Thu Sep 23 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-9
90ca4f
- Revert mod_nss-wouldblock patch
90ca4f
- Reset NSPR error before calling PR_Read(). This should fix looping
90ca4f
  in #620856
90ca4f
90ca4f
* Fri Sep 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-8
90ca4f
- Fix hang when handling large POST under some conditions (#620856)
90ca4f
90ca4f
* Tue Jun 22 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-7
90ca4f
- Remove file Requires on libnssckbi.so (#601939)
90ca4f
90ca4f
* Fri May 14 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-6
90ca4f
- Ignore SIGHUP in nss_pcache (#591889).
90ca4f
90ca4f
* Thu May 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-5
90ca4f
- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
90ca4f
90ca4f
* Thu Mar 18 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-4
90ca4f
- Patch to add configuration options for new NSS negotiation API (#574187)
90ca4f
- Add (pre) for Requires on httpd so we can be sure the user and group are
90ca4f
  already available
90ca4f
- Add file Requires on libnssckbi.so so symlink can't fail
90ca4f
- Use _sysconfdir macro instead of /etc
90ca4f
- Set minimum level of NSS to 3.12.6
90ca4f
90ca4f
* Mon Jan 25 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-3
90ca4f
- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
90ca4f
90ca4f
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-2
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
90ca4f
90ca4f
* Mon Mar  2 2009 Rob Crittenden <rcritten@redhat.com> - 1.0.8-1
90ca4f
- Update to 1.0.8
90ca4f
- Add patch that fixes NSPR layer bug
90ca4f
90ca4f
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-11
90ca4f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
90ca4f
90ca4f
* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.0.7-10
90ca4f
- fix license tag
90ca4f
90ca4f
* Mon Jul 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-9
90ca4f
- rebuild to bump NVR
90ca4f
90ca4f
* Mon Jul 14 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-8
90ca4f
- Don't force module de-init during the configuration stage (453508)
90ca4f
90ca4f
* Thu Jul 10 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-7
90ca4f
- Don't inherit the MP cache in multi-threaded mode (454701)
90ca4f
- Don't initialize NSS in each child if SSL isn't configured
90ca4f
90ca4f
* Wed Jul  2 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-6
90ca4f
- Update the patch for FIPS to include fixes for nss_pcache, enforce
90ca4f
  the security policy and properly initialize the FIPS token.
90ca4f
90ca4f
* Mon Jun 30 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-5
90ca4f
- Include patch to fix NSSFIPS (446851)
90ca4f
90ca4f
* Mon Apr 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-4
90ca4f
- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
90ca4f
  and not before. This is in response to a change in the NSS softtokn code
90ca4f
  and should have always been done this way. (444348)
90ca4f
- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
90ca4f
- The NSS database needs to be readable by apache since we need to use it
90ca4f
  after the root priviledges are dropped.
90ca4f
90ca4f
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.7-3
90ca4f
- Autorebuild for GCC 4.3
90ca4f
90ca4f
* Thu Oct 18 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-2
90ca4f
- Register functions needed by mod_proxy if mod_ssl is not loaded.
90ca4f
90ca4f
* Fri Jun  1 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-1
90ca4f
- Update to 1.0.7
90ca4f
- Remove Requires for nss and nspr since those are handled automatically
90ca4f
  by versioned libraries
90ca4f
- Updated URL and Source to reference directory.fedoraproject.org
90ca4f
90ca4f
* Mon Apr  9 2007 Rob Crittenden <rcritten@redhat.com> 1.0.6-2
90ca4f
- Patch to properly detect the Apache model and set up NSS appropriately
90ca4f
- Patch to punt if a bad password is encountered
90ca4f
- Patch to fix crash when password.conf is malformatted
90ca4f
- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7)
90ca4f
90ca4f
* Mon Oct 23 2006 Rob Crittenden <rcritten@redhat.com> 1.0.6-1
90ca4f
- Update to 1.0.6
90ca4f
90ca4f
* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-4
90ca4f
- Include LogLevel warn in nss.conf and use separate log files
90ca4f
90ca4f
* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-3
90ca4f
- Need to initialize ECC certificate and key variables
90ca4f
90ca4f
* Fri Aug 04 2006 Jarod Wilson <jwilson@redhat.com> 1.0.3-2
90ca4f
- Use %%ghost for db files and install.log
90ca4f
90ca4f
* Tue Jun 20 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-1
90ca4f
- Initial build