diff -rupN mod_nss-1.0.8.orig/Makefile.am mod_nss-1.0.8/Makefile.am
--- mod_nss-1.0.8.orig/Makefile.am 2008-05-16 08:18:07.000000000 -0700
+++ mod_nss-1.0.8/Makefile.am 2013-06-27 19:13:30.000000000 -0700
@@ -5,6 +5,14 @@ bin_PROGRAMS = nss_pcache
nss_pcache_SOURCES = nss_pcache.c
+man8_MANS = \
+ gencert.8 \
+ nss_pcache.8 \
+ $(NULL)
+
+install-data-hook:
+ @for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
+
## Define the source file for the module
libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c
libmodnss_la_LDFLAGS = -module -avoid-version
diff -rupN mod_nss-1.0.8.orig/gencert.8 mod_nss-1.0.8/gencert.8
--- mod_nss-1.0.8.orig/gencert.8 1969-12-31 16:00:00.000000000 -0800
+++ mod_nss-1.0.8/gencert.8 2013-07-01 09:56:37.000000000 -0700
@@ -0,0 +1,59 @@
+.\" A man page for gencert
+.\"
+.\" Licensed under the Apache License, Version 2.0 (the "License");
+.\" you may not use this file except in compliance with the License.
+.\" You may obtain a copy of the License at
+.\"
+.\" http://www.apache.org/licenses/LICENSE-2.0
+.\"
+.\" Unless required by applicable law or agreed to in writing, software
+.\" distributed under the License is distributed on an "AS IS" BASIS,
+.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.\" See the License for the specific language governing permissions and
+.\" limitations under the License.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "gencert" "8" "Jul 1 2013" "Rob Crittenden" ""
+.SH "NAME"
+gencert \- Generate a test NSS database for mod_nss
+
+.SH "SYNOPSIS"
+gencert <destdir>
+
+.SH "DESCRIPTION"
+A tool used to generate a self\-signed CA as well as server and user certificates for mod_nss testing.
+.PP
+This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists, so use with care.
+.PP
+\fBgencert\fP will generate a new NSS database and set an empty database password.
+.PP
+It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US"
+.PP
+It also generates a certificate suitable for servers with the subject "CN=<FQDN>, O=example.com, C=US", and a user certificate with the subject "E=alpha@<FQDN>, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US".
+.PP
+The nicknames it uses are:
+.IP
+.TS
+tab(;);
+ll,ll.
+CA:;cacert
+Server certificate:;Server\-Cert
+User cert:;alpha
+.TE
+
+.SH OPTIONS
+.TP
+.B <destdir>
+Specifies the destination directory where the NSS databases will be created.
+
+.SH BUGS
+Report bugs to http://bugzilla.redhat.com.
+
+.SH AUTHORS
+Rob Crittenden <rcritten@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2011 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0.
+.PP
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
diff -rupN mod_nss-1.0.8.orig/migrate.pl mod_nss-1.0.8/migrate.pl
--- mod_nss-1.0.8.orig/migrate.pl 2005-05-31 07:32:42.000000000 -0700
+++ mod_nss-1.0.8/migrate.pl 2013-07-03 14:23:12.000000000 -0700
@@ -115,7 +115,8 @@ while (<SSL>) {
}
if ($passphrase == 0) {
- print NSS "NSSPassPhraseHelper /usr/sbin/nss_pcache\n";
+ # NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'.
+ print NSS "NSSPassPhraseHelper /usr/libexec/nss_pcache\n";
}
close(NSS);
diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in
--- mod_nss-1.0.8.orig/nss.conf.in 2013-06-25 17:14:22.000000000 -0700
+++ mod_nss-1.0.8/nss.conf.in 2013-07-03 14:23:48.000000000 -0700
@@ -42,7 +42,10 @@ NSSPassPhraseDialog builtin
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
-NSSPassPhraseHelper /usr/sbin/nss_pcache
+#
+# NOTE: Located at '/usr/sbin/nss_pcache' prior to 'mod_nss-1.0.8-22'.
+#
+NSSPassPhraseHelper /usr/libexec/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
diff -rupN mod_nss-1.0.8.orig/nss_pcache.8 mod_nss-1.0.8/nss_pcache.8
--- mod_nss-1.0.8.orig/nss_pcache.8 1969-12-31 16:00:00.000000000 -0800
+++ mod_nss-1.0.8/nss_pcache.8 2013-07-03 15:35:39.000000000 -0700
@@ -0,0 +1,95 @@
+.\" A man page for nss_pcache
+.\"
+.\" Licensed under the Apache License, Version 2.0 (the "License");
+.\" you may not use this file except in compliance with the License.
+.\" You may obtain a copy of the License at
+.\"
+.\" http://www.apache.org/licenses/LICENSE-2.0
+.\"
+.\" Unless required by applicable law or agreed to in writing, software
+.\" distributed under the License is distributed on an "AS IS" BASIS,
+.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.\" See the License for the specific language governing permissions and
+.\" limitations under the License.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "nss_pcache" "8" "Jul 1 2013" "Rob Crittenden" ""
+.SH "NAME"
+nss_pcache \- Helper program used to store token password pins
+
+.SH "SYNOPSIS"
+nss_pcache <semid> <fips on/off> <directory> [prefix]
+
+.SH "DESCRIPTION"
+A helper program used by the Apache \fBhttpd\fP mod_nss plug-in to store the NSS PKCS #11 token password pins between restarts of Apache.
+.PP
+Whenever an Apache \fBhttpd\fP process configured to use the mod_nss plug-in is started, this program will be automatically invoked via reference to the mod_nss configuration file stored under \fB/etc/httpd/conf.d/nss.conf\fP which contains the following default entry:
+.IP
+# Pass Phrase Helper:
+.br
+# This helper program stores the token password pins between
+.br
+# restarts of Apache.
+.br
+#
+.br
+# NOTE: Located at '/usr/sbin/nss_pcache' prior
+.br
+# to 'mod_nss-1.0.8-22'.
+.br
+#
+.br
+NSSPassPhraseHelper /usr/libexec/nss_pcache
+
+.SH OPTIONS
+.TP
+.B <semid>
+The semaphore which corresponds to the mod_nss plug-in registered with the Apache \fBhttpd\fP process during startup.
+.TP
+.B <fips on/off>
+Specifies whether FIPS mode should be enabled, \fBon\fP, or disabled, \fBoff\fP. By default, FIPS mode is disabled, and no variable is specified in \fB/etc/httpd/conf.d/nss.conf\fP. To enable FIPS mode, establish password access for the specified NSS security databases, and specify the following variable in \fB/etc/httpd/conf.d/nss.conf\fP:
+.IP
+.TS
+tab(;);
+ll,ll.
+;NSSFIPS on
+.TE
+.TP
+.B <directory>
+Specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP:
+.IP
+.TS
+tab(;);
+ll,ll.
+;# Server Certificate Database:
+;# The NSS security database directory that holds the
+;# certificates and keys. The database consists
+;# of 3 files: cert8.db, key3.db and secmod.db.
+;# Provide the directory that these files exist.
+;NSSCertificateDatabase /etc/httpd/alias
+.TE
+.TP
+.B [prefix]
+Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP (must be uncommented in order to be utilized):
+.IP
+.TS
+tab(;);
+ll,ll.
+;# Database Prefix:
+;# In order to be able to store multiple NSS databases
+;# in one directory they need unique names. This option
+;# sets the database prefix used for cert8.db and key3.db.
+;#NSSDBPrefix my-prefix-
+.TE
+
+.SH BUGS
+Report bugs to http://bugzilla.redhat.com.
+
+.SH AUTHORS
+Rob Crittenden <rcritten@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2013 Red Hat, Inc. This is licensed under the Apache License, Version 2.0 (the "License"); no one may use this file except in compliance with the License. A copy of this license is available at http://www.apache.org/licenses/LICENSE-2.0.
+.PP
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
diff -rupN mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
--- mod_nss-1.0.8.orig/nss_pcache.c 2013-06-25 17:14:22.000000000 -0700
+++ mod_nss-1.0.8/nss_pcache.c 2013-06-26 18:44:42.000000000 -0700
@@ -318,7 +318,7 @@ int main(int argc, char ** argv)
union semun semarg;
if (argc < 4 || argc > 5) {
- fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
exit(1);
}
@@ -336,7 +336,7 @@ int main(int argc, char ** argv)
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
/* Initialize NSS and open the certificate database read-only. */
- rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
+ rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
if (rv != SECSuccess) {
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);