From b64dea62804f5d2409a5bb28695fa3406352aa83 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 05 2015 13:35:05 +0000
Subject: import mod_nss-1.0.8-33.el7
---
diff --git a/SOURCES/mod_nss-default-NSSProtocol.patch b/SOURCES/mod_nss-default-NSSProtocol.patch
new file mode 100644
index 0000000..0aed663
--- /dev/null
+++ b/SOURCES/mod_nss-default-NSSProtocol.patch
@@ -0,0 +1,28 @@
+diff -rupN mod_nss-1.0.8.orig/nss.conf.in mod_nss-1.0.8/nss.conf.in
+--- mod_nss-1.0.8.orig/nss.conf.in 2015-01-05 14:40:03.982283416 -0700
++++ mod_nss-1.0.8/nss.conf.in 2015-01-05 14:42:42.454075939 -0700
+@@ -126,7 +126,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
+ # Since all protocol ranges are completely inclusive, and no protocol in the
+ # middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+ # is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+-NSSProtocol SSLv3,TLSv1.0,TLSv1.1
++NSSProtocol TLSv1.0,TLSv1.1
+
+ # SSL Certificate Nickname:
+ # The nickname of the RSA server certificate you are going to use.
+diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
+--- mod_nss-1.0.8.orig/nss_engine_init.c 2015-01-05 14:40:03.951283261 -0700
++++ mod_nss-1.0.8/nss_engine_init.c 2015-01-06 10:59:47.866985758 -0700
+@@ -646,10 +646,10 @@ static void nss_init_ctx_protocol(server
+ } else {
+ if (mctx->auth.protocols == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+- "%s value not set; using: SSLv3, TLSv1.0, and TLSv1.1",
++ "%s value not set; using: TLSv1.0 and TLSv1.1",
+ protocol_marker);
+
+- ssl3 = tls = tls1_1 = 1;
++ tls = tls1_1 = 1;
+ } else {
+ lprotocols = strdup(mctx->auth.protocols);
+ ap_str_tolower(lprotocols);
diff --git a/SPECS/mod_nss.spec b/SPECS/mod_nss.spec
index 36c758e..a136b61 100644
--- a/SPECS/mod_nss.spec
+++ b/SPECS/mod_nss.spec
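Review bot: With `ssl3` dropped from the default assignment in `nss_init_ctx_protocol`, the branch taken when NSSProtocol is unset only stays SSLv3-free if `ssl3` is zeroed before this point, and that initialisation lies outside the hunk; writing `ssl3 = 0; tls = tls1_1 = 1;` would make the intent explicit and independent of it. The `else` branch that parses an explicitly configured value is also cut off here, so presumably an existing nss.conf that already lists SSLv3 keeps it enabled after the update; a warning logged when SSLv3 is requested explicitly would make that visible to administrators. In nss.conf.in the comment directly above the new default still uses `NSSProtocol SSLv3,TLSv1.1` as its worked example; a line such as `# SSLv3 is no longer enabled by default; list it explicitly only if legacy clients require it.` would keep the sample file from steering readers back to it.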
@@ -6,7 +6,7 @@ Name: mod_nss Version: 1.0.8 -Release: 32%{?dist} +Release: 33%{?dist} Summary: SSL/TLS module for the Apache HTTP server Group: System Environment/Daemons License: ASL 2.0 @@ -52,6 +52,7 @@ Patch21: mod_nss-SSLEngine-off.patch Patch22: mod_nss-unused-filter_ctx.patch Patch23: mod_nss-nssverifyclient.patch Patch24: mod_nss-usecases.patch +Patch25: mod_nss-default-NSSProtocol.patch %description The mod_nss module provides strong cryptography for the Apache Web @@ -90,6 +91,7 @@ security library. %patch22 -p1 -b .unused-filter_ctx %patch23 -p1 -b .nssverifyclient %patch24 -p1 -b .usecases +%patch25 -p1 -b .default-NSSProtocol # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -200,6 +202,10 @@ fi %{_sbindir}/gencert %changelog +* Mon Jan 5 2015 Matthew Harmsen - 1.0.8-33 +- Resolves: rhbz #1169871 +- Bugzilla Bug #1169871 - Default configuration enables SSL3 + * Fri Jan 24 2014 Daniel Mach - 1.0.8-32 - Mass rebuild 2014-01-24