%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} %{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} # /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} %{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}} Name: mod_nss Version: 1.0.14 Release: 12%{?dist} Summary: SSL/TLS module for the Apache HTTP server Group: System Environment/Daemons License: ASL 2.0 URL: https://pagure.io/mod_nss/ Source: http://releases.pagure.org/mod_nss/%{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: nspr-devel >= 4.10.8, nss-devel >= 3.19.1 BuildRequires: httpd-devel, apr-devel, apr-util-devel BuildRequires: pkgconfig BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool # Needed for make check BuildRequires: openssl BuildRequires: python-nose BuildRequires: python-requests BuildRequires: python-urllib3 Requires: httpd-mmn = %{_httpd_mmn} Requires(post): httpd, nss-tools Requires: nss%{?_isa} >= 3.19.1 # Although the following change reverses the desire of Bugzilla Bug #601939, it # was provided to suppress the dangling symlink warning of Bugzilla Bug #906089 # as exposed via 'rpmlint'. Requires: %{_libdir}/libnssckbi.so # Change configuration to not conflict with mod_ssl Patch1: mod_nss-conf.patch # Generate a password-less NSS database Patch2: mod_nss-gencert.patch # Set DEFAULT_SSL_CIPHER_LIST manually if pyopenssl can't be imported Patch3: mod_nss-defaultcipherlist.patch # Match the available ciphers in RHEL OpenSSL so tests pass Patch4: mod_nss-test-cipherlist.patch # Disable and fix tests to work inside of brew Patch5: mod_nss-brewtest.patch # Remove setting 'r->user' in nss_hook_Fixup() Patch6: mod_nss-remove-r-user-from-hook-fixup.patch # Cleanup nss_pcache semaphore on shutdown Patch7: mod_nss-clean-semaphore.patch # Check certificate database directory permissions Patch8: mod_nss-certdb-permissions.patch # Die on invalid Protocol settings Patch9: mod_nss-invalid-protocol-setting.patch # Handle group membership when testing file perms Patch10: mod_nss-group-permissions.patch # Add OCSP cache tuning directives Patch11: mod_nss-ocsp-tuning-knobs.patch # Use NoDBInit in nss_pcache Patch12: mod_nss-pcache_nodbinit.patch # Update nss_pcache man page to drop directory and prefix Patch13: mod_nss-nss_pcache_man.patch # Fix TLS Session cache Patch14: mod_nss-session_cache.patch # Remove NSSSessionCacheTimeout from default config Patch15: mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch %description The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. %prep %setup -q %patch1 -p1 -b .conf %patch2 -p1 -b .gencert %patch3 -p1 -b .defaultcipherlist %patch4 -p1 -b .testcipherlist %patch5 -p1 -b .brewtest %patch6 -p1 -b .remove_r_user %patch7 -p1 -b .semaphore %patch8 -p1 -b .permissions %patch9 -p1 -b .protocol_fatal %patch10 -p1 -b .group_permissions %patch11 -p1 -b .ocsp_tuning %patch12 -p1 -b .pcache_nodbinit %patch13 -p1 -b .pcache_man %patch14 -p1 -b .session_cache %patch15 -p1 -b .deprecated_sessioncachetimeout # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build CFLAGS="$RPM_OPT_FLAGS" APXS=%{_httpd_apxs} export CFLAGS APXS NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` autoreconf -i -f %configure \ --with-nss-lib=$NSS_LIB_DIR \ --with-nss-inc=$NSS_INCLUDE_DIR \ --with-nspr-lib=$NSPR_LIB_DIR \ --with-nspr-inc=$NSPR_INCLUDE_DIR \ --with-apr-config --enable-ecc make %{?_smp_mflags} all %install # The install target of the Makefile isn't used because that uses apxs # which tries to enable the module in the build host httpd instead of in # the build root. rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir} mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules mkdir -p $RPM_BUILD_ROOT%{_libexecdir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" # httpd >= 2.4.x mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir} sed -n /^LoadModule/p nss.conf > 10-nss.conf sed -i /^LoadModule/d nss.conf install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir} %endif install -m 644 gencert.8 $RPM_BUILD_ROOT%{_mandir}/man8/ install -m 644 nss_pcache.8 $RPM_BUILD_ROOT%{_mandir}/man8/ install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir} install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/ install -m 755 nss_pcache $RPM_BUILD_ROOT%{_libexecdir}/ # Provide a compatibility link to prevent disruption of customized deployments. # # NOTE: This link may be deprecated in a future release of 'mod_nss'. # ln -s %{_libexecdir}/nss_pcache $RPM_BUILD_ROOT%{_sbindir}/nss_pcache install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ ln -s %{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/ touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert %check make check %clean rm -rf $RPM_BUILD_ROOT %post umask 077 if [ "$1" -eq 1 ] ; then if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1 echo "" echo "%{name} certificate database generated." echo "" fi # Make sure that the database ownership is setup properly. /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \; /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; fi %files %defattr(-,root,root,-) %doc README LICENSE docs/mod_nss.html %{_mandir}/man8/* %config(noreplace) %{_httpd_confdir}/nss.conf %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" %config(noreplace) %{_httpd_modconfdir}/10-nss.conf %endif %{_libdir}/httpd/modules/libmodnss.so %dir %{_sysconfdir}/httpd/alias/ %ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db %ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db %ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db %ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log %{_sysconfdir}/httpd/alias/libnssckbi.so %{_libexecdir}/nss_pcache %{_sbindir}/nss_pcache %{_sbindir}/gencert %changelog * Fri Nov 3 2017 Rob Crittenden - 1.0.14-12 - Correct URL and Source entries to point to pagure.io (#1502362) - Remove deprecated NSSSessionCacheTimeout from default config (#1257662) * Wed Jul 19 2017 Rob Crittenden - 1.0.14-11 - TLS session cache was not working (#1461580) * Wed May 10 2017 Rob Crittenden - 1.0.14-10 - Apply the nss_pcache man page patch (#1382102) * Wed May 10 2017 Rob Crittenden - 1.0.14-9 - Update nss_pcache.8 to drop directory and prefix options (#1382102) - Don't share mod_nss NSS database with nss_pcache (#1382102) * Thu Feb 23 2017 Rob Crittenden - 1.0.14-8 - Fail start start when there are invalid Protocols defined (#1389114) - Handle group membership when testing NSS database filesystem permissions (#1395300) - Add OCSP cache tuning directives (#1392582) - Don't share mod_nss NSS database with nss_pcache (#1382102) * Wed Sep 21 2016 Rob Crittenden - 1.0.14-7 - Add the permission patch to the repository (#1312583) * Wed Sep 21 2016 Rob Crittenden - 1.0.14-6 - Check the NSS certificate database directory for read permissions by the Apache user. (#1312583) * Wed Aug 10 2016 Rob Crittenden - 1.0.14-5 - Update clean semaphore patch to not free the pinList twice. (#1364560) * Tue Aug 9 2016 Rob Crittenden - 1.0.14-4 - Update clean semaphore patch to not close pipe twice and to shutdown NSS database (#1364560) * Mon Aug 8 2016 Rob Crittenden - 1.0.14-3 - Clean up semaphore in nss_pcache on shutdown (#1364560) * Tue Jun 28 2016 Matthew Harmsen - 1.0.14-2 - mod_nss sets r->user in fixup even if it was long ago changed by other module (#1347298) * Mon May 23 2016 Rob Crittenden - 1.0.14-1 - Rebase to 1.0.14 (#1299063) - Add support for Server Name Indication (SNI) (#1053327) - Use upstream method to not execute live tests as root (#1256887) - Always call SSL_ShutdownServerSessionIDCache() in ModuleKill (#1263301, #1296685) - Don't require NSSProxyNickname (#1280287) - Make link to libnssckbi.so an absolute link (#1288471) - Fail for colons in credentials with FakeBasicAuth (#1295970) - Don't ignore NSSProtocol when NSSFIPS is enabled (#1312491) - Check filesystem permissions on NSS database at startup (#1312583) - OpenSSL ciphers stopped parsing at +, CVE-2016-3099 (#1323913) - Patch to match available ciphers so tests pass (#1299063) - Patch to fix tests in brew (#1299063) * Tue Sep 22 2015 Rob Crittenden - 1.0.11-6 - Add the supported NSS SHA384 ciphers (#1253570) - Add kECDH, AECDH, ECDSA and aECDSA macros (#1253570) - Bump the NSS BR and Requires so the new ciphers are available - Bump the NSPR Requires to match NSS * Mon Sep 21 2015 Rob Crittenden - 1.0.11-5 - Don't enable NULL ciphers in DEFAULT macro (#1253570) - Add OpenSSL cipher macro EECDH (#1160745) - Disable the live server testing in make check because it may run as root and fail horribly (#1160745) * Thu Aug 27 2015 Rob Crittenden - 1.0.11-4 - Handle permanently disabled ciphers in call to SSL_CipherPrefSet (#1160745) * Mon Aug 17 2015 Rob Crittenden - 1.0.11-3 - Fix logical and support in cipher strings CVE-2015-3277 (#1253570) - Add missing BuildRequires and small patch to use requests.urllib3 to fix make check (#1253570) * Wed Jul 29 2015 Matthew Harmsen - 1.0.11-2 - Resolves: rhbz #1066236 - Bugzilla Bug #1066236 - mod_nss: documentation formatting fixes * Thu Jun 11 2015 Rob Crittenden - 1.0.11-1 - Resolves: rhbz #1160745 - Rebase mod_nss to 1.0.11 * Mon Jan 5 2015 Matthew Harmsen - 1.0.8-33 - Resolves: rhbz #1169871 - Bugzilla Bug #1169871 - Default configuration enables SSL3 * Fri Jan 24 2014 Daniel Mach - 1.0.8-32 - Mass rebuild 2014-01-24 * Mon Jan 13 2014 Matthew Harmsen - 1.0.8-31 - Resolves: rhbz #1029360 - Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires - corrected typo on date * Mon Jan 13 2014 Matthew Harmsen - 1.0.8-30 - Resolves: rhbz #1029360 - Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires * Fri Dec 27 2013 Daniel Mach - 1.0.8-29 - Mass rebuild 2013-12-27 * Wed Nov 27 2013 Matthew Harmsen - 1.0.8-28 - Resolves: rhbz #1030276 - [mod_nss-usecases.patch] - Bugzilla Bug #1030276 - mod_nss not working in FIPS mode * Fri Nov 15 2013 Rob Crittenden - 1.0.8-27 - Resolves: CVE-2013-4566 - Bugzilla Bug #1024536 - mod_nss: incorrect handling of NSSVerifyClient in directory context [rhel-7.0] (rcritten) - Bugzilla Bug #1030845 - mod_nss: do not use %%configure in %%changelog (mharmsen) * Tue Nov 12 2013 Joe Orton - 1.0.8-26 - [mod_nss-SSLEngine-off.patch] - Bugzilla Bug #1029042 - Implicit SSLEngine for 443 port breaks mod_nss configuration (jorton) - [mod_nss-unused-filter_ctx.patch] - Bugzilla Bug #1029665 - Remove unused variable 'filter_ctx' (mharmsen) * Fri Nov 1 2013 Tomas Hoger - 1.0.8-25 - Bugzilla Bug #1025317 - mod_nss: documentation formatting fixes [rhel-7] * Thu Oct 24 2013 Matthew Harmsen - 1.0.8-24 - Add '--enable-ecc' option to %%configure line under %%build section of this spec file (mharmsen) - Bumped version build/runtime requirements for NSPR and NSS (mharmsen) - [mod_nss-PK11_ListCerts_2.patch] - Bugzilla Bug #1022295 - PK11_ListCerts called to retrieve all user certificates for every server (rcritten) - [mod_nss-array_overrun.patch] - Bugzilla Bug #1022298 - overrunning array when executing nss_pcache (rcritten) - [mod_nss-clientauth.patch] - Bugzilla Bug #1022921 - mod_nss: FakeBasicAuth authentication bypass [rhel-7.0] (rcritten) - [mod_nss-no_shutdown_if_not_init_2.patch] - Bugzilla Bug #1022303 - File descriptor leak after "service httpd reload" or httpd doesn't reload (rrelyea) - [mod_nss-proxyvariables.patch] - Bugzilla Bug #1022309 - mod_nss insists on Required value NSSCipherSuite not set. (mharmsen) - [mod_nss-tlsv1_1.patch] - Bugzilla Bug #1022310 - current nss support TLS 1.1 so mod_nss should pick it up (mharmsen) - [mod_nss-sslmultiproxy_2.patch] - Fixes Bugzilla Bug #1021458 - [RFE] Support ability to share mod_proxy with other SSL providers (jorton, mharmsen, nkinder, & rcritten) * Tue Jul 30 2013 Joe Orton - 1.0.8-23 - add dependency on httpd-mmn * Wed Jul 3 2013 Matthew Harmsen - 1.0.8-22 - Moved 'nss_pcache' from %%sbindir to %%libexecdir (provided compatibility link) * Tue Jul 2 2013 Matthew Harmsen - 1.0.8-21.1 - Add the following explanation to the 'Dangling symlinks' textbox in rpmdiff: Symlink 'etc/httpd/alias/libnssckbi.so' is deliberate. This test does not belong in rpmdiff. This test belongs in TPS. Since the symlink points to a file in another package, e.g. a dependency or a system file, rpmdiff cannot detect this. Remember, rpmdiff does not install or even know about package dependencies. That's TPS's job. - Add the following explanation to the 'Brewtap results' textbox in rpmdiff: The '/etc/httpd/conf.d/nss.conf' file does not require a man page because its parameters are sufficiently documented within the configuration file itself. The '/etc/httpd/conf.modules.d/10-nss.conf' file does not require a man page because the file merely contains the line 'LoadModule nss_module modules/libmodnss.so' to support httpd loading of Dynamic Shared Objects ('/etc/httpd/conf/httpd.conf'). * Tue Jun 25 2013 Matthew Harmsen - 1.0.8-21 - Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff testing - Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache - Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss - Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec - Bugzilla Bug #948601 - Man page scan results for mod_nss * Thu Feb 14 2013 Fedora Release Engineering - 1.0.8-20.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Fri Jul 20 2012 Fedora Release Engineering - 1.0.8-19.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Mon Jun 18 2012 Joe Orton - 1.0.8-18.1 - fix build for RHEL7 * Fri Jun 15 2012 Rob Crittenden - 1.0.8-18 - Actually apply the patch to use memmove in place of memcpy since the buffers can overlap (#669118) * Tue Jun 12 2012 Nathan Kinder - 1.0.8-17 - Port mod_nss to work with httpd 2.4 * Mon Apr 23 2012 Joe Orton - 1.0.8-16 - packaging fixes/updates (#803072) * Fri Jan 13 2012 Fedora Release Engineering - 1.0.8-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild * Mon Mar 7 2011 Rob Crittenden - 1.0.8-14 - Add Requires(post) for nss-tools, gencert needs it (#652007) * Wed Mar 2 2011 Rob Crittenden - 1.0.8-13 - Lock around the pipe to nss_pcache for retrieving the token PIN (#677701) * Tue Feb 08 2011 Fedora Release Engineering - 1.0.8-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild * Wed Jan 12 2011 Rob Crittenden - 1.0.8-11 - Use memmove in place of memcpy since the buffers can overlap (#669118) * Wed Sep 29 2010 jkeating - 1.0.8-10 - Rebuilt for gcc bug 634757 * Thu Sep 23 2010 Rob Crittenden - 1.0.8-9 - Revert mod_nss-wouldblock patch - Reset NSPR error before calling PR_Read(). This should fix looping in #620856 * Fri Sep 17 2010 Rob Crittenden - 1.0.8-8 - Fix hang when handling large POST under some conditions (#620856) * Tue Jun 22 2010 Rob Crittenden - 1.0.8-7 - Remove file Requires on libnssckbi.so (#601939) * Fri May 14 2010 Rob Crittenden - 1.0.8-6 - Ignore SIGHUP in nss_pcache (#591889). * Thu May 13 2010 Rob Crittenden - 1.0.8-5 - Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224) * Thu Mar 18 2010 Rob Crittenden - 1.0.8-4 - Patch to add configuration options for new NSS negotiation API (#574187) - Add (pre) for Requires on httpd so we can be sure the user and group are already available - Add file Requires on libnssckbi.so so symlink can't fail - Use _sysconfdir macro instead of /etc - Set minimum level of NSS to 3.12.6 * Mon Jan 25 2010 Rob Crittenden - 1.0.8-3 - The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744) * Sat Jul 25 2009 Fedora Release Engineering - 1.0.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Mon Mar 2 2009 Rob Crittenden - 1.0.8-1 - Update to 1.0.8 - Add patch that fixes NSPR layer bug * Wed Feb 25 2009 Fedora Release Engineering - 1.0.7-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Mon Aug 11 2008 Tom "spot" Callaway - 1.0.7-10 - fix license tag * Mon Jul 28 2008 Rob Crittenden - 1.0.7-9 - rebuild to bump NVR * Mon Jul 14 2008 Rob Crittenden - 1.0.7-8 - Don't force module de-init during the configuration stage (453508) * Thu Jul 10 2008 Rob Crittenden - 1.0.7-7 - Don't inherit the MP cache in multi-threaded mode (454701) - Don't initialize NSS in each child if SSL isn't configured * Wed Jul 2 2008 Rob Crittenden - 1.0.7-6 - Update the patch for FIPS to include fixes for nss_pcache, enforce the security policy and properly initialize the FIPS token. * Mon Jun 30 2008 Rob Crittenden - 1.0.7-5 - Include patch to fix NSSFIPS (446851) * Mon Apr 28 2008 Rob Crittenden - 1.0.7-4 - Apply patch so that mod_nss calls NSS_Init() after Apache forks a child and not before. This is in response to a change in the NSS softtokn code and should have always been done this way. (444348) - The location of libnssckbi moved from /usr/lib[64] to /lib[64] - The NSS database needs to be readable by apache since we need to use it after the root priviledges are dropped. * Tue Feb 19 2008 Fedora Release Engineering - 1.0.7-3 - Autorebuild for GCC 4.3 * Thu Oct 18 2007 Rob Crittenden 1.0.7-2 - Register functions needed by mod_proxy if mod_ssl is not loaded. * Fri Jun 1 2007 Rob Crittenden 1.0.7-1 - Update to 1.0.7 - Remove Requires for nss and nspr since those are handled automatically by versioned libraries - Updated URL and Source to reference directory.fedoraproject.org * Mon Apr 9 2007 Rob Crittenden 1.0.6-2 - Patch to properly detect the Apache model and set up NSS appropriately - Patch to punt if a bad password is encountered - Patch to fix crash when password.conf is malformatted - Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7) * Mon Oct 23 2006 Rob Crittenden 1.0.6-1 - Update to 1.0.6 * Fri Aug 04 2006 Rob Crittenden 1.0.3-4 - Include LogLevel warn in nss.conf and use separate log files * Fri Aug 04 2006 Rob Crittenden 1.0.3-3 - Need to initialize ECC certificate and key variables * Fri Aug 04 2006 Jarod Wilson 1.0.3-2 - Use %%ghost for db files and install.log * Tue Jun 20 2006 Rob Crittenden 1.0.3-1 - Initial build