%define nss_version %(rpm -q nss --queryformat="%{VERSION}")
%define nssdir %{_sysconfdir}/pki/nss/apache-mod_nss
Summary: Provides SSL support using the NSS crypto libraries
Name: apache-mod_nss
Version: 1.0.8
%define subrel 3
Release: %mkrel 16
License: Apache License
Group: System/Servers
URL: http://directory.fedora.redhat.com/wiki/Mod_nss
Source0: http://directory.fedora.redhat.com/sources/mod_nss-%{version}.tar.gz
Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
Patch8: mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9: mod_nss-httpd24.patch
Patch10: mod_nss-proxyvariables.patch
Patch11: mod_nss-tlsv1_1.patch
Patch12: mod_nss-array_overrun.patch
Patch13: mod_nss-clientauth.patch
Patch14: mod_nss-no_shutdown_if_not_init_2.patch
Patch15: mod_nss-PK11_ListCerts_2.patch
Patch16: mod_nss-sslmultiproxy.patch
Patch17: mod_nss-overlapping_memcpy.patch
Requires(pre): rpm-helper
Requires(postun): rpm-helper
Requires(pre): apache >= 2.2.0
## Nobody else requires this at the moment
#Requires: ksh
Requires: openssl
Requires: apache >= 2.2.0
BuildRequires: apache-devel >= 2.2.0
BuildRequires: automake
BuildRequires: nspr-devel >= 2:4.8.4
BuildRequires: nss-devel >= 2:3.12.6
BuildRequires: pkgconfig
BuildRequires: flex
Conflicts: apache-mod_ssl
%description
An Apache 2.0 module for implementing crypto using the Mozilla NSS crypto
libraries. This supports SSLv3/TLSv1 including support for client certificate
authentication. NSS provides web applications with a FIPS 140 certified crypto
provider and support for a full range of PKCS11 devices.
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web
server that uses the Network Security Services (NSS) libraries. We started with
mod_ssl and replaced the OpenSSL calls with NSS calls.
The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was
originally derived from the Apache-SSL package developed by Ben Laurie. It is
licensed under the Apache 2.0 license.
%prep
%setup -q -n mod_nss-%{version}
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
%patch4 -p1 -b .negotiate
%patch5 -p1 -b .reverseproxy
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
%patch8 -p1 -b .lockpcache
%patch10 -p1 -b .proxyvariables
%patch11 -p1 -b .tlsv1_1
%patch12 -p1 -b .array_overrun
%patch13 -p1 -b .clientauth.patch
%patch14 -p1 -b .no_shutdown_if_not_init_2
%patch15 -p1 -b .PK11_ListCerts_2
%patch16 -p1 -b .sslmultiproxy
%patch17 -p1 -b .overlapping_memcpy
%patch9 -p1 -b .mod_nss-httpd24
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
export WANT_AUTOCONF_2_5="1"
rm -rf autom*cache configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
CFLAGS="$RPM_OPT_FLAGS"
APXS=%{_httpd_apxs}
export CFLAGS APXS
NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nss`
NSS_BIN=`%{_bindir}/pkg-config --variable=exec_prefix nss`
%configure2_5x \
--localstatedir=/var/lib \
--with-apr-config=%{_bindir}/apr-1-config \
--with-apxs=%{_bindir}/apxs \
--with-nspr-inc=`pkg-config --cflags nspr | sed 's/^\-I//'` \
--with-nspr-lib=%{_libdir} \
--with-nss-inc=`pkg-config --cflags nss | awk '{ print $1}' | sed 's/^\-I//'` \
--with-nss-lib=%{_libdir}
%make
%install
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_libdir}/httpd/modules
install -d %{buildroot}%{_httpd_modconfdir}
install -d %{buildroot}%{_httpd_confdir}/conf.d
install -d %{buildroot}%nssdir
sed -n /^LoadModule/p nss.conf > 10_mod_nss.conf
sed -i /^LoadModule/d nss.conf
install -m0644 *_mod_nss.conf %{buildroot}%{_httpd_modconfdir}
install -m0644 nss.conf %{buildroot}%{_httpd_confdir}/conf.d
install -m0755 .libs/libmodnss.so %{buildroot}%{_libdir}/httpd/modules/mod_nss.so
install -m0755 nss_pcache %{buildroot}%{_sbindir}/
install -m0755 gencert %{buildroot}%{_sbindir}/gencert
ln -s ../../../%{_libdir}/libnssckbi.so %{buildroot}%nssdir
touch %{buildroot}%nssdir/secmod.db
touch %{buildroot}%nssdir/cert8.db
touch %{buildroot}%nssdir/key3.db
touch %{buildroot}%nssdir/install.log
cat > README.urpmi << EOF
NOTE: You may need to convert your existing ssl certs
These links provide a good how-to:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
http://directory.fedora.redhat.com/wiki/Mod_nss
EOF
%post
# Create an NSS database.
# This will create the 3 files that make up your database: cert8.db, key3.db and secmod.db. and the install.log
umask 077
if [ ! -e %nssdir/key3.db ]; then
%{_sbindir}/gencert %nssdir > %nssdir/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
echo ""
# Make sure that the database ownership is setup properly.
/bin/find %nssdir -user root -name "*.db" -exec /bin/chgrp apache {} \;
/bin/find %nssdir -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%_post_service httpd
%preun
%_preun_service httpd
%files
%doc LICENSE NOTICE README TODO migrate.pl docs/*.html README.urpmi
%dir %attr(0755,root,root)%{nssdir}
%config(noreplace) %{_httpd_confdir}/conf.d/nss.conf
%attr(0644,root,root) %config(noreplace)%{_httpd_modconfdir}/*_mod_nss.conf
%ghost %attr(0644,root,apache) %config(noreplace)%nssdir/secmod.db
%ghost %attr(0644,root,apache) %config(noreplace)%nssdir/cert8.db
%ghost %attr(0644,root,apache) %config(noreplace)%nssdir/key3.db
%ghost %config(noreplace) %nssdir/install.log
%nssdir/libnssckbi.so
%attr(0755,root,root) %{_sbindir}/nss_pcache
%attr(0755,root,root) %{_sbindir}/gencert
%attr(0755,root,root) %{_libdir}//httpd/modules/mod_nss.so
%changelog
* Wed Nov 20 2013 spuhler <spuhler> 1.0.8-16.3.mga3
+ Revision: 552012
- removed Requires: nss = 2:%%{nss_version}
* it's not required (by upstream)
- bumped rel for rebuild with new NSS
- generation of certs based on if they already exist (or not) in /etc/pki/nss/apache-mod_nss/
* This should be safe in any case.h
* Before, was based on if this is a new installation or not, so when upgrading it wasn't created
* If the certs already exists in a different location, they could be moved.
- changed patch not to use TLSv.1.2 because our NSS doesn't have it.
- moved nss.conf to /etc/httpd/conf/conf.d so apache can find it.
- renamed libmodnss.so to mod_nss.so to be consistent with the oder mod names
- moved the certs to /etc/pki/nss/apache-mod_nss
* updated nss.conf accordingly
- changed permissions of the certs so apache can use them
* permission similar to those in nss
- changed gencert script on %%post in order to create the correct certs
- added patches 1- to 17 to fix a lot of bugs from upstream (Fedora/RHEL)
* patches taken from opensuse
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems
- Add support for TLS v1.1 and TLS v1.2
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
* merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
from redhat to allow tls v1.1 too.
* ported the tls v1.1 patch to be tls v1.2 aware
update %%_post_service and %%_preun_service as per policy
* added mod_nss-proxyvariables.patch (from RHEL6 package)
* added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
made a %%define for the nssdir to make it easy to change it
-moved NSSCertificateDatabase to /etc/pki/nss/apache-mod_nss
* Wed Feb 20 2013 fwang <fwang> 1.0.8-15.mga3
+ Revision: 399575
- rebuild for new nss
* Thu Feb 07 2013 spuhler <spuhler> 1.0.8-14.mga3
+ Revision: 395048
- rebuild agains new NSS
* Fri Jan 11 2013 umeabot <umeabot> 1.0.8-13.mga3
+ Revision: 345861
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild
* Mon Dec 24 2012 spuhler <spuhler> 1.0.8-12.mga3
+ Revision: 334462
- moved the cat file to the correct place
* Sun Dec 23 2012 spuhler <spuhler> 1.0.8-11.mga3
+ Revision: 334404
- rebuilt with nss-devel-3.14.1
- cleaned up spec
added the note about updating the installed open-ssl cert
* Thu Dec 06 2012 spuhler <spuhler> 1.0.8-9.mga3
+ Revision: 327100
- using %%_create_ssl_certificate_helper to creater cert
* Wed Dec 05 2012 spuhler <spuhler> 1.0.8-8.mga3
+ Revision: 326837
- Coordinated spec with fedora.
* Mon Nov 19 2012 spuhler <spuhler> 1.0.8-7.mga3
+ Revision: 319593
- moved the module to the same location as apache
bumbe rel
* Thu Nov 08 2012 spuhler <spuhler> 1.0.8-6.mga3
+ Revision: 316264
- renamed extramodules/mod_nss.so to modules/libmodnss.so
* Sun Nov 04 2012 spuhler <spuhler> 1.0.8-5.mga3
+ Revision: 313599
- changed /apache-extramodules/mod_nss.so
to /httpd/modules/libmodnss.so
where the config file says it is
bumped rel
+ oden <oden>
- fix double LoadModule statement
* Sun Oct 28 2012 spuhler <spuhler> 1.0.8-4.mga3
+ Revision: 310891
+ rebuild (emptylog)
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-3.mga3
+ Revision: 310864
- removed Requires: apache-conf
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-2.mga3
+ Revision: 310811
- removed the Requires: ksh
we don't provide it and nobody else requires it.
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-1.mga3
+ Revision: 310766
- Cleaned spec file
added apache-2.4 patch
- imported package apache-mod_nss
