%define nss_version %(rpm -q nss --queryformat="%{VERSION}")
%define nssdir %{_sysconfdir}/pki/nss/apache-mod_nss

Summary:          Provides SSL support using the NSS crypto libraries
Name:             apache-mod_nss
Version:          1.0.14
Release:          %mkrel 3
License:          Apache License
Group:            System/Servers
URL:              https://fedorahosted.org/mod_nss/
Source0:          https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
Requires(pre):    rpm-helper
Requires(postun): rpm-helper
Requires(pre):    apache >= 2.2.0
## Nobody else requires this at the moment
#Requires:        ksh
Requires:         openssl
Requires:         apache >= 2.2.0
BuildRequires:    apache-devel >= 2.2.0
BuildRequires:    automake
BuildRequires:    nspr-devel >= 2:4.8.4
BuildRequires:    nss-devel >= 2:3.12.6
BuildRequires:    pkgconfig
BuildRequires:    flex
# Needed for make check
BuildRequires:    openssl
BuildRequires:    python-nose
# Change configuration to not conflict with mod_ssl
Patch1:           mod_nss-conf.patch
# Generate a password-less NSS database
Patch2:           mod_nss-gencert.patch

%description
An Apache 2.0 module for implementing crypto using the Mozilla NSS crypto
libraries. This supports SSLv3/TLSv1 including support for client certificate
authentication. NSS provides web applications with a FIPS 140 certified crypto
provider and support for a full range of PKCS11 devices.

mod_nss is an SSL provider derived from the mod_ssl module for the Apache web
server that uses the Network Security Services (NSS) libraries. We started with
mod_ssl and replaced the OpenSSL calls with NSS calls. The mod_ssl package was
created in April 1998 by Ralf S. Engelschall and was originally derived from
the Apache-SSL package developed by Ben Laurie. It is licensed under the
Apache 2.0 license.

%prep
%setup -q -n mod_nss-%{version}
%autopatch -p1

# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

%build
CFLAGS="$RPM_OPT_FLAGS"
APXS=%{_httpd_apxs}
export CFLAGS APXS

NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nss`
NSS_BIN=`%{_bindir}/pkg-config --variable=exec_prefix nss`

autoreconf -ivf
%configure2_5x \
    --localstatedir=/var/lib \
    --with-apr-config=%{_bindir}/apr-1-config \
    --with-apxs=%{_bindir}/apxs \
    --with-nspr-inc=`pkg-config --cflags nspr | sed 's/^\-I//'` \
    --with-nspr-lib=%{_libdir} \
    --with-nss-inc=`pkg-config --cflags nss | awk '{ print $1}' | sed 's/^\-I//'` \
    --with-nss-lib=%{_libdir}

%make

%install
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_libdir}/httpd/modules
install -d %{buildroot}%{_httpd_modconfdir}
install -d %{buildroot}%{_httpd_confdir}/conf.d
install -d %{buildroot}%nssdir
install -d %{buildroot}%{_libexecdir}

sed -n /^LoadModule/p nss.conf > 10_mod_nss.conf
sed -i /^LoadModule/d nss.conf

install -m0644 *_mod_nss.conf %{buildroot}%{_httpd_modconfdir}
install -m0644 nss.conf %{buildroot}%{_httpd_confdir}/conf.d
install -m0755 .libs/libmodnss.so %{buildroot}%{_libdir}/httpd/modules/mod_nss.so
install -m0755 nss_pcache %{buildroot}%{_libexecdir}/
install -m0755 gencert %{buildroot}%{_sbindir}/gencert

ln -s ../../../%{_libdir}/libnssckbi.so %{buildroot}%nssdir

touch %{buildroot}%nssdir/secmod.db
touch %{buildroot}%nssdir/cert8.db
touch %{buildroot}%nssdir/key3.db
touch %{buildroot}%nssdir/install.log

cat > README.urpmi << EOF
NOTE: You may need to convert your existing ssl certs
These links provide a good how-to:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
http://directory.fedora.redhat.com/wiki/Mod_nss
EOF

%check
# This needs some love, not working right now.
# make check

%post
# Create an NSS database.
# This will create the 3 files that make up your database: cert8.db, key3.db
# and secmod.db, plus the install.log
umask 077
if [ "$1" -eq 1 ] ; then
    if [ ! -e %nssdir/key3.db ]; then
        %{_sbindir}/gencert %nssdir > %nssdir/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is set up properly.
    /bin/find %nssdir -user root -name "*.db" -exec /bin/chgrp apache {} \;
    /bin/find %nssdir -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%_post_service httpd

%preun
%_preun_service httpd

%files
%doc LICENSE NOTICE README TODO migrate.pl docs/*.html README.urpmi
%dir %attr(0755,root,root) %{nssdir}
%config(noreplace) %{_httpd_confdir}/conf.d/nss.conf
%attr(0644,root,root) %config(noreplace) %{_httpd_modconfdir}/*_mod_nss.conf
# The post scriptlet creates the databases under umask 077 and adds only group
# read for apache (0640); the 0644 recorded for the ghost entries below is
# wider than that. key3.db holds the private key of the password-less
# database (Patch2).
%ghost %attr(0644,root,apache) %config(noreplace) %nssdir/secmod.db
%ghost %attr(0644,root,apache) %config(noreplace) %nssdir/cert8.db
%ghost %attr(0644,root,apache) %config(noreplace) %nssdir/key3.db
%ghost %config(noreplace) %nssdir/install.log
%nssdir/libnssckbi.so
%attr(0755,root,root) %{_libexecdir}/nss_pcache
%attr(0755,root,root) %{_sbindir}/gencert
%attr(0755,root,root) %{_libdir}/httpd/modules/mod_nss.so

%changelog
* Tue Jun 28 2016 spuhler <spuhler> 1.0.14-3.mga6
+ Revision: 1037990
- reversed Rev 856719 and put nss-db back to
  %%define nssdir %%{_sysconfdir}/pki/nss/apache-mod_nss
  * this way, we will have our WEB certs in a defined place apart from the others
  * this is the upstream way.

* Wed Apr 27 2016 spuhler <spuhler> 1.0.14-2.mga6
+ Revision: 1006993
- bump rel so it will update from mga5

* Wed Apr 27 2016 spuhler <spuhler> 1.0.14-1.mga6
+ Revision: 1006982
- used new patch from Fedora
- upgrade to vers. 1.0.14
  * fixes security bug #18276, apache-mod_nss security issue CVE-2016-3099

  + oden <oden>
    - update origin

* Wed Jan 06 2016 spuhler <spuhler> 1.0.12-2.mga6
+ Revision: 920048
- changed %%configure to %%configure2_5x to make it build

* Mon Nov 09 2015 spuhler <spuhler> 1.0.12-1.mga6
+ Revision: 900074
- synced the %%build section with Fedora to make it build
- upgrade to vers. 1.0.12
  * This will fix security bug #17069

* Fri Jul 24 2015 spuhler <spuhler> 1.0.11-6.mga6
+ Revision: 856719
- moved nssdir to %%{_sysconfdir}/pki/nssdb
  * this way we have the certs at one place

* Tue Jul 21 2015 spuhler <spuhler> 1.0.11-5.mga6
+ Revision: 855848
+ rebuild (emptylog)

* Mon Jul 20 2015 spuhler <spuhler> 1.0.11-4.mga6
+ Revision: 855820
- more cert location changes

* Mon Jul 20 2015 spuhler <spuhler> 1.0.11-3.mga6
+ Revision: 855724
- moved nss_pcache to %%{_libexecdir}

* Sun Jul 19 2015 spuhler <spuhler> 1.0.11-2.mga6
+ Revision: 855199
- corrected the 'mod_nss-conf.patch' (LoadModule .. modules/libmodnss.so to modules/mod_nss.so)

* Thu Jul 16 2015 spuhler <spuhler> 1.0.11-1.mga6
+ Revision: 854767
- upgrade to version 2.0.11
  * updated patches from Fedora
  * removed obsolete patches
  * added tests

* Wed Oct 15 2014 umeabot <umeabot> 1.0.8-28.mga5
+ Revision: 739861
- Second Mageia 5 Mass Rebuild

* Tue Sep 16 2014 umeabot <umeabot> 1.0.8-27.mga5
+ Revision: 677843
- Mageia 5 Mass Rebuild

* Thu Dec 05 2013 spuhler <spuhler> 1.0.8-26.mga4
+ Revision: 555267
- added patches # 20 -24
  * Resolves: CVE-2013-4566, Bug # 11872
- [mod_nss-nssverifyclient.patch]
  * CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
  * mod_nss does not respect `NSSVerifyClient` in Directory
- [mod_nss-usecases.patch]
- [DOC] making mod_nss work in FIPS mode (mharmsen)
  * [mod_nss-SSLEngine-off.patch]
  * Implicit SSLEngine for 443 port breaks mod_nss configuration
  * [mod_nss-unused-filter_ctx.patch]
- Remove unused variable 'filter_ctx'
  * [mod_nss-docs-fix.patch]
- mod_nss: documentation formatting fixes

* Wed Nov 20 2013 spuhler <spuhler> 1.0.8-25.mga4
+ Revision: 552013
- removed Requires: nss = 2:%%{nss_version}
  * it's not required (by upstream)

* Mon Nov 18 2013 spuhler <spuhler> 1.0.8-24.mga4
+ Revision: 551818
- bumped rel for rebuild with new NSS

* Mon Oct 21 2013 umeabot <umeabot> 1.0.8-23.mga4
+ Revision: 538113
- Mageia 4 Mass Rebuild

* Sat Sep 28 2013 fwang <fwang> 1.0.8-22.mga4
+ Revision: 488490
- rebuild for new nss

* Sun Sep 08 2013 spuhler <spuhler> 1.0.8-20.mga4
+ Revision: 475835
- moved nss.conf to /etc/httpd/conf/conf.d so apache can find it.
- renamed libmodnss.so to mod_nss.so to be consistent with the other mod names
- moved the certs to /etc/pki/nss/apache-mod_nss
  * updated nss.conf accordingly
- changed permissions of the certs so apache can use them
  * permission similar to those in nss
- changed gencert script on %%post in order to create the correct certs
- added patches 1- to 17 to fix a lot of bugs from upstream (Fedora/RHEL)
  * patches taken from opensuse
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems
- Add support for TLS v1.1 and TLS v1.2 (TLS v1.2 requires mozilla nss 3.15.1 or newer.)
  * merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch from redhat to allow tls v1.1 too.
  * ported the tls v1.1 patch to be tls v1.2 aware
    update %%_post_service and %%_preun_service as per policy
  * added mod_nss-proxyvariables.patch (from RHEL6 package)
  * added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
- moved NSSCertificateDatabase to /etc/pki/nss/apache-mod_nss

* Sun Aug 25 2013 spuhler <spuhler> 1.0.8-19.mga4
+ Revision: 471509
- moved nss certs from {_sysconfdir}/httpd/alias to %%{_sysconfdir}/pki/nss/apache-mod_nss/nssdb
  * we have the ssl cert in %%{_sysconfdir}/pki/ as well
- moved NSSCertificateDatabase to /etc/pki/nss/apache-mod_nss/nssdb
  * this is where we have all the other certs

* Sat Jul 06 2013 spuhler <spuhler> 1.0.8-18.mga4
+ Revision: 450555
- bumped rel to rebuild against new nss

* Thu Jun 27 2013 fwang <fwang> 1.0.8-17.mga4
+ Revision: 447370
- rebuild for new nss

* Thu Jun 27 2013 fwang <fwang> 1.0.8-16.mga4
+ Revision: 447349
- rebuild for new nss

* Wed Feb 20 2013 fwang <fwang> 1.0.8-15.mga3
+ Revision: 399575
- rebuild for new nss

* Thu Feb 07 2013 spuhler <spuhler> 1.0.8-14.mga3
+ Revision: 395048
- rebuild against new NSS

* Fri Jan 11 2013 umeabot <umeabot> 1.0.8-13.mga3
+ Revision: 345861
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Mon Dec 24 2012 spuhler <spuhler> 1.0.8-12.mga3
+ Revision: 334462
- moved the cat file to the correct place

* Sun Dec 23 2012 spuhler <spuhler> 1.0.8-11.mga3
+ Revision: 334404
- rebuilt with nss-devel-3.14.1
- cleaned up spec
  added the note about updating the installed open-ssl cert

* Thu Dec 06 2012 spuhler <spuhler> 1.0.8-9.mga3
+ Revision: 327100
- using %%_create_ssl_certificate_helper to create cert

* Wed Dec 05 2012 spuhler <spuhler> 1.0.8-8.mga3
+ Revision: 326837
- Coordinated spec with fedora.

* Mon Nov 19 2012 spuhler <spuhler> 1.0.8-7.mga3
+ Revision: 319593
- moved the module to the same location as apache
  bump rel

* Thu Nov 08 2012 spuhler <spuhler> 1.0.8-6.mga3
+ Revision: 316264
- renamed extramodules/mod_nss.so to modules/libmodnss.so

* Sun Nov 04 2012 spuhler <spuhler> 1.0.8-5.mga3
+ Revision: 313599
- changed /apache-extramodules/mod_nss.so to /httpd/modules/libmodnss.so where the config file says it is
  bumped rel

  + oden <oden>
    - fix double LoadModule statement

* Sun Oct 28 2012 spuhler <spuhler> 1.0.8-4.mga3
+ Revision: 310891
+ rebuild (emptylog)

* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-3.mga3
+ Revision: 310864
- removed Requires: apache-conf

* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-2.mga3
+ Revision: 310811
- removed the Requires: ksh
  we don't provide it and nobody else requires it.

* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-1.mga3
+ Revision: 310766
- Cleaned spec file
  added apache-2.4 patch
- imported package apache-mod_nss