# https://gcc.gnu.org/gcc-10/porting_to.html#common
%define _legacy_common_support 1
%define nss_version %(rpm -q nss --queryformat="%{VERSION}")
%define nssdir %{_sysconfdir}/pki/nss/apache-mod_nss
Summary: Provides SSL support using the NSS crypto libraries
Name: apache-mod_nss
Version: 1.0.18
Release: %mkrel 2
License: Apache License
Group: System/Servers
URL: https://fedorahosted.org/mod_nss/
Source0: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz
# Change configuration to not conflict with mod_ssl
Patch1: mod_nss-conf.patch
# Generate a password-less NSS database
Patch2: mod_nss-gencert.patch
Requires(pre): rpm-helper
Requires(postun): rpm-helper
Requires(pre): apache >= 2.2.0
Requires: openssl
Requires: apache >= 2.2.0
Requires: p11-kit-trust
BuildRequires: apache-devel >= 2.2.0
BuildRequires: automake
BuildRequires: pkgconfig(nspr)
BuildRequires: pkgconfig(nss)
BuildRequires: flex
# Needed for make check
BuildRequires: openssl
%description
An Apache 2.0 module for implementing crypto using the Mozilla NSS crypto
libraries. This supports SSLv3/TLSv1 including support for client certificate
authentication. NSS provides web applications with a FIPS 140 certified crypto
provider and support for a full range of PKCS11 devices.
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web
server that uses the Network Security Services (NSS) libraries. We started with
mod_ssl and replaced the OpenSSL calls with NSS calls.
The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was
originally derived from the Apache-SSL package developed by Ben Laurie. It is
licensed under the Apache 2.0 license.
%prep
%setup -q -n mod_nss-%{version}
%autopatch -p1
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
CFLAGS="%{optflags}"
APXS=%{_httpd_apxs}
export CFLAGS APXS
NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nss`
NSS_BIN=`%{_bindir}/pkg-config --variable=exec_prefix nss`
autoreconf -ivf
%configure \
--localstatedir=/var/lib \
--with-apr-config=%{_bindir}/apr-1-config \
--with-apxs=%{_bindir}/apxs \
--with-nspr-inc=`pkg-config --cflags nspr | sed 's/^\-I//'` \
--with-nspr-lib=%{_libdir} \
--with-nss-inc=`pkg-config --cflags nss | awk '{ print $1}' | sed 's/^\-I//'` \
--with-nss-lib=%{_libdir}
%make_build
%install
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_libdir}/httpd/modules
install -d %{buildroot}%{_httpd_modconfdir}
install -d %{buildroot}%{_httpd_confdir}/conf.d
install -d %{buildroot}%{nssdir}
install -d %{buildroot}%{_libexecdir}
sed -n /^LoadModule/p nss.conf > 10_mod_nss.conf
sed -i /^LoadModule/d nss.conf
install -m0644 *_mod_nss.conf %{buildroot}%{_httpd_modconfdir}
install -m0644 nss.conf %{buildroot}%{_httpd_confdir}/conf.d
install -m0755 .libs/libmodnss.so %{buildroot}%{_libdir}/httpd/modules/mod_nss.so
install -m0755 nss_pcache %{buildroot}%{_libexecdir}/
install -m0755 gencert %{buildroot}%{_sbindir}/gencert
ln -s ../../../%{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}%{nssdir}/libnssckbi.so
touch %{buildroot}%{nssdir}/secmod.db
touch %{buildroot}%{nssdir}/cert8.db
touch %{buildroot}%{nssdir}/key3.db
touch %{buildroot}%{nssdir}/install.log
cat > README.urpmi << EOF
NOTE: You may need to convert your existing ssl certs
These links provide a good how-to:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
http://directory.fedora.redhat.com/wiki/Mod_nss
EOF
%check
# This needs some love, not working right now.
# make check
%post
# Create an NSS database.
# This will create the 3 files that make up your database: cert8.db, key3.db and secmod.db. and the install.log
umask 077
if [ "$1" -eq 1 ] ; then
if [ ! -e %{nssdir}/key3.db ]; then
%{_sbindir}/gencert %{nssdir} > %{nssdir}/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
echo ""
fi
# Make sure that the database ownership is setup properly.
/bin/find %{nssdir} -user root -name "*.db" -exec /bin/chgrp apache {} \;
/bin/find %{nssdir} -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%_post_service httpd
%preun
%_preun_service httpd
%files
%doc LICENSE NOTICE README TODO migrate.pl docs/*.html README.urpmi
%dir %attr(0755,root,root)%{nssdir}
%config(noreplace) %{_httpd_confdir}/conf.d/nss.conf
%attr(0644,root,root) %config(noreplace)%{_httpd_modconfdir}/*_mod_nss.conf
%ghost %attr(0644,root,apache) %config(noreplace)%{nssdir}/secmod.db
%ghost %attr(0644,root,apache) %config(noreplace)%{nssdir}/cert8.db
%ghost %attr(0644,root,apache) %config(noreplace)%{nssdir}/key3.db
%ghost %config(noreplace) %{nssdir}/install.log
%{nssdir}/libnssckbi.so
%attr(0755,root,root) %{_libexecdir}/nss_pcache
%attr(0755,root,root) %{_sbindir}/gencert
%attr(0755,root,root) %{_libdir}//httpd/modules/mod_nss.so
%changelog
* Sat Mar 19 2022 umeabot <umeabot> 1.0.18-2.mga9
+ Revision: 1800013
- Mageia 9 Mass Rebuild
* Sat Jun 27 2020 joequant <joequant> 1.0.18-1.mga8
+ Revision: 1599654
- update to 1.0.18 / fix for gcc10
* Fri Jun 05 2020 daviddavid <daviddavid> 1.0.16-5.mga8
+ Revision: 1590534
- fix build with gcc 10 enabling _legacy_common_support
+ luigiwalser <luigiwalser>
- libnssckbi.so is now linked to p11-kit-trust.so (rhbz#1484449)
* Sun Feb 16 2020 umeabot <umeabot> 1.0.16-4.mga8
+ Revision: 1531652
- Mageia 8 Mass Rebuild
+ wally <wally>
- replace deprecated %%configure2_5x
* Sat Sep 14 2019 daviddavid <daviddavid> 1.0.16-3.mga8
+ Revision: 1440718
- remove unneeded python-nose BR
* Fri Sep 21 2018 umeabot <umeabot> 1.0.16-2.mga7
+ Revision: 1294427
- Mageia 7 Mass Rebuild
* Fri Mar 23 2018 kekepower <kekepower> 1.0.16-1.mga7
+ Revision: 1211472
- Update to version 1.0.16
* Tue Jun 28 2016 spuhler <spuhler> 1.0.14-3.mga6
+ Revision: 1037990
- reversed Rev 856719 and put nss-db back to
%%define nssdir %%{_sysconfdir}/pki/nss/apache-mod_nss
* this way, we will have our WEB certs in a defined place apart from the others
* this is the upstream way.
* Wed Apr 27 2016 spuhler <spuhler> 1.0.14-2.mga6
+ Revision: 1006993
- bump rel so it will update from mga5
* Wed Apr 27 2016 spuhler <spuhler> 1.0.14-1.mga6
+ Revision: 1006982
- used new patch from Fedora
- upgrade to vers. 1.0.14
* fixes security bug #18276, apache-mod_nss security issue CVE-2016-3099
+ oden <oden>
- update origin
* Wed Jan 06 2016 spuhler <spuhler> 1.0.12-2.mga6
+ Revision: 920048
- changed %%configure to %%configure2_5x to make it build
* Mon Nov 09 2015 spuhler <spuhler> 1.0.12-1.mga6
+ Revision: 900074
- synced the %%build section with Fedora to make it build
- upgrade to vers. 1.0.12
* This will fix security bug #17069
* Fri Jul 24 2015 spuhler <spuhler> 1.0.11-6.mga6
+ Revision: 856719
- moved nssdir to %%{_sysconfdir}/pki/nssdb
* this way we have the certs at one place
* Tue Jul 21 2015 spuhler <spuhler> 1.0.11-5.mga6
+ Revision: 855848
+ rebuild (emptylog)
* Mon Jul 20 2015 spuhler <spuhler> 1.0.11-4.mga6
+ Revision: 855820
- more cert location changes
* Mon Jul 20 2015 spuhler <spuhler> 1.0.11-3.mga6
+ Revision: 855724
-moved nss_pcache to %%{_libexecdir}
* Sun Jul 19 2015 spuhler <spuhler> 1.0.11-2.mga6
+ Revision: 855199
- corrected the 'mod_nss-conf.patch' (LoadModule .. modules/libmodnss.so to modules/mod_nss.so)
* Thu Jul 16 2015 spuhler <spuhler> 1.0.11-1.mga6
+ Revision: 854767
- upgrade to version 2.0.11
* updated patches from Fedora
* reloved obsolete patches
* added tests
* Wed Oct 15 2014 umeabot <umeabot> 1.0.8-28.mga5
+ Revision: 739861
- Second Mageia 5 Mass Rebuild
* Tue Sep 16 2014 umeabot <umeabot> 1.0.8-27.mga5
+ Revision: 677843
- Mageia 5 Mass Rebuild
* Thu Dec 05 2013 spuhler <spuhler> 1.0.8-26.mga4
+ Revision: 555267
- added patches # 20 -24
* Resolves: CVE-2013-4566, Bug # 11872
- [mod_nss-nssverifyclient.patch]
* CVE-2013-4566 mod_nss: incorrect handling of
NSSVerifyClient in directory context
* mod_nss does not respect `NSSVerifyClient` in Directory
- [mod_nss-usecases.patch]
- [DOC] making mod_nss work in FIPS mode (mharmsen)
* [mod_nss-SSLEngine-off.patch]
* Implicit SSLEngine for 443 port breaks mod_nss configuration
* [mod_nss-unused-filter_ctx.patch]
-Remove unused variable 'filter_ctx'
* [mod_nss-docs-fix.patch]
- mod_nss: documentation formatting fixes
* Wed Nov 20 2013 spuhler <spuhler> 1.0.8-25.mga4
+ Revision: 552013
- removed Requires: nss = 2:%%{nss_version}
* it's not required (by upstream)
* Mon Nov 18 2013 spuhler <spuhler> 1.0.8-24.mga4
+ Revision: 551818
- bumped rel for rebuild with new NSS
* Mon Oct 21 2013 umeabot <umeabot> 1.0.8-23.mga4
+ Revision: 538113
- Mageia 4 Mass Rebuild
* Sat Sep 28 2013 fwang <fwang> 1.0.8-22.mga4
+ Revision: 488490
- rebuild for new nss
* Sun Sep 08 2013 spuhler <spuhler> 1.0.8-20.mga4
+ Revision: 475835
- moved nss.conf to /etc/httpd/conf/conf.d so apache can find it.
- renamed libmodnss.so to mod_nss.so to be consistent with the oder mod names
- moved the certs to /etc/pki/nss/apache-mod_nss
* updated nss.conf accordingly
- changed permissions of the certs so apache can use them
* permission similar to those in nss
- changed gencert script on %%post in order to create the correct certs
- added patches 1- to 17 to fix a lot of bugs from upstream (Fedora/RHEL)
* patches taken from opensuse
- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems
- Add support for TLS v1.1 and TLS v1.2
(TLS v1.2 requires mozilla nss 3.15.1 or newer.)
* merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
from redhat to allow tls v1.1 too.
* ported the tls v1.1 patch to be tls v1.2 aware
update %%_post_service and %%_preun_service as per policy
* added mod_nss-proxyvariables.patch (from RHEL6 package)
* added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
-moved NSSCertificateDatabase to /etc/pki/nss/apache-mod_nss
* Sun Aug 25 2013 spuhler <spuhler> 1.0.8-19.mga4
+ Revision: 471509
- moved nss certs from {_sysconfdir}/httpd/alias to %%{_sysconfdir}/pki/nss/apache-mod_nss/nssdb
* we have the ssl cert in %%{_sysconfdir}/pki/ as well
- moved NSSCertificateDatabase to /etc/pki/nss/apache-mod_nss/nssdb
* this is where we have all the other certs
* Sat Jul 06 2013 spuhler <spuhler> 1.0.8-18.mga4
+ Revision: 450555
- bumped rel to rebuild against new nss
* Thu Jun 27 2013 fwang <fwang> 1.0.8-17.mga4
+ Revision: 447370
- rebuild for new nss
* Thu Jun 27 2013 fwang <fwang> 1.0.8-16.mga4
+ Revision: 447349
- rebuild for new nss
* Wed Feb 20 2013 fwang <fwang> 1.0.8-15.mga3
+ Revision: 399575
- rebuild for new nss
* Thu Feb 07 2013 spuhler <spuhler> 1.0.8-14.mga3
+ Revision: 395048
- rebuild agains new NSS
* Fri Jan 11 2013 umeabot <umeabot> 1.0.8-13.mga3
+ Revision: 345861
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild
* Mon Dec 24 2012 spuhler <spuhler> 1.0.8-12.mga3
+ Revision: 334462
- moved the cat file to the correct place
* Sun Dec 23 2012 spuhler <spuhler> 1.0.8-11.mga3
+ Revision: 334404
- rebuilt with nss-devel-3.14.1
- cleaned up spec
added the note about updating the installed open-ssl cert
* Thu Dec 06 2012 spuhler <spuhler> 1.0.8-9.mga3
+ Revision: 327100
- using %%_create_ssl_certificate_helper to creater cert
* Wed Dec 05 2012 spuhler <spuhler> 1.0.8-8.mga3
+ Revision: 326837
- Coordinated spec with fedora.
* Mon Nov 19 2012 spuhler <spuhler> 1.0.8-7.mga3
+ Revision: 319593
- moved the module to the same location as apache
bumbe rel
* Thu Nov 08 2012 spuhler <spuhler> 1.0.8-6.mga3
+ Revision: 316264
- renamed extramodules/mod_nss.so to modules/libmodnss.so
* Sun Nov 04 2012 spuhler <spuhler> 1.0.8-5.mga3
+ Revision: 313599
- changed /apache-extramodules/mod_nss.so
to /httpd/modules/libmodnss.so
where the config file says it is
bumped rel
+ oden <oden>
- fix double LoadModule statement
* Sun Oct 28 2012 spuhler <spuhler> 1.0.8-4.mga3
+ Revision: 310891
+ rebuild (emptylog)
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-3.mga3
+ Revision: 310864
- removed Requires: apache-conf
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-2.mga3
+ Revision: 310811
- removed the Requires: ksh
we don't provide it and nobody else requires it.
* Sat Oct 27 2012 spuhler <spuhler> 1.0.8-1.mga3
+ Revision: 310766
- Cleaned spec file
added apache-2.4 patch
- imported package apache-mod_nss
* Sat Feb 11 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-17mdv2012.0
+ Revision: 772694
- rebuild
* Tue May 24 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-16
+ Revision: 678364
- mass rebuild
* Sat May 21 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-15
+ Revision: 676780
- sync with mod_nss-1.0.8-14.fc16.src.rpm
* Mon Jan 03 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-14mdv2011.0
+ Revision: 627732
- don't force the usage of automake1.7
* Sun Oct 24 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-13mdv2011.0
+ Revision: 588039
- rebuild
* Thu Sep 02 2010 Funda Wang <fwang@mandriva.org> 1.0.8-12mdv2011.0
+ Revision: 575509
- rebuild for new nss
* Mon May 03 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-11mdv2010.1
+ Revision: 541760
- P3: add support for RFC 5746 (fedora)
* Mon Apr 05 2010 Funda Wang <fwang@mandriva.org> 1.0.8-10mdv2010.1
+ Revision: 531599
- rebuild for new nss
* Mon Mar 08 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-9mdv2010.1
+ Revision: 516156
- rebuilt for apache-2.2.15
* Thu Dec 24 2009 Funda Wang <fwang@mandriva.org> 1.0.8-8mdv2010.1
+ Revision: 481953
- rebuild for new nss
* Sun Nov 08 2009 Funda Wang <fwang@mandriva.org> 1.0.8-7mdv2010.1
+ Revision: 462779
- rebuild
* Wed Aug 05 2009 Funda Wang <fwang@mandriva.org> 1.0.8-6mdv2010.0
+ Revision: 410270
- rebuild for new nss
* Sat Aug 01 2009 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-5mdv2010.0
+ Revision: 406627
- rebuild
* Thu Jun 04 2009 Funda Wang <fwang@mandriva.org> 1.0.8-4mdv2010.0
+ Revision: 382610
- rebuild for new nss
* Sat Mar 07 2009 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-3mdv2009.1
+ Revision: 351710
- sync with mod_nss-1.0.8-1.fc11
* Tue Jan 06 2009 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-2mdv2009.1
+ Revision: 326214
- rebuild
* Fri Aug 08 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-1mdv2009.0
+ Revision: 268091
- 1.0.8
- drop the proxy patch, it's in there
* Mon Jul 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-8mdv2009.0
+ Revision: 235064
- rebuild
* Thu Jun 05 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-7mdv2009.0
+ Revision: 215615
- fix rebuild
- hard code %%{_localstatedir}/lib to ease backports
* Tue Mar 11 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-6mdv2008.1
+ Revision: 185278
- added a patch from fedora (mod_nss-1.0.7-3.fc9.src.rpm)
* Sun Mar 09 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-5mdv2008.1
+ Revision: 182829
- rebuild
* Thu Feb 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-4mdv2008.1
+ Revision: 168009
- rebuilt against new nss libs
+ Olivier Blin <blino@mandriva.org>
- restore BuildRoot
+ Thierry Vignaud <tv@mandriva.org>
- kill re-definition of %%buildroot on Pixel's request
* Sat Sep 08 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-3mdv2008.0
+ Revision: 82642
- rebuild
* Wed Jul 25 2007 Funda Wang <fwang@mandriva.org> 1.0.7-2mdv2008.0
+ Revision: 55143
- Rebuild against new nss
* Sun Jul 15 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-1mdv2008.0
+ Revision: 52261
- 1.0.7
* Sat Mar 10 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-3mdv2007.1
+ Revision: 140565
- rebuild
* Fri Feb 09 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-2mdv2007.1
+ Revision: 118485
- fix deps
* Fri Jan 12 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-1mdv2007.1
+ Revision: 107934
- 1.0.6
* Thu Nov 09 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.3-1mdv2007.1
+ Revision: 79469
- Import apache-mod_nss
* Fri Jun 23 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.3-1mdv2007.0
- 1.0.3
- fix deps
- rediffed P1
* Fri Apr 28 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.2-1mdk
- 1.0.2
- drop upstream patches; P0,P2
* Sat Apr 22 2006 Emmanuel Blindauer <blindauer@mandriva.org> 1.0-4mdk
- Fix BuildRequires
* Tue Jan 17 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0-3mdk
- rebuilt against new nss libs
* Tue Dec 20 2005 Oden Eriksson <oeriksson@mandriva.com> 1.0-2mdk
- rebuilt against apache-2.2.0 (P2)
* Fri Dec 02 2005 Oden Eriksson <oeriksson@mandriva.com> 1.0-1mdk
- initial Mandriva package (first draft...)
- fix autofoo, config and gencert (P0,P1)
- used tiny parts from the provided spec file
