%define nss_version 3.12 %define nssdir %{_sysconfdir}/pki/nss/apache-mod_nss Summary: Provides SSL support using the NSS crypto libraries Name: apache-mod_nss Version: 1.0.8 Release: %mkrel 1 License: Apache License Group: System/Servers URL: http://directory.fedora.redhat.com/wiki/Mod_nss Source0: http://directory.fedora.redhat.com/sources/mod_nss-%{version}.tar.gz Patch1: mod_nss-1.0.3-gencert_fix.diff Requires(pre): rpm-helper Requires(postun): rpm-helper Requires(pre): apache-conf >= 2.2.0 Requires(pre): apache >= 2.2.0 Requires: nss = 2:%{nss_version} Requires: ksh Requires: openssl Requires: apache-conf >= 2.2.0 Requires: apache >= 2.2.0 BuildRequires: apache-devel >= 2.2.0 BuildRequires: automake1.7 BuildRequires: libnspr-devel >= 2:4.6.5 BuildRequires: libnss-devel >= 2:%{nss_version} BuildRequires: pkgconfig BuildRequires: flex Conflicts: apache-mod_ssl apache-mod_ssl+distcache BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot %description An Apache 2.0 module for implementing crypto using the Mozilla NSS crypto libraries. This supports SSLv3/TLSv1 including support for client certificate authentication. NSS provides web applications with a FIPS 140 certified crypto provider and support for a full range of PKCS11 devices. mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls. The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It is licensed under the Apache 2.0 license. %prep %setup -q -n mod_nss-%{version} %patch1 -p0 %build export WANT_AUTOCONF_2_5="1" rm -rf autom*cache configure libtoolize --copy --force; aclocal-1.7; autoconf; automake-1.7 --foreign --add-missing --copy if [ -x %{_bindir}/apr-config ]; then APR=%{_bindir}/apr-config; fi if [ -x %{_bindir}/apr-1-config ]; then APR=%{_bindir}/apr-1-config; fi export CPPFLAGS=`$APR --cppflags` %configure2_5x --localstatedir=/var/lib \ --with-apr-config=$APR \ --with-apxs=%{_sbindir}/apxs \ --with-nspr-inc=`pkg-config --cflags nspr | sed 's/^\-I//'` \ --with-nspr-lib=%{_libdir} \ --with-nss-inc=`pkg-config --cflags nss | awk '{ print $1}' | sed 's/^\-I//'` \ --with-nss-lib=%{_libdir} %make %install rm -rf %{buildroot} install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_libdir}/apache-extramodules install -d %{buildroot}%{nssdir} install -d %{buildroot}%{_sysconfdir}/httpd/modules.d install -m0755 .libs/libmodnss.so %{buildroot}%{_libdir}/apache-extramodules/mod_nss.so install -m0755 nss_pcache %{buildroot}%{_sbindir}/ install -m0755 gencert %{buildroot}%{_sbindir}/nss_gencert cat > 40_mod_nss.conf << EOF <IfDefine HAVE_NSS> <IfModule !mod_nss.c> LoadModule nss_module extramodules/mod_nss.so </IfModule> </IfDefine> EOF # fix the bundled conf cp nss.conf.in nss.conf.tmp perl -pi -e "s|\@apache_bin\@|%{_sbindir}|g" nss.conf.tmp perl -pi -e "s|\@apache_prefix\@/htdocs|/var/www/html|g" nss.conf.tmp perl -pi -e "s|\@apache_prefix\@/logs|logs|g" nss.conf.tmp perl -pi -e "s|\@apache_conf\@|%{nssdir}|g" nss.conf.tmp perl -pi -e "s|\@apache_prefix\@/cgi-bin|/var/www/cgi-bin|g" nss.conf.tmp # user has to fix this... perl -pi -e "s|^#NSSOCSP off|#NSSOCSP off\n\nNSSEnforceValidCerts off\n|g" nss.conf.tmp cat nss.conf.tmp >> 40_mod_nss.conf install -m0644 40_mod_nss.conf %{buildroot}%{_sysconfdir}/httpd/modules.d/ %post # http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html # http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html # http://directory.fedora.redhat.com/wiki/Mod_nss # the following stuff is partly taken from the migrate.pl script and is not the slightest fool proof in any way... # TODO: figure out how to make this accept a ASCII password file for rpm install automation, currently it # prompts for a password which is not so nice. # Create an NSS database. You just need to specify the database directory, not a specific file. # This will create the 3 files that make up your database: cert8.db, key3.db and secmod.db. if ! [ -f %{nssdir}/cert8.db -o -f %{nssdir}/key3.db -o -f %{nssdir}/secmod.db ]; then echo "Creating NSS certificate database." certutil -N -d %{nssdir} fi # Convert the OpenSSL key and certificate into a PKCS#12 file if [ -f %{_sysconfdir}/ssl/apache/server.crt -o -f %{_sysconfdir}/ssl/apache/server.key ]; then subject=`openssl x509 -subject < %{_sysconfdir}/ssl/apache/server.crt | head -1 | perl -pi -e 's/subject= \///;s/\//,/g;s/Email=.*(,){0,1}//;s/,$//;g'` echo "Importing certificate $subject as \"Server-Cert\"." openssl pkcs12 -export -in %{_sysconfdir}/ssl/apache/server.crt -inkey %{_sysconfdir}/ssl/apache/server.key \ -out %{nssdir}/server.p12 -name "Server-Cert" -passout pass:foo # Load the PKCS #12 file into your NSS database. pk12util -i %{nssdir}/server.p12 -d %{nssdir} -W foo else %{_sbindir}/nss_gencert %{nssdir} fi if [ -f %{_var}/lock/subsys/httpd ]; then %{_initrddir}/httpd restart 1>&2; fi %postun if [ "$1" = "0" ]; then if [ -f %{_var}/lock/subsys/httpd ]; then %{_initrddir}/httpd restart 1>&2 fi fi %clean rm -rf %{buildroot} %files %defattr(-,root,root) %doc LICENSE NOTICE README TODO migrate.pl docs/*.html %dir %attr(0750,root,root) %{nssdir} %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/modules.d/*_mod_nss.conf %attr(0755,root,root) %{_sbindir}/nss_pcache %attr(0755,root,root) %{_sbindir}/nss_gencert %attr(0755,root,root) %{_libdir}/apache-extramodules/mod_nss.so %changelog * Fri Aug 08 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.8-1mdv2009.0 + Revision: 268091 - 1.0.8 - drop the proxy patch, it's in there * Mon Jul 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-8mdv2009.0 + Revision: 235064 - rebuild * Thu Jun 05 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-7mdv2009.0 + Revision: 215615 - fix rebuild - hard code %%{_localstatedir}/lib to ease backports * Tue Mar 11 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-6mdv2008.1 + Revision: 185278 - added a patch from fedora (mod_nss-1.0.7-3.fc9.src.rpm) * Sun Mar 09 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-5mdv2008.1 + Revision: 182829 - rebuild * Thu Feb 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-4mdv2008.1 + Revision: 168009 - rebuilt against new nss libs + Olivier Blin <oblin@mandriva.com> - restore BuildRoot + Thierry Vignaud <tvignaud@mandriva.com> - kill re-definition of %%buildroot on Pixel's request * Sat Sep 08 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-3mdv2008.0 + Revision: 82642 - rebuild * Wed Jul 25 2007 Funda Wang <fundawang@mandriva.org> 1.0.7-2mdv2008.0 + Revision: 55143 - Rebuild against new nss * Sun Jul 15 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.7-1mdv2008.0 + Revision: 52261 - 1.0.7 * Sat Mar 10 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-3mdv2007.1 + Revision: 140565 - rebuild * Fri Feb 09 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-2mdv2007.1 + Revision: 118485 - fix deps * Fri Jan 12 2007 Oden Eriksson <oeriksson@mandriva.com> 1.0.6-1mdv2007.1 + Revision: 107934 - 1.0.6 * Thu Nov 09 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.3-1mdv2007.1 + Revision: 79469 - Import apache-mod_nss * Fri Jun 23 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.3-1mdv2007.0 - 1.0.3 - fix deps - rediffed P1 * Fri Apr 28 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0.2-1mdk - 1.0.2 - drop upstream patches; P0,P2 * Sat Apr 22 2006 Emmanuel Blindauer <blindauer@mandriva.org> 1.0-4mdk - Fix BuildRequires * Tue Jan 17 2006 Oden Eriksson <oeriksson@mandriva.com> 1.0-3mdk - rebuilt against new nss libs * Tue Dec 20 2005 Oden Eriksson <oeriksson@mandriva.com> 1.0-2mdk - rebuilt against apache-2.2.0 (P2) * Fri Dec 02 2005 Oden Eriksson <oeriksson@mandriva.com> 1.0-1mdk - initial Mandriva package (first draft...) - fix autofoo, config and gencert (P0,P1) - used tiny parts from the provided spec file