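# RPM spec for mod_ssl (SSL/TLS module for Apache 1.3), Mandrake ADVX packaging.
#
# The apache and mm versions are read from the build host while the spec is
# parsed (rpm -q apache-devel, mm-config --version), so the resulting package
# is pinned to whatever was installed on the machine that built it.
#
# Security-relevant points for anyone maintaining this file:
#  - Source2/Source3 are a static certificate and private key shipped inside
#    the package. That key is identical on every system that installs the
#    package and must be treated as public; the post scriptlet is expected to
#    replace it with a locally generated one.
#  - Patch3 carries the fix for CAN-2004-0488 and Patch4 a further ssl_log
#    fix (see the changelog entries of May and July 2004).

#New ADVX macros
%define ADVXdir %{_datadir}/ADVX
%{expand:%(cat %{ADVXdir}/ADVX-build)}
%{expand:%%define apache_version %(rpm -q apache-devel|sed 's/apache-devel-\([0-9].*\)-.*$/\1/')}
%{expand:%%define apache_release %(rpm -q apache-devel|sed 's/apache-devel-[0-9].*-\(.*\)$/\1/')}
%{expand:%%define mm_major %(mm-config --version|sed 's/MM \([0-9]\)\.\([0-9.].*\) \(.*\)$/\1/')}
%{expand:%%define mm_minor %(mm-config --version|sed 's/MM \([0-9]\)\.\([0-9.].*\) \(.*\)$/\2/')}
%define mm_version %{mm_major}.%{mm_minor}
%define sysconfdir /etc

Summary: An SSL module for the Apache Web server
Name: mod_ssl
Version: 2.8.12
Release: 8.2.91mdk
Group: System/Servers
URL: http://www.modssl.org
Source0: http://www.modssl.org/source/mod_ssl-%{version}-%{apache_version}.tar.bz2
Source1: mod_ssl.conf
Source2: server.crt
Source3: server.key
Source5: ssl.default-vhost.conf
Source7: gentestcrt.sh
Source8: mod_ssl.conf.ppc
Patch0: ssl.patch.bz2
Patch1: mod_ssl-2.8.2-cca.sh.patch.bz2
Patch2: mod_ssl-2.8.12-1.3.27-lib64.patch.bz2
Patch3: mod_ssl-2.8-can-2004-0488.patch.bz2
Patch4: mod_ssl-ssl_log.patch.bz2
License: Apache License
BuildRoot: %_tmppath/%name-%version-%release-root
Prereq: apache = %{apache_version}
Prereq: apache-common >= %{apache_version}
Prereq: apache-conf >= %{apache_version}
Prereq: mm = %{mm_major}.%{mm_minor}
Prereq: openssl >= 0.9.7
Provides: ADVXpackage
Provides: AP13package
BuildRequires: ADVX-build >= 1.2
BuildRequires: apache-devel, openssl-devel >= 0.9.7

%description
The mod_ssl project provides strong cryptography for the Apache 1.3 webserver
via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols by the help of the Open Source SSL/TLS toolkit OpenSSL, which is
based on SSLeay from Eric A. Young and Tim J. Hudson.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was
originally derived from software developed by Ben Laurie for use in the
Apache-SSL HTTP server project.

The mod_ssl package is licensed under a BSD-style licence, which basically
means that you are free to get and use it for commercial and non-commercial
purposes.

%prep
%setup -q -n mod_ssl-%{version}-%{apache_version}
%patch1 -p0 -b .cca.sh
%patch2 -p1 -b .lib64
%patch3 -p0 -b .can-2004-0488
%patch4 -p1 -b .ssl_log
cd pkg.sslmod
%patch -p1
cd ../..
pwd
cd mod_ssl-%{version}-%{apache_version}
# Rebrand the server token that configure writes into the build.
perl -pi -e "s|Apache/|Apache-AdvancedExtranetServer/|g;" configure

%build
#Hack to build without apache, just apache-devel.
perl -pi -e "s|APV=|APV=%{apache_version}\nAP2=|;" configure
PATH="$PATH:`pwd`" SSL_BASE=SYSTEM CFLAGS="`%{_sbindir}/apxs -q CFLAGS`" \
    ./configure --with-apxs=%{_sbindir}/apxs --libdir=%{_libdir}

### Ugly hack because of conflict between SunOS includes and gcc includes
if [ `uname` = "SunOS" ]; then
    # The scratch include directory lives inside the build tree instead of a
    # fixed, world-writable /tmp/include: a predictable name under /tmp can be
    # pre-created or swapped by another local user, and the rm -rf below
    # would then act on a path the build does not own.
    ssl_incdir="`pwd`/.sunos-include"
    rm -rf "$ssl_incdir"
    mkdir "$ssl_incdir"
    ln -s %{includedir}/openssl/ "$ssl_incdir/openssl"
    SSL_INCDIR="$ssl_incdir" CFLAGS_SHLIB="-fPIC -DSHARED_MODULE -DSSL_USE_SDBM" make -e
    rm -rf "$ssl_incdir"
fi

if [ `uname` = "Linux" ]; then
    CFLAGS_SHLIB="-fPIC -DSHARED_MODULE -DSSL_USE_SDBM" make -e
fi

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_libdir}/apache-extramodules
install -m 755 pkg.sslmod/libssl.so \
    %{buildroot}%{_libdir}/apache-extramodules
mkdir -p %{buildroot}%{_libdir}/ssl/mod_ssl
install -m 755 pkg.contrib/*.sh %{buildroot}%{_libdir}/ssl/mod_ssl
install -m 755 %{SOURCE7} %{buildroot}%{_libdir}/ssl/mod_ssl

mkdir -p %{buildroot}{%{ap_base}/conf/ssl,%{_sysconfdir}/ssl/apache}
# install mod_ssl.conf
%ifarch ppc
install -m 644 %{SOURCE8} %{buildroot}%{ap_base}/conf/ssl/mod_ssl.conf
%else
install -m 644 %{SOURCE1} %{buildroot}%{ap_base}/conf/ssl
%endif
# install server.crt
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ssl/apache
# install server.key
# Private key material is installed 0600. The files list uses default
# attributes that keep the mode set here, so 0644 would leave the key
# readable by every local account.
install -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/ssl/apache
# install ssl.default-vhost.conf
install -m 644 %{SOURCE5} %{buildroot}%{ap_base}/conf/ssl

mkdir -p %{buildroot}%{ap_webdoc}
pushd %{buildroot}%{ap_webdoc}
ln -s ../../../..%{_docdir}/mod_ssl-%{version} mod_ssl-%{version}
popd

%pre
#Check config file sanity
%AP13pre

%post
if [ "$1" = "1" ]; then
    #We're in Install mode, add module to the config files
    for config in %{ap_base}/conf/{httpd,httpd-perl}.conf; do
        if [ -x %{_sbindir}/advxaddmod -a -e "$config" ]; then
            %{_sbindir}/advxaddmod "$config" \
                extramodules/libssl.so mod_ssl.c ssl_module \
                define=HAVE_SSL addconf=conf/ssl/mod_ssl.conf
        fi
        # Only append to a config file that already exists; an unguarded
        # redirect would create a stray one-line httpd-perl.conf on systems
        # that do not have that file.
        if [ -e "$config" ]; then
            echo "Include conf/ssl/ssl.default-vhost.conf" >> "$config"
        fi
    done

    #Create a self-signed server key and certificate
    #this will overwrite the dummy certificate
    # NOTE(review): output and exit status of gentestcrt.sh are discarded. If
    # generation fails, the packaged key (the same on every install) stays in
    # place with no message. Confirm the script's exit status and the mode it
    # gives the new server.key; the script is not visible in this file.
    echo "Generating self-signed certificate"
    pushd %{_sysconfdir}/ssl/apache/ >/dev/null
    yes ""|%{_libdir}/ssl/mod_ssl/gentestcrt.sh >/dev/null 2>/dev/null
    popd > /dev/null

    %ADVXpost
fi

# In-place edit helper. A shell function is used rather than an alias because
# alias expansion in a non-interactive shell depends on the shell and its mode.
FIXME() { perl -pi -e "$@"; }

if [ "$1" -gt 1 ]; then
    #We're in *upgrade mode*. Since we can't be sure the configuration files
    #are sane, remove module from the conf files to clean them, re-add again
    #in a way that the older module we're replacing won't try to erase (the
    #post scripts were broken on some packages), and finally clean the module
    #specific config file so it's compatible with the upgrade.
    for config in %{ap_base}/conf/{httpd,httpd-perl}.conf; do
        if [ -x %{_sbindir}/advxdelmod -a -e "$config" ]; then
            %{_sbindir}/advxdelmod "$config" \
                extramodules/libssl.so mod_ssl.c ssl_module \
                define=HAVE_SSL addconf=conf/ssl/mod_ssl.conf
            FIXME 's|^#*Include\s+conf/ssl/ssl.default-vhost.conf\n||g;' \
                "$config"
        fi
        if [ -x %{_sbindir}/advxaddmod -a -e "$config" ]; then
            %{_sbindir}/advxaddmod "$config" \
                extramodules/libssl.so mod_ssl.c ssl_module \
                define=HAVE_SSL addconf=conf/ssl/mod_ssl.conf
            echo "Include conf/ssl/ssl.default-vhost.conf" >> "$config"
        fi
    done
    if [ -x %{_sbindir}/advxfixconf ]; then
        %{_sbindir}/advxfixconf \
            %{ap_base}/conf/ssl/mod_ssl.conf \
            libssl.so mod_ssl.c ssl_module ifmodule
        %{_sbindir}/advxfixconf \
            %{ap_base}/conf/ssl/ssl.default-vhost.conf \
            libssl.so mod_ssl.c ssl_module ifmodule
    fi
%ifnarch ppc
    FIXME 's|file:logs/ssl_mutex|sem|g;' \
        %{ap_base}/conf/ssl/mod_ssl.conf
%endif

    #Create a self-signed server key and certificate
    #this will overwrite the dummy certificate, but will
    #not overwrite a user-generated certificate, since we
    #use config noreplace and it checks the md5sum
    # NOTE(review): the "does not overwrite a user certificate" guarantee
    # rests on gentestcrt.sh, which is not visible here, and its output and
    # exit status are discarded. Verify before relying on it.
    echo "Generating self-signed certificate"
    pushd %{_sysconfdir}/ssl/apache/ > /dev/null
    yes ""|%{_libdir}/ssl/mod_ssl/gentestcrt.sh >/dev/null 2>/dev/null
    popd > /dev/null

    if [ ! -e %{_libdir}/apache/libssl.so ]; then
        %ADVXpost
    fi
fi

%postun
# In-place edit helper, a function rather than an alias (see the post
# scriptlet for the reason).
FIXME() { perl -pi -e "$@"; }

if [ "$1" = "0" ]; then
    # Final removal: take the module and the vhost Include out of each
    # existing server config.
    for config in %{ap_base}/conf/{httpd,httpd-perl}.conf; do
        if [ -x %{_sbindir}/advxdelmod -a -e "$config" ]; then
            %{_sbindir}/advxdelmod "$config" \
                extramodules/libssl.so mod_ssl.c ssl_module \
                define=HAVE_SSL addconf=conf/ssl/mod_ssl.conf
            FIXME 's|^#*Include\s+conf/ssl/ssl.default-vhost.conf\n||g;' \
                "$config"
        fi
    done
    %ADVXpost
fi

%files
%defattr(-,root,root)
%dir %{ap_base}/conf/ssl
%dir %{_sysconfdir}/ssl/apache
%config(noreplace) %{_sysconfdir}/ssl/apache/server.crt
# Explicit mode so the private key stays root-only whatever mode the build
# tree happened to carry.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssl/apache/server.key
%config(noreplace) %{ap_base}/conf/ssl/mod_ssl.conf
%config(noreplace) %{ap_base}/conf/ssl/ssl.default-vhost.conf
%{ap_webdoc}/*
%doc pkg.ssldoc/*
%doc ANNOUNCE
%doc CHANGES
%doc CREDITS
%doc LICENSE
%doc NEWS
%doc README
%doc README.GlobalID
%doc README.Support
%doc README.Versions
%doc README.Wishes
%{_libdir}/apache-extramodules/libssl.so
%dir %{_libdir}/ssl/mod_ssl
%{_libdir}/ssl/mod_ssl/*.sh

%clean
rm -rf %{buildroot}

%changelog
* Mon Jul 19 2004 Stew Benedict <sbenedict@mandrakesoft.com> 2.8.12-8.2.91mdk
- another potential ssl_log vulnerability

* Thu May 27 2004 Vincent Danen <vdanen@mandrakesoft.com> 2.8.12-8.1.91mdk
- security fix for CAN-2004-0488

* Thu Feb 13 2003 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-8mdk
- new macros from ADVX-build

* Sat Jan 18 2003 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-7mdk
- rebuild with new openssl

* Tue Jan 7 2003 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-6mdk
- Fix post scripts a bit, but need major rewrite eventually.

* Mon Jan 6 2003 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-5mdk
- Rebuild
- Add Provides: ADVXpackage, all ADVX package will have this tag, so we can easily do a rpm --whatprovides ADVXpackage to find out what ADVX packages a user has installed on his system.
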
* Wed Nov 27 2002 Gwenole Beauchesne <gbeauchesne@mandrakesoft.com> 2.8.12-4mdk
- Update Patch2 (lib64) to really use $CC in case that one has -m32 flag in

* Wed Nov 27 2002 Gwenole Beauchesne <gbeauchesne@mandrakesoft.com> 2.8.12-3mdk
- BuildPrereq: /usr/sbin/httpd
- Patch2: Make it lib64 aware.

* Fri Nov 8 2002 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-2mdk
- Rebuild for Cooker

* Mon Oct 28 2002 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.12-1mdk
- New Security version
- Rebuild with new apache

* Fri Aug 16 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.10-5mdk
- rebuild against latest openssl.

* Mon Aug 12 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.10-4mdk
- rebuild against latest openssl.

* Tue Jul 9 2002 Pixel <pixel@mandrakesoft.com> 2.8.10-3mdk
- rebuild (so that it builds with "-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64") => fix segfault

* Wed Jul 03 2002 Vincent Danen <vdanen@mandrakesoft.com> 2.8.10-2mdk
- certs go in /etc/ssl/apache
- PPC fix for SSLMutex (use file, not semaphore for PPC)

* Wed Jun 26 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.10-1mdk
- rebuild against new apache.
- new version 2.8.10.

* Thu May 16 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.8-2mdk
- Rebuild with gcc 3.1.
- Rebuild against new openssl.

* Mon Apr 15 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.8-1mdk
- Apache 1.3.24.
- mod_ssl 2.8.8.

* Sat Mar 23 2002 David BAUDENS <baudens@mandrakesoft.com> 2.8.7-3mdk
- Fix BuildRequires

* Mon Mar 02 2002 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.7-2mdk
- Rebuild against apache to ensure 100% EAPI compatibility

* Tue Feb 28 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.7-1mdk
- 2.8.7.

* Mon Feb 04 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.6-1mdk
- 2.8.6.
- Rebuild against latest apache.

* Mon Jan 22 2002 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.5-4mdk
- Rebuild against latest openssl.

* Mon Dec 3 2001 Stefan van der Eijk <stefan@eijk.nu> 2.8.5-3mdk
- Remove %%dir %%{_libdir}/ssl (dir owned by openssl)

* Thu Nov 22 2001 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.5-2mdk
- Fix invalid-packager and no-url warnings (rpmlint).
- apply -q option to setup

* Tue Oct 16 2001 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.5-1mdk
- 2.8.5.
- apache 1.3.22.

* Fri Oct 12 2001 Stefan van der Eijk <stefan@eijk.nu> 2.8.4-3mdk
- BuildRequires: openssl --> openssl-devel
- Replaced entries of RPM SOURCE DIR (make rpmlint happy)

* Tue Sep 04 2001 Christian Belisle <cbelisle@mandrakesoft.com> 2.8.4-2mdk
- rebuild against latest version of OpenSSL.

* Wed Jul 11 2001 Philippe Libat <philippe@mandrakesoft.com> 2.8.4-1mdk
- new version

* Wed May 16 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 2.8.2-6mdk
- Fix cca.sh OpenSSL binary location.

* Sat Apr 14 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.2-5mdk
- fixed config with proxied perl

* Fri Apr 13 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.2-4mdk
- fixed prereqs
- fixed post script that was too verbose

* Fri Apr 13 2001 David Baudens <baudens@mandrakesoft.com> 2.8.2-3mdk
- Use %_tmppath for BuildRoot (allow build as user)

* Mon Apr 9 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.8.2-2mdk
- removed mod_ssl-sxnet, will be in a separate package
- fixed the post scripts, updates should work now
- got rid of the static server certificate and key, we now generate a self-signed test certificate during install (as discussed on the security mailing list)
- fix the SSLMutex directive to get rid of the Mutex temporary file that "spammed" the error_log.

* Sun Apr 08 2001 Stefan van der Eijk <stefan@eijk.nu> 2.8.2-1mdk
- updated to 2.8.2
- adjusted mod_ssl.patch

* Wed Mar 07 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 2.7.1-3mdk
- Rebuild, a long time request of cookers.

* Tue Oct 24 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.7.1-2mdk
- fixed packager tag

* Sat Oct 21 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.7.1-1mdk
- bugfix release for apache bugfix and security release

* Thu Aug 24 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.6-1mdk
- new and shiny 2.6.6

* Wed Aug 09 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.5-3mdk
- Fixed ssl.default-vhost.conf for FHS

* Wed Aug 09 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.5-2mdk
- Macroize
- FHS compliance
- Now in cooker because there is no cooker-crypto and it depends heavily on the openssl version in cooker

* Fri Jul 14 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.5-1mdk
- 2.6.5
- use new AESctl for %post scripts

* Mon May 08 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.4-1mdk
- 2.6.4 (more bugfixes)

* Mon Apr 17 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.3-1mdk
- 2.6.3 (bug fixes)
- re-made documentation

* Sun Apr 02 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.2-2mdk
- fixed defattr

* Sun Apr 02 2000 Jean-Michel Dault <jmdault@mandrakesoft.com> 2.6.2-1mdk
- 2.6.2
- fix group

* Tue Feb 29 2000 Jean-Michel Dault <jmdault@netrevolution.com> 2.6.1-1mdk
- update to 2.6.1

* Mon Feb 28 2000 Jean-Michel Dault <jmdault@netrevolution.com> 2.6.0-3mdk
- added Thawte logo in mod_sxnet documentation

* Sun Feb 27 2000 Jean-Michel Dault <jmdault@netrevolution.com> 2.6.0-2mdk
- fixed segfault in CustomLogs

* Sun Feb 27 2000 Jean-Michel Dault <jmdault@netrevolution.com> 2.6.0-1mdk
- updated to 2.6.0

* Sun Jan 23 2000 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.5.0

* Wed Jan 19 2000 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.4.10

* Mon Jan 3 2000 Jean-Michel Dault <jmdault@netrevolution.com>
- final cleanup for Mandrake 7

* Thu Dec 30 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- rebuilt for Mandrake 7.0

* Sat Dec 12 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.4.9

* Mon Sep 06 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- re-build for mm 1.0.11
- changed post script to stop, then start httpd, instead of restart, because it didn't restart cleanly

* Fri Sep 3 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- modified config file
- rebuilt for new mm-1.0.10 module in Apache

* Wed Sep 1 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.4.1

* Wed Aug 18 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.4.0

* Mon Aug 16 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- build for apache 1.3.9

* Sun Aug 15 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.3.11
- cleaned SPEC file, Solaris/UltraSparc adaptation

* Sat Jul 31 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.3.10
- changed postun script

* Thu Jul 29 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated again to 2.3.9

* Tue Jul 22 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.3.6
- modified config so Linuxconf could manage it (I hope...)

* Sat Jun 05 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- moved documentation in html
- rebuilt for the new optimized apache

* Sun May 30 1999 Jean-Michel Dault <jmdault@netrevolution.com>
- updated to 2.3.1
- add fr locale
- added sxnet (Secure ExtraNet) package from Thawte

* Sun May 23 1999 Bernhard Rosenkränzer <bero@mandrakesoft.com>
- handle RPM_OPT_FLAGS
- add de locale
- don't require openssl-devel