Name: mod_nss
Version: 1.0.8
Release: 8%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: ASL 2.0
URL: http://directory.fedoraproject.org/wiki/Mod_nss
Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
BuildRequires: httpd-devel, apr-devel, apr-util-devel
BuildRequires: pkgconfig
Requires(pre): httpd
Requires: nss >= 3.12.6
Patch1: mod_nss-conf.patch
Patch2: mod_nss-gencert.patch
Patch3: mod_nss-wouldblock.patch
# Add options for tuning client negotiate in NSS
Patch4: mod_nss-negotiate.patch
Patch5: mod_nss-reverseproxy.patch
Patch6: mod_nss-pcachesignal.h
Patch7: mod_nss-reseterror.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
%prep
%setup -q
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
%patch4 -p1 -b .negotiate
%patch5 -p1 -b .reverseproxy
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
%configure \
--with-nss-lib=$NSS_LIB_DIR \
--with-nss-inc=$NSS_INCLUDE_DIR \
--with-nspr-lib=$NSPR_LIB_DIR \
--with-nspr-inc=$NSPR_INCLUDE_DIR \
--with-apr-config
make %{?_smp_mflags} all
%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
install -m 644 nss.conf $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
%clean
rm -rf $RPM_BUILD_ROOT
%post
umask 077
if [ "$1" -eq 1 ] ; then
if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
%{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
echo ""
echo "%{name} certificate database generated."
echo ""
fi
# Make sure that the database ownership is setup properly.
/bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
/bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html
%config(noreplace) %{_sysconfdir}/httpd/conf.d/nss.conf
%{_libdir}/httpd/modules/libmodnss.so
%dir %{_sysconfdir}/httpd/alias/
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
%{_sysconfdir}/httpd/alias/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%changelog
* Thu Sep 23 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-8
- Revert mod_nss-wouldblock patch
- Reset NSPR error before calling PR_Read(). This should fix looping
in #620856
* Fri Sep 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-7
- Fix hang when handling large POST under some conditions (#620856)
- Remove file requires on libnssckbi.so (requested by svidal)
* Fri May 14 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-6
- Ignore SIGHUP in nss_pcache (#591889).
* Thu May 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-5
- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
* Thu Mar 18 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-4
- Patch to add configuration options for new NSS negotiation API (#574187)
- Add (pre) for Requires on httpd so we can be sure the user and group are
already available
- Add file Requires on libnssckbi.so so symlink can't fail
- Use _sysconfdir macro instead of /etc
- Set minimum level of NSS to 3.12.6
* Mon Jan 25 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-3
- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Mar 2 2009 Rob Crittenden <rcritten@redhat.com> - 1.0.8-1
- Update to 1.0.8
- Add patch that fixes NSPR layer bug
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.0.7-10
- fix license tag
* Mon Jul 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-9
- rebuild to bump NVR
* Mon Jul 14 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-8
- Don't force module de-init during the configuration stage (453508)
* Thu Jul 10 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-7
- Don't inherit the MP cache in multi-threaded mode (454701)
- Don't initialize NSS in each child if SSL isn't configured
* Wed Jul 2 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-6
- Update the patch for FIPS to include fixes for nss_pcache, enforce
the security policy and properly initialize the FIPS token.
* Mon Jun 30 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-5
- Include patch to fix NSSFIPS (446851)
* Mon Apr 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-4
- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
and not before. This is in response to a change in the NSS softtokn code
and should have always been done this way. (444348)
- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
- The NSS database needs to be readable by apache since we need to use it
after the root priviledges are dropped.
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.7-3
- Autorebuild for GCC 4.3
* Thu Oct 18 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-2
- Register functions needed by mod_proxy if mod_ssl is not loaded.
* Fri Jun 1 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-1
- Update to 1.0.7
- Remove Requires for nss and nspr since those are handled automatically
by versioned libraries
- Updated URL and Source to reference directory.fedoraproject.org
* Mon Apr 9 2007 Rob Crittenden <rcritten@redhat.com> 1.0.6-2
- Patch to properly detect the Apache model and set up NSS appropriately
- Patch to punt if a bad password is encountered
- Patch to fix crash when password.conf is malformatted
- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7)
* Mon Oct 23 2006 Rob Crittenden <rcritten@redhat.com> 1.0.6-1
- Update to 1.0.6
* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-4
- Include LogLevel warn in nss.conf and use separate log files
* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-3
- Need to initialize ECC certificate and key variables
* Fri Aug 04 2006 Jarod Wilson <jwilson@redhat.com> 1.0.3-2
- Use %%ghost for db files and install.log
* Tue Jun 20 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-1
- Initial build