commit apache2-mod_nss for openSUSE:Factory

2020-06-15 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2020-06-15 20:30:34

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.3606 (New)


Package is "apache2-mod_nss"

Mon Jun 15 20:30:34 2020 rev:35 rq:814638 version:1.0.18

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2020-05-13 22:56:35.291068234 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_nss.new.3606/apache2-mod_nss.changes
2020-06-15 20:30:58.782471836 +0200
@@ -1,0 +2,5 @@
+Thu Jun 11 09:53:59 UTC 2020 - Paolo Stivanin 
+
+- Add -fcommon in order to fix building with GCC10 
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.yUYmIl/_old  2020-06-15 20:31:00.042476201 +0200
+++ /var/tmp/diff_new_pack.yUYmIl/_new  2020-06-15 20:31:00.046476215 +0200
@@ -81,7 +81,7 @@
 touch nss_expr_*.[chyl]
 
 %build
-CFLAGS="%{optflags}"
+CFLAGS="%{optflags} -fcommon"
 export CFLAGS
 NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr`
 NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr`
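Review bot: `-fcommon` is appended to CFLAGS with no comment saying why it is needed or when it can be removed. GCC 10 switched its default to `-fno-common`, and this flag restores the old merging of duplicate tentative definitions, so the duplicate globals that presumably break the build stay in the sources and any new clash will also link silently. A line above the assignment such as `# GCC 10 defaults to -fno-common; drop -fcommon once upstream fixes the duplicate definitions` would record that this is a workaround. The %build section continues outside the hunk.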




commit apache2-mod_nss for openSUSE:Factory

2020-05-13 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2020-05-13 22:56:34

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.2738 (New)


Package is "apache2-mod_nss"

Wed May 13 22:56:34 2020 rev:34 rq:805249 version:1.0.18

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2019-09-13 14:57:47.657275903 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_nss.new.2738/apache2-mod_nss.changes
2020-05-13 22:56:35.291068234 +0200
@@ -1,0 +2,6 @@
+Tue May 12 08:41:45 UTC 2020 - Vítězslav Čížek 
+
+- Set the minimal apache version to 2.4.18 which is required since
+  1.0.18 (mod_nss needs conn_rec->master field)
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.sl4jgw/_old  2020-05-13 22:56:36.031069678 +0200
+++ /var/tmp/diff_new_pack.sl4jgw/_new  2020-05-13 22:56:36.031069678 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,7 @@
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
 Group:  Productivity/Networking/Web/Servers
-Url:https://pagure.io/mod_nss
+URL:https://pagure.io/mod_nss
 Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz
 Source1:mod_nss.conf.in
 Source2:listen_nss.conf
@@ -42,7 +42,7 @@
 Patch5: mod_nss-gencert_stronger_password.patch
 BuildRequires:  apache-rex
 BuildRequires:  apache-rpm-macros
-BuildRequires:  apache2-devel >= 2.2.12
+BuildRequires:  apache2-devel >= 2.4.18
 BuildRequires:  apr-devel
 BuildRequires:  apr-util-devel
 BuildRequires:  automake
@@ -60,7 +60,7 @@
 BuildRequires:  pkgconfig
 Requires:   %{apache_mmn}
 Requires:   %{apache_suse_maintenance_mmn}
-Requires:   apache2 >= 2.2.12
+Requires:   apache2 >= 2.4.18
 Requires:   findutils
 Requires:   iproute2
 Requires:   mozilla-nss >= 3.25




commit apache2-mod_nss for openSUSE:Factory

2019-09-13 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2019-09-13 14:57:34

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.7948 (New)


Package is "apache2-mod_nss"

Fri Sep 13 14:57:34 2019 rev:33 rq:730047 version:1.0.18

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2019-07-08 15:10:38.787323293 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_nss.new.7948/apache2-mod_nss.changes
2019-09-13 14:57:47.657275903 +0200
@@ -1,0 +2,8 @@
+Tue Sep 10 11:01:45 UTC 2019 - Vítězslav Čížek 
+
+- Use a stronger password in gencert to pass the stricter tests in
+  FIPS mode (bsc#1150133)
+  * https://pagure.io/mod_nss/pull-request/48
+  * add mod_nss-gencert_stronger_password.patch
+
+---

New:

  mod_nss-gencert_stronger_password.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.DLxMmu/_old  2019-09-13 14:57:48.297275930 +0200
+++ /var/tmp/diff_new_pack.DLxMmu/_new  2019-09-13 14:57:48.301275931 +0200
@@ -39,6 +39,7 @@
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
+Patch5: mod_nss-gencert_stronger_password.patch
 BuildRequires:  apache-rex
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
@@ -74,9 +75,7 @@
 
 %prep
 %setup -q -n mod_nss-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch4 -p1
+%autopatch -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]

++ mod_nss-gencert_stronger_password.patch ++
Index: mod_nss-1.0.18/gencert.in
===
--- mod_nss-1.0.18.orig/gencert.in  2019-09-10 13:43:27.548434070 +0200
+++ mod_nss-1.0.18/gencert.in   2019-09-10 13:43:53.424589071 +0200
@@ -75,6 +75,10 @@ VALIDITY=48
 # 3 is the server cert "Server-Cert".
 CERTSERIAL=0
 
+# Password for the certificate. Uses special characters and mixed case in order
+# to pass the strict NSS FIPS mode check
+PASSWORD="hTtp.Te5t"
+
 if [ $# -lt 1 ]
 then
 echo "usage: $0 " 1>&2
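Review bot: `PASSWORD="hTtp.Te5t"` is a constant shipped in the package sources, so it satisfies the NSS FIPS quality check without keeping anyone out of the generated key database; access then rests on file ownership and mode alone. The same value is printed by `echo "is $PASSWORD"` and `echo "The database password is $PASSWORD"` in the later hunks of this patch, so it also lands in whatever log captures the script output. The added comment should say so, for example `# Well-known default, not a secret; change it with certutil -W before relying on the database password`. The script continues outside the hunk.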
@@ -115,7 +119,7 @@ done
 echo "TEST = $TEST"
 echo "SNI = $SNI"
 
-echo "httptest" > $DEST/pw.txt
+echo "$PASSWORD" > $DEST/pw.txt
 
 function generate_server_sni_cert {
 hostname=$1
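Review bot: `echo "$PASSWORD" > $DEST/pw.txt` leaves `$DEST` unquoted and creates the file with the caller's umask, so the redirect breaks on a destination path containing whitespace and the password file can be readable by other local users until the later `rm $DEST/pw.txt`. That is harmless while the password is the published default, but it matters as soon as someone substitutes a real one. I would write `(umask 077; printf '%s\n' "$PASSWORD" > "$DEST/pw.txt")`. The function `generate_server_sni_cert` opens in this hunk and its body continues outside it.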
@@ -173,7 +177,7 @@ function generate_server_sni_cert {
 echo ""
 echo "#"
 echo "Generating new server certificate and key database. The password"
-echo "is httptest"
+echo "is $PASSWORD"
 echo "#"
 $CERTUTIL -N -d $DBDIR -f $DEST/pw.txt
 
@@ -329,7 +333,7 @@ rm $DEST/pw.txt
 rm $DEST/noise
 
 echo ""
-echo "The database password is httptest"
+echo "The database password is $PASSWORD"
 echo ""
 
 # change the ownership of the NSS database so apache can access it



commit apache2-mod_nss for openSUSE:Factory

2019-07-08 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2019-07-08 15:10:37

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.4615 (New)


Package is "apache2-mod_nss"

Mon Jul  8 15:10:37 2019 rev:32 rq:713601 version:1.0.18

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2018-12-06 12:18:37.589435463 +0100
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_nss.new.4615/apache2-mod_nss.changes
2019-07-08 15:10:38.787323293 +0200
@@ -1,0 +2,5 @@
+Fri Jun 28 11:15:10 UTC 2019 - Petr Gajdos 
+
+- use apache-rex in %check
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.k7lsqm/_old  2019-07-08 15:10:39.759324226 +0200
+++ /var/tmp/diff_new_pack.k7lsqm/_new  2019-07-08 15:10:39.759324226 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,12 +39,14 @@
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
+BuildRequires:  apache-rex
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  apr-devel
 BuildRequires:  apr-util-devel
 BuildRequires:  automake
 BuildRequires:  bison
+%apache_rex_deps
 BuildRequires:  curl
 BuildRequires:  findutils
 BuildRequires:  flex
@@ -141,59 +143,9 @@
 perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert
 
 %check
-set +x
-mkdir -p %{apache_test_module_dir}
-# create password file including internal token to suppress apache 'builtin 
dialog'
-cat << EOF > %{apache_test_module_dir}/password.conf
-internal:httptest
-EOF
-# create test configuration
-cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
-NSSEngine on
-NSSNickname Server-Cert
-NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
-NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
-NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache
-NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
-NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
-
-%if 0%{?apache_branch} >= 204
-  Require local
-%else
-  Allow from localhost
-%endif
-
-EOF
-# create test certificate
-mkdir -p %{apache_test_module_dir}/mod_nss.d
-#   bend gencert to use ServerName of apache test instance
-cp %{buildroot}%{_sbindir}/gencert .
-sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
-./gencert  %{apache_test_module_dir}/mod_nss.d > 
%{apache_test_module_dir}/mod_nss.d/LOG 2>&1
-# create test document
-mkdir -p %{apache_test_module_dir}/htdocs
-cat << EOF > %{apache_test_module_dir}/htdocs/index.html
-HTTPS HELLO
-EOF
-exit_code=0
-# run apache test instance
-%apache_test_module_start_apache -m nss -i mod_nss-test.conf
-# get test document
-%apache_test_module_curl -r https -d /index.html -o 
%{apache_test_module_dir}/output.txt
-echo
-echo 'Testing /index.html output'
-grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
-if [ $exit_code -eq 0 ]; then
-  echo 'SUCCESS'
-else
-  echo 'FAILED, error_log:'
-  cat %{apache_test_module_dir}/error_log
-fi
-echo
-# stop apache test instance
-%apache_test_module_stop_apache
-set -x
-exit $exit_code
+# specific file name format for module is required by apache-rex
+ln .libs/libmodnss.so .libs/mod_nss.so
+%apache_rex_check -m .libs/ -b . mod_nss-basic
 
 %post
 umask 077
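Review bot: `ln .libs/libmodnss.so .libs/mod_nss.so` fails when the link already exists, which happens when %check is re-run in the same build tree; `ln -f .libs/libmodnss.so .libs/mod_nss.so` keeps the step repeatable. The removed inline test asserted on the `HTTPS HELLO` response body, and what the `mod_nss-basic` example checks is not visible in this diff, so a short comment naming what it covers would let a reader confirm that no coverage was lost. The %post section continues outside the hunk.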




commit apache2-mod_nss for openSUSE:Factory

2018-12-06 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-12-06 12:18:29

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.19453 (New)


Package is "apache2-mod_nss"

Thu Dec  6 12:18:29 2018 rev:31 rq:655362 version:1.0.18

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2018-03-29 11:57:36.982029928 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_nss.new.19453/apache2-mod_nss.changes   
2018-12-06 12:18:37.589435463 +0100
@@ -1,0 +2,7 @@
+Wed Dec  5 10:22:19 UTC 2018 - Vítězslav Čížek 
+
+- Update to 1.0.18
+  * Initial support for new mod_proxy function ssl_engine_set
+  * Fix some warnings from clang
+
+---

Old:

  mod_nss-1.0.17.tar.gz

New:

  mod_nss-1.0.18.tar.gz



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.EewG1t/_old  2018-12-06 12:18:38.313434686 +0100
+++ /var/tmp/diff_new_pack.EewG1t/_new  2018-12-06 12:18:38.317434682 +0100
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -25,7 +25,7 @@
 %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:   apache2-mod_nss
-Version:1.0.17
+Version:1.0.18
 Release:0
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0

++ mod_nss-1.0.17.tar.gz -> mod_nss-1.0.18.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.17/ChangeLog new/mod_nss-1.0.18/ChangeLog
--- old/mod_nss-1.0.17/ChangeLog2018-03-27 22:40:30.0 +0200
+++ new/mod_nss-1.0.18/ChangeLog2018-12-04 20:47:45.0 +0100
@@ -1,3 +1,10 @@
+2018-12-04  Rob Crittenden 
+   * Become 1.0.18
+
+2018-04-12  Rob Crittenden 
+   * Initial support for new mod_proxy function ssl_engine_set
+   * Fix some warnings from clang
+
 2018-03-27  Rob Crittenden 
* PEP-8 fixups
* Add TLS 1.3 support to the cipher tests
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.17/configure.ac 
new/mod_nss-1.0.18/configure.ac
--- old/mod_nss-1.0.17/configure.ac 2018-03-27 22:40:30.0 +0200
+++ new/mod_nss-1.0.18/configure.ac 2018-12-04 20:47:45.0 +0100
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.17])
+AC_INIT([mod_nss],[1.0.18])
 
 m4_include([acinclude.m4])
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.17/mod_nss.c new/mod_nss-1.0.18/mod_nss.c
--- old/mod_nss-1.0.17/mod_nss.c2018-03-27 22:40:30.0 +0200
+++ new/mod_nss-1.0.18/mod_nss.c2018-12-04 20:47:45.0 +0100
@@ -220,8 +220,85 @@
 return sslconn;
 }
 
+static int nss_engine_status(conn_rec *c, SSLConnRec *sslconn)
+{
+SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
+if (c->master) {
+return DECLINED;
+}
+if (sslconn) {
+if (sslconn->disabled) {
+return SUSPENDED;
+}
+if (sslconn->is_proxy) {
+if (!sc->proxy_enabled) {
+return DECLINED;
+}
+}
+else {
+if (sc->enabled != TRUE) {
+return DECLINED;
+}
+}
+}
+else {
+if (sc->enabled != TRUE) {
+return DECLINED;
+}
+}
+return OK;
+}
+
 static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
 static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+#ifdef SSL_ENGINE_SET
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set;
+
+int nss_engine_set(conn_rec *c,
+   ap_conf_vector_t *per_dir_config,
+   int proxy, int enable)
+{
+SSLConnRec *sslconn;
+int status;
+
+if (othermod_engine_set) {
+return othermod_engine_set(c, per_dir_config, proxy, enable);
+}
+
+// FIXME: Add support for per_dir_config
+if (proxy) {
+sslconn = nss_init_connection_ctx(c);
+sslconn->is_proxy = 1;
+}
+else {
+sslconn = myConnConfig(c);
+}
+
+status = nss_engine_status(c, sslconn);
+
+if (proxy && status == DECLINED) {
+if (enable) {
+SSLSrvConfigRec *sc = 

commit apache2-mod_nss for openSUSE:Factory

2018-03-29 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-03-29 11:57:32

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Thu Mar 29 11:57:32 2018 rev:30 rq:592034 version:1.0.17

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2018-03-20 22:00:50.444643599 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2018-03-29 11:57:36.982029928 +0200
@@ -1,0 +2,10 @@
+Tue Mar 27 21:16:15 UTC 2018 - vci...@suse.com
+
+- Update to 1.0.17
+  * Add TLSv1.3 support
+  * Update documentation for TLS 1.3
+  * Add TLS 1.3 support to the cipher tests
+  * PEP-8 fixups
+  * Change the default certificate database format to SQLite.
+
+---

Old:

  mod_nss-1.0.16.tar.gz

New:

  mod_nss-1.0.17.tar.gz



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.aJMz8n/_old  2018-03-29 11:57:37.658005527 +0200
+++ /var/tmp/diff_new_pack.aJMz8n/_new  2018-03-29 11:57:37.658005527 +0200
@@ -25,7 +25,7 @@
 %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:   apache2-mod_nss
-Version:1.0.16
+Version:1.0.17
 Release:0
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0

++ mod_nss-1.0.16.tar.gz -> mod_nss-1.0.17.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/ChangeLog new/mod_nss-1.0.17/ChangeLog
--- old/mod_nss-1.0.16/ChangeLog2018-01-19 21:44:16.0 +0100
+++ new/mod_nss-1.0.17/ChangeLog2018-03-27 22:40:30.0 +0200
@@ -1,3 +1,15 @@
+2018-03-27  Rob Crittenden 
+   * PEP-8 fixups
+   * Add TLS 1.3 support to the cipher tests
+   * Update documentation for TLSv1.3
+   * Become 1.0.17
+
+2018-03-05  Vitezslav Cizek 
+   * Change the default certificate database format to SQLite.
+
+2018-02-16 Christian Heimes 
+   * Add TLSv1.3 support
+
 2018-01-19  Rob Crittenden 
 * Fix some merge issues in the ciphers (that'll teach me to test
  BEFORE making the tag)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/Makefile.am 
new/mod_nss-1.0.17/Makefile.am
--- old/mod_nss-1.0.16/Makefile.am  2018-01-19 21:44:16.0 +0100
+++ new/mod_nss-1.0.17/Makefile.am  2018-03-27 22:40:30.0 +0200
@@ -22,7 +22,7 @@
 
 ## Set the includes and libraries needed
 AM_CPPFLAGS = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@
-LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4
+LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4 
-lnssutil3
 EXTRA_CPPFLAGS=@extra_cppflags@
 
 install-libLTLIBRARIES: libmodnss.la
@@ -102,8 +102,8 @@
rm -rf work;\
nosetests -v test_cipher.py;\
if [ `id -u` != 0 ]; then   \
-   ./setup.sh -s 1;\
-   nosetests -v test.py;   \
+   ./setup.sh -s 1 dbm:;   \
+   DBPREFIX=dbm: nosetests -v test.py; \
sleep 5;\
rm -rf work;\
./setup.sh -s 1 sql:;   \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.16/configure.ac 
new/mod_nss-1.0.17/configure.ac
--- old/mod_nss-1.0.16/configure.ac 2018-01-19 21:44:16.0 +0100
+++ new/mod_nss-1.0.17/configure.ac 2018-03-27 22:40:30.0 +0200
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.16])
+AC_INIT([mod_nss],[1.0.17])
 
 m4_include([acinclude.m4])
 
@@ -249,34 +249,53 @@
 AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, 
gcm=$enableval, gcm=no)
 if test "$gcm" = yes; then
extra_cppflags="$extra_cppflags -DENABLE_GCM"
-   echo "ENABLE_GCM=1" > test/variable.py
+   echo "ENABLE_GCM = 1" > test/variable.py
 else
-   echo "ENABLE_GCM=0" > test/variable.py
+   echo "ENABLE_GCM = 0" > test/variable.py
 fi
 
 AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, 
sha384=$enableval, sha384=no)
 if test "$sha384" = yes; then
extra_cppflags="$extra_cppflags -DENABLE_SHA384"
-   echo "ENABLE_SHA384=1" >> test/variable.py
+   echo "ENABLE_SHA384 = 1" >> test/variable.py
 else
-   echo "ENABLE_SHA384=0" >> test/variable.py
+   echo "ENABLE_SHA384 = 0" >> test/variable.py
 fi
 
 

commit apache2-mod_nss for openSUSE:Factory

2018-03-20 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-03-20 22:00:22

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Tue Mar 20 22:00:22 2018 rev:29 rq:588675 version:1.0.16

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2018-03-11 15:25:33.850541809 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2018-03-20 22:00:50.444643599 +0100
@@ -1,0 +2,15 @@
+Mon Mar 19 15:23:59 UTC 2018 - vci...@suse.com
+
+- Use fixed upstream 1.0.16 tarball
+  * https://pagure.io/mod_nss/issue/44
+
+---
+Mon Mar 19 11:12:29 UTC 2018 - vci...@suse.com
+
+- Update to 1.0.16
+  * Fix up some broken cipher strings from a bad merge
+- adjust distro detection, Tumbleweed has NSS 3.35, Leap 15 has 3.34
+- drop 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
+  (upstream)
+
+---

Old:

  0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
  mod_nss-1.0.15.tar.gz

New:

  mod_nss-1.0.16.tar.gz



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.QC2LBR/_old  2018-03-20 22:00:51.296612926 +0100
+++ /var/tmp/diff_new_pack.QC2LBR/_new  2018-03-20 22:00:51.304612638 +0100
@@ -25,7 +25,7 @@
 %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:   apache2-mod_nss
-Version:1.0.15
+Version:1.0.16
 Release:0
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
@@ -39,7 +39,6 @@
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
-Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  apr-devel
@@ -76,7 +75,6 @@
 %patch1 -p1
 %patch2 -p1
 %patch4 -p1
-%patch5 -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -130,7 +128,7 @@
 install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl
 
 #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so 
$RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
-%if 0%{?suse_version} < 1330
+%if 0%{?suse_version} <= 1500
 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db
 touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db
 touch %{buildroot}%{apache_sysconf_nssdir}/key3.db
@@ -220,7 +218,7 @@
 %dir %{apache_libexecdir}
 %{apache_libexecdir}/mod_nss.so
 %dir %{apache_sysconf_nssdir}/
-%if 0%{?suse_version} < 1330
+%if 0%{?suse_version} <= 1500
 %ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/secmod.db
 %ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/cert8.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db

++ mod_nss-1.0.15.tar.gz -> mod_nss-1.0.16.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.15/ChangeLog new/mod_nss-1.0.16/ChangeLog
--- old/mod_nss-1.0.15/ChangeLog2018-01-19 21:29:30.0 +0100
+++ new/mod_nss-1.0.16/ChangeLog2018-01-19 21:44:16.0 +0100
@@ -1,4 +1,9 @@
 2018-01-19  Rob Crittenden 
+* Fix some merge issues in the ciphers (that'll teach me to test
+ BEFORE making the tag)
+   * Become 1.0.16
+
+2018-01-19  Rob Crittenden 
 * Resync ciphers and tests with openssl-1.1.0g and nss-3.34.0
* Become 1.0.15
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.15/configure.ac 
new/mod_nss-1.0.16/configure.ac
--- old/mod_nss-1.0.15/configure.ac 2018-01-19 21:29:30.0 +0100
+++ new/mod_nss-1.0.16/configure.ac 2018-01-19 21:44:16.0 +0100
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.15])
+AC_INIT([mod_nss],[1.0.16])
 
 m4_include([acinclude.m4])
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.15/nss_engine_cipher.c 
new/mod_nss-1.0.16/nss_engine_cipher.c
--- old/mod_nss-1.0.15/nss_engine_cipher.c  2018-01-19 21:29:30.0 
+0100
+++ new/mod_nss-1.0.16/nss_engine_cipher.c  2018-01-19 21:44:16.0 
+0100
@@ -59,7 +59,7 @@
 {"fips_3des_sha", 

commit apache2-mod_nss for openSUSE:Factory

2018-03-11 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-03-11 15:25:26

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Sun Mar 11 15:25:26 2018 rev:28 rq:585105 version:1.0.15

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2017-12-29 18:51:14.107286468 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2018-03-11 15:25:33.850541809 +0100
@@ -1,0 +2,42 @@
+Thu Mar  8 13:15:32 UTC 2018 - vci...@suse.com
+
+- Since the update to NSS 3.35, the default NSS certificate
+  database format changed from Berkley DB to SQLite
+- use %license tag
+
+---
+Wed Mar  7 16:35:56 UTC 2018 - vci...@suse.com
+
+- Update to 1.0.15
+  * Try to auto-detect the NSS database format if not specified
+  * Update nss_pcache.8 man page to drop directory and prefix
+  * When a token is configured in password file only authenticate once
+  * Return an error when NSSPassPhraseDialog is invalid
+  * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
+  * Add -Werror=implicit-function-declaration to CFLAGS
+  * Handle group membership when testing for file permissions
+  * NSS system-wide policy now disables SSLv3, don't use it in tests
+  * Add missing error messages for libssl errors
+  * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
+  * When including additional test config use specific extension
+  * Fix the TLS Session ID cache
+  * Make an invalid protocol setting fatal
+  * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
+  * Add info log message when FIPS is enabled
+  * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
+  * Fix removal of CR from PEM certificates
+  * Add OCSP caching and timeout tuning knobs
+  * Check the NSS database directory permissions as well as the files
+inside it for read access on startup.
+  * Add in simple aliases for ciphers to fix those that
+don't follow the pattern (dhe_rsa_aes_128_sha256,
+dhe_rsa_aes_256_sha256) and those with typos
+(camelia_128_sha, camelia_256_sha)
+  * Fix semaphore leak
+  * Don't set remote user in fixup hook
+  * Drop SSLv2 tests because it is completely disabled now
+- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch
+  (upstream)
+- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
+
+---

Old:

  0001-Handle-group-membership-when-testing-for-file-permis.patch
  mod_nss-1.0.14.tar.gz

New:

  0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
  mod_nss-1.0.15.tar.gz



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.uLN65b/_old  2018-03-11 15:25:34.650513110 +0100
+++ /var/tmp/diff_new_pack.uLN65b/_new  2018-03-11 15:25:34.658512824 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:   apache2-mod_nss
-Version:1.0.14
+Version:1.0.15
 Release:0
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
@@ -38,8 +38,8 @@
 Source5:vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
-Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
+Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  apr-devel
@@ -51,7 +51,6 @@
 BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  iproute2
-BuildRequires:  iproute2
 BuildRequires:  libtool
 BuildRequires:  mozilla-nspr-devel >= 4.6.3
 BuildRequires:  mozilla-nss-devel >= 3.25
@@ -62,7 +61,6 @@
 Requires:   apache2 >= 2.2.12
 Requires:   findutils
 Requires:   iproute2
-Requires:   iproute2
 Requires:   mozilla-nss >= 3.25
 Requires(post): mozilla-nss-tools
 Provides:   mod_nss
@@ -77,8 +75,8 @@
 %setup -q -n mod_nss-%{version}
 

commit apache2-mod_nss for openSUSE:Factory

2017-12-29 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2017-12-29 18:50:58

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Fri Dec 29 18:50:58 2017 rev:27 rq:560006 version:1.0.14

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2017-12-14 10:59:47.952906675 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2017-12-29 18:51:14.107286468 +0100
@@ -1,0 +2,6 @@
+Tue Dec 19 13:13:22 UTC 2017 - pgaj...@suse.com
+
+- buildrequire apr-devel instead of libapr1-devel
+- buildrequire apr-util-devel instead of libapr-util1-devel
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.kkjfV4/_old  2017-12-29 18:51:14.871067105 +0100
+++ /var/tmp/diff_new_pack.kkjfV4/_new  2017-12-29 18:51:14.871067105 +0100
@@ -42,6 +42,8 @@
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
+BuildRequires:  apr-devel
+BuildRequires:  apr-util-devel
 BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  curl
@@ -50,8 +52,6 @@
 BuildRequires:  gcc-c++
 BuildRequires:  iproute2
 BuildRequires:  iproute2
-BuildRequires:  libapr-util1-devel
-BuildRequires:  libapr1-devel
 BuildRequires:  libtool
 BuildRequires:  mozilla-nspr-devel >= 4.6.3
 BuildRequires:  mozilla-nss-devel >= 3.25




commit apache2-mod_nss for openSUSE:Factory

2017-12-14 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2017-12-14 10:59:24

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Thu Dec 14 10:59:24 2017 rev:26 rq:556377 version:1.0.14

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2017-12-11 18:57:23.971999448 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2017-12-14 10:59:47.952906675 +0100
@@ -1,0 +2,6 @@
+Mon Dec 11 20:41:26 UTC 2017 - vci...@suse.com
+
+- Fix NSS database startup permission check (bsc#1057776)
+  * add 0001-Handle-group-membership-when-testing-for-file-permis.patch
+
+---

New:

  0001-Handle-group-membership-when-testing-for-file-permis.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.CoNwit/_old  2017-12-14 10:59:49.552829439 +0100
+++ /var/tmp/diff_new_pack.CoNwit/_new  2017-12-14 10:59:49.556829246 +0100
@@ -38,6 +38,7 @@
 Source5:vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
+Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
@@ -76,6 +77,7 @@
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
 
 # Touch expression parser sources to prevent regenerating it

++ 0001-Handle-group-membership-when-testing-for-file-permis.patch ++
>From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions

This was a bit of a corner case but group membership wasn't
considered when trying to determine if the NSS databases are
readable.

Resolves BZ 1395300
---
 nss_engine_init.c | 45 +
 1 file changed, 33 insertions(+), 12 deletions(-)

Index: mod_nss-1.0.14/nss_engine_init.c
===
--- mod_nss-1.0.14.orig/nss_engine_init.c   2017-12-11 21:44:07.051660014 
+0100
+++ mod_nss-1.0.14/nss_engine_init.c2017-12-11 21:47:22.698850519 +0100
@@ -29,6 +29,7 @@
 #include "cert.h"
 #include 
 #include 
+#include 
 
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -57,22 +58,38 @@ static char *version_components[] = {
  * Return 0 on failure or file doesn't exist
  * Return 1 on success
  */
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+  apr_pool_t *p)
 {
 apr_finfo_t finfo;
-int rv;
+PRBool in_group = PR_FALSE;
+struct group *gr;
+int i = 0;
+
+if ((apr_stat(, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+== APR_SUCCESS) {
+if ((gr = getgrgid(finfo.group)) == NULL) {
+return 0;
+}
 
-if ((rv = apr_stat(, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
- p)) == APR_SUCCESS) {
+if (gid == finfo.group) {
+in_group = PR_TRUE;
+} else {
+while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+if (!strcasecmp(user, gr->gr_mem[i++])) {
+in_group = PR_TRUE;
+break;
+}
+}
+}
 if (((uid == finfo.user) &&
 ((finfo.protection & APR_FPROT_UREAD))) ||
-((gid == finfo.group) &&
-((finfo.protection & APR_FPROT_GREAD)))
+(in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+(finfo.protection & APR_FPROT_WREAD)
)
 {
 return 1;
 }
-return 0;
 }
 return 0;
 }
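Review bot: The membership loop in check_path matches names with `strcasecmp(user, gr->gr_mem[i++])`, but account names are case-sensitive, so a configured user that differs only in case from a listed member is counted as a group member; `if (!strcmp(user, gr->gr_mem[i++])) {` avoids that false positive. Separately, the early `return 0` when `getgrgid(finfo.group)` returns NULL runs before the owner and world-read tests, so a database owned and readable by the server uid is reported unreadable whenever its gid has no entry in the group database. Treating a failed lookup as "not in group" and falling through to the permission test would keep the previous result for that case. `user` is also passed to the comparison without a NULL check; whether `mc->user` can be unset at this point is not visible in the hunk.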
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
 if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
 apr_snprintf(filepath, 1024, "%s/key4.db",
  mc->pCertificateDatabase+4);
-if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+  p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
 "Server 

commit apache2-mod_nss for openSUSE:Factory

2017-12-11 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2017-12-11 18:57:21

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Mon Dec 11 18:57:21 2017 rev:25 rq:555875 version:1.0.14

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2017-10-25 17:47:24.247745180 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2017-12-11 18:57:23.971999448 +0100
@@ -1,0 +2,7 @@
+Thu Dec  7 13:19:08 UTC 2017 - vci...@suse.com
+
+- drop obsolete mod_nss-dont_disable_SSLV2.patch
+  * bump up minimal NSS version to 3.25, which we now have everywhere
+- Require iproute2 for ss, which is used by gencert to gather noise
+
+---
@@ -26,0 +34 @@
+  (bsc#998183)

Old:

  mod_nss-dont_disable_SSLV2.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.g2cgLZ/_old  2017-12-11 18:57:24.603969347 +0100
+++ /var/tmp/diff_new_pack.g2cgLZ/_new  2017-12-11 18:57:24.607969156 +0100
@@ -38,7 +38,6 @@
 Source5:vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
-Patch3: mod_nss-dont_disable_SSLV2.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
@@ -49,11 +48,12 @@
 BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  iproute2
+BuildRequires:  iproute2
 BuildRequires:  libapr-util1-devel
 BuildRequires:  libapr1-devel
 BuildRequires:  libtool
 BuildRequires:  mozilla-nspr-devel >= 4.6.3
-BuildRequires:  mozilla-nss-devel >= 3.15.1
+BuildRequires:  mozilla-nss-devel >= 3.25
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig
 Requires:   %{apache_mmn}
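Review bot: The added `BuildRequires:  iproute2` repeats the context line directly above it, and the `@@ -61,7 +61,8 @@` hunk does the same with `Requires:   iproute2`. Both dependencies were already declared, so the two added lines can be dropped without changing what the changelog entry ("Require iproute2 for ss") asks for.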
@@ -61,7 +61,8 @@
 Requires:   apache2 >= 2.2.12
 Requires:   findutils
 Requires:   iproute2
-Requires:   mozilla-nss >= 3.15.1
+Requires:   iproute2
+Requires:   mozilla-nss >= 3.25
 Requires(post): mozilla-nss-tools
 Provides:   mod_nss
 
@@ -75,7 +76,6 @@
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 %patch4 -p1
 
 # Touch expression parser sources to prevent regenerating it




commit apache2-mod_nss for openSUSE:Factory

2017-10-25 Thread root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2017-10-25 17:47:23

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Wed Oct 25 17:47:23 2017 rev:24 rq:536370 version:1.0.14

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-10-10 16:21:12.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2017-10-25 17:47:24.247745180 +0200
@@ -1,0 +2,7 @@
+Mon Oct 23 12:53:12 UTC 2017 - vci...@suse.com
+
+- Use ss instead of the deprecated netstat in gencert (bsc#1064415)
+  * add mod_nss-gencert_use_ss_instead_of_netstat.patch
+- spec: cleanup and fix URLs
+
+---

New:

  mod_nss-gencert_use_ss_instead_of_netstat.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.nuRJUK/_old  2017-10-25 17:47:25.307695433 +0200
+++ /var/tmp/diff_new_pack.nuRJUK/_new  2017-10-25 17:47:25.311695246 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,25 +16,30 @@
 #
 
 
+%defineapxs %{_sbindir}/apxs2
+%defineapache apache2
+%defineapache_libexecdir %(%{apxs} -q LIBEXECDIR)
+%defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR)
+%defineapache_includedir %(%{apxs} -q INCLUDEDIR)
+%defineapache_serverroot %(%{apxs} -q PREFIX)
+%defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
+%defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:   apache2-mod_nss
+Version:1.0.14
+Release:0
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
 Group:  Productivity/Networking/Web/Servers
-Version:1.0.14
-Release:0.4.8
-Url:https://fedorahosted.org/mod_nss
-Source: 
https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
+Url:https://pagure.io/mod_nss
+Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz
 Source1:mod_nss.conf.in
 Source2:listen_nss.conf
 Source4:README-SUSE.txt
 Source5:vhost-nss.template
-Provides:   mod_nss
-Requires:   %{apache_mmn}
-Requires:   %{apache_suse_maintenance_mmn}
-Requires:   apache2 >= 2.2.12
-Requires:   findutils
-Requires:   mozilla-nss >= 3.15.1
-PreReq: mozilla-nss-tools
+Patch1: mod_nss-migrate.patch
+Patch2: mod_nss-gencert-correct-ownership.patch
+Patch3: mod_nss-dont_disable_SSLV2.patch
+Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  automake
@@ -43,6 +48,7 @@
 BuildRequires:  findutils
 BuildRequires:  flex
 BuildRequires:  gcc-c++
+BuildRequires:  iproute2
 BuildRequires:  libapr-util1-devel
 BuildRequires:  libapr1-devel
 BuildRequires:  libtool
@@ -50,20 +56,14 @@
 BuildRequires:  mozilla-nss-devel >= 3.15.1
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig
-
-Patch1: mod_nss-migrate.patch
-Patch2: mod_nss-gencert-correct-ownership.patch
-Patch3: mod_nss-dont_disable_SSLV2.patch
-
-BuildRoot:  %{_tmppath}/%{name}-%{version}-build
-%defineapxs /usr/sbin/apxs2
-%defineapache apache2
-%defineapache_libexecdir %(%{apxs} -q LIBEXECDIR)
-%defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR)
-%defineapache_includedir %(%{apxs} -q INCLUDEDIR)
-%defineapache_serverroot %(%{apxs} -q PREFIX)
-%defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
-%defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
+Requires:   %{apache_mmn}
+Requires:   %{apache_suse_maintenance_mmn}
+Requires:   apache2 >= 2.2.12
+Requires:   findutils
+Requires:   iproute2
+Requires:   mozilla-nss >= 3.15.1
+Requires(post): mozilla-nss-tools
+Provides:   mod_nss
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -76,20 +76,21 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
 
 %build
-CFLAGS="$RPM_OPT_FLAGS"
+CFLAGS="%{optflags}"
 export CFLAGS
-NSPR_INCLUDE_DIR=`/usr/bin/pkg-config 

commit apache2-mod_nss for openSUSE:Factory

2016-10-10 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-10-10 16:21:11

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-09-17 14:40:32.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-10-10 16:21:12.0 +0200
@@ -1,0 +2,5 @@
+Thu Sep 29 15:26:39 UTC 2016 - jeng...@inai.de
+
+- Avoid changing permissions through symlinks
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.YVMBTb/_old  2016-10-10 16:21:13.0 +0200
+++ /var/tmp/diff_new_pack.YVMBTb/_new  2016-10-10 16:21:13.0 +0200
@@ -199,8 +199,8 @@
 echo ""
 fi
 # Make sure that the database ownership is setup properly.
-find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} 
\;
-find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} 
\;
+find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www 
{} +
+find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec 
/bin/chmod 640 {} +
 
 %files
 %defattr(-,root,root,-)
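Review bot: `! -type l` on the chmod line still lets directories and other non-regular files named `*.db` through, and the chgrp line has no type filter at all. Only the database files are meant, so `-type f` on both lines is tighter, e.g. `find %{apache_sysconf_nssdir} -user root -name "*.db" -type f -exec /bin/chmod 640 {} +`. A directory matching the pattern would otherwise be set to mode 640 and lose its search bit. The scriptlet these lines belong to starts outside the hunk.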




commit apache2-mod_nss for openSUSE:Factory

2016-09-17 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-09-17 14:40:30

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-08-05 18:16:41.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-09-17 14:40:32.0 +0200
@@ -1,0 +2,15 @@
+Thu Sep 15 10:44:06 UTC 2016 - vci...@suse.com
+
+- don't disable SSLV2, because it doesn't work with NSS 3.24
+  (boo#993642)
+  * add mod_nss-dont_disable_SSLV2.patch
+- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in
+  (bsc#998176)
+- change ownership of the gencert generated NSS database so apache
+  can read it (bsc#998180)
+  * add mod_nss-gencert-correct-ownership.patch
+- use correct configuration path in mod_nss.conf.in (bsc#996282)
+- remove %post migration code from the old alias directory
+- generate dummy certificates if there aren't any in mod_nss.d
+
+---

New:

  mod_nss-dont_disable_SSLV2.patch
  mod_nss-gencert-correct-ownership.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.dmgxzl/_old  2016-09-17 14:40:34.0 +0200
+++ /var/tmp/diff_new_pack.dmgxzl/_new  2016-09-17 14:40:34.0 +0200
@@ -52,6 +52,8 @@
 BuildRequires:  pkgconfig
 
 Patch1: mod_nss-migrate.patch
+Patch2: mod_nss-gencert-correct-ownership.patch
+Patch3: mod_nss-dont_disable_SSLV2.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
@@ -72,6 +74,8 @@
 %prep
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -188,48 +192,15 @@
 
 %post
 umask 077
-if [ "$1" -eq 1 ] ; then
-# this is first time installation.
-if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
+if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
 %{_sbindir}/gencert %{apache_sysconf_nssdir} > 
%{apache_sysconf_nssdir}/install.log 2>&1
 echo ""
 echo "%{name} certificate database generated."
 echo ""
-fi
-# Make sure that the database ownership is setup properly.
-find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www 
{} \;
-find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 
{} \;
-fi
-if [ "$1" -eq 2 ]; then
-# this is the upgrade case for this %post:
-if [ -d %{apache_sysconfdir}/alias ]; then
-   copied_files=""
-   for dbfile in *.db; do
-   if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
-   cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
-   copied_files="$copied_files $dbfile"
-   fi
-   done
-   if [ "$copied_files" != "" ]; then
-   {
-   echo "This notice was written by the post-install script of the 
package"
-   echo "%{name}."
-   echo ""
-   echo "The files $copied_files"
-   echo "have been copied to the directory 
%{apache_sysconf_nssdir},"
-   echo "as this directory is not referenced by the default 
configuration any longer,"
-   echo "and because these files did not exist in 
%{apache_sysconf_nssdir}."
-   echo "Existing files have not been modified."
-   echo ""
-   echo "Please check your configuration and remove or move your 
certificate and"
-   echo "key storage to your desired place, and adjust your module 
configuration"
-   echo "accordingly."
-   echo ""
-   echo "Thank you."
-   } > %{apache_sysconfdir}/alias/README-dbfiles.txt
-   fi
-fi
 fi
+# Make sure that the database ownership is setup properly.
+find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} 
\;
+find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} 
\;
 
 %files
 %defattr(-,root,root,-)
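Review bot: The new guard tests only for `key3.db`, and with the `"$1" -eq 1` condition removed it now runs on every upgrade as well as on first install. The module also accepts `sql:` databases, whose key file is `key4.db`, so a directory holding only an sqlite database would have gencert run against it at each update; what gencert does to files already present is not visible here. A guard such as `if [ ! -e %{apache_sysconf_nssdir}/key3.db ] && [ ! -e %{apache_sysconf_nssdir}/key4.db ]; then` would cover both formats.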
@@ -244,7 +215,6 @@
 %ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/cert8.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
 %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
-#%%{apache_sysconf_nssdir}/libnssckbi.so
 %{_sbindir}/nss_pcache
 %{_sbindir}/gencert
 %{_sbindir}/mod_nss_migrate.pl

++ mod_nss-dont_disable_SSLV2.patch ++
Index: mod_nss-1.0.14/nss_engine_init.c

commit apache2-mod_nss for openSUSE:Factory

2016-08-05 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-08-05 18:16:40

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-04-28 16:57:51.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-08-05 18:16:41.0 +0200
@@ -1,0 +2,7 @@
+Fri Jul 29 18:04:55 UTC 2016 - vci...@suse.com
+
+- use systemd-ask-password to prompt for a certificate passphrase
+  (bsc#972968)
+  * drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff
+
+---

Old:

  mod_nss-bnc863518-reopen_dev_tty.diff



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.BxDyVN/_old  2016-08-05 18:16:42.0 +0200
+++ /var/tmp/diff_new_pack.BxDyVN/_new  2016-08-05 18:16:42.0 +0200
@@ -51,7 +51,6 @@
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig
 
-Patch0: mod_nss-bnc863518-reopen_dev_tty.diff
 Patch1: mod_nss-migrate.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
@@ -72,7 +71,6 @@
 
 %prep
 %setup -q -n mod_nss-%{version}
-%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 %patch1 -p1
 
 # Touch expression parser sources to prevent regenerating it
@@ -136,9 +134,7 @@
 %check
 set +x
 mkdir -p %{apache_test_module_dir}
-# create password file including internal token to suppress 
-# apache 'builtin dialog', see NSSPassPhraseDialog below
-# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
+# create password file including internal token to suppress apache 'builtin 
dialog'
 cat << EOF > %{apache_test_module_dir}/password.conf
 internal:httptest
 EOF

++ mod_nss.conf.in ++
--- /var/tmp/diff_new_pack.BxDyVN/_old  2016-08-05 18:16:42.0 +0200
+++ /var/tmp/diff_new_pack.BxDyVN/_new  2016-08-05 18:16:42.0 +0200
@@ -26,7 +26,7 @@
 # VirtualHosts on the same IP Address and port is not possible.
 #
 # Reason:
-# The brwoser/client connects to the web server's port 443 and initializes
+# The browser/client connects to the web server's port 443 and initializes
 # an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the
 # client to specify the host that it wants to connect to, unless the crypto
 # has been fully initialized already. Similarly, the server cannot present 
@@ -132,8 +132,7 @@
 #   Configure the pass phrase gathering process.
 #   The filtering dialog program (`builtin' is a internal
 #   terminal dialog) has to provide the pass phrase on stdout.
-NSSPassPhraseDialog  builtin
-
+NSSPassPhraseDialog  exec:/usr/sbin/apache2-systemd-ask-pass
 
 #   Pass Phrase Helper:
 #   This helper program stores the token password pins between
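Review bot: The comment block above `NSSPassPhraseDialog` still explains only `builtin`, while the shipped default is now `exec:/usr/sbin/apache2-systemd-ask-pass`, so a reader of the config cannot tell what the `exec:` form does. I would extend the comment with `#   'exec:/path/to/program' runs that program and reads the pass phrase from its stdout.` None of the spec hunks in this commit adds a dependency for the helper, so presumably it ships with apache2 itself; that is worth confirming, since a missing helper would leave the server unable to obtain the pass phrase at start.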
@@ -188,35 +187,9 @@
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_nss documentation for a complete list.
 
-# SSL 3 ciphers. SSL 2 is disabled
-#NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
-
-# The following ciphers are available in SUSE's package after June 2014;
-# The GCM mode aes ciphers are of particular interest.
-# You may want to add them if so desired:
-# 
-# rsa_aes_128_gcm_sha
-# ecdh_ecdsa_aes_128_gcm_sha
-# ecdhe_ecdsa_aes_128_gcm_sha
-# ecdh_rsa_aes_128_gcm_sha
-# ecdhe_rsa_aes_128_gcm_sha
-
-# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
-#
-# Comment out the NSSCipherSuite line above and use the one below if you have
-# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
-#NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
-
-# The following is taken as default with the apache2-mod_nss package, as
-# provided with 

commit apache2-mod_nss for openSUSE:Factory

2016-04-28 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-04-28 16:54:54

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-03-31 13:03:47.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-04-28 16:57:51.0 +0200
@@ -1,0 +2,12 @@
+Sat Apr 16 09:12:29 UTC 2016 - vci...@suse.com
+
+- update to 1.0.14 (fixes boo#973996)
+  * OpenSSL ciphers stopped parsing at +, CVE-2016-3099
+  * Created valgrind suppression files to ease debugging
+  * Implement SSL_PPTYPE_FILTER to call executables to get
+the key password pins. Can be used to prompt with systemd.
+  * Improvements to migrate.pl
+- drop mod_nss_migrate.pl and use upstream migrate script instead
+  * add mod_nss-migrate.patch
+
+---

Old:

  mod_nss-1.0.13.tar.gz
  mod_nss_migrate.pl

New:

  mod_nss-1.0.14.tar.gz
  mod_nss-migrate.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.Pu1grj/_old  2016-04-28 16:57:54.0 +0200
+++ /var/tmp/diff_new_pack.Pu1grj/_new  2016-04-28 16:57:54.0 +0200
@@ -20,13 +20,12 @@
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
 Group:  Productivity/Networking/Web/Servers
-Version:1.0.13
+Version:1.0.14
 Release:0.4.8
 Url:https://fedorahosted.org/mod_nss
 Source: 
https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
 Source1:mod_nss.conf.in
 Source2:listen_nss.conf
-Source3:mod_nss_migrate.pl
 Source4:README-SUSE.txt
 Source5:vhost-nss.template
 Provides:   mod_nss
@@ -52,7 +51,8 @@
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  pkgconfig
 
-Patch23:mod_nss-bnc863518-reopen_dev_tty.diff
+Patch0: mod_nss-bnc863518-reopen_dev_tty.diff
+Patch1: mod_nss-migrate.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
@@ -72,7 +72,8 @@
 
 %prep
 %setup -q -n mod_nss-%{version}
-%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
+%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
+%patch1 -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -123,7 +124,7 @@
 install -m 755 .libs/libmodnss.so 
$RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
 install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
 install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
-install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/
+install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl
 
 #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so 
$RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
 touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db

++ mod_nss-1.0.13.tar.gz -> mod_nss-1.0.14.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.13/ChangeLog new/mod_nss-1.0.14/ChangeLog
--- old/mod_nss-1.0.13/ChangeLog2016-03-05 23:39:14.0 +0100
+++ new/mod_nss-1.0.14/ChangeLog2016-04-15 20:27:59.0 +0200
@@ -1,3 +1,19 @@
+2016-04-15  Rob Crittenden 
+* Become 1.0.14
+
+2016-03-31  Rob Crittenden 
+* Created valgrind suppression files to ease debugging
+
+2016-03-30  Rob Crittenden 
+* Implement SSL_PPTYPE_FILTER to call executables to get
+  the key password pins. Can be used to prompt with systemd.
+
+2016-03-30  Vitezslav Cizek 
+* Improvements to migrate.pl
+
+2016-03-17  Rob Crittenden 
+* OpenSSL ciphers stopped parsing at +, CVE-2016-3099
+
 2016-03-04  Rob Crittenden 
 
 * Fix a number of issues discovered by clang-analyzer
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.13/configure.ac 
new/mod_nss-1.0.14/configure.ac
--- old/mod_nss-1.0.13/configure.ac 2016-03-05 23:39:14.0 +0100
+++ new/mod_nss-1.0.14/configure.ac 2016-04-15 20:27:59.0 +0200
@@ -1,5 +1,5 @@
 # Required initializer
-AC_INIT([mod_nss],[1.0.13])
+AC_INIT([mod_nss],[1.0.14])
 
 m4_include([acinclude.m4])
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_nss-1.0.13/docs/mod_nss.html 
new/mod_nss-1.0.14/docs/mod_nss.html
--- old/mod_nss-1.0.13/docs/mod_nss.html  

commit apache2-mod_nss for openSUSE:Factory

2016-03-31 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-03-31 13:03:40

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2016-01-23 01:16:32.0 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-03-31 13:03:47.0 +0200
@@ -1,0 +2,68 @@
+Thu Mar 17 16:27:13 UTC 2016 - vci...@suse.com
+
+- use a whitelist approach for keeping directives in the migration
+  script (bsc#961907)
+  * modify mod_nss_migrate.pl
+
+---
+Wed Mar 16 14:45:24 UTC 2016 - pgaj...@suse.com
+
+- fix test: add NSSPassPhraseDialog, point it to plain file
+
+---
+Mon Mar 14 12:27:37 UTC 2016 - vci...@suse.com
+
+- update to 1.0.13
+  Update default ciphers to something more modern and secure
+  Check for host and netstat commands in gencert before trying to use them
+  Add server support for DHE ciphers
+  Extract SAN from server/client certificates into env
+  Fix memory leaks and other coding issues caught by clang analyzer
+  Add support for Server Name Indication (SNI) (#1010751)
+  Add support for SNI for reverse proxy connections
+  Add RenegBufferSize? option
+  Add support for TLS Session Tickets (RFC 5077)
+  Fix logical AND support in OpenSSL cipher compatibility
+  Correctly handle disabled ciphers (CVE-2015-5244)
+  Implement a slew more OpenSSL cipher macros
+  Fix a number of illegal memory accesses and memory leaks
+  Support for SHA384 ciphers if they are available in NSS
+  Add compatibility for mod_ssl-style cipher definitions (#862938)
+  Add TLSv1.2-specific ciphers
+  Completely remove support for SSLv2
+  Add support for sqlite NSS databases (#1057650)
+  Compare subject CN and VS hostname during server start up
+  Add support for enabling TLS v1.2
+  Don't enable SSL 3 by default (CVE-2014-3566)
+  Fix CVE-2013-4566
+  Move nss_pcache to /usr/libexec
+  Support httpd 2.4+
+- drop almost all our patches (upstream)
+  * 0001-SNI-check-with-NameVirtualHosts.patch
+  * mod_nss-CVE-2013-4566-NSSVerifyClient.diff
+  * mod_nss-PK11_ListCerts_2.patch
+  * mod_nss-add_support_for_enabling_TLS_v1.2.patch
+  * mod_nss-array_overrun.patch
+  * mod_nss-cipherlist_update_for_tls12-doc.diff
+  * mod_nss-cipherlist_update_for_tls12.diff
+  * mod_nss-clientauth.patch
+  * mod_nss-compare_subject_CN_and_VS_hostname.patch
+  * mod_nss-gencert.patch
+  * mod_nss-httpd24.patch
+  * mod_nss-lockpcache.patch
+  * mod_nss-negotiate.patch
+  * mod_nss-no_shutdown_if_not_init_2.patch
+  * mod_nss-overlapping_memcpy.patch
+  * mod_nss-pcachesignal.h
+  * mod_nss-proxyvariables.patch
+  * mod_nss-reseterror.patch
+  * mod_nss-reverse_proxy_send_SNI.patch
+  * mod_nss-reverseproxy.patch
+  * mod_nss-sslmultiproxy.patch
+  * mod_nss-tlsv1_1.patch
+  * mod_nss-wouldblock.patch
+  * update-ciphers.patch
+- add automake and libtool to BuildRequires
+- temporarily comment out %check
+
+---

Old:

  0001-SNI-check-with-NameVirtualHosts.patch
  mod_nss-1.0.8.tar.gz
  mod_nss-CVE-2013-4566-NSSVerifyClient.diff
  mod_nss-PK11_ListCerts_2.patch
  mod_nss-add_support_for_enabling_TLS_v1.2.patch
  mod_nss-array_overrun.patch
  mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  mod_nss-clientauth.patch
  mod_nss-compare_subject_CN_and_VS_hostname.patch
  mod_nss-gencert.patch
  mod_nss-httpd24.patch
  mod_nss-lockpcache.patch
  mod_nss-negotiate.patch
  mod_nss-no_shutdown_if_not_init_2.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-pcachesignal.h
  mod_nss-proxyvariables.patch
  mod_nss-reseterror.patch
  mod_nss-reverse_proxy_send_SNI.patch
  mod_nss-reverseproxy.patch
  mod_nss-sslmultiproxy.patch
  mod_nss-tlsv1_1.patch
  mod_nss-wouldblock.patch
  update-ciphers.patch

New:

  mod_nss-1.0.13.tar.gz



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.ZpLJKc/_old  2016-03-31 13:03:48.0 +0200
+++ /var/tmp/diff_new_pack.ZpLJKc/_new  2016-03-31 13:03:48.0 +0200
@@ -20,7 +20,7 @@
 Summary:SSL/TLS module for the Apache HTTP server
 License:Apache-2.0
 Group:  Productivity/Networking/Web/Servers
-Version:1.0.8
+Version:1.0.13
 Release:0.4.8
 Url:https://fedorahosted.org/mod_nss
 Source: 
https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
@@ -38,6 +38,7 

commit apache2-mod_nss for openSUSE:Factory

2016-01-22 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2016-01-23 01:16:27

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-12-21 12:04:38.0 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2016-01-23 01:16:32.0 +0100
@@ -1,0 +2,5 @@
+Tue Jan 12 08:31:19 UTC 2016 - pgaj...@suse.com
+
+- %check: access syntax depends on %{apache_branch}
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.26NAUP/_old  2016-01-23 01:16:33.0 +0100
+++ /var/tmp/diff_new_pack.26NAUP/_new  2016-01-23 01:16:33.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -202,7 +202,11 @@
 NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 
+%if 0%{?apache_branch} >= 204
   Require local
+%else
+  Allow from localhost
+%endif
 
 EOF
 # create test certificate
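Review bot: The two branches of the new conditional are not equivalent: `Require local` rejects every non-local request, whereas `Allow from localhost` on its own, under the 2.2 default `Order Deny,Allow`, still permits requests that match no rule. If the enclosing section, which lies outside this hunk, sets no `Order` or `Deny`, the `%else` branch should read `Order deny,allow`, `Deny from all`, `Allow from localhost`. For a build-time test the exposure is small, but the 2.2 configuration would then exercise the same restriction as the 2.4 one.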




commit apache2-mod_nss for openSUSE:Factory

2015-12-21 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-12-21 12:04:32

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-10-20 00:09:01.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-12-21 12:04:38.0 +0100
@@ -1,0 +2,5 @@
+Fri Dec 11 12:08:09 UTC 2015 - pgaj...@suse.com
+
+- %{apache_branch} converted to number
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.Ve1Mmo/_old  2015-12-21 12:04:39.0 +0100
+++ /var/tmp/diff_new_pack.Ve1Mmo/_new  2015-12-21 12:04:39.0 +0100
@@ -128,7 +128,7 @@
 %patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
-%if "%{apache_branch}" != "2.2"
+%if %{apache_branch} >= 204
 %patch9 -p1 -b .http24
 %endif
 
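Review bot: `%if %{apache_branch} >= 204` has no fallback when the macro is undefined: the unexpanded `%{apache_branch}` is then left in the expression and the spec fails to parse. `%if 0%{?apache_branch} >= 204` evaluates to false in that case instead. apache-rpm-macros is presumably expected to define the macro, but the guarded form keeps the spec parseable where it does not.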




commit apache2-mod_nss for openSUSE:Factory

2015-10-19 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-10-19 22:53:58

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is "apache2-mod_nss"

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-07-20 11:21:14.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-10-20 00:09:01.0 +0200
@@ -1,0 +2,39 @@
+Wed Oct 14 09:23:18 UTC 2015 - pgaj...@suse.com
+
+- mod_nss-httpd24.patch applied depending on %{apache_branch} 
+  instead of %{suse_version}, fixes build for sle11 with new apache
+
+---
+Fri Oct  2 14:35:41 UTC 2015 - pgaj...@suse.com
+
+- test module with %apache_test_module_curl
+
+---
+Mon Sep  7 08:25:03 UTC 2015 - vci...@suse.com
+
+- unified ciphers with SLE-12
+  * modified patches:
+mod_nss-cipherlist_update_for_tls12-doc.diff
+mod_nss-cipherlist_update_for_tls12.diff
+update-ciphers.patch
+
+---
+Mon Sep  7 08:03:31 UTC 2015 - vci...@suse.com
+
+- send TLS server name extension on proxy connections (bsc#933832)
+  * added mod_nss-reverse_proxy_send_SNI.patch
+- updates to the SNI code (from Stanislav Tokos):
+  update update-ciphers.patch
+  (bsc#928039)
+  merge changes from the mod_nss-SNI_support.patch to:
+  0001-SNI-check-with-NameVirtualHosts.patch
+  (bnc#927402)
+  abstract hash for NSSNickname and ServerName, add ServerAliases and Wild
+  Cards for vhost
+  (bsc#927402, bsc#928039, bsc#930922)
+  replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts)
+  (bsc#930186)
+  add alert about permission on the certificate database
+  (bsc#933265)
+
+---

Old:

  mod_nss-SNI_support.patch

New:

  0001-SNI-check-with-NameVirtualHosts.patch
  mod_nss-reverse_proxy_send_SNI.patch
  update-ciphers.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.XpMPTp/_old  2015-10-20 00:09:02.0 +0200
+++ /var/tmp/diff_new_pack.XpMPTp/_new  2015-10-20 00:09:02.0 +0200
@@ -39,6 +39,7 @@
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  bison
+BuildRequires:  curl
 BuildRequires:  findutils
 BuildRequires:  flex
 BuildRequires:  gcc-c++
@@ -78,7 +79,9 @@
 # PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2
 Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch
 # PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreit...@suse.com -- add 
Server Name Indication support
-Patch26:mod_nss-SNI_support.patch
+Patch26:0001-SNI-check-with-NameVirtualHosts.patch
+Patch27:update-ciphers.patch
+Patch28:mod_nss-reverse_proxy_send_SNI.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
@@ -120,10 +123,12 @@
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
 %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
-%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch
+%patch26 -p1 -b .SNI_support.rpmpatch
+%patch27 -p1 -b .update-ciphers.rpmpatch
+%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
-%if 0%{?suse_version} >= 1300
+%if "%{apache_branch}" != "2.2"
 %patch9 -p1 -b .http24
 %endif
 
@@ -185,8 +190,51 @@
 touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
 perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+%check
+set +x
+mkdir -p %{apache_test_module_dir}
+# create test configuration
+cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
+NSSEngine on
+NSSNickname Server-Cert
+NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
+NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
+NSSCipherSuite 
+ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
+
+  Require local
+
+EOF
+# create test certificate
+mkdir -p %{apache_test_module_dir}/mod_nss.d
+#   bend gencert to use ServerName of apache test instance
+cp %{buildroot}%{_sbindir}/gencert .
+sed -i 

commit apache2-mod_nss for openSUSE:Factory

2015-07-20 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-07-20 11:21:12

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-05-18 22:33:44.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-07-20 11:21:14.0 +0200
@@ -1,0 +2,7 @@
+Thu Jul 16 07:22:02 UTC 2015 - pgaj...@suse.com
+
+- Requries: %{apache_suse_maintenance_mmn}
+  This will pull this module to the update (in released distribution) 
+  when apache maintainer thinks it is good (due api/abi changes).
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.Yw1iZ3/_old  2015-07-20 11:21:16.0 +0200
+++ /var/tmp/diff_new_pack.Yw1iZ3/_new  2015-07-20 11:21:16.0 +0200
@@ -30,10 +30,13 @@
 Source4:README-SUSE.txt
 Source5:vhost-nss.template
 Provides:   mod_nss
+Requires:   %{apache_mmn}
+Requires:   %{apache_suse_maintenance_mmn}
 Requires:   apache2 = 2.2.12
 Requires:   findutils
 Requires:   mozilla-nss = 3.15.1
 PreReq: mozilla-nss-tools
+BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel = 2.2.12
 BuildRequires:  bison
 BuildRequires:  findutils




commit apache2-mod_nss for openSUSE:Factory

2015-05-18 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-05-18 22:33:43

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-05-10 10:46:58.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-05-18 22:33:44.0 +0200
@@ -1,0 +2,6 @@
+Mon May 18 10:32:12 UTC 2015 - h...@suse.com
+
+- The package does not carry any .conf files underneath /etc/apache2/mod_nss.d,
+  therefore use 'IncludeOptional' instead of 'Include' directory in 
mod_nss.conf.
+
+---



Other differences:
--
++ mod_nss.conf.in ++
--- /var/tmp/diff_new_pack.xd7xdE/_old  2015-05-18 22:33:45.0 +0200
+++ /var/tmp/diff_new_pack.xd7xdE/_new  2015-05-18 22:33:45.0 +0200
@@ -106,7 +106,7 @@
 IfModule mod_nss.c
 
 Include /etc/apache2/listen_nss.conf
-Include /etc/apache2/mod_nss.d/*.conf
+IncludeOptional /etc/apache2/mod_nss.d/*.conf
 
 
 
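Review bot: `IncludeOptional` is only understood by Apache httpd 2.3.6 and later, so on a 2.2 server the changed line in the `IfModule mod_nss.c` block would be rejected as an unknown directive and the configuration would fail to load. Spec hunks elsewhere on this page still reference `apache2-devel >= 2.2.12` and an `apache_branch` of 2.2, so 2.2 builds appear to be in scope. If they are, the template should keep `Include /etc/apache2/mod_nss.d/*.conf` for the 2.2 branch and use `IncludeOptional` only otherwise. A comment above the line such as `# IncludeOptional: mod_nss.d ships empty; requires httpd >= 2.3.6` would record why the directive was chosen.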




commit apache2-mod_nss for openSUSE:Factory

2015-05-10 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-05-10 10:46:55

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2015-04-10 09:52:40.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-05-10 10:46:58.0 +0200
@@ -1,0 +2,5 @@
+Thu May  7 12:27:40 UTC 2015 - kstreit...@suse.com
+
+- change of url and source address 
+
+---



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.9ZDWiG/_old  2015-05-10 10:46:59.0 +0200
+++ /var/tmp/diff_new_pack.9ZDWiG/_new  2015-05-10 10:46:59.0 +0200
@@ -22,8 +22,8 @@
 Group:  Productivity/Networking/Web/Servers
 Version:1.0.8
 Release:0.4.8
-Url:http://directory.fedoraproject.org/wiki/Mod_nss
-Source: 
http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
+Url:https://fedorahosted.org/mod_nss
+Source: 
https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
 Source1:mod_nss.conf.in
 Source2:listen_nss.conf
 Source3:mod_nss_migrate.pl




commit apache2-mod_nss for openSUSE:Factory

2015-03-09 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2015-03-09 10:09:27

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2014-11-06 16:50:56.0 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2015-03-09 10:09:39.0 +0100
@@ -1,0 +2,8 @@
+Tue Mar  3 10:25:27 UTC 2015 - kstreit...@suse.com
+
+- add mod_nss-SNI_support.patch that brings Server Name Indication
+  support that allows to have multiple HTTPS websites with multiple
+  certificates on the same IP address and port.
+  [fate#318331], [bnc#897712]
+
+---

New:

  mod_nss-SNI_support.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.xkC1d8/_old  2015-03-09 10:09:40.0 +0100
+++ /var/tmp/diff_new_pack.xkC1d8/_new  2015-03-09 10:09:40.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -74,6 +74,8 @@
 Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch
 # PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2
 Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch
+# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreit...@suse.com -- add 
Server Name Indication support
+Patch26:mod_nss-SNI_support.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
@@ -115,6 +117,7 @@
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
 %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
+%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} = 1300

++ mod_nss-SNI_support.patch ++
From 07405e4dbd1e2df6583bb571a6230da78788c19b Mon Sep 17 00:00:00 2001
From: standa sto...@suse.de
Date: Thu, 26 Feb 2015 15:23:50 +0100
Subject: [PATCH] SNI check with NameVirtualHosts

---
 docs/mod_nss.html   | 10 ++
 mod_nss.c   |  3 ++
 mod_nss.h   | 18 ++
 nss_engine_config.c | 11 +++
 nss_engine_init.c   | 95 -
 nss_engine_kernel.c | 51 
 nss_util.c  | 19 +++
 7 files changed, 199 insertions(+), 8 deletions(-)

Index: mod_nss-1.0.8/docs/mod_nss.html
===
--- mod_nss-1.0.8.orig/docs/mod_nss.html
+++ mod_nss-1.0.8/docs/mod_nss.html
@@ -1079,6 +1079,16 @@ components of the client certificate, th
 br
 codeNSSRequirebr
 /codebr
+bigbigNSSSNI/big/bigbr
+br
+Enables or disables Server Name Identification(SNI) extension check for
+SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header.
+br
+br
+span style=font-weight: bold;Example/spanbr
+br
+codeNSSSNI off/codebr
+br
 bigbigNSSProxyEngine/big/bigbr
 br
 Enables or disables mod_nss HTTPS support for mod_proxy.br
Index: mod_nss-1.0.8/mod_nss.c
===
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -85,6 +85,9 @@ static const command_rec nss_config_cmds
 SSL_CMD_SRV(FIPS, FLAG,
 FIPS 140-1 mode 
 (`on', `off'))
+SSL_CMD_SRV(SNI, FLAG,
+SNI
+(`on', `off'))
 SSL_CMD_ALL(CipherSuite, TAKE1,
 Comma-delimited list of permitted SSL Ciphers, + to enable, - 
to disable 
 (`[+-]XXX,...,[+-]XXX' - see manual))
Index: mod_nss-1.0.8/mod_nss.h
===
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -308,6 +308,7 @@ struct SSLSrvConfigRec {
 const char  *ocsp_name;
 BOOL ocsp;
 BOOL enabled;
+BOOL sni;
 BOOL proxy_enabled;
 const char  *vhost_id;
 int  vhost_id_len;
@@ -343,6 +344,20 @@ typedef struct
 PRInt32 version; /* protocol version valid for this cipher */
 } cipher_properties;
 
+typedef struct {
+  const char *vhost_id[70];
+  const char *nick[30];
+} vhostNick[500];
+

commit apache2-mod_nss for openSUSE:Factory

2014-11-06 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2014-11-06 16:50:15

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2014-10-31 19:57:44.0 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2014-11-06 16:50:56.0 +0100
@@ -1,0 +2,6 @@
+Tue Nov  4 14:13:46 UTC 2014 - kstreit...@suse.com
+
+- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
+  that adding small fixes for support of TLS v1.2 
+
+---

New:

  mod_nss-add_support_for_enabling_TLS_v1.2.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.e5AH66/_old  2014-11-06 16:50:58.0 +0100
+++ /var/tmp/diff_new_pack.e5AH66/_new  2014-11-06 16:50:58.0 +0100
@@ -72,6 +72,8 @@
 Patch23:mod_nss-bnc863518-reopen_dev_tty.diff
 # PATCH-FIX-UPSTREAM bnc#897712 kstreit...@suse.com -- check for the 
misconfiguration of certificate's CN and virtual name
 Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch
+# PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2
+Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
@@ -112,6 +114,7 @@
 %patch20 -p0 -b .ciphers.doc.rpmpatch
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
+%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} = 1300

++ mod_nss-add_support_for_enabling_TLS_v1.2.patch ++
From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 16 Oct 2014 14:05:05 -0400
Subject: [PATCH] Add support for enabling TLS v1.2

If support is available in NSS then it is just a matter of including
TLS 1.2 in the protocol range.
---
 docs/mod_nss.html | 97 ---
 mod_nss.c |  4 +--
 nss.conf.in   |  2 +-
 nss_engine_init.c | 51 +
 nss_engine_vars.c |  3 ++
 5 files changed, 86 insertions(+), 71 deletions(-)

Index: mod_nss-1.0.8/nss.conf.in
===
--- mod_nss-1.0.8.orig/nss.conf.in
+++ mod_nss-1.0.8/nss.conf.in
@@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4
 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
 #NSSCipherSuite 
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
 
-NSSProtocol SSLv3,TLSv1
+NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 
 #   SSL Certificate Nickname:
 #   The nickname of the RSA server certificate you are going to use.
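Review bot: The new `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2` line drops SSLv3, but the cipher configuration next to it is left untouched. The active `NSSCipherSuite` line quoted (truncated) in the hunk header still begins with `+rsa_rc4_128_md5`, and the commented ECC example in this hunk enables several RC4 and 3DES suites and lists no GCM suite. As far as the visible lines show, a server using this sample would therefore negotiate TLS 1.2 with legacy suites only. I would switch the RC4/MD5 entries to disabled in the shipped default, e.g. `-rsa_rc4_128_md5,-rsa_rc4_128_sha`, and add `# RC4 and MD5 suites are off by default; enable only for legacy clients` above the line.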
Index: mod_nss-1.0.8/nss_engine_vars.c
===
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver
 case SSL_LIBRARY_VERSION_TLS_1_1:
 result = TLSv1.1;
 break;
+case SSL_LIBRARY_VERSION_TLS_1_2:
+result = TLSv1.2;
+break;
 }
 }
 }
Index: mod_nss-1.0.8/nss_engine_init.c
===
--- mod_nss-1.0.8.orig/nss_engine_init.c
+++ mod_nss-1.0.8/nss_engine_init.c
@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server
  * cannot be excluded from this range. NSS will automatically negotiate
  * to utilize the strongest acceptable protocol for a connection starting
  * with the maximum specified protocol and downgrading as necessary to the
- * minimum specified 

commit apache2-mod_nss for openSUSE:Factory

2014-10-31 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2014-10-31 18:27:35

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2014-08-25 11:05:02.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2014-10-31 19:57:44.0 +0100
@@ -1,0 +2,9 @@
+Wed Oct 29 14:59:06 UTC 2014 - kstreit...@suse.com
+
+- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
+  that compare CN and VS hostname (use NSS library). Removed
+  following patches:
+  * mod_nss-SNI-checks.patch
+  * mod_nss-SNI-callback.patch 
+
+---

Old:

  mod_nss-SNI-callback.patch
  mod_nss-SNI-checks.patch

New:

  mod_nss-compare_subject_CN_and_VS_hostname.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.kxhGZ0/_old  2014-10-31 19:57:46.0 +0100
+++ /var/tmp/diff_new_pack.kxhGZ0/_new  2014-10-31 19:57:46.0 +0100
@@ -69,9 +69,10 @@
 Patch18:mod_nss-CVE-2013-4566-NSSVerifyClient.diff
 Patch19:mod_nss-cipherlist_update_for_tls12.diff
 Patch20:mod_nss-cipherlist_update_for_tls12-doc.diff
-Patch21:mod_nss-SNI-callback.patch
-Patch22:mod_nss-SNI-checks.patch
 Patch23:mod_nss-bnc863518-reopen_dev_tty.diff
+# PATCH-FIX-UPSTREAM bnc#897712 kstreit...@suse.com -- check for the 
misconfiguration of certificate's CN and virtual name
+Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch
+
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
 %defineapache apache2
@@ -109,9 +110,8 @@
 %patch18 -p0 -b .CVE-2013-4566.rpmpatch
 %patch19 -p0 -b .ciphers.rpmpatch
 %patch20 -p0 -b .ciphers.doc.rpmpatch
-%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
-%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
+%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} = 1300

++ mod_nss-compare_subject_CN_and_VS_hostname.patch ++
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
From: standa sto...@suse.de
Date: Wed, 22 Oct 2014 16:14:29 +0200
Subject: [PATCH] Compare subject CN and VS hostname during server start up

---
 nss_engine_init.c | 18 +-
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/nss_engine_init.c b/nss_engine_init.c
index d74f002..2569c8d 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const 
char *nickname,
 
 *KEAtype = NSS_FindCertKEAType(*servercert);
 
+/* Subject/hostname check */
+secstatus = CERT_VerifyCertName(*servercert, s-server_hostname);
+if (secstatus != SECSuccess) {
+  char *cert_dns = CERT_GetCommonName((*servercert)-subject);
+  ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+  Misconfiguration of certificate's CN and virtual name.
+   The certificate CN has %s. We expected %s as virtual
+name., cert_dns, s-server_hostname);
+  PORT_Free(cert_dns);
+}
+
 /*
- * Check for certs that are expired or not yet valid and WARN about it
- * no need to refuse working - the client gets a warning, but can work
- * with the server we could also verify if the certificate is made out
- * for the correct hostname but that would require a reverse DNS lookup
- * for every virtual server - too expensive?
+ * Check for certs that are expired or not yet valid and WARN about it.
+ * No need to refuse working - the client gets a warning.
  */
 
 certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
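Review bot: The new `ap_log_error` text reports only the subject CN, while `CERT_VerifyCertName` prefers the certificate's subjectAltName DNS entries when they exist, so for a SAN certificate the message can name a CN that was never compared. The check is made against the server's `server_hostname` alone, so names a virtual host answers to through aliases are not covered, and startup continues after an `APLOG_ERR`. The rewritten comment below says not refusing is intended for expired certificates but does not say the same for a name mismatch. I would word the message neutrally, e.g. `"Certificate for nickname %s does not match server name %s"`, and add a comment stating that startup deliberately continues on mismatch. `nss_init_certificate` begins and ends outside the hunk.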
-- 
1.9.3




commit apache2-mod_nss for openSUSE:Factory

2014-08-25 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2014-08-25 11:03:58

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2014-07-27 18:47:32.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2014-08-25 11:05:02.0 +0200
@@ -1,0 +2,7 @@
+Thu Aug 21 07:50:57 UTC 2014 - meiss...@suse.com
+
+- mod_nss-cipherlist_update_for_tls12-doc.diff,
+  mod_nss-cipherlist_update_for_tls12.diff,
+  mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.
+
+---



Other differences:
--
++ mod_nss-cipherlist_update_for_tls12-doc.diff ++
--- /var/tmp/diff_new_pack.B2WRIL/_old  2014-08-25 11:05:04.0 +0200
+++ /var/tmp/diff_new_pack.B2WRIL/_new  2014-08-25 11:05:04.0 +0200
@@ -1,7 +1,7 @@
 diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
 --- ../mod_nss-1.0.8-o/docs/mod_nss.html   2014-02-18 16:30:19.0 
+0100
 +++ ./docs/mod_nss.html2014-02-18 16:48:18.0 +0100
-@@ -632,100 +632,121 @@
+@@ -632,100 +632,135 @@
/td
td style=vertical-align: top;SSLv3/TLSv1.0/TLSv1.1/TLSv1.2/td
  /tr
@@ -53,11 +53,18 @@
td style=vertical-align: top;SSLv3/TLSv1.0/TLSv1.1/TLSv1.2/td
  /tr
 +tr
++  td style=vertical-align: top;rsa_aes_128_sha256br
++  /td
++  td style=vertical-align: top;TLS_RSA_WITH_AES_128_CBC_SHA256br
++  /td
++  td style=vertical-align: top;TLSv1.2/td
++/tr
++tr
 +  td style=vertical-align: top;rsa_aes_128_gcm_shabr
 +  /td
 +  td style=vertical-align: top;TLS_RSA_WITH_AES_128_GCM_SHA256br
 +  /td
-+  td style=vertical-align: top;TLSv1.0/TLSv1.1/TLSv1.2/td
++  td style=vertical-align: top;TLSv1.2/td
 +/tr
 +tr
 +  td style=vertical-align: top;rsa_camellia_128_shabr
@@ -73,6 +80,13 @@
 +  /td
 +  td style=vertical-align: top;TLSv1.0/TLSv1.1/TLSv1.2/td
 +/tr
++tr
++  td style=vertical-align: top;rsa_aes_256_sha256br
++  /td
++  td style=vertical-align: top;TLS_RSA_WITH_AES_256_CBC_SHA256br
++  /td
++  td style=vertical-align: top;TLSv1.2/td
++/tr
/tbody
  /table
  br
@@ -123,7 +137,7 @@
tdecdhe_ecdsa_rc4_128_sha/td
tdTLS_ECDHE_ECDSA_WITH_RC4_128_SHA/td
tdTLSv1.0/TLSv1.1/TLSv1.2/td
-@@ -773,100 +794,120 @@
+@@ -773,100 +794,130 @@
  tr
tdechde_rsa_null/td
tdTLS_ECDHE_RSA_WITH_NULL_SHA/td
@@ -175,6 +189,16 @@
tdTLSv1.0/TLSv1.1/TLSv1.2/td
  /tr
 +tr
++  tdecdh_ecdsa_aes_128_sha256/td
++  tdTLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256/td
++  tdTLSv1.2/td
++/tr
++tr
++  tdecdh_rsa_aes_128_sha256/td
++  tdTLS_ECDH_RSA_WITH_AES_128_CBC_SHA256/td
++  tdTLSv1.2/td
++/tr
++tr
 +  tdecdh_ecdsa_aes_128_gcm_sha/td
 +  tdTLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256/td
 +  tdTLSv1.0/TLSv1.1/TLSv1.2/td

++ mod_nss-cipherlist_update_for_tls12.diff ++
--- /var/tmp/diff_new_pack.B2WRIL/_old  2014-08-25 11:05:04.0 +0200
+++ /var/tmp/diff_new_pack.B2WRIL/_new  2014-08-25 11:05:04.0 +0200
@@ -53,10 +53,10 @@
  /* the table itself is defined in nss_engine_init.c */
  #ifdef NSS_ENABLE_ECC
 -#define ciphernum 48
-+#define ciphernum 55
++#define ciphernum 59
  #else
 -#define ciphernum 23
-+#define ciphernum 26
++#define ciphernum 28
  #endif
  
  /*
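Review bot: `ciphernum` is raised by hand to 59 and 28 here while the entries it counts are added in a different file (the context comment says the table is defined in nss_engine_init.c), and nothing ties the two together. `ciphernum` also sizes `cipher_list[ciphernum]` in the `nss_parse_ciphers` prototype shown elsewhere on this page, so a count that falls behind the table could let table indexes run past that array. I would add `/* must equal the number of entries in the cipher table in nss_engine_init.c */` above both defines and a compile-time size check next to the table. The hunk sits inside a patch file, so the change belongs in mod_nss-cipherlist_update_for_tls12.diff itself.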
@@ -110,7 +110,7 @@
 diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
 --- ../mod_nss-1.0.8-o/nss_engine_init.c   2014-02-18 16:30:19.0 
+0100
 +++ ./nss_engine_init.c2014-02-18 16:30:51.0 +0100
-@@ -15,122 +15,130 @@
+@@ -15,122 +15,134 @@
  
  #include mod_nss.h
  #include apr_thread_proc.h
@@ -161,9 +161,11 @@
  {rsa_rc4_56_sha, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
  /* AES ciphers.*/
  {rsa_aes_128_sha, TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
++{rsa_aes_128_sha256, TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
 +{rsa_aes_128_gcm_sha, TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
 +{rsa_camellia_128_sha, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
  {rsa_aes_256_sha, TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
++{rsa_aes_256_sha256, TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
 +{rsa_camellia_256_sha, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
 +
  #ifdef NSS_ENABLE_ECC
@@ -178,6 +180,7 @@
  {ecdhe_ecdsa_rc4_128_sha, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
  

commit apache2-mod_nss for openSUSE:Factory

2014-07-27 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2014-07-27 18:47:17

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2014-02-22 18:07:11.0 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2014-07-27 18:47:32.0 +0200
@@ -1,0 +2,22 @@
+Thu Jul 24 12:49:29 CEST 2014 - dr...@suse.de
+
+- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and 
+  open(/dev/tty, ...) to make sure that stdin can be read from.
+  startproc may inherit wrongly opened file descriptors to httpd.
+  (Note: An analogous fix exists in startproc(8), too.)
+  [bnc#863518]
+- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
+  externalized to /etc/apache2/conf.d/vhost-nss.template and not
+  activated/read by default. [bnc#878681]
+- NSSCipherSuite update following additional ciphers of Feb 18
+  change. [bnc#878681]
+
+---
+Fri Jun 27 16:13:01 CEST 2014 - dr...@suse.de
+
+- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
+  server side SNI was not implemented when mod_nss was made;
+  patches implement SNI with checks if SNI provided hostname
+  equals Host: field in http request header.
+
+---

New:

  mod_nss-SNI-callback.patch
  mod_nss-SNI-checks.patch
  mod_nss-bnc863518-reopen_dev_tty.diff
  vhost-nss.template



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.2mA94w/_old  2014-07-27 18:47:33.0 +0200
+++ /var/tmp/diff_new_pack.2mA94w/_new  2014-07-27 18:47:33.0 +0200
@@ -21,13 +21,14 @@
 License:Apache-2.0
 Group:  Productivity/Networking/Web/Servers
 Version:1.0.8
-Release:0.4.RELEASE7
+Release:0.4.8
 Url:http://directory.fedoraproject.org/wiki/Mod_nss
 Source: 
http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
 Source1:mod_nss.conf.in
 Source2:listen_nss.conf
 Source3:mod_nss_migrate.pl
 Source4:README-SUSE.txt
+Source5:vhost-nss.template
 Provides:   mod_nss
 Requires:   apache2 = 2.2.12
 Requires:   findutils
@@ -68,6 +69,9 @@
 Patch18:mod_nss-CVE-2013-4566-NSSVerifyClient.diff
 Patch19:mod_nss-cipherlist_update_for_tls12.diff
 Patch20:mod_nss-cipherlist_update_for_tls12-doc.diff
+Patch21:mod_nss-SNI-callback.patch
+Patch22:mod_nss-SNI-checks.patch
+Patch23:mod_nss-bnc863518-reopen_dev_tty.diff
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
 %defineapache apache2
@@ -86,7 +90,7 @@
 
 %prep
 %setup -q -n mod_nss-%{version}
-#%patch1 -p1 -b .conf.rpmpatch
+##%patch1 -p1 -b .conf.rpmpatch
 %patch2 -p1 -b .gencert.rpmpatch
 %patch3 -p1 -b .wouldblock.rpmpatch
 %patch4 -p1 -b .negotiate.rpmpatch
@@ -105,6 +109,9 @@
 %patch18 -p0 -b .CVE-2013-4566.rpmpatch
 %patch19 -p0 -b .ciphers.rpmpatch
 %patch20 -p0 -b .ciphers.doc.rpmpatch
+%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
+%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
+%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} = 1300
@@ -146,6 +153,7 @@
 # the build root.
 mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
 mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
+mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}
 
@@ -154,6 +162,7 @@
 %endif
 
 install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
+install -m 644 %{SOURCE5} 
$RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
 install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
 install -m 755 .libs/libmodnss.so 
$RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
 install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
@@ -219,6 +228,7 @@
 %defattr(-,root,root,-)
 %doc README LICENSE docs/mod_nss.html README-SUSE.txt
 %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
+%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
 %config(noreplace) %{apache_sysconfdir}/listen_nss.conf
 %dir %{apache_libexecdir}
 %{apache_libexecdir}/mod_nss.so

++ mod_nss-SNI-callback.patch ++
diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
--- ../mod_nss-1.0.8-o/mod_nss.h2014-06-23 12:23:17.0 +0200
+++ 

commit apache2-mod_nss for openSUSE:Factory

2013-08-07 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2013-08-07 20:43:06

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2013-08-02 15:01:07.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2013-08-07 20:43:07.0 +0200
@@ -1,0 +2,10 @@
+Fri Aug  2 08:29:35 UTC 2013 - meiss...@suse.com
+
+- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
+- mod_nss-clientauth.patch: merged from RHEL6 pkg
+- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
+- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
+- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
+- make it build on both Apache2 2.4 and 2.2 systems
+
+---

New:

  mod_nss-PK11_ListCerts_2.patch
  mod_nss-clientauth.patch
  mod_nss-no_shutdown_if_not_init_2.patch
  mod_nss-sslmultiproxy.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.1oLG3Z/_old  2013-08-07 20:43:08.0 +0200
+++ /var/tmp/diff_new_pack.1oLG3Z/_new  2013-08-07 20:43:08.0 +0200
@@ -53,6 +53,11 @@
 Patch10:mod_nss-proxyvariables.patch
 Patch11:mod_nss-tlsv1_1.patch
 Patch12:mod_nss-array_overrun.patch
+Patch13:mod_nss-clientauth.patch
+Patch14:mod_nss-no_shutdown_if_not_init_2.patch
+Patch15:mod_nss-PK11_ListCerts_2.patch
+Patch16:mod_nss-sslmultiproxy.patch
+Patch17:mod_nss-overlapping_memcpy.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
 %defineapache apache2
@@ -78,12 +83,19 @@
 %patch6 -p1 -b .pcachesignal.h
 %patch7 -p1 -b .reseterror
 %patch8 -p1 -b .lockpcache
-%if 0%{?suse_version} = 1300
-%patch9 -p1 -b .http24
-%endif
 %patch10 -p1 -b .proxyvariables
 %patch11 -p1 -b .tlsv1_1
 %patch12 -p1 -b .array_overrun
+%patch13 -p1 -b .clientauth.patch
+%patch14 -p1 -b .no_shutdown_if_not_init_2
+%patch15 -p1 -b .PK11_ListCerts_2
+%patch16 -p1 -b .sslmultiproxy
+%patch17 -p1 -b .overlapping_memcpy
+
+# keep this last, otherwise we get fuzzyness from above
+%if 0%{?suse_version} = 1300
+%patch9 -p1 -b .http24
+%endif
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]

++ mod_nss-PK11_ListCerts_2.patch ++
diff -pu mod_nss.h mod_nss.h.PK11_ListCerts
--- ./mod_nss.h   2010-09-08 21:06:49.0 +0800
+++ ./mod_nss.h.PK11_ListCerts2010-09-08 21:06:22.0 +0800
@@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd
 /*  module initialization  */
 int  nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
 void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, 
SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, 
SSLSrvConfigRec *, const CERTCertList*);
 apr_status_t nss_init_ModuleKill(void *data);
 apr_status_t nss_init_ChildKill(void *data);
 int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool 
cipher_list[ciphernum]);
diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts
--- ./nss_engine_init.c   2010-09-08 21:07:13.0 +0800
+++ ./nss_engine_init.c.PK11_ListCerts2010-09-09 00:21:59.0 +0800
@@ -26,7 +26,7 @@
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
 static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const 
CERTCertList* clist);
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, 
PRBool isServer);

 /*
@@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
  Init: Initializing (virtual) servers for SSL);

+CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
 for (s = base_server; s; s = s-next) {
 sc = mySrvConfig(s);
 /*
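Review bot: The result of `PK11_ListCerts(PK11CertListUser, NULL)` is not checked where it is obtained, and the next hunk passes it to `nss_init_ConfigureServer` for every server while guarding only the `CERT_DestroyCertList` call. Whether `FindServerCertFromNickname` copes with a NULL list is not visible here, so either that should be stated in a comment at the call, or the failure logged before the loop, e.g. `if (!clist) ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Unable to list user certificates");`. The declaration of `clist` also follows a statement, which older C dialects reject; declaring it with the function's other locals avoids that. `nss_init_Module` starts and ends outside the hunk.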
@@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p
 /*
  * Read the server certificate and key
  */
-nss_init_ConfigureServer(s, p, ptemp, sc);
+nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+}
+
+if (clist) {
+CERT_DestroyCertList(clist);
  

commit apache2-mod_nss for openSUSE:Factory

2013-08-02 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2013-08-02 15:01:05

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2013-07-24 17:28:46.0 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2013-08-02 15:01:07.0 +0200
@@ -1,0 +2,12 @@
+Thu Aug  1 15:06:55 UTC 2013 - meiss...@suse.com
+
+- Add support for TLS v1.1 and TLS v1.2 
+  (TLS v1.2 requires mozilla nss 3.15.1 or newer.)
+  - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
+from redhat to allow tls v1.1 too.
+  - ported the tls v1.1 patch to be tls v1.2 aware
+  - added mod_nss-proxyvariables.patch (from RHEL6 package)
+  - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
+- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
+
+---

New:

  mod_nss-array_overrun.patch
  mod_nss-proxyvariables.patch
  mod_nss-tlsv1_1.patch



Other differences:
--
++ apache2-mod_nss.spec ++
--- /var/tmp/diff_new_pack.fkDcz2/_old  2013-08-02 15:01:07.0 +0200
+++ /var/tmp/diff_new_pack.fkDcz2/_new  2013-08-02 15:01:07.0 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,24 +18,25 @@
 
 Name:  apache2-mod_nss
 Summary:   SSL/TLS module for the Apache HTTP server
-Version:   1.0.8
-Release:   3
-Group: Productivity/Networking/Web/Servers
 License:   Apache-2.0
+Group:  Productivity/Networking/Web/Servers
+Version:1.0.8
+Release:0
 Url:   http://directory.fedoraproject.org/wiki/Mod_nss
 Source:http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
 Provides:  mod_nss
 Requires:  apache2 = 2.0.52
 Requires:  findutils
 Requires(post): mozilla-nss-tools
+BuildRequires:  apache2-devel = 2.0.52
 BuildRequires: bison
 BuildRequires: findutils
+BuildRequires:  flex
 BuildRequires: gcc-c++
-BuildRequires: libapr1-devel
 BuildRequires: libapr-util1-devel
+BuildRequires:  libapr1-devel
 BuildRequires: mozilla-nspr-devel = 4.6.3
 BuildRequires: mozilla-nss-devel = 3.12.6
-BuildRequires: apache2-devel = 2.0.52
 BuildRequires: pkgconfig
 # [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
 Patch1:mod_nss-conf.patch
@@ -48,7 +49,11 @@
 Patch8:mod_nss-lockpcache.patch
 # Fix build with apache 2.4
 Patch9:mod_nss-httpd24.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+Patch10:mod_nss-proxyvariables.patch
+Patch11:mod_nss-tlsv1_1.patch
+Patch12:mod_nss-array_overrun.patch
+BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 %defineapxs /usr/sbin/apxs2
 %defineapache apache2
 %defineapache_libexecdir %(%{apxs} -q LIBEXECDIR)
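Review bot: `Patch10`, `Patch11` and `Patch12` are added without the one-line origin comment that `Patch1` and `Patch9` carry, so the spec does not show which of them is the memory-safety fix or where each came from. The changelog entry says all three come from the RHEL6 package, and the array-overrun patch header cites https://bugzilla.redhat.com/show_bug.cgi?id=714154. I would put `# Fix child_argv array overrun in nss_init_Module, from RHEL6 package (rhbz#714154)` above `Patch12`, and a matching provenance comment above `Patch10` and `Patch11`. That lets a later maintainer decide which patches are safe to drop on a version update.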
@@ -76,6 +81,9 @@
 %if 0%{?suse_version} = 1300
 %patch9 -p1 -b .http24
 %endif
+%patch10 -p1 -b .proxyvariables
+%patch11 -p1 -b .tlsv1_1
+%patch12 -p1 -b .array_overrun
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]

++ mod_nss-array_overrun.patch ++
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
child_argv, with 5 elements, at position 5 with index variable 5.

https://bugzilla.redhat.com/show_bug.cgi?id=714154
diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c 
mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c2011-08-01 13:24:34.0 
-0400
+++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.0 -0400
@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
 
 /* Do we need to fire up our password helper? */
 if (mc-nInitCount == 1) {
-const char * child_argv[5];
+const char * child_argv[6];
 apr_status_t rv;
 struct sembuf sb;
 char sembuf[32];
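Review bot: The new bound in `const char * child_argv[6];` is still a bare literal, with nothing tying it to the assignments that fill the array, which lie outside this hunk. The report quoted in the patch header says index 5 was written into a 5-element array, so 6 is the minimum that fits today. Adding one more helper argument later would overrun this local array again without any compiler diagnostic. I would add `/* highest slot assigned below is child_argv[5]; grow this when adding an argument */` above the declaration, or name the size with a constant that the filling code also uses.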
++ mod_nss-proxyvariables.patch ++
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c2012-10-03 14:28:50.751794000 
-0700
+++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
 tls = 1;
 } else {
 if 

commit apache2-mod_nss for openSUSE:Factory

2013-07-24 Thread h_root
Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2013-07-24 17:28:44

Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and  /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)


Package is apache2-mod_nss

Changes:

New Changes file:

--- /dev/null   2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 
2013-07-24 17:28:46.0 +0200
@@ -0,0 +1,28 @@
+---
+Fri Jul 12 10:42:06 UTC 2013 - a...@ajaissle.de
+
+- Changed source to original tar.gz 
+
+---
+Thu Jul 11 14:50:42 UTC 2013 - a...@ajaissle.de
+
+- Added mod_nns-httpd24.patch to support build with apache 2.4
+
+---
+Tue Jan 22 09:35:41 UTC 2013 - a...@ajaissle.de
+
+-  Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE 
+   dir layout [bnc#799483]
+-  Cleaned up license tag
+
+---
+Sun Apr 15 14:17:19 UTC 2012 - w...@rosenauer.org
+
+- import some patches from Fedora
+- removed autoreconf call
+
+---
+Wed Feb 17 13:30:47 UTC 2010 - n...@opensuse.org
+
+- Fix mod_nss-conf.patch to work on SUSE
+- Rename package from mod_nss to apache2-mod_nss

New:

  apache2-mod_nss.changes
  apache2-mod_nss.spec
  mod_nss-1.0.8.tar.gz
  mod_nss-conf.patch
  mod_nss-gencert.patch
  mod_nss-httpd24.patch
  mod_nss-lockpcache.patch
  mod_nss-negotiate.patch
  mod_nss-overlapping_memcpy.patch
  mod_nss-pcachesignal.h
  mod_nss-reseterror.patch
  mod_nss-reverseproxy.patch
  mod_nss-wouldblock.patch



Other differences:
--
++ apache2-mod_nss.spec ++
#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An Open Source License is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:  apache2-mod_nss
Summary:   SSL/TLS module for the Apache HTTP server
Version:   1.0.8
Release:   3
Group: Productivity/Networking/Web/Servers
License:   Apache-2.0
Url:   http://directory.fedoraproject.org/wiki/Mod_nss
Source:http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
Provides:  mod_nss
Requires:  apache2 = 2.0.52
Requires:  findutils
Requires(post): mozilla-nss-tools
BuildRequires: bison
BuildRequires: findutils
BuildRequires: gcc-c++
BuildRequires: libapr1-devel
BuildRequires: libapr-util1-devel
BuildRequires: mozilla-nspr-devel = 4.6.3
BuildRequires: mozilla-nss-devel = 3.12.6
BuildRequires: apache2-devel = 2.0.52
BuildRequires: pkgconfig
# [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
Patch1:mod_nss-conf.patch
Patch2:mod_nss-gencert.patch
Patch3:mod_nss-wouldblock.patch
Patch4:mod_nss-negotiate.patch
Patch5:mod_nss-reverseproxy.patch
Patch6:mod_nss-pcachesignal.h
Patch7:mod_nss-reseterror.patch
Patch8:mod_nss-lockpcache.patch
# Fix build with apache 2.4
Patch9:mod_nss-httpd24.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%defineapxs /usr/sbin/apxs2
%defineapache apache2
%defineapache_libexecdir %(%{apxs} -q LIBEXECDIR)
%defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%defineapache_includedir %(%{apxs} -q INCLUDEDIR)
%defineapache_serverroot %(%{apxs} -q PREFIX)
%defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
 $MMN)

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
%setup -q -n mod_nss-%{version}
%patch1 -p1 -b .conf
%patch2 -p1 -b .gencert
%patch3 -p1 -b .wouldblock
%patch4 -p1 -b .negotiate
%patch5 -p1 -b .reverseproxy
%patch6 -p1 -b .pcachesignal.h
%patch7 -p1 -b .reseterror
%patch8 -p1 -b .lockpcache
%if 0%{?suse_version} = 1300
%patch9 -p1 -b .http24
%endif

# Touch expression parser sources to prevent regenerating it