commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2020-06-15 20:30:34 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.3606 (New) Package is "apache2-mod_nss" Mon Jun 15 20:30:34 2020 rev:35 rq:814638 version:1.0.18 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2020-05-13 22:56:35.291068234 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.3606/apache2-mod_nss.changes 2020-06-15 20:30:58.782471836 +0200 @@ -1,0 +2,5 @@ +Thu Jun 11 09:53:59 UTC 2020 - Paolo Stivanin + +- Add -fcommon in order to fix building with GCC10 + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.yUYmIl/_old 2020-06-15 20:31:00.042476201 +0200 +++ /var/tmp/diff_new_pack.yUYmIl/_new 2020-06-15 20:31:00.046476215 +0200 @@ -81,7 +81,7 @@ touch nss_expr_*.[chyl] %build -CFLAGS="%{optflags}" +CFLAGS="%{optflags} -fcommon" export CFLAGS NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr` NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr`
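Review bot: '-fcommon' in the %build CFLAGS line gets the package past GCC 10's default of -fno-common without removing the cause, which is a global defined in more than one translation unit. Add a spec comment marking the flag as a temporary workaround and reference the upstream report; the lasting fix is an 'extern' declaration in the header with a single definition in one .c file, after which the flag can be dropped.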
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2020-05-13 22:56:34 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.2738 (New) Package is "apache2-mod_nss" Wed May 13 22:56:34 2020 rev:34 rq:805249 version:1.0.18 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2019-09-13 14:57:47.657275903 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.2738/apache2-mod_nss.changes 2020-05-13 22:56:35.291068234 +0200 @@ -1,0 +2,6 @@ +Tue May 12 08:41:45 UTC 2020 - Vítězslav Čížek + +- Set the minimal apache version to 2.4.18 which is required since + 1.0.18 (mod_nss needs conn_rec->master field) + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.sl4jgw/_old 2020-05-13 22:56:36.031069678 +0200 +++ /var/tmp/diff_new_pack.sl4jgw/_new 2020-05-13 22:56:36.031069678 +0200 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 Group: Productivity/Networking/Web/Servers -Url:https://pagure.io/mod_nss +URL:https://pagure.io/mod_nss Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz Source1:mod_nss.conf.in Source2:listen_nss.conf @@ -42,7 +42,7 @@ Patch5: mod_nss-gencert_stronger_password.patch BuildRequires: apache-rex BuildRequires: apache-rpm-macros -BuildRequires: apache2-devel >= 2.2.12 +BuildRequires: apache2-devel >= 2.4.18 BuildRequires: apr-devel BuildRequires: apr-util-devel BuildRequires: automake 
@@ -60,7 +60,7 @@ BuildRequires: pkgconfig Requires: %{apache_mmn} Requires: %{apache_suse_maintenance_mmn} -Requires: apache2 >= 2.2.12 +Requires: apache2 >= 2.4.18 Requires: findutils Requires: iproute2 Requires: mozilla-nss >= 3.25
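Review bot: the 2.4.18 floor is now written twice, in 'BuildRequires: apache2-devel >= 2.4.18' and 'Requires: apache2 >= 2.4.18', while the reason (conn_rec->master) is recorded only in the .changes entry. A single %define for the minimum httpd version, used by both lines and carrying a one-line comment that names the field, keeps the two from drifting apart. The Url to URL and copyright-line edits are unrelated to the version bump and are not mentioned in the changelog entry.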
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2019-09-13 14:57:34 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.7948 (New) Package is "apache2-mod_nss" Fri Sep 13 14:57:34 2019 rev:33 rq:730047 version:1.0.18 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2019-07-08 15:10:38.787323293 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.7948/apache2-mod_nss.changes 2019-09-13 14:57:47.657275903 +0200 @@ -1,0 +2,8 @@ +Tue Sep 10 11:01:45 UTC 2019 - Vítězslav Čížek + +- Use a stronger password in gencert to pass the stricter tests in + FIPS mode (bsc#1150133) + * https://pagure.io/mod_nss/pull-request/48 + * add mod_nss-gencert_stronger_password.patch + +--- New: mod_nss-gencert_stronger_password.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.DLxMmu/_old 2019-09-13 14:57:48.297275930 +0200 +++ /var/tmp/diff_new_pack.DLxMmu/_new 2019-09-13 14:57:48.301275931 +0200 @@ -39,6 +39,7 @@ Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch +Patch5: mod_nss-gencert_stronger_password.patch BuildRequires: apache-rex BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 @@ -74,9 +75,7 @@ %prep %setup -q -n mod_nss-%{version} -%patch1 -p1 -%patch2 -p1 -%patch4 -p1 +%autopatch -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] ++ mod_nss-gencert_stronger_password.patch ++ Index: mod_nss-1.0.18/gencert.in === --- mod_nss-1.0.18.orig/gencert.in 2019-09-10 13:43:27.548434070 +0200 +++ mod_nss-1.0.18/gencert.in 2019-09-10 13:43:53.424589071 +0200 
@@ -75,6 +75,10 @@ VALIDITY=48 # 3 is the server cert "Server-Cert". CERTSERIAL=0 +# Password for the certificate. Uses special characters and mixed case in order +# to pass the strict NSS FIPS mode check +PASSWORD="hTtp.Te5t" + if [ $# -lt 1 ] then echo "usage: $0 " 1>&2 @@ -115,7 +119,7 @@ done echo "TEST = $TEST" echo "SNI = $SNI" -echo "httptest" > $DEST/pw.txt +echo "$PASSWORD" > $DEST/pw.txt function generate_server_sni_cert { hostname=$1 @@ -173,7 +177,7 @@ function generate_server_sni_cert { echo "" echo "#" echo "Generating new server certificate and key database. The password" -echo "is httptest" +echo "is $PASSWORD" echo "#" $CERTUTIL -N -d $DBDIR -f $DEST/pw.txt @@ -329,7 +333,7 @@ rm $DEST/pw.txt rm $DEST/noise echo "" -echo "The database password is httptest" +echo "The database password is $PASSWORD" echo "" # change the ownership of the NSS database so apache can access it
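Review bot: 'PASSWORD="hTtp.Te5t"' in gencert.in is still a fixed literal, so every NSS database created by this script shares one published password, and the script echoes it twice. If gencert is meant only for test certificates, say so in the new comment; otherwise let the caller override the value from the environment and keep the literal as the default. In the same hunk, 'echo "$PASSWORD" > $DEST/pw.txt' leaves $DEST unquoted and nothing shown restricts the mode of pw.txt before the later 'rm $DEST/pw.txt'; quoting the path and setting a restrictive umask before the write would close that window.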
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2019-07-08 15:10:37 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.4615 (New) Package is "apache2-mod_nss" Mon Jul 8 15:10:37 2019 rev:32 rq:713601 version:1.0.18 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2018-12-06 12:18:37.589435463 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.4615/apache2-mod_nss.changes 2019-07-08 15:10:38.787323293 +0200 @@ -1,0 +2,5 @@ +Fri Jun 28 11:15:10 UTC 2019 - Petr Gajdos + +- use apache-rex in %check + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.k7lsqm/_old 2019-07-08 15:10:39.759324226 +0200 +++ /var/tmp/diff_new_pack.k7lsqm/_new 2019-07-08 15:10:39.759324226 +0200 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,12 +39,14 @@ Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch +BuildRequires: apache-rex BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apr-devel BuildRequires: apr-util-devel BuildRequires: automake BuildRequires: bison +%apache_rex_deps BuildRequires: curl BuildRequires: findutils BuildRequires: flex 
@@ -141,59 +143,9 @@ perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert %check -set +x -mkdir -p %{apache_test_module_dir} -# create password file including internal token to suppress apache 'builtin dialog' -cat << EOF > %{apache_test_module_dir}/password.conf -internal:httptest -EOF -# create test configuration -cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf -NSSEngine on -NSSNickname Server-Cert -NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d -NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf -NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache -NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 -NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 - -%if 0%{?apache_branch} >= 204 - Require local -%else - Allow from localhost -%endif - -EOF -# create test certificate -mkdir -p %{apache_test_module_dir}/mod_nss.d -# bend gencert to use ServerName of apache test instance -cp %{buildroot}%{_sbindir}/gencert . 
-sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert -./gencert %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1 -# create test document -mkdir -p %{apache_test_module_dir}/htdocs -cat << EOF > %{apache_test_module_dir}/htdocs/index.html -HTTPS HELLO -EOF -exit_code=0 -# run apache test instance -%apache_test_module_start_apache -m nss -i mod_nss-test.conf -# get test document -%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt -echo -echo 'Testing /index.html output' -grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1 -if [ $exit_code -eq 0 ]; then - echo 'SUCCESS' -else - echo 'FAILED, error_log:' - cat %{apache_test_module_dir}/error_log -fi -echo -# stop apache test instance -%apache_test_module_stop_apache -set -x -exit $exit_code +# specific file name format for module is required by apache-rex +ln .libs/libmodnss.so .libs/mod_nss.so +%apache_rex_check -m .libs/ -b . mod_nss-basic %post umask 077
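Review bot: 'ln .libs/libmodnss.so .libs/mod_nss.so' in %check has no -f, so running %check a second time in the same build tree fails because the link already exists; 'ln -f' (or 'cp -f') makes the step repeatable. The inline test removed here pinned NSSCipherSuite and NSSProtocol and checked the served document for 'HTTPS HELLO', whereas 'mod_nss-basic' lives outside this package, so the changelog entry should state what the apache-rex example covers.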
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2018-12-06 12:18:29 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.19453 (New) Package is "apache2-mod_nss" Thu Dec 6 12:18:29 2018 rev:31 rq:655362 version:1.0.18 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2018-03-29 11:57:36.982029928 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new.19453/apache2-mod_nss.changes 2018-12-06 12:18:37.589435463 +0100 @@ -1,0 +2,7 @@ +Wed Dec 5 10:22:19 UTC 2018 - Vítězslav Čížek + +- Update to 1.0.18 + * Initial support for new mod_proxy function ssl_engine_set + * Fix some warnings from clang + +--- Old: mod_nss-1.0.17.tar.gz New: mod_nss-1.0.18.tar.gz Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.EewG1t/_old 2018-12-06 12:18:38.313434686 +0100 +++ /var/tmp/diff_new_pack.EewG1t/_new 2018-12-06 12:18:38.317434682 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -25,7 +25,7 @@ %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss -Version:1.0.17 +Version:1.0.18 Release:0 Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 ++ mod_nss-1.0.17.tar.gz -> mod_nss-1.0.18.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.17/ChangeLog new/mod_nss-1.0.18/ChangeLog --- old/mod_nss-1.0.17/ChangeLog2018-03-27 22:40:30.0 +0200 +++ new/mod_nss-1.0.18/ChangeLog2018-12-04 20:47:45.0 +0100 
@@ -1,3 +1,10 @@ +2018-12-04 Rob Crittenden + * Become 1.0.18 + +2018-04-12 Rob Crittenden + * Initial support for new mod_proxy function ssl_engine_set + * Fix some warnings from clang + 2018-03-27 Rob Crittenden * PEP-8 fixups * Add TLS 1.3 support to the cipher tests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.17/configure.ac new/mod_nss-1.0.18/configure.ac --- old/mod_nss-1.0.17/configure.ac 2018-03-27 22:40:30.0 +0200 +++ new/mod_nss-1.0.18/configure.ac 2018-12-04 20:47:45.0 +0100 @@ -1,5 +1,5 @@ # Required initializer -AC_INIT([mod_nss],[1.0.17]) +AC_INIT([mod_nss],[1.0.18]) m4_include([acinclude.m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.17/mod_nss.c new/mod_nss-1.0.18/mod_nss.c --- old/mod_nss-1.0.17/mod_nss.c2018-03-27 22:40:30.0 +0200 +++ new/mod_nss-1.0.18/mod_nss.c2018-12-04 20:47:45.0 +0100 
@@ -220,8 +220,85 @@ return sslconn; } +static int nss_engine_status(conn_rec *c, SSLConnRec *sslconn) +{ +SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + +if (c->master) { +return DECLINED; +} +if (sslconn) { +if (sslconn->disabled) { +return SUSPENDED; +} +if (sslconn->is_proxy) { +if (!sc->proxy_enabled) { +return DECLINED; +} +} +else { +if (sc->enabled != TRUE) { +return DECLINED; +} +} +} +else { +if (sc->enabled != TRUE) { +return DECLINED; +} +} +return OK; +} + static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; +#ifdef SSL_ENGINE_SET +static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set; + +int nss_engine_set(conn_rec *c, + ap_conf_vector_t *per_dir_config, + int proxy, int enable) +{ +SSLConnRec *sslconn; +int status; + +if (othermod_engine_set) { +return othermod_engine_set(c, per_dir_config, proxy, enable); +} + +// FIXME: Add support for per_dir_config +if (proxy) { +sslconn = nss_init_connection_ctx(c); +sslconn->is_proxy = 1; +} +else { +sslconn = myConnConfig(c); +} + +status = nss_engine_status(c, sslconn); + +if (proxy && status == DECLINED) { +if (enable) { +SSLSrvConfigRec *sc =
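Review bot: nss_engine_status() reads 'c->master', but the spec hunks in this update touch only the bug URL comment and the Version tag, not the apache2-devel and apache2 version requirements, so the package can still be built against an httpd whose conn_rec lacks that field. Raise both requirements in the same submission as the 1.0.18 tarball. In nss_engine_set(), per_dir_config is ignored whenever othermod_engine_set is absent (the '// FIXME: Add support for per_dir_config' line); the 'Initial support' changelog item should say that per-directory settings are not honoured yet.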
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2018-03-29 11:57:32 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Thu Mar 29 11:57:32 2018 rev:30 rq:592034 version:1.0.17 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2018-03-20 22:00:50.444643599 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2018-03-29 11:57:36.982029928 +0200 @@ -1,0 +2,10 @@ +Tue Mar 27 21:16:15 UTC 2018 - vci...@suse.com + +- Update to 1.0.17 + * Add TLSv1.3 support + * Update documentation for TLS 1.3 + * Add TLS 1.3 support to the cipher tests + * PEP-8 fixups + * Change the default certificate database format to SQLite. + +--- Old: mod_nss-1.0.16.tar.gz New: mod_nss-1.0.17.tar.gz Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.aJMz8n/_old 2018-03-29 11:57:37.658005527 +0200 +++ /var/tmp/diff_new_pack.aJMz8n/_new 2018-03-29 11:57:37.658005527 +0200 @@ -25,7 +25,7 @@ %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss -Version:1.0.16 +Version:1.0.17 Release:0 Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 ++ mod_nss-1.0.16.tar.gz -> mod_nss-1.0.17.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.16/ChangeLog new/mod_nss-1.0.17/ChangeLog --- old/mod_nss-1.0.16/ChangeLog2018-01-19 21:44:16.0 +0100 +++ new/mod_nss-1.0.17/ChangeLog2018-03-27 22:40:30.0 +0200 
@@ -1,3 +1,15 @@ +2018-03-27 Rob Crittenden+ * PEP-8 fixups + * Add TLS 1.3 support to the cipher tests + * Update documentation for TLSv1.3 + * Become 1.0.17 + +2018-03-05 Vitezslav Cizek + * Change the default certificate database format to SQLite. + +2018-02-16 Christian Heimes + * Add TLSv1.3 support + 2018-01-19 Rob Crittenden * Fix some merge issues in the ciphers (that'll teach me to test BEFORE making the tag) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.16/Makefile.am new/mod_nss-1.0.17/Makefile.am --- old/mod_nss-1.0.16/Makefile.am 2018-01-19 21:44:16.0 +0100 +++ new/mod_nss-1.0.17/Makefile.am 2018-03-27 22:40:30.0 +0200 @@ -22,7 +22,7 @@ ## Set the includes and libraries needed AM_CPPFLAGS = -I@apache_inc@ @nspr_inc@ @nss_inc@ @apr_inc@ -LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4 +LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lplc4 -lplds4 -lnspr4 -lnssutil3 EXTRA_CPPFLAGS=@extra_cppflags@ install-libLTLIBRARIES: libmodnss.la @@ -102,8 +102,8 @@ rm -rf work;\ nosetests -v test_cipher.py;\ if [ `id -u` != 0 ]; then \ - ./setup.sh -s 1;\ - nosetests -v test.py; \ + ./setup.sh -s 1 dbm:; \ + DBPREFIX=dbm: nosetests -v test.py; \ sleep 5;\ rm -rf work;\ ./setup.sh -s 1 sql:; \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.16/configure.ac new/mod_nss-1.0.17/configure.ac --- old/mod_nss-1.0.16/configure.ac 2018-01-19 21:44:16.0 +0100 +++ new/mod_nss-1.0.17/configure.ac 2018-03-27 22:40:30.0 +0200 @@ -1,5 +1,5 @@ # Required initializer -AC_INIT([mod_nss],[1.0.16]) +AC_INIT([mod_nss],[1.0.17]) m4_include([acinclude.m4]) 
@@ -249,34 +249,53 @@ AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_128_GCM_SHA256, gcm=$enableval, gcm=no) if test "$gcm" = yes; then extra_cppflags="$extra_cppflags -DENABLE_GCM" - echo "ENABLE_GCM=1" > test/variable.py + echo "ENABLE_GCM = 1" > test/variable.py else - echo "ENABLE_GCM=0" > test/variable.py + echo "ENABLE_GCM = 0" > test/variable.py fi AX_CHECK_DEFINE(nss3/sslproto.h, TLS_RSA_WITH_AES_256_GCM_SHA384, sha384=$enableval, sha384=no) if test "$sha384" = yes; then extra_cppflags="$extra_cppflags -DENABLE_SHA384" - echo "ENABLE_SHA384=1" >> test/variable.py + echo "ENABLE_SHA384 = 1" >> test/variable.py else - echo "ENABLE_SHA384=0" >> test/variable.py + echo "ENABLE_SHA384 = 0" >> test/variable.py fi
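Review bot: the changelog item 'Change the default certificate database format to SQLite' is a behaviour change for existing installations, yet the only spec change shown is the Version bump. The .changes entry should state what happens after the update to a database configured without a 'dbm:' or 'sql:' prefix, and whether the package has to act on upgrade. In configure.ac, the ENABLE_GCM branch creates test/variable.py with '>' and the ENABLE_SHA384 branch appends with '>>', so the order of these checks matters; a comment at the first write would make that explicit.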
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2018-03-20 22:00:22 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Tue Mar 20 22:00:22 2018 rev:29 rq:588675 version:1.0.16 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2018-03-11 15:25:33.850541809 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2018-03-20 22:00:50.444643599 +0100 @@ -1,0 +2,15 @@ +Mon Mar 19 15:23:59 UTC 2018 - vci...@suse.com + +- Use fixed upstream 1.0.16 tarball + * https://pagure.io/mod_nss/issue/44 + +--- +Mon Mar 19 11:12:29 UTC 2018 - vci...@suse.com + +- Update to 1.0.16 + * Fix up some broken cipher strings from a bad merge +- adjust distro detection, Tumbleweed has NSS 3.35, Leap 15 has 3.34 +- drop 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch + (upstream) + +--- Old: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch mod_nss-1.0.15.tar.gz New: mod_nss-1.0.16.tar.gz Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.QC2LBR/_old 2018-03-20 22:00:51.296612926 +0100 +++ /var/tmp/diff_new_pack.QC2LBR/_new 2018-03-20 22:00:51.304612638 +0100 @@ -25,7 +25,7 @@ %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss -Version:1.0.15 +Version:1.0.16 Release:0 Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 @@ -39,7 +39,6 @@ Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch -Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apr-devel 
@@ -76,7 +75,6 @@ %patch1 -p1 %patch2 -p1 %patch4 -p1 -%patch5 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -130,7 +128,7 @@ install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ -%if 0%{?suse_version} < 1330 +%if 0%{?suse_version} <= 1500 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db touch %{buildroot}%{apache_sysconf_nssdir}/key3.db @@ -220,7 +218,7 @@ %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so %dir %{apache_sysconf_nssdir}/ -%if 0%{?suse_version} < 1330 +%if 0%{?suse_version} <= 1500 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db ++ mod_nss-1.0.15.tar.gz -> mod_nss-1.0.16.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.15/ChangeLog new/mod_nss-1.0.16/ChangeLog --- old/mod_nss-1.0.15/ChangeLog2018-01-19 21:29:30.0 +0100 +++ new/mod_nss-1.0.16/ChangeLog2018-01-19 21:44:16.0 +0100 @@ -1,4 +1,9 @@ 2018-01-19 Rob Crittenden+* Fix some merge issues in the ciphers (that'll teach me to test + BEFORE making the tag) + * Become 1.0.16 + +2018-01-19 Rob Crittenden * Resync ciphers and tests with openssl-1.1.0g and nss-3.34.0 * Become 1.0.15 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.15/configure.ac new/mod_nss-1.0.16/configure.ac --- old/mod_nss-1.0.15/configure.ac 2018-01-19 21:29:30.0 +0100 +++ new/mod_nss-1.0.16/configure.ac 2018-01-19 21:44:16.0 +0100 
@@ -1,5 +1,5 @@ # Required initializer -AC_INIT([mod_nss],[1.0.15]) +AC_INIT([mod_nss],[1.0.16]) m4_include([acinclude.m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.15/nss_engine_cipher.c new/mod_nss-1.0.16/nss_engine_cipher.c --- old/mod_nss-1.0.15/nss_engine_cipher.c 2018-01-19 21:29:30.0 +0100 +++ new/mod_nss-1.0.16/nss_engine_cipher.c 2018-01-19 21:44:16.0 +0100 @@ -59,7 +59,7 @@ {"fips_3des_sha",
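Review bot: '%if 0%{?suse_version} <= 1500' stands in for an NSS version test (per the changelog, Tumbleweed has NSS 3.35 and Leap 15 has 3.34), and the same literal is repeated in %install and in %files with nothing in the spec saying so. Put the condition behind one %define with a comment naming the NSS version it represents, so that both places change together once a Leap 15 update ships a newer NSS.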
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2018-03-11 15:25:26 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Sun Mar 11 15:25:26 2018 rev:28 rq:585105 version:1.0.15 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-12-29 18:51:14.107286468 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2018-03-11 15:25:33.850541809 +0100 
@@ -1,0 +2,42 @@ +Thu Mar 8 13:15:32 UTC 2018 - vci...@suse.com + +- Since the update to NSS 3.35, the default NSS certificate + database format changed from Berkley DB to SQLite +- use %license tag + +--- +Wed Mar 7 16:35:56 UTC 2018 - vci...@suse.com + +- Update to 1.0.15 + * Try to auto-detect the NSS database format if not specified + * Update nss_pcache.8 man page to drop directory and prefix + * When a token is configured in password file only authenticate once + * Return an error when NSSPassPhraseDialog is invalid + * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ + * Add -Werror=implicit-function-declaration to CFLAGS + * Handle group membership when testing for file permissions + * NSS system-wide policy now disables SSLv3, don't use it in tests + * Add missing error messages for libssl errors + * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name + * When including additional test config use specific extension + * Fix the TLS Session ID cache + * Make an invalid protocol setting fatal + * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() + * Add info log message when FIPS is enabled + * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types + * Fix removal of CR from PEM certificates + * Add OCSP caching and timeout tuning knobs + * Check the NSS database directory permissions as well as the files +inside it for read access on startup. 
+ * Add in simple aliases for ciphers to fix those that +don't follow the pattern (dhe_rsa_aes_128_sha256, +dhe_rsa_aes_256_sha256) and those with typos +(camelia_128_sha, camelia_256_sha) + * Fix semaphore leak + * Don't set remote user in fixup hook + * Drop SSLv2 tests because it is completely disabled now +- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch + (upstream) +- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch + +--- Old: 0001-Handle-group-membership-when-testing-for-file-permis.patch mod_nss-1.0.14.tar.gz New: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch mod_nss-1.0.15.tar.gz Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.uLN65b/_old 2018-03-11 15:25:34.650513110 +0100 +++ /var/tmp/diff_new_pack.uLN65b/_new 2018-03-11 15:25:34.658512824 +0100 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss -Version:1.0.14 +Version:1.0.15 Release:0 Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 @@ -38,8 +38,8 @@ Source5:vhost-nss.template Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch -Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch +Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apr-devel 
@@ -51,7 +51,6 @@ BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: iproute2 -BuildRequires: iproute2 BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.25 @@ -62,7 +61,6 @@ Requires: apache2 >= 2.2.12 Requires: findutils Requires: iproute2 -Requires: iproute2 Requires: mozilla-nss >= 3.25 Requires(post): mozilla-nss-tools Provides: mod_nss @@ -77,8 +75,8 @@ %setup -q -n mod_nss-%{version}
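Review bot: the 8 Mar entry in apache2-mod_nss.changes records a fact about NSS 3.35 (the default database format moved to SQLite) rather than a change to this package, so a reader cannot tell what the spec now does differently. Reword it as the action taken in the spec, and keep the explanation as the reason.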
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2017-12-29 18:50:58 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Fri Dec 29 18:50:58 2017 rev:27 rq:560006 version:1.0.14 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-12-14 10:59:47.952906675 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2017-12-29 18:51:14.107286468 +0100 @@ -1,0 +2,6 @@ +Tue Dec 19 13:13:22 UTC 2017 - pgaj...@suse.com + +- buildrequire apr-devel instead of libapr1-devel +- buildrequire apr-util-devel instead of libapr-util1-devel + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.kkjfV4/_old 2017-12-29 18:51:14.871067105 +0100 +++ /var/tmp/diff_new_pack.kkjfV4/_new 2017-12-29 18:51:14.871067105 +0100 @@ -42,6 +42,8 @@ Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 +BuildRequires: apr-devel +BuildRequires: apr-util-devel BuildRequires: automake BuildRequires: bison BuildRequires: curl @@ -50,8 +52,6 @@ BuildRequires: gcc-c++ BuildRequires: iproute2 BuildRequires: iproute2 -BuildRequires: libapr-util1-devel -BuildRequires: libapr1-devel BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.25
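Review bot: the context lines of the second spec hunk show 'BuildRequires: iproute2' twice in a row. Since this change already reorders the BuildRequires block, remove the duplicate in the same submission.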
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2017-12-14 10:59:24 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Thu Dec 14 10:59:24 2017 rev:26 rq:556377 version:1.0.14 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-12-11 18:57:23.971999448 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2017-12-14 10:59:47.952906675 +0100 @@ -1,0 +2,6 @@ +Mon Dec 11 20:41:26 UTC 2017 - vci...@suse.com + +- Fix NSS database startup permission check (bsc#1057776) + * add 0001-Handle-group-membership-when-testing-for-file-permis.patch + +--- New: 0001-Handle-group-membership-when-testing-for-file-permis.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.CoNwit/_old 2017-12-14 10:59:49.552829439 +0100 +++ /var/tmp/diff_new_pack.CoNwit/_new 2017-12-14 10:59:49.556829246 +0100 @@ -38,6 +38,7 @@ Source5:vhost-nss.template Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch +Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 @@ -76,6 +77,7 @@ %setup -q -n mod_nss-%{version} %patch1 -p1 %patch2 -p1 +%patch3 -p1 %patch4 -p1 # Touch expression parser sources to prevent regenerating it ++ 0001-Handle-group-membership-when-testing-for-file-permis.patch ++ >From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001 
From: Rob CrittendenDate: Thu, 23 Feb 2017 13:06:21 -0500 Subject: [PATCH] Handle group membership when testing for file permissions This was a bit of a corner case but group membership wasn't considered when trying to determine if the NSS databases are readable. Resolves BZ 1395300 --- nss_engine_init.c | 45 + 1 file changed, 33 insertions(+), 12 deletions(-) Index: mod_nss-1.0.14/nss_engine_init.c === --- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100 +++ mod_nss-1.0.14/nss_engine_init.c2017-12-11 21:47:22.698850519 +0100 @@ -29,6 +29,7 @@ #include "cert.h" #include #include +#include static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); @@ -57,22 +58,38 @@ static char *version_components[] = { * Return 0 on failure or file doesn't exist * Return 1 on success */ -static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p) +static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath, + apr_pool_t *p) { apr_finfo_t finfo; -int rv; +PRBool in_group = PR_FALSE; +struct group *gr; +int i = 0; + +if ((apr_stat(, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p)) +== APR_SUCCESS) { +if ((gr = getgrgid(finfo.group)) == NULL) { +return 0; +} -if ((rv = apr_stat(, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, - p)) == APR_SUCCESS) { +if (gid == finfo.group) { +in_group = PR_TRUE; +} else { +while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) { +if (!strcasecmp(user, gr->gr_mem[i++])) { +in_group = PR_TRUE; +break; +} +} +} if (((uid == finfo.user) && ((finfo.protection & APR_FPROT_UREAD))) || -((gid == finfo.group) && -((finfo.protection & APR_FPROT_GREAD))) +(in_group && (finfo.protection & APR_FPROT_GREAD)) || +(finfo.protection & APR_FPROT_WREAD) ) { return 1; } -return 0; } return 0; } 
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) { apr_snprintf(filepath, 1024, "%s/key4.db", mc->pCertificateDatabase+4); -if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { +if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, + p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server
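Review bot: in check_path(), 'if ((gr = getgrgid(finfo.group)) == NULL) { return 0; }' runs before the owner test, so a database file owned by the server user and user-readable is reported as unreadable whenever its numeric group has no group entry. Do the lookup only when the owner and primary-group tests have not already succeeded, and treat a missing entry as "not a member" rather than as failure. The membership loop compares with 'strcasecmp(user, gr->gr_mem[i++])'; account names are case-sensitive, so strcmp() is the correct comparison. The new 'finfo.protection & APR_FPROT_WREAD' term makes a world-readable key database pass the check silently; a warning in the log for that case would be more useful than plain acceptance.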
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2017-12-11 18:57:21 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Mon Dec 11 18:57:21 2017 rev:25 rq:555875 version:1.0.14 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-10-25 17:47:24.247745180 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2017-12-11 18:57:23.971999448 +0100 @@ -1,0 +2,7 @@ +Thu Dec 7 13:19:08 UTC 2017 - vci...@suse.com + +- drop obsolete mod_nss-dont_disable_SSLV2.patch + * bump up minimal NSS version to 3.25, which we now have everywhere +- Require iproute2 for ss, which is used by gencert to gather noise + +--- @@ -26,0 +34 @@ + (bsc#998183) Old: mod_nss-dont_disable_SSLV2.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.g2cgLZ/_old 2017-12-11 18:57:24.603969347 +0100 +++ /var/tmp/diff_new_pack.g2cgLZ/_new 2017-12-11 18:57:24.607969156 +0100 @@ -38,7 +38,6 @@ Source5:vhost-nss.template Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch -Patch3: mod_nss-dont_disable_SSLV2.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 @@ -49,11 +48,12 @@ BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: iproute2 +BuildRequires: iproute2 BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 -BuildRequires: mozilla-nss-devel >= 3.15.1 +BuildRequires: mozilla-nss-devel >= 3.25 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig Requires: %{apache_mmn} 
@@ -61,7 +61,8 @@ Requires: apache2 >= 2.2.12 Requires: findutils Requires: iproute2 -Requires: mozilla-nss >= 3.15.1 +Requires: iproute2 +Requires: mozilla-nss >= 3.25 Requires(post): mozilla-nss-tools Provides: mod_nss @@ -75,7 +76,6 @@ %setup -q -n mod_nss-%{version} %patch1 -p1 %patch2 -p1 -%patch3 -p1 %patch4 -p1 # Touch expression parser sources to prevent regenerating it
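Review bot: Both spec hunks add `iproute2` directly beneath an identical context line (`BuildRequires: iproute2` in the hunk at -49, `Requires: iproute2` in the hunk at -61), so each dependency ends up listed twice. The context lines show the previous revision already carried them; drop the two `+` lines and the "Require iproute2 for ss" changelog bullet, leaving the Patch3 removal and the NSS 3.25 bump as the actual change.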
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2017-10-25 17:47:23 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Wed Oct 25 17:47:23 2017 rev:24 rq:536370 version:1.0.14 Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-10-10 16:21:12.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2017-10-25 17:47:24.247745180 +0200 @@ -1,0 +2,7 @@ +Mon Oct 23 12:53:12 UTC 2017 - vci...@suse.com + +- Use ss instead of the deprecated netstat in gencert (bsc#1064415) + * add mod_nss-gencert_use_ss_instead_of_netstat.patch +- spec: cleanup and fix URLs + +--- New: mod_nss-gencert_use_ss_instead_of_netstat.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.nuRJUK/_old 2017-10-25 17:47:25.307695433 +0200 +++ /var/tmp/diff_new_pack.nuRJUK/_new 2017-10-25 17:47:25.311695246 +0200 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,25 +16,30 @@ # +%defineapxs %{_sbindir}/apxs2 +%defineapache apache2 +%defineapache_libexecdir %(%{apxs} -q LIBEXECDIR) +%defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR) +%defineapache_includedir %(%{apxs} -q INCLUDEDIR) +%defineapache_serverroot %(%{apxs} -q PREFIX) +%defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) +%defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss +Version:1.0.14 +Release:0 Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 Group: Productivity/Networking/Web/Servers -Version:1.0.14 -Release:0.4.8 -Url:https://fedorahosted.org/mod_nss -Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz +Url:https://pagure.io/mod_nss +Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz Source1:mod_nss.conf.in Source2:listen_nss.conf Source4:README-SUSE.txt Source5:vhost-nss.template -Provides: mod_nss -Requires: %{apache_mmn} -Requires: %{apache_suse_maintenance_mmn} -Requires: apache2 >= 2.2.12 -Requires: findutils -Requires: mozilla-nss >= 3.15.1 -PreReq: mozilla-nss-tools +Patch1: mod_nss-migrate.patch +Patch2: mod_nss-gencert-correct-ownership.patch +Patch3: mod_nss-dont_disable_SSLV2.patch +Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: automake @@ -43,6 +48,7 @@ BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ +BuildRequires: iproute2 BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: libtool 
@@ -50,20 +56,14 @@ BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig - -Patch1: mod_nss-migrate.patch -Patch2: mod_nss-gencert-correct-ownership.patch -Patch3: mod_nss-dont_disable_SSLV2.patch - -BuildRoot: %{_tmppath}/%{name}-%{version}-build -%defineapxs /usr/sbin/apxs2 -%defineapache apache2 -%defineapache_libexecdir %(%{apxs} -q LIBEXECDIR) -%defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR) -%defineapache_includedir %(%{apxs} -q INCLUDEDIR) -%defineapache_serverroot %(%{apxs} -q PREFIX) -%defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) -%defineapache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d +Requires: %{apache_mmn} +Requires: %{apache_suse_maintenance_mmn} +Requires: apache2 >= 2.2.12 +Requires: findutils +Requires: iproute2 +Requires: mozilla-nss >= 3.15.1 +Requires(post): mozilla-nss-tools +Provides: mod_nss %description The mod_nss module provides strong cryptography for the Apache Web @@ -76,20 +76,21 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build -CFLAGS="$RPM_OPT_FLAGS" +CFLAGS="%{optflags}" export CFLAGS -NSPR_INCLUDE_DIR=`/usr/bin/pkg-config
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-10-10 16:21:11 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-09-17 14:40:32.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-10-10 16:21:12.0 +0200 @@ -1,0 +2,5 @@ +Thu Sep 29 15:26:39 UTC 2016 - jeng...@inai.de + +- Avoid changing permissions through symlinks + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.YVMBTb/_old 2016-10-10 16:21:13.0 +0200 +++ /var/tmp/diff_new_pack.YVMBTb/_new 2016-10-10 16:21:13.0 +0200 @@ -199,8 +199,8 @@ echo "" fi # Make sure that the database ownership is setup properly. -find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \; -find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \; +find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {} + +find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} + %files %defattr(-,root,root,-)
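Review bot: The two `find` lines in %post handle symlinks differently: `chgrp -h` acts on the link itself, while `chmod` is skipped through `! -type l`, so a root-owned symlink named `*.db` still has its own group changed to `www`. Putting the same `! -type l` (or `-type f`) test on both commands states the intent once and leaves links untouched. The change from `\;` to `+` is fine, since neither command needs one file per invocation.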
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-09-17 14:40:30 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-08-05 18:16:41.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-09-17 14:40:32.0 +0200 @@ -1,0 +2,15 @@ +Thu Sep 15 10:44:06 UTC 2016 - vci...@suse.com + +- don't disable SSLV2, because it doesn't work with NSS 3.24 + (boo#993642) + * add mod_nss-dont_disable_SSLV2.patch +- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in + (bsc#998176) +- change ownership of the gencert generated NSS database so apache + can read it (bsc#998180) + * add mod_nss-gencert-correct-ownership.patch +- use correct configuration path in mod_nss.conf.in (bsc#996282) +- remove %post migration code from the old alias directory +- generate dummy certificates if there aren't any in mod_nss.d + +--- New: mod_nss-dont_disable_SSLV2.patch mod_nss-gencert-correct-ownership.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.dmgxzl/_old 2016-09-17 14:40:34.0 +0200 +++ /var/tmp/diff_new_pack.dmgxzl/_new 2016-09-17 14:40:34.0 +0200 @@ -52,6 +52,8 @@ BuildRequires: pkgconfig Patch1: mod_nss-migrate.patch +Patch2: mod_nss-gencert-correct-ownership.patch +Patch3: mod_nss-dont_disable_SSLV2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 @@ -72,6 +74,8 @@ %prep %setup -q -n mod_nss-%{version} %patch1 -p1 +%patch2 -p1 +%patch3 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] 
@@ -188,48 +192,15 @@ %post umask 077 -if [ "$1" -eq 1 ] ; then -# this is first time installation. -if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then +if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1 echo "" echo "%{name} certificate database generated." echo "" -fi -# Make sure that the database ownership is setup properly. -find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \; -find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \; -fi -if [ "$1" -eq 2 ]; then -# this is the upgrade case for this %post: -if [ -d %{apache_sysconfdir}/alias ]; then - copied_files="" - for dbfile in *.db; do - if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then - cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile" - copied_files="$copied_files $dbfile" - fi - done - if [ "$copied_files" != "" ]; then - { - echo "This notice was written by the post-install script of the package" - echo "%{name}." - echo "" - echo "The files $copied_files" - echo "have been copied to the directory %{apache_sysconf_nssdir}," - echo "as this directory is not referenced by the default configuration any longer," - echo "and because these files did not exist in %{apache_sysconf_nssdir}." - echo "Existing files have not been modified." - echo "" - echo "Please check your configuration and remove or move your certificate and" - echo "key storage to your desired place, and adjust your module configuration" - echo "accordingly." - echo "" - echo "Thank you." - } > %{apache_sysconfdir}/alias/README-dbfiles.txt - fi -fi fi +# Make sure that the database ownership is setup properly. +find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \; +find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \; %files %defattr(-,root,root,-) 
@@ -244,7 +215,6 @@ %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log -#%%{apache_sysconf_nssdir}/libnssckbi.so %{_sbindir}/nss_pcache %{_sbindir}/gencert %{_sbindir}/mod_nss_migrate.pl ++ mod_nss-dont_disable_SSLV2.patch ++ Index: mod_nss-1.0.14/nss_engine_init.c
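Review bot: With the `"$1" -eq 1` test removed from %post, the guard `[ ! -e %{apache_sysconf_nssdir}/key3.db ]` now decides on every install and upgrade whether gencert runs, and it looks only for the legacy key3.db. The 1.0.13 changelog on this page lists sqlite database support, which stores keys in key4.db, so a directory holding only a sqlite database would have gencert run against it on each upgrade. Test for both key3.db and key4.db before generating. The ownership fix-up that follows has the same blind spot only if `*.db` stops matching, so that part is fine as written.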
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-08-05 18:16:40 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-04-28 16:57:51.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-08-05 18:16:41.0 +0200 @@ -1,0 +2,7 @@ +Fri Jul 29 18:04:55 UTC 2016 - vci...@suse.com + +- use systemd-ask-password to prompt for a certificate passphrase + (bsc#972968) + * drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff + +--- Old: mod_nss-bnc863518-reopen_dev_tty.diff Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.BxDyVN/_old 2016-08-05 18:16:42.0 +0200 +++ /var/tmp/diff_new_pack.BxDyVN/_new 2016-08-05 18:16:42.0 +0200 @@ -51,7 +51,6 @@ BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig -Patch0: mod_nss-bnc863518-reopen_dev_tty.diff Patch1: mod_nss-migrate.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -72,7 +71,6 @@ %prep %setup -q -n mod_nss-%{version} -%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch1 -p1 # Touch expression parser sources to prevent regenerating it @@ -136,9 +134,7 @@ %check set +x mkdir -p %{apache_test_module_dir} -# create password file including internal token to suppress -# apache 'builtin dialog', see NSSPassPhraseDialog below -# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html) +# create password file including internal token to suppress apache 'builtin dialog' cat << EOF > %{apache_test_module_dir}/password.conf internal:httptest EOF ++ mod_nss.conf.in ++ --- /var/tmp/diff_new_pack.BxDyVN/_old 2016-08-05 18:16:42.0 +0200 +++ /var/tmp/diff_new_pack.BxDyVN/_new 2016-08-05 18:16:42.0 +0200 
@@ -26,7 +26,7 @@ # VirtualHosts on the same IP Address and port is not possible. # # Reason: -# The brwoser/client connects to the web server's port 443 and initializes +# The browser/client connects to the web server's port 443 and initializes # an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the # client to specify the host that it wants to connect to, unless the crypto # has been fully initialized already. Similarly, the server cannot present @@ -132,8 +132,7 @@ # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. -NSSPassPhraseDialog builtin - +NSSPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass # Pass Phrase Helper: # This helper program stores the token password pins between 
@@ -188,35 +187,9 @@ # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. -# SSL 3 ciphers. SSL 2 is disabled -#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha - -# The following ciphers are available in SUSE's package after June 2014; -# The GCM mode aes ciphers are of particular interest. -# You may want to add them if so desired: -# -# rsa_aes_128_gcm_sha -# ecdh_ecdsa_aes_128_gcm_sha -# ecdhe_ecdsa_aes_128_gcm_sha -# ecdh_rsa_aes_128_gcm_sha -# ecdhe_rsa_aes_128_gcm_sha - -# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. -# -# Comment out the NSSCipherSuite line above and use the one below if you have -# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography -#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha - -# The following is taken as default with the apache2-mod_nss package, as -# provided with
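Review bot: The mod_nss.conf.in hunk at -132 makes `exec:/usr/sbin/apache2-systemd-ask-pass` the default `NSSPassPhraseDialog`, but none of the spec hunks in this commit adds a requirement on whatever ships that helper, so the default configuration can reference a program that is not installed. Add a file dependency on the path or raise the apache2 requirement to a version known to provide it. The comment above the directive still explains only `builtin`; describe the exec helper there as well.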
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-04-28 16:54:54 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-03-31 13:03:47.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-04-28 16:57:51.0 +0200 @@ -1,0 +2,12 @@ +Sat Apr 16 09:12:29 UTC 2016 - vci...@suse.com + +- update to 1.0.14 (fixes boo#973996) + * OpenSSL ciphers stopped parsing at +, CVE-2016-3099 + * Created valgrind suppression files to ease debugging + * Implement SSL_PPTYPE_FILTER to call executables to get +the key password pins. Can be used to prompt with systemd. + * Improvements to migrate.pl +- drop mod_nss_migrate.pl and use upstream migrate script instead + * add mod_nss-migrate.patch + +--- Old: mod_nss-1.0.13.tar.gz mod_nss_migrate.pl New: mod_nss-1.0.14.tar.gz mod_nss-migrate.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.Pu1grj/_old 2016-04-28 16:57:54.0 +0200 +++ /var/tmp/diff_new_pack.Pu1grj/_new 2016-04-28 16:57:54.0 +0200 @@ -20,13 +20,12 @@ Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 Group: Productivity/Networking/Web/Servers -Version:1.0.13 +Version:1.0.14 Release:0.4.8 Url:https://fedorahosted.org/mod_nss Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz Source1:mod_nss.conf.in Source2:listen_nss.conf -Source3:mod_nss_migrate.pl Source4:README-SUSE.txt Source5:vhost-nss.template Provides: mod_nss @@ -52,7 +51,8 @@ BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig -Patch23:mod_nss-bnc863518-reopen_dev_tty.diff +Patch0: mod_nss-bnc863518-reopen_dev_tty.diff +Patch1: mod_nss-migrate.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 
@@ -72,7 +72,8 @@ %prep %setup -q -n mod_nss-%{version} -%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch1 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -123,7 +124,7 @@ install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ -install -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/ +install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db ++ mod_nss-1.0.13.tar.gz -> mod_nss-1.0.14.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/ChangeLog new/mod_nss-1.0.14/ChangeLog --- old/mod_nss-1.0.13/ChangeLog2016-03-05 23:39:14.0 +0100 +++ new/mod_nss-1.0.14/ChangeLog2016-04-15 20:27:59.0 +0200 @@ -1,3 +1,19 @@ +2016-04-15 Rob Crittenden+* Become 1.0.14 + +2016-03-31 Rob Crittenden +* Created valgrind suppression files to ease debugging + +2016-03-30 Rob Crittenden +* Implement SSL_PPTYPE_FILTER to call executables to get + the key password pins. Can be used to prompt with systemd. + +2016-03-30 Vitezslav Cizek +* Improvements to migrate.pl + +2016-03-17 Rob Crittenden +* OpenSSL ciphers stopped parsing at +, CVE-2016-3099 + 2016-03-04 Rob Crittenden * Fix a number of issues discovered by clang-analyzer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/configure.ac new/mod_nss-1.0.14/configure.ac --- old/mod_nss-1.0.13/configure.ac 2016-03-05 23:39:14.0 +0100 +++ new/mod_nss-1.0.14/configure.ac 2016-04-15 20:27:59.0 +0200 
@@ -1,5 +1,5 @@ # Required initializer -AC_INIT([mod_nss],[1.0.13]) +AC_INIT([mod_nss],[1.0.14]) m4_include([acinclude.m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_nss-1.0.13/docs/mod_nss.html new/mod_nss-1.0.14/docs/mod_nss.html --- old/mod_nss-1.0.13/docs/mod_nss.html
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-03-31 13:03:40 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2016-01-23 01:16:32.0 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-03-31 13:03:47.0 +0200 
@@ -1,0 +2,68 @@ +Thu Mar 17 16:27:13 UTC 2016 - vci...@suse.com + +- use a whitelist approach for keeping directives in the migration + script (bsc#961907) + * modify mod_nss_migrate.pl + +--- +Wed Mar 16 14:45:24 UTC 2016 - pgaj...@suse.com + +- fix test: add NSSPassPhraseDialog, point it to plain file + +--- +Mon Mar 14 12:27:37 UTC 2016 - vci...@suse.com + +- update to 1.0.13 + Update default ciphers to something more modern and secure + Check for host and netstat commands in gencert before trying to use them + Add server support for DHE ciphers + Extract SAN from server/client certificates into env + Fix memory leaks and other coding issues caught by clang analyzer + Add support for Server Name Indication (SNI) (#1010751) + Add support for SNI for reverse proxy connections + Add RenegBufferSize? option + Add support for TLS Session Tickets (RFC 5077) + Fix logical AND support in OpenSSL cipher compatibility + Correctly handle disabled ciphers (CVE-2015-5244) + Implement a slew more OpenSSL cipher macros + Fix a number of illegal memory accesses and memory leaks + Support for SHA384 ciphers if they are available in NSS + Add compatibility for mod_ssl-style cipher definitions (#862938) + Add TLSv1.2-specific ciphers + Completely remove support for SSLv2 + Add support for sqlite NSS databases (#1057650) + Compare subject CN and VS hostname during server start up + Add support for enabling TLS v1.2 + Don't enable SSL 3 by default (CVE-2014-3566) + Fix CVE-2013-4566 + Move nss_pcache to /usr/libexec + Support httpd 2.4+ +- drop almost all our patches (upstream) + * 0001-SNI-check-with-NameVirtualHosts.patch + * mod_nss-CVE-2013-4566-NSSVerifyClient.diff + * mod_nss-PK11_ListCerts_2.patch + * mod_nss-add_support_for_enabling_TLS_v1.2.patch + * mod_nss-array_overrun.patch + * mod_nss-cipherlist_update_for_tls12-doc.diff + * mod_nss-cipherlist_update_for_tls12.diff + * mod_nss-clientauth.patch + * mod_nss-compare_subject_CN_and_VS_hostname.patch + * 
mod_nss-gencert.patch + * mod_nss-httpd24.patch + * mod_nss-lockpcache.patch + * mod_nss-negotiate.patch + * mod_nss-no_shutdown_if_not_init_2.patch + * mod_nss-overlapping_memcpy.patch + * mod_nss-pcachesignal.h + * mod_nss-proxyvariables.patch + * mod_nss-reseterror.patch + * mod_nss-reverse_proxy_send_SNI.patch + * mod_nss-reverseproxy.patch + * mod_nss-sslmultiproxy.patch + * mod_nss-tlsv1_1.patch + * mod_nss-wouldblock.patch + * update-ciphers.patch +- add automake and libtool to BuildRequires +- temporarily comment out %check + +--- Old: 0001-SNI-check-with-NameVirtualHosts.patch mod_nss-1.0.8.tar.gz mod_nss-CVE-2013-4566-NSSVerifyClient.diff mod_nss-PK11_ListCerts_2.patch mod_nss-add_support_for_enabling_TLS_v1.2.patch mod_nss-array_overrun.patch mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff mod_nss-clientauth.patch mod_nss-compare_subject_CN_and_VS_hostname.patch mod_nss-gencert.patch mod_nss-httpd24.patch mod_nss-lockpcache.patch mod_nss-negotiate.patch mod_nss-no_shutdown_if_not_init_2.patch mod_nss-overlapping_memcpy.patch mod_nss-pcachesignal.h mod_nss-proxyvariables.patch mod_nss-reseterror.patch mod_nss-reverse_proxy_send_SNI.patch mod_nss-reverseproxy.patch mod_nss-sslmultiproxy.patch mod_nss-tlsv1_1.patch mod_nss-wouldblock.patch update-ciphers.patch New: mod_nss-1.0.13.tar.gz Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.ZpLJKc/_old 2016-03-31 13:03:48.0 +0200 +++ /var/tmp/diff_new_pack.ZpLJKc/_new 2016-03-31 13:03:48.0 +0200 @@ -20,7 +20,7 @@ Summary:SSL/TLS module for the Apache HTTP server License:Apache-2.0 Group: Productivity/Networking/Web/Servers -Version:1.0.8 +Version:1.0.13 Release:0.4.8 Url:https://fedorahosted.org/mod_nss Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz @@ -38,6 +38,7
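Review bot: The Mar 14 changelog entry ends with "temporarily comment out %check" in the same update that replaces nearly all local patches, including mod_nss-CVE-2013-4566-NSSVerifyClient.diff, with upstream 1.0.13 code, which is when the package test is most needed. The Mar 16 entry says the test was fixed but no entry states that %check is enabled again; say so explicitly. "Add RenegBufferSize? option" also carries a stray `?`.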
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2016-01-23 01:16:27 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-12-21 12:04:38.0 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2016-01-23 01:16:32.0 +0100 @@ -1,0 +2,5 @@ +Tue Jan 12 08:31:19 UTC 2016 - pgaj...@suse.com + +- %check: access syntax depends on %{apache_branch} + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.26NAUP/_old 2016-01-23 01:16:33.0 +0100 +++ /var/tmp/diff_new_pack.26NAUP/_new 2016-01-23 01:16:33.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -202,7 +202,11 @@ NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 +%if 0%{?apache_branch} >= 204 Require local +%else + Allow from localhost +%endif EOF # create test certificate
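Review bot: In the `%else` branch of the %check configuration, `Allow from localhost` on its own does not restrict anything under Apache 2.2, because the default `Order Deny,Allow` admits every client that no `Deny` rule matches. To mirror what `Require local` does on 2.4, put `Order deny,allow` and `Deny from all` ahead of the `Allow` line.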
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-12-21 12:04:32 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-10-20 00:09:01.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-12-21 12:04:38.0 +0100 @@ -1,0 +2,5 @@ +Fri Dec 11 12:08:09 UTC 2015 - pgaj...@suse.com + +- %{apache_branch} converted to number + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.Ve1Mmo/_old 2015-12-21 12:04:39.0 +0100 +++ /var/tmp/diff_new_pack.Ve1Mmo/_new 2015-12-21 12:04:39.0 +0100 @@ -128,7 +128,7 @@ %patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch # keep this last, otherwise we get fuzzyness from above -%if "%{apache_branch}" != "2.2" +%if %{apache_branch} >= 204 %patch9 -p1 -b .http24 %endif
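Review bot: `%if %{apache_branch} >= 204` is left unexpanded when the macro is not defined, and the `%if` then fails to parse. Write it as `%if 0%{?apache_branch} >= 204` so an undefined macro evaluates to 0 and the 2.4 patch is simply skipped.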
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-10-19 22:53:58 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is "apache2-mod_nss" Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-07-20 11:21:14.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-10-20 00:09:01.0 +0200 
@@ -1,0 +2,39 @@ +Wed Oct 14 09:23:18 UTC 2015 - pgaj...@suse.com + +- mod_nss-httpd24.patch applied depending on %{apache_branch} + instead of %{suse_version}, fixes build for sle11 with new apache + +--- +Fri Oct 2 14:35:41 UTC 2015 - pgaj...@suse.com + +- test module with %apache_test_module_curl + +--- +Mon Sep 7 08:25:03 UTC 2015 - vci...@suse.com + +- unified ciphers with SLE-12 + * modified patches: +mod_nss-cipherlist_update_for_tls12-doc.diff +mod_nss-cipherlist_update_for_tls12.diff +update-ciphers.patch + +--- +Mon Sep 7 08:03:31 UTC 2015 - vci...@suse.com + +- send TLS server name extension on proxy connections (bsc#933832) + * added mod_nss-reverse_proxy_send_SNI.patch +- updates to the SNI code (from Stanislav Tokos): + update update-ciphers.patch + (bsc#928039) + merge changes from the mod_nss-SNI_support.patch to: + 0001-SNI-check-with-NameVirtualHosts.patch + (bnc#927402) + abstract hash for NSSNickname and ServerName, add ServerAliases and Wild + Cards for vhost + (bsc#927402, bsc#928039, bsc#930922) + replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts) + (bsc#930186) + add alert about permission on the certificate database + (bsc#933265) + +--- Old: mod_nss-SNI_support.patch New: 0001-SNI-check-with-NameVirtualHosts.patch mod_nss-reverse_proxy_send_SNI.patch update-ciphers.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.XpMPTp/_old 2015-10-20 00:09:02.0 +0200 +++ /var/tmp/diff_new_pack.XpMPTp/_new 2015-10-20 00:09:02.0 +0200 @@ -39,6 +39,7 @@ BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: bison +BuildRequires: curl BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ 
@@ -78,7 +79,9 @@ # PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2 Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch # PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreit...@suse.com -- add Server Name Indication support -Patch26:mod_nss-SNI_support.patch +Patch26:0001-SNI-check-with-NameVirtualHosts.patch +Patch27:update-ciphers.patch +Patch28:mod_nss-reverse_proxy_send_SNI.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 @@ -120,10 +123,12 @@ %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch -%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch +%patch26 -p1 -b .SNI_support.rpmpatch +%patch27 -p1 -b .update-ciphers.rpmpatch +%patch28 -p1 -b .reverse_proxy_send_SNI.rpmpatch # keep this last, otherwise we get fuzzyness from above -%if 0%{?suse_version} >= 1300 +%if "%{apache_branch}" != "2.2" %patch9 -p1 -b .http24 %endif 
@@ -185,8 +190,51 @@ touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert -%clean -rm -rf $RPM_BUILD_ROOT +%check +set +x +mkdir -p %{apache_test_module_dir} +# create test configuration +cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf +NSSEngine on +NSSNickname Server-Cert +NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d +NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache +NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 + + Require local + +EOF +# create test certificate +mkdir -p %{apache_test_module_dir}/mod_nss.d +# bend gencert to use ServerName of apache test instance +cp %{buildroot}%{_sbindir}/gencert . +sed -i
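Review bot: The mod_nss-test.conf written in %check uses `Require local` unconditionally, while the hunk at -120 in the same commit makes the httpd 2.4 patch depend on `%{apache_branch}` so that the package still builds against the 2.2 branch, where `Require local` is not valid access-control syntax. Wrap the access line in the same branch test used for %patch9, with the 2.2 `Order`/`Deny`/`Allow` form in the other arm.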
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-07-20 11:21:12 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-05-18 22:33:44.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-07-20 11:21:14.0 +0200 @@ -1,0 +2,7 @@ +Thu Jul 16 07:22:02 UTC 2015 - pgaj...@suse.com + +- Requries: %{apache_suse_maintenance_mmn} + This will pull this module to the update (in released distribution) + when apache maintainer thinks it is good (due api/abi changes). + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.Yw1iZ3/_old 2015-07-20 11:21:16.0 +0200 +++ /var/tmp/diff_new_pack.Yw1iZ3/_new 2015-07-20 11:21:16.0 +0200 @@ -30,10 +30,13 @@ Source4:README-SUSE.txt Source5:vhost-nss.template Provides: mod_nss +Requires: %{apache_mmn} +Requires: %{apache_suse_maintenance_mmn} Requires: apache2 = 2.2.12 Requires: findutils Requires: mozilla-nss = 3.15.1 PreReq: mozilla-nss-tools +BuildRequires: apache-rpm-macros BuildRequires: apache2-devel = 2.2.12 BuildRequires: bison BuildRequires: findutils
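Review bot: the changelog entry misspells the tag as "Requries:" and names only %{apache_suse_maintenance_mmn}, while the spec hunk also adds "Requires: %{apache_mmn}" and "BuildRequires: apache-rpm-macros". List all three in the entry, and state that the two Requires macros come from apache-rpm-macros, because without that BuildRequires they would reach the package unexpanded.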
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-05-18 22:33:43 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-05-10 10:46:58.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-05-18 22:33:44.0 +0200 @@ -1,0 +2,6 @@ +Mon May 18 10:32:12 UTC 2015 - h...@suse.com + +- The package does not carry any .conf files underneath /etc/apache2/mod_nss.d, + therefore use 'IncludeOptional' instead of 'Include' directory in mod_nss.conf. + +--- Other differences: -- ++ mod_nss.conf.in ++ --- /var/tmp/diff_new_pack.xd7xdE/_old 2015-05-18 22:33:45.0 +0200 +++ /var/tmp/diff_new_pack.xd7xdE/_new 2015-05-18 22:33:45.0 +0200 @@ -106,7 +106,7 @@ IfModule mod_nss.c Include /etc/apache2/listen_nss.conf -Include /etc/apache2/mod_nss.d/*.conf +IncludeOptional /etc/apache2/mod_nss.d/*.conf
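Review bot: the mod_nss.conf.in hunk switches the mod_nss.d line to IncludeOptional, a directive that exists only in Apache httpd 2.3.6 and later, while the spec hunks in the neighbouring commits on this page still require only apache2 2.2.12 and apply the http24 patch conditionally. On a 2.2 build this line would stop the configuration from parsing, so either generate the line per Apache branch at build time or raise the minimum apache2 version in the same change. The changelog should also read "directive", not "directory".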
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-05-10 10:46:55 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2015-04-10 09:52:40.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-05-10 10:46:58.0 +0200 @@ -1,0 +2,5 @@ +Thu May 7 12:27:40 UTC 2015 - kstreit...@suse.com + +- change of url and source address + +--- Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.9ZDWiG/_old 2015-05-10 10:46:59.0 +0200 +++ /var/tmp/diff_new_pack.9ZDWiG/_new 2015-05-10 10:46:59.0 +0200 @@ -22,8 +22,8 @@ Group: Productivity/Networking/Web/Servers Version:1.0.8 Release:0.4.8 -Url:http://directory.fedoraproject.org/wiki/Mod_nss -Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz +Url:https://fedorahosted.org/mod_nss +Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz Source1:mod_nss.conf.in Source2:listen_nss.conf Source3:mod_nss_migrate.pl
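Review bot: the changelog entry "change of url and source address" omits the part of this hunk that matters most for the build: Url and Source move from http:// to https://, so the tarball location is now reached over TLS. Say so in the entry. The Source line is still the only integrity anchor visible in this hunk; if upstream publishes a signature or checksum for mod_nss-%{version}.tar.gz, add it as a further Source so the download can be verified.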
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2015-03-09 10:09:27 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-11-06 16:50:56.0 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2015-03-09 10:09:39.0 +0100 @@ -1,0 +2,8 @@ +Tue Mar 3 10:25:27 UTC 2015 - kstreit...@suse.com + +- add mod_nss-SNI_support.patch that brings Server Name Indication + support that allows to have multiple HTTPS websites with multiple + certificates on the same IP address and port. + [fate#318331], [bnc#897712] + +--- New: mod_nss-SNI_support.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.xkC1d8/_old 2015-03-09 10:09:40.0 +0100 +++ /var/tmp/diff_new_pack.xkC1d8/_new 2015-03-09 10:09:40.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -74,6 +74,8 @@ Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch # PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2 Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch +# PATCH-FEATURE-UPSTREAM bnc#897712 fate#318331 kstreit...@suse.com -- add Server Name Indication support +Patch26:mod_nss-SNI_support.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 
@@ -115,6 +117,7 @@ %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch %patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch +%patch26 -p1 -b .mod_nss-SNI_support.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} = 1300 ++ mod_nss-SNI_support.patch ++ From 07405e4dbd1e2df6583bb571a6230da78788c19b Mon Sep 17 00:00:00 2001 From: standa sto...@suse.de Date: Thu, 26 Feb 2015 15:23:50 +0100 Subject: [PATCH] SNI check with NameVirtualHosts --- docs/mod_nss.html | 10 ++ mod_nss.c | 3 ++ mod_nss.h | 18 ++ nss_engine_config.c | 11 +++ nss_engine_init.c | 95 - nss_engine_kernel.c | 51 nss_util.c | 19 +++ 7 files changed, 199 insertions(+), 8 deletions(-) Index: mod_nss-1.0.8/docs/mod_nss.html === --- mod_nss-1.0.8.orig/docs/mod_nss.html +++ mod_nss-1.0.8/docs/mod_nss.html @@ -1079,6 +1079,16 @@ components of the client certificate, th br codeNSSRequirebr /codebr +bigbigNSSSNI/big/bigbr +br +Enables or disables Server Name Identification(SNI) extension check for +SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header. +br +br +span style=font-weight: bold;Example/spanbr +br +codeNSSSNI off/codebr +br bigbigNSSProxyEngine/big/bigbr br Enables or disables mod_nss HTTPS support for mod_proxy.br Index: mod_nss-1.0.8/mod_nss.c === --- mod_nss-1.0.8.orig/mod_nss.c +++ mod_nss-1.0.8/mod_nss.c @@ -85,6 +85,9 @@ static const command_rec nss_config_cmds SSL_CMD_SRV(FIPS, FLAG, FIPS 140-1 mode (`on', `off')) +SSL_CMD_SRV(SNI, FLAG, +SNI +(`on', `off')) SSL_CMD_ALL(CipherSuite, TAKE1, Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable (`[+-]XXX,...,[+-]XXX' - see manual)) Index: mod_nss-1.0.8/mod_nss.h === --- mod_nss-1.0.8.orig/mod_nss.h +++ mod_nss-1.0.8/mod_nss.h 
@@ -308,6 +308,7 @@ struct SSLSrvConfigRec { const char *ocsp_name; BOOL ocsp; BOOL enabled; +BOOL sni; BOOL proxy_enabled; const char *vhost_id; int vhost_id_len; @@ -343,6 +344,20 @@ typedef struct PRInt32 version; /* protocol version valid for this cipher */ } cipher_properties; +typedef struct { + const char *vhost_id[70]; + const char *nick[30]; +} vhostNick[500]; +
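Review bot: in the mod_nss.h hunk, the vhostNick typedef declares "const char *vhost_id[70]" and "const char *nick[30]", that is 70 and 30 pointers per entry rather than character buffers, and fixes the table at 500 entries. If the intent is one hostname and one nickname per virtual host, use a single "const char *" for each, and make sure the code that fills the table refuses a 501st entry instead of writing past the end; that code is not visible in this excerpt. A pool-allocated apr_hash_t keyed by vhost_id would remove both fixed limits.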
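Review bot: the docs/mod_nss.html hunk expands SNI as "Server Name Identification"; the extension is Server Name Indication, as the spec comment above Patch26 already says. "This option is turn on by default" and "SNI vhost_id gets from HTTPS header" need rewording, and the second sentence should state which value is compared with which. In mod_nss.c the help string for SSL_CMD_SRV(SNI, FLAG, ...) is only "SNI"; describe the flag the way the neighbouring FIPS entry does.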
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-11-06 16:50:15 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-10-31 19:57:44.0 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-11-06 16:50:56.0 +0100 @@ -1,0 +2,6 @@ +Tue Nov 4 14:13:46 UTC 2014 - kstreit...@suse.com + +- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch + that adding small fixes for support of TLS v1.2 + +--- New: mod_nss-add_support_for_enabling_TLS_v1.2.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.e5AH66/_old 2014-11-06 16:50:58.0 +0100 +++ /var/tmp/diff_new_pack.e5AH66/_new 2014-11-06 16:50:58.0 +0100 @@ -72,6 +72,8 @@ Patch23:mod_nss-bnc863518-reopen_dev_tty.diff # PATCH-FIX-UPSTREAM bnc#897712 kstreit...@suse.com -- check for the misconfiguration of certificate's CN and virtual name Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch +# PATCH-FIX-UPSTREAM bnc#902068 kstreit...@suse.com -- small fixes for TLS-v1.2 +Patch25:mod_nss-add_support_for_enabling_TLS_v1.2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 @@ -112,6 +114,7 @@ %patch20 -p0 -b .ciphers.doc.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch %patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch +%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} = 1300 ++ mod_nss-add_support_for_enabling_TLS_v1.2.patch ++ From 78c17097186a8cacfb237af67fdd87599a727e88 Mon Sep 17 00:00:00 2001 
From: Rob Crittenden rcrit...@redhat.com Date: Thu, 16 Oct 2014 14:05:05 -0400 Subject: [PATCH] Add support for enabling TLS v1.2 If support is available in NSS then it is just a matter of including TLS 1.2 in the protocol range. --- docs/mod_nss.html | 97 --- mod_nss.c | 4 +-- nss.conf.in | 2 +- nss_engine_init.c | 51 + nss_engine_vars.c | 3 ++ 5 files changed, 86 insertions(+), 71 deletions(-) Index: mod_nss-1.0.8/nss.conf.in === --- mod_nss-1.0.8.orig/nss.conf.in +++ mod_nss-1.0.8/nss.conf.in @@ -98,7 +98,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha -NSSProtocol SSLv3,TLSv1 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. Index: mod_nss-1.0.8/nss_engine_vars.c === --- mod_nss-1.0.8.orig/nss_engine_vars.c +++ mod_nss-1.0.8/nss_engine_vars.c @@ -747,6 +747,9 @@ static char *nss_var_lookup_protocol_ver case SSL_LIBRARY_VERSION_TLS_1_1: result = TLSv1.1; break; +case SSL_LIBRARY_VERSION_TLS_1_2: +result = TLSv1.2; +break; } } } Index: mod_nss-1.0.8/nss_engine_init.c === --- mod_nss-1.0.8.orig/nss_engine_init.c +++ mod_nss-1.0.8/nss_engine_init.c 
@@ -758,12 +758,12 @@ static void nss_init_ctx_protocol(server * cannot be excluded from this range. NSS will automatically negotiate * to utilize the strongest acceptable protocol for a connection starting * with the maximum specified protocol and downgrading as necessary to the - * minimum specified
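Review bot: the nss.conf.in hunk changes the shipped default from "NSSProtocol SSLv3,TLSv1" to "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2", which removes SSLv3 from the default, yet the changelog describes the patch as small fixes for TLS v1.2 support. Record the SSLv3 removal explicitly so an administrator comparing configurations can find it. The NSSCipherSuite lines kept as context in the same hunk still enable +rsa_rc4_128_md5 and +rsa_rc4_128_sha; if the protocol default is being modernised, the cipher default deserves the same pass or a note on why it is left alone.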
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-10-31 18:27:35 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-08-25 11:05:02.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-10-31 19:57:44.0 +0100 @@ -1,0 +2,9 @@ +Wed Oct 29 14:59:06 UTC 2014 - kstreit...@suse.com + +- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch + that compare CN and VS hostname (use NSS library). Removed + following patches: + * mod_nss-SNI-checks.patch + * mod_nss-SNI-callback.patch + +--- Old: mod_nss-SNI-callback.patch mod_nss-SNI-checks.patch New: mod_nss-compare_subject_CN_and_VS_hostname.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.kxhGZ0/_old 2014-10-31 19:57:46.0 +0100 +++ /var/tmp/diff_new_pack.kxhGZ0/_new 2014-10-31 19:57:46.0 +0100 @@ -69,9 +69,10 @@ Patch18:mod_nss-CVE-2013-4566-NSSVerifyClient.diff Patch19:mod_nss-cipherlist_update_for_tls12.diff Patch20:mod_nss-cipherlist_update_for_tls12-doc.diff -Patch21:mod_nss-SNI-callback.patch -Patch22:mod_nss-SNI-checks.patch Patch23:mod_nss-bnc863518-reopen_dev_tty.diff +# PATCH-FIX-UPSTREAM bnc#897712 kstreit...@suse.com -- check for the misconfiguration of certificate's CN and virtual name +Patch24:mod_nss-compare_subject_CN_and_VS_hostname.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 %defineapache apache2 
@@ -109,9 +110,8 @@ %patch18 -p0 -b .CVE-2013-4566.rpmpatch %patch19 -p0 -b .ciphers.rpmpatch %patch20 -p0 -b .ciphers.doc.rpmpatch -%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch -%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch +%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} = 1300 ++ mod_nss-compare_subject_CN_and_VS_hostname.patch ++ From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001 From: standa sto...@suse.de Date: Wed, 22 Oct 2014 16:14:29 +0200 Subject: [PATCH] Compare subject CN and VS hostname during server start up --- nss_engine_init.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/nss_engine_init.c b/nss_engine_init.c index d74f002..2569c8d 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c 
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname, *KEAtype = NSS_FindCertKEAType(*servercert); +/* Subject/hostname check */ +secstatus = CERT_VerifyCertName(*servercert, s-server_hostname); +if (secstatus != SECSuccess) { + char *cert_dns = CERT_GetCommonName((*servercert)-subject); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + Misconfiguration of certificate's CN and virtual name. + The certificate CN has %s. We expected %s as virtual +name., cert_dns, s-server_hostname); + PORT_Free(cert_dns); +} + /* - * Check for certs that are expired or not yet valid and WARN about it - * no need to refuse working - the client gets a warning, but can work - * with the server we could also verify if the certificate is made out - * for the correct hostname but that would require a reverse DNS lookup - * for every virtual server - too expensive? + * Check for certs that are expired or not yet valid and WARN about it. + * No need to refuse working - the client gets a warning. */ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE); -- 1.9.3
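Review bot: in the nss_init_certificate hunk, the failure branch after CERT_VerifyCertName logs only the subject CN, but CERT_VerifyCertName also matches the hostname against the certificate's subjectAltName entries, so for a certificate with SANs the message "The certificate CN has %s" can name a value that was not the one checked. Word the message as a hostname mismatch and log the SANs as well, or say that the CN is shown for orientation only. CERT_GetCommonName can return NULL when the subject has no CN, so check cert_dns before formatting it. The mismatch is logged at APLOG_ERR while startup continues; the rewritten comment below it drops the old explanation of why the server does not refuse to start, so add a line stating that this is intentional.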
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-08-25 11:03:58 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-07-27 18:47:32.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-08-25 11:05:02.0 +0200 @@ -1,0 +2,7 @@ +Thu Aug 21 07:50:57 UTC 2014 - meiss...@suse.com + +- mod_nss-cipherlist_update_for_tls12-doc.diff, + mod_nss-cipherlist_update_for_tls12.diff, + mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256. + +--- Other differences: -- ++ mod_nss-cipherlist_update_for_tls12-doc.diff ++ --- /var/tmp/diff_new_pack.B2WRIL/_old 2014-08-25 11:05:04.0 +0200 +++ /var/tmp/diff_new_pack.B2WRIL/_new 2014-08-25 11:05:04.0 +0200 @@ -1,7 +1,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html --- ../mod_nss-1.0.8-o/docs/mod_nss.html 2014-02-18 16:30:19.0 +0100 +++ ./docs/mod_nss.html2014-02-18 16:48:18.0 +0100 -@@ -632,100 +632,121 @@ +@@ -632,100 +632,135 @@ /td td style=vertical-align: top;SSLv3/TLSv1.0/TLSv1.1/TLSv1.2/td /tr @@ -53,11 +53,18 @@ td style=vertical-align: top;SSLv3/TLSv1.0/TLSv1.1/TLSv1.2/td /tr +tr ++ td style=vertical-align: top;rsa_aes_128_sha256br ++ /td ++ td style=vertical-align: top;TLS_RSA_WITH_AES_128_CBC_SHA256br ++ /td ++ td style=vertical-align: top;TLSv1.2/td ++/tr ++tr + td style=vertical-align: top;rsa_aes_128_gcm_shabr + /td + td style=vertical-align: top;TLS_RSA_WITH_AES_128_GCM_SHA256br + /td -+ td style=vertical-align: top;TLSv1.0/TLSv1.1/TLSv1.2/td ++ td style=vertical-align: top;TLSv1.2/td +/tr +tr + td style=vertical-align: top;rsa_camellia_128_shabr 
@@ -73,6 +80,13 @@ + /td + td style=vertical-align: top;TLSv1.0/TLSv1.1/TLSv1.2/td +/tr ++tr ++ td style=vertical-align: top;rsa_aes_256_sha256br ++ /td ++ td style=vertical-align: top;TLS_RSA_WITH_AES_256_CBC_SHA256br ++ /td ++ td style=vertical-align: top;TLSv1.2/td ++/tr /tbody /table br @@ -123,7 +137,7 @@ tdecdhe_ecdsa_rc4_128_sha/td tdTLS_ECDHE_ECDSA_WITH_RC4_128_SHA/td tdTLSv1.0/TLSv1.1/TLSv1.2/td -@@ -773,100 +794,120 @@ +@@ -773,100 +794,130 @@ tr tdechde_rsa_null/td tdTLS_ECDHE_RSA_WITH_NULL_SHA/td @@ -175,6 +189,16 @@ tdTLSv1.0/TLSv1.1/TLSv1.2/td /tr +tr ++ tdecdh_ecdsa_aes_128_sha256/td ++ tdTLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256/td ++ tdTLSv1.2/td ++/tr ++tr ++ tdecdh_rsa_aes_128_sha256/td ++ tdTLS_ECDH_RSA_WITH_AES_128_CBC_SHA256/td ++ tdTLSv1.2/td ++/tr ++tr + tdecdh_ecdsa_aes_128_gcm_sha/td + tdTLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256/td + tdTLSv1.0/TLSv1.1/TLSv1.2/td ++ mod_nss-cipherlist_update_for_tls12.diff ++ --- /var/tmp/diff_new_pack.B2WRIL/_old 2014-08-25 11:05:04.0 +0200 +++ /var/tmp/diff_new_pack.B2WRIL/_new 2014-08-25 11:05:04.0 +0200 @@ -53,10 +53,10 @@ /* the table itself is defined in nss_engine_init.c */ #ifdef NSS_ENABLE_ECC -#define ciphernum 48 -+#define ciphernum 55 ++#define ciphernum 59 #else -#define ciphernum 23 -+#define ciphernum 26 ++#define ciphernum 28 #endif /* @@ -110,7 +110,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c --- ../mod_nss-1.0.8-o/nss_engine_init.c 2014-02-18 16:30:19.0 +0100 +++ ./nss_engine_init.c2014-02-18 16:30:51.0 +0100 -@@ -15,122 +15,130 @@ +@@ -15,122 +15,134 @@ #include mod_nss.h #include apr_thread_proc.h 
@@ -161,9 +161,11 @@ {rsa_rc4_56_sha, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS}, /* AES ciphers.*/ {rsa_aes_128_sha, TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS}, ++{rsa_aes_128_sha256, TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS}, +{rsa_aes_128_gcm_sha, TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS}, +{rsa_camellia_128_sha, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS}, {rsa_aes_256_sha, TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS}, ++{rsa_aes_256_sha256, TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS}, +{rsa_camellia_256_sha, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS}, + #ifdef NSS_ENABLE_ECC @@ -178,6 +180,7 @@ {ecdhe_ecdsa_rc4_128_sha, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
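Review bot: in the mod_nss-cipherlist_update_for_tls12-doc.diff hunks, the rsa_aes_128_gcm_sha row is corrected from TLSv1.0/TLSv1.1/TLSv1.2 to TLSv1.2, but the ecdh_ecdsa_aes_128_gcm_sha row in the last visible doc hunk still lists TLSv1.0/TLSv1.1/TLSv1.2. GCM suites are TLSv1.2-only, so apply the same correction to every *_gcm_sha row in the ECC table.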
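Review bot: the mod_nss.h hunk raises the hard-coded ciphernum from 55 to 59 (ECC) and from 26 to 28 (non-ECC) to match the rows added to the table in nss_engine_init.c. The constant sizes arrays such as "PRBool cipher_list[ciphernum]" seen elsewhere on this page, so a count that lags behind the table becomes an out-of-bounds access. Derive it from the table with sizeof, or add a compile-time check that the two agree. The new SHA256 rows are also flagged plain TLS, the same value used for rows documented as valid from TLSv1.0, so the table cannot express the TLSv1.2-only restriction the documentation states.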
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2014-07-27 18:47:17 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2014-02-22 18:07:11.0 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2014-07-27 18:47:32.0 +0200 @@ -1,0 +2,22 @@ +Thu Jul 24 12:49:29 CEST 2014 - dr...@suse.de + +- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and + open(/dev/tty, ...) to make sure that stdin can be read from. + startproc may inherit wrongly opened file descriptors to httpd. + (Note: An analogous fix exists in startproc(8), too.) + [bnc#863518] +- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now + externalized to /etc/apache2/conf.d/vhost-nss.template and not + activated/read by default. [bnc#878681] +- NSSCipherSuite update following additional ciphers of Feb 18 + change. [bnc#878681] + +--- +Fri Jun 27 16:13:01 CEST 2014 - dr...@suse.de + +- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: + server side SNI was not implemented when mod_nss was made; + patches implement SNI with checks if SNI provided hostname + equals Host: field in http request header. + +--- New: mod_nss-SNI-callback.patch mod_nss-SNI-checks.patch mod_nss-bnc863518-reopen_dev_tty.diff vhost-nss.template Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.2mA94w/_old 2014-07-27 18:47:33.0 +0200 +++ /var/tmp/diff_new_pack.2mA94w/_new 2014-07-27 18:47:33.0 +0200 
@@ -21,13 +21,14 @@ License:Apache-2.0 Group: Productivity/Networking/Web/Servers Version:1.0.8 -Release:0.4.RELEASE7 +Release:0.4.8 Url:http://directory.fedoraproject.org/wiki/Mod_nss Source: http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz Source1:mod_nss.conf.in Source2:listen_nss.conf Source3:mod_nss_migrate.pl Source4:README-SUSE.txt +Source5:vhost-nss.template Provides: mod_nss Requires: apache2 = 2.2.12 Requires: findutils @@ -68,6 +69,9 @@ Patch18:mod_nss-CVE-2013-4566-NSSVerifyClient.diff Patch19:mod_nss-cipherlist_update_for_tls12.diff Patch20:mod_nss-cipherlist_update_for_tls12-doc.diff +Patch21:mod_nss-SNI-callback.patch +Patch22:mod_nss-SNI-checks.patch +Patch23:mod_nss-bnc863518-reopen_dev_tty.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 %defineapache apache2 @@ -86,7 +90,7 @@ %prep %setup -q -n mod_nss-%{version} -#%patch1 -p1 -b .conf.rpmpatch +##%patch1 -p1 -b .conf.rpmpatch %patch2 -p1 -b .gencert.rpmpatch %patch3 -p1 -b .wouldblock.rpmpatch %patch4 -p1 -b .negotiate.rpmpatch @@ -105,6 +109,9 @@ %patch18 -p0 -b .CVE-2013-4566.rpmpatch %patch19 -p0 -b .ciphers.rpmpatch %patch20 -p0 -b .ciphers.doc.rpmpatch +%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch +%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch +%patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch # keep this last, otherwise we get fuzzyness from above %if 0%{?suse_version} = 1300 @@ -146,6 +153,7 @@ # the build root. mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d +mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir} 
@@ -154,6 +162,7 @@ %endif install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ @@ -219,6 +228,7 @@ %defattr(-,root,root,-) %doc README LICENSE docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf +%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template %config(noreplace) %{apache_sysconfdir}/listen_nss.conf %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so ++ mod_nss-SNI-callback.patch ++ diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h --- ../mod_nss-1.0.8-o/mod_nss.h2014-06-23 12:23:17.0 +0200 +++
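Review bot: the %prep hunk changes "#%patch1 -p1 -b .conf.rpmpatch" to "##%patch1 -p1 -b .conf.rpmpatch", which leaves a disabled patch line in the spec with no explanation. rpm still performs macro expansion inside comment lines, so the usual way to neutralise such a line is %%patch1; better, delete the line together with the Patch1 tag if the patch is no longer applied, and say so in the changelog. The -b suffix for %patch22 (.mod_nss-SNI-checks.patch.rpmpatch) also carries a stray ".patch" compared with %patch21 and %patch23.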
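Review bot: the changelog says the VirtualHost part is externalized to /etc/apache2/conf.d/vhost-nss.template, but the %install and %files hunks place the file at %{apache_sysconfdir}/vhosts.d/vhost-nss.template. Correct the path in the entry so an administrator looking for the template finds it, and state there that the template is not read by default and has to be copied to a .conf name to take effect.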
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2013-08-07 20:43:06 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2013-08-02 15:01:07.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2013-08-07 20:43:07.0 +0200 @@ -1,0 +2,10 @@ +Fri Aug 2 08:29:35 UTC 2013 - meiss...@suse.com + +- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. +- mod_nss-clientauth.patch: merged from RHEL6 pkg +- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg +- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg +- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg +- make it build on both Apache2 2.4 and 2.2 systems + +--- New: mod_nss-PK11_ListCerts_2.patch mod_nss-clientauth.patch mod_nss-no_shutdown_if_not_init_2.patch mod_nss-sslmultiproxy.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.1oLG3Z/_old 2013-08-07 20:43:08.0 +0200 +++ /var/tmp/diff_new_pack.1oLG3Z/_new 2013-08-07 20:43:08.0 +0200 @@ -53,6 +53,11 @@ Patch10:mod_nss-proxyvariables.patch Patch11:mod_nss-tlsv1_1.patch Patch12:mod_nss-array_overrun.patch +Patch13:mod_nss-clientauth.patch +Patch14:mod_nss-no_shutdown_if_not_init_2.patch +Patch15:mod_nss-PK11_ListCerts_2.patch +Patch16:mod_nss-sslmultiproxy.patch +Patch17:mod_nss-overlapping_memcpy.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 %defineapache apache2 
@@ -78,12 +83,19 @@ %patch6 -p1 -b .pcachesignal.h %patch7 -p1 -b .reseterror %patch8 -p1 -b .lockpcache -%if 0%{?suse_version} = 1300 -%patch9 -p1 -b .http24 -%endif %patch10 -p1 -b .proxyvariables %patch11 -p1 -b .tlsv1_1 %patch12 -p1 -b .array_overrun +%patch13 -p1 -b .clientauth.patch +%patch14 -p1 -b .no_shutdown_if_not_init_2 +%patch15 -p1 -b .PK11_ListCerts_2 +%patch16 -p1 -b .sslmultiproxy +%patch17 -p1 -b .overlapping_memcpy + +# keep this last, otherwise we get fuzzyness from above +%if 0%{?suse_version} = 1300 +%patch9 -p1 -b .http24 +%endif # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] ++ mod_nss-PK11_ListCerts_2.patch ++ diff -pu mod_nss.h mod_nss.h.PK11_ListCerts --- ./mod_nss.h 2010-09-08 21:06:49.0 +0800 +++ ./mod_nss.h.PK11_ListCerts2010-09-08 21:06:22.0 +0800 @@ -406,7 +406,7 @@ const char *nss_cmd_NSSProxyNickname(cmd /* module initialization */ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); void nss_init_Child(apr_pool_t *, server_rec *); -void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); +void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*); apr_status_t nss_init_ModuleKill(void *data); apr_status_t nss_init_ChildKill(void *data); int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]); diff -up nss_engine_init.c nss_engine_init.c.PK11_ListCerts --- ./nss_engine_init.c 2010-09-08 21:07:13.0 +0800 +++ ./nss_engine_init.c.PK11_ListCerts2010-09-09 00:21:59.0 +0800 
@@ -26,7 +26,7 @@ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); -static CERTCertificate* FindServerCertFromNickname(const char* name); +static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); /* @@ -485,6 +485,8 @@ int nss_init_Module(apr_pool_t *p, apr_p ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, Init: Initializing (virtual) servers for SSL); +CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + for (s = base_server; s; s = s-next) { sc = mySrvConfig(s); /* @@ -496,7 +498,11 @@ int nss_init_Module(apr_pool_t *p, apr_p /* * Read the server certificate and key */ -nss_init_ConfigureServer(s, p, ptemp, sc); +nss_init_ConfigureServer(s, p, ptemp, sc, clist); +} + +if (clist) { +CERT_DestroyCertList(clist);
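Review bot: the spec hunk adds "Patch17: mod_nss-overlapping_memcpy.patch" and applies it with %patch17, but the changelog entry lists only the tlsv1_1, clientauth, PK11_ListCerts_2, no_shutdown_if_not_init_2 and sslmultiproxy patches. A memcpy fix is exactly the kind of change people search a changelog for; add a line for it with its bug reference.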
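Review bot: in the nss_init_Module hunk of mod_nss-PK11_ListCerts_2.patch, clist is passed to nss_init_ConfigureServer for every server unconditionally, while the "if (clist)" guard before CERT_DestroyCertList shows that PK11_ListCerts is expected to be able to return NULL. FindServerCertFromNickname(name, clist) therefore has to handle a NULL list; its body is not in this excerpt, so confirm that it does, or log and stop right after the PK11_ListCerts call. The declaration of clist also sits after the ap_log_error statement; move it to the top of the block to match the rest of the function.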
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2013-08-02 15:01:05 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2013-07-24 17:28:46.0 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2013-08-02 15:01:07.0 +0200 @@ -1,0 +2,12 @@ +Thu Aug 1 15:06:55 UTC 2013 - meiss...@suse.com + +- Add support for TLS v1.1 and TLS v1.2 + (TLS v1.2 requires mozilla nss 3.15.1 or newer.) + - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch +from redhat to allow tls v1.1 too. + - ported the tls v1.1 patch to be tls v1.2 aware + - added mod_nss-proxyvariables.patch (from RHEL6 package) + - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2) +- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun + +--- New: mod_nss-array_overrun.patch mod_nss-proxyvariables.patch mod_nss-tlsv1_1.patch Other differences: -- ++ apache2-mod_nss.spec ++ --- /var/tmp/diff_new_pack.fkDcz2/_old 2013-08-02 15:01:07.0 +0200 +++ /var/tmp/diff_new_pack.fkDcz2/_new 2013-08-02 15:01:07.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,24 +18,25 @@ Name: apache2-mod_nss Summary: SSL/TLS module for the Apache HTTP server -Version: 1.0.8 -Release: 3 -Group: Productivity/Networking/Web/Servers License: Apache-2.0 +Group: Productivity/Networking/Web/Servers +Version:1.0.8 +Release:0 Url: http://directory.fedoraproject.org/wiki/Mod_nss Source:http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz Provides: mod_nss Requires: apache2 = 2.0.52 Requires: findutils Requires(post): mozilla-nss-tools +BuildRequires: apache2-devel = 2.0.52 BuildRequires: bison BuildRequires: findutils +BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: libapr1-devel BuildRequires: libapr-util1-devel +BuildRequires: libapr1-devel BuildRequires: mozilla-nspr-devel = 4.6.3 BuildRequires: mozilla-nss-devel = 3.12.6 -BuildRequires: apache2-devel = 2.0.52 BuildRequires: pkgconfig # [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout Patch1:mod_nss-conf.patch @@ -48,7 +49,11 @@ Patch8:mod_nss-lockpcache.patch # Fix build with apache 2.4 Patch9:mod_nss-httpd24.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root + +Patch10:mod_nss-proxyvariables.patch +Patch11:mod_nss-tlsv1_1.patch +Patch12:mod_nss-array_overrun.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-build %defineapxs /usr/sbin/apxs2 %defineapache apache2 %defineapache_libexecdir %(%{apxs} -q LIBEXECDIR) 
@@ -76,6 +81,9 @@ %if 0%{?suse_version} = 1300 %patch9 -p1 -b .http24 %endif +%patch10 -p1 -b .proxyvariables +%patch11 -p1 -b .tlsv1_1 +%patch12 -p1 -b .array_overrun # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] ++ mod_nss-array_overrun.patch ++ mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array child_argv, with 5 elements, at position 5 with index variable 5. https://bugzilla.redhat.com/show_bug.cgi?id=714154 diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c2011-08-01 13:24:34.0 -0400 +++ mod_nss-1.0.8/nss_engine_init.c 2011-08-01 13:25:36.0 -0400 @@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p /* Do we need to fire up our password helper? */ if (mc-nInitCount == 1) { -const char * child_argv[5]; +const char * child_argv[6]; apr_status_t rv; struct sembuf sb; char sembuf[32]; ++ mod_nss-proxyvariables.patch ++ diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c --- mod_nss-1.0.8.orig/nss_engine_init.c2012-10-03 14:28:50.751794000 -0700 +++ mod_nss-1.0.8/nss_engine_init.c 2012-10-04 16:33:08.278929000 -0700 @@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server tls = 1; } else { if
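Review bot: mod_nss-array_overrun.patch fixes the overrun reported at nss_engine_init.c:467 by changing "const char * child_argv[5];" to "child_argv[6]", which leaves the size as a bare literal that has to be kept in step by hand with the number of arguments assigned further down. Name the size once and assert the final index against it, or build the argument vector with an index variable checked against sizeof(child_argv)/sizeof(child_argv[0]), so that adding another helper argument cannot reintroduce the same bug. The changelog entry should carry the Red Hat bug URL that the patch header cites.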
commit apache2-mod_nss for openSUSE:Factory
Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2013-07-24 17:28:44 Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) Package is apache2-mod_nss Changes: New Changes file: --- /dev/null 2013-07-23 23:44:04.804033756 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2013-07-24 17:28:46.0 +0200 
@@ -0,0 +1,28 @@ +--- +Fri Jul 12 10:42:06 UTC 2013 - a...@ajaissle.de + +- Changed source to original tar.gz + +--- +Thu Jul 11 14:50:42 UTC 2013 - a...@ajaissle.de + +- Added mod_nns-httpd24.patch to support build with apache 2.4 + +--- +Tue Jan 22 09:35:41 UTC 2013 - a...@ajaissle.de + +- Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE + dir layout [bnc#799483] +- Cleaned up license tag + +--- +Sun Apr 15 14:17:19 UTC 2012 - w...@rosenauer.org + +- import some patches from Fedora +- removed autoreconf call + +--- +Wed Feb 17 13:30:47 UTC 2010 - n...@opensuse.org + +- Fix mod_nss-conf.patch to work on SUSE +- Rename package from mod_nss to apache2-mod_nss New: apache2-mod_nss.changes apache2-mod_nss.spec mod_nss-1.0.8.tar.gz mod_nss-conf.patch mod_nss-gencert.patch mod_nss-httpd24.patch mod_nss-lockpcache.patch mod_nss-negotiate.patch mod_nss-overlapping_memcpy.patch mod_nss-pcachesignal.h mod_nss-reseterror.patch mod_nss-reverseproxy.patch mod_nss-wouldblock.patch Other differences: -- ++ apache2-mod_nss.spec ++ # # spec file for package apache2-mod_nss # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An Open Source License is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: apache2-mod_nss Summary: SSL/TLS module for the Apache HTTP server Version: 1.0.8 Release: 3 Group: Productivity/Networking/Web/Servers License: Apache-2.0 Url: http://directory.fedoraproject.org/wiki/Mod_nss Source:http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz Provides: mod_nss Requires: apache2 = 2.0.52 Requires: findutils Requires(post): mozilla-nss-tools BuildRequires: bison BuildRequires: findutils BuildRequires: gcc-c++ BuildRequires: libapr1-devel BuildRequires: libapr-util1-devel BuildRequires: mozilla-nspr-devel = 4.6.3 BuildRequires: mozilla-nss-devel = 3.12.6 BuildRequires: apache2-devel = 2.0.52 BuildRequires: pkgconfig # [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout Patch1:mod_nss-conf.patch Patch2:mod_nss-gencert.patch Patch3:mod_nss-wouldblock.patch Patch4:mod_nss-negotiate.patch Patch5:mod_nss-reverseproxy.patch Patch6:mod_nss-pcachesignal.h Patch7:mod_nss-reseterror.patch Patch8:mod_nss-lockpcache.patch # Fix build with apache 2.4 Patch9:mod_nss-httpd24.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root %defineapxs /usr/sbin/apxs2 %defineapache apache2 %defineapache_libexecdir %(%{apxs} -q LIBEXECDIR) %defineapache_sysconfdir %(%{apxs} -q SYSCONFDIR) %defineapache_includedir %(%{apxs} -q INCLUDEDIR) %defineapache_serverroot %(%{apxs} -q PREFIX) %defineapache_mmn%(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN $MMN) %description The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library. 
%prep %setup -q -n mod_nss-%{version} %patch1 -p1 -b .conf %patch2 -p1 -b .gencert %patch3 -p1 -b .wouldblock %patch4 -p1 -b .negotiate %patch5 -p1 -b .reverseproxy %patch6 -p1 -b .pcachesignal.h %patch7 -p1 -b .reseterror %patch8 -p1 -b .lockpcache %if 0%{?suse_version} = 1300 %patch9 -p1 -b .http24 %endif # Touch expression parser sources to prevent regenerating it
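Review bot: in the new apache2-mod_nss.changes hunk (@@ -0,0 +1,28 @@), the Thu Jul 11 2013 entry names the patch mod_nns-httpd24.patch, but the file added by this commit and referenced as Patch9 is mod_nss-httpd24.patch. Correct the spelling so the entry is found when searching the changelog for the patch name. The Sun Apr 15 2012 entry "import some patches from Fedora" should list the patch files it added, since several of them (wouldblock, negotiate, reverseproxy, reseterror, lockpcache) change the TLS module's runtime behaviour.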
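Review bot: in the new apache2-mod_nss.spec, Patch6 is mod_nss-pcachesignal.h and is applied with "%patch6 -p1 -b .pcachesignal.h", so a file with a header suffix is being used as a patch. Rename it to follow the mod_nss-*.patch pattern of the other patches, which also keeps it from being mistaken for a source header when auditing the package contents.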