author | Remi Collet <fedora@famillecollet.com> | 2012-06-13 18:43:31 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2012-06-13 18:43:31 +0200 |
commit | df36bf3f7525e3d29d7e9ea8fb4d0cc33f1075c2 (patch) | |
tree | 5f0820f0dd869640e371ca82c42bc2c161539f0c |
reorg repo
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | mod_nss-conf.patch | 70 | ||||
-rw-r--r-- | mod_nss-gencert.patch | 26 | ||||
-rw-r--r-- | mod_nss-lockpcache.patch | 240 | ||||
-rw-r--r-- | mod_nss-negotiate.patch | 180 | ||||
-rw-r--r-- | mod_nss-overlapping_memcpy.patch | 24 | ||||
-rw-r--r-- | mod_nss-pcachesignal.h | 21 | ||||
-rw-r--r-- | mod_nss-reseterror.patch | 10 | ||||
-rw-r--r-- | mod_nss-reverseproxy.patch | 182 | ||||
-rw-r--r-- | mod_nss-wouldblock.patch | 12 | ||||
-rw-r--r-- | mod_nss.spec | 269 |
11 files changed, 1038 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/mod_nss-conf.patch b/mod_nss-conf.patch
new file mode 100644
index 0000000..1a3e5fa
--- /dev/null
+++ b/mod_nss-conf.patch
@@ -0,0 +1,70 @@ +--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400 ++++ mod_nss-1.0.6/nss.conf.in 2006-10-23 15:27:22.000000000 -0400 +@@ -8,14 +8,16 @@ + # consult the online docs. You have been warned. + # + ++LoadModule nss_module modules/libmodnss.so ++ + # + # When we also provide SSL we have to listen to the + # standard HTTP port (see above) and to the HTTPS port + # + # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" ++# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" + # +-Listen 443 ++Listen 8443 + + ## + ## SSL Global Context +@@ -40,7 +42,7 @@ + # Pass Phrase Helper: + # This helper program stores the token password pins between + # restarts of Apache. +-NSSPassPhraseHelper @apache_bin@/nss_pcache ++NSSPassPhraseHelper /usr/sbin/nss_pcache + + # Configure the SSL Session Cache. + # NSSSessionCacheSize is the number of entries in the cache. +@@ -68,17 +70,17 @@ + ## SSL Virtual Host Context + ## + +-<VirtualHost _default_:443> ++<VirtualHost _default_:8443> + + # General setup for the virtual host + #DocumentRoot "@apache_prefix@/htdocs" +-#ServerName www.example.com:443 ++#ServerName www.example.com:8443 + #ServerAdmin you@example.com + + # mod_nss can log to separate log files, you can choose to do that if you'd like + # LogLevel is not inherited from httpd.conf. +-#ErrorLog @apache_prefix@/logs/error_log +-#TransferLog @apache_prefix@/logs/access_log ++ErrorLog @apache_prefix@/logs/error_log ++TransferLog @apache_prefix@/logs/access_log + LogLevel warn + + # SSL Engine Switch: +@@ -113,7 +115,7 @@ + # The NSS security database directory that holds the certificates and + # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. + # Provide the directory that these files exist. 
+-NSSCertificateDatabase @apache_conf@ ++NSSCertificateDatabase /etc/httpd/alias + + # Database Prefix: + # In order to be able to store multiple NSS databases in one directory +@@ -189,7 +191,7 @@ + <Files ~ "\.(cgi|shtml|phtml|php3?)$"> + NSSOptions +StdEnvVars + </Files> +-<Directory "@apache_prefix@/cgi-bin"> ++<Directory "/var/www/cgi-bin"> + NSSOptions +StdEnvVars + </Directory> + diff --git a/mod_nss-gencert.patch b/mod_nss-gencert.patch new file mode 100644 index 0000000..b328032 --- /dev/null +++ b/mod_nss-gencert.patch @@ -0,0 +1,26 @@ +--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400 ++++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400 +@@ -82,12 +82,11 @@ + + DEST=$1 + +-echo "httptest" > $DEST/pw.txt ++echo -e "\n" > $DEST/pw.txt + + echo "" + echo "#####################################################################" +-echo "Generating new server certificate and key database. The password" +-echo "is httptest" ++echo "Generating new server certificate and key database." + echo "#####################################################################" + $CERTUTIL -N -d $DEST -f $DEST/pw.txt + +@@ -183,8 +182,4 @@ + rm $DEST/pw.txt + rm $DEST/noise + +-echo "" +-echo "The database password is httptest" +-echo "" +- + exit 0 diff --git a/mod_nss-lockpcache.patch b/mod_nss-lockpcache.patch new file mode 100644 index 0000000..e14265b --- /dev/null +++ b/mod_nss-lockpcache.patch 
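Review bot: The rewritten Listen guidance in nss.conf.in is inconsistent with the directive it describes: the new comment reads `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"` while the directive itself is changed to `Listen 8443`, so an IPv6 deployment that follows the comment ends up listening on 8443 for IPv6 and 443 for IPv4. The line should read `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"`. The hunk also uncomments `ErrorLog @apache_prefix@/logs/error_log` and `TransferLog @apache_prefix@/logs/access_log` while replacing the other `@apache_*@` placeholders with fixed Fedora paths; whether those two placeholders are still substituted at build time is not visible here and deserves a one-line comment next to them.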
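Review bot: The file headers of this patch are reversed: the `---` line names `gencert.in` and the `+++` line names `gencert.in.orig`, so the patch reads as if it restores the original even though its hunk bodies go in the intended direction (dropping the fixed `httptest` password); swap the two labels so the file agrees with `%patch2 -p1 -b .gencert` in the spec. The replacement `echo -e "\n" > $DEST/pw.txt` hands `certutil -N -f` a file whose first line is empty, which as far as this hunk shows initialises the key database with an empty password and leaves only the permissions on the database directory protecting the private key; that consequence belongs in the banner the script prints, e.g. `echo "Generating new server certificate and key database (no database password is set)."`. `$DEST` is interpolated unquoted on every line of the hunk, which breaks on paths containing whitespace.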
@@ -0,0 +1,240 @@ +diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c +--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500 +@@ -152,6 +152,8 @@ + AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL, + "SSLLogLevel directive is no longer supported - use LogLevel."), + #endif ++ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF, ++ "Apache user. Comes from httpd.conf."), + + AP_END_CMD + }; +diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h +--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500 +@@ -41,6 +41,9 @@ + #include "apr_shm.h" + #include "apr_global_mutex.h" + #include "apr_optional.h" ++#include <sys/types.h> ++#include <sys/ipc.h> ++#include <sys/sem.h> + + #define MOD_NSS_VERSION AP_SERVER_BASEREVISION + +@@ -244,6 +247,9 @@ + struct { + void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; + } rCtx; ++ ++ int semid; ++ const char *user; + } SSLModConfigRec; + + typedef struct SSLSrvConfigRec SSLSrvConfigRec; +@@ -412,6 +418,7 @@ + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c +--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500 +@@ -830,3 +830,12 @@ + + return NULL; + } ++ ++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ SSLModConfigRec *mc 
= myModConfig(cmd->server); ++ ++ mc->user = arg; ++ ++ return NULL; ++} +diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c +--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500 +@@ -312,6 +312,7 @@ + int sslenabled = FALSE; + int fipsenabled = FALSE; + int threaded = 0; ++ struct semid_ds status; + + mc->nInitCount++; + +@@ -412,10 +413,26 @@ + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, + "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); + ++ /* The first pass through this function will create the semaphore that ++ * will be used to lock the pipe. The user is still root at that point ++ * so for any later calls the semaphore ops will fail with permission ++ * errors. So switch the user to the Apache user. ++ */ ++ if (mc->semid) { ++ uid_t user_id; ++ ++ user_id = ap_uname2id(mc->user); ++ semctl(mc->semid, 0, IPC_STAT, &status); ++ status.sem_perm.uid = user_id; ++ semctl(mc->semid,0,IPC_SET,&status); ++ } ++ + /* Do we need to fire up our password helper? */ + if (mc->nInitCount == 1) { + const char * child_argv[5]; + apr_status_t rv; ++ struct sembuf sb; ++ char sembuf[32]; + + if (mc->pphrase_dialog_helper == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +@@ -423,11 +440,31 @@ + nss_die(); + } + ++ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); ++ if (mc->semid == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to obtain semaphore."); ++ nss_die(); ++ } ++ ++ /* Initialize the semaphore */ ++ sb.sem_num = 0; ++ sb.sem_op = 1; ++ sb.sem_flg = 0; ++ if ((semop(mc->semid, &sb, 1)) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to initialize semaphore."); ++ nss_die(); ++ } ++ ++ PR_snprintf(sembuf, 32, "%d", mc->semid); ++ + child_argv[0] = mc->pphrase_dialog_helper; +- child_argv[1] = fipsenabled ? 
"on" : "off"; +- child_argv[2] = mc->pCertificateDatabase; +- child_argv[3] = mc->pDBPrefix; +- child_argv[4] = NULL; ++ child_argv[1] = sembuf; ++ child_argv[2] = fipsenabled ? "on" : "off"; ++ child_argv[3] = mc->pCertificateDatabase; ++ child_argv[4] = mc->pDBPrefix; ++ child_argv[5] = NULL; + + rv = apr_procattr_create(&mc->procattr, mc->pPool); + +diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c +--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400 ++++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500 +@@ -279,6 +279,16 @@ + char buf[1024]; + apr_status_t rv; + apr_size_t nBytes = 1024; ++ struct sembuf sb; ++ ++ /* lock the pipe */ ++ sb.sem_num = 0; ++ sb.sem_op = -1; ++ sb.sem_flg = SEM_UNDO; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to reserve semaphore resource"); ++ } + + snprintf(buf, 1024, "RETR\t%s", token_name); + rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL); +@@ -293,6 +303,13 @@ + */ + memset(buf, 0, sizeof(buf)); + rv = apr_file_read(parg->mc->proc.out, buf, &nBytes); ++ sb.sem_op = 1; ++ if (semop(parg->mc->semid, &sb, 1) == -1) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "Unable to free semaphore resource"); ++ /* perror("semop free resource id"); */ ++ } ++ + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv); +diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c +--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500 ++++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500 +@@ -21,6 +21,9 @@ + #include <pk11func.h> + #include <secmod.h> + #include <signal.h> ++#include <sys/types.h> ++#include <sys/ipc.h> ++#include <sys/sem.h> + #include "nss_pcache.h" + + static char * getstr(const char * cmd, 
int el); +@@ -70,6 +73,13 @@ + unsigned char *crypt; + }; + ++union semun { ++ int val; ++ struct semid_ds *buf; ++ unsigned short *array; ++ struct seminfo *__buf; ++}; ++ + /* + * Node - for maintaining link list of tokens with cached PINs + */ +@@ -304,15 +314,19 @@ + char * tokenName; + char * tokenpw; + int fipsmode = 0; ++ int semid = 0; ++ union semun semarg; + +- if (argc < 3 || argc > 4) { +- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n"); ++ if (argc < 4 || argc > 5) { ++ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n"); + exit(1); + } + + signal(SIGHUP, SIG_IGN); + +- if (!strcasecmp(argv[1], "on")) ++ semid = strtol(argv[1], NULL, 10); ++ ++ if (!strcasecmp(argv[2], "on")) + fipsmode = 1; + + /* Initialize NSPR */ +@@ -322,7 +336,7 @@ + PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); + + /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); +@@ -437,6 +451,11 @@ + } + freeList(pinList); + PR_Close(in); ++ /* Remove the semaphore used for locking here. This is because this ++ * program only goes away when Apache shuts down so we don't have to ++ * worry about reloads. ++ */ ++ semctl(semid, 0, IPC_RMID, semarg); + return 0; + } + +Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig +Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch new file mode 100644 index 0000000..c385cfb --- /dev/null +++ b/mod_nss-negotiate.patch 
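Review bot: The added `child_argv[5] = NULL;` in nss_engine_init.c writes one element past the array: the context line a few lines above still declares `const char * child_argv[5];` and the new layout uses indices 0 through 5, so the declaration must become `const char * child_argv[6];`. The ported `NSS_Initialize` call in nss_pcache.c mistranslates the first prefix argument — `argc == 4 ? argv[4] : NULL` can only ever yield NULL because argv[argc] is the terminator, while the second argument uses `argc == 5 ? argv[4]` — so the cert prefix is silently dropped; both should test `argc == 5`. The results of `strtol(argv[1], NULL, 10)`, `semctl(mc->semid, 0, IPC_STAT, &status)` and `semctl(mc->semid,0,IPC_SET,&status)` are ignored, and `ap_uname2id(mc->user)` is called without checking that a `User` directive set mc->user, so a bad semid or a failed ownership change to the Apache user goes unlogged and only surfaces later as the generic "Unable to reserve semaphore resource" in nss_engine_pphrase.c; check each return and log it with errno. In that same RETR path the failed `semop` lock is logged but the pipe write and read still proceed unlocked, which is the race the patch is meant to close; the lookup should fail instead of continuing. The nss_pcache `main` and the pphrase callback both extend outside the hunks shown.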
@@ -0,0 +1,180 @@ + +diff -up ./mod_nss.c.norego ./mod_nss.c +--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 +@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds + SSL_CMD_SRV(Nickname, TAKE1, + "SSL RSA Server Certificate nickname " + "(`Server-Cert'") ++#ifdef SSL_ENABLE_RENEGOTIATION ++ SSL_CMD_SRV(Renegotiation, FLAG, ++ "Enable SSL Renegotiation (default off) " ++ "(`on', `off')") ++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG, ++ "If Rengotiation is allowed, require safe negotiation (default off) " ++ "(`on', `off')") ++#endif + #ifdef NSS_ENABLE_ECC + SSL_CMD_SRV(ECCNickname, TAKE1, + "SSL ECC Server Certificate nickname " +diff -up ./mod_nss.h.norego ./mod_nss.h +--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 +@@ -269,6 +269,10 @@ typedef struct { + int tls; + int tlsrollback; + int enforce; ++#ifdef SSL_ENABLE_RENEGOTIATION ++ int enablerenegotiation; ++ int requiresafenegotiation; ++#endif + const char *nickname; + #ifdef NSS_ENABLE_ECC + const char *eccnickname; +@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p + const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); + const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); ++#endif + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); + #endif +diff -up ./nss_engine_config.c.norego ./nss_engine_config.c +--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 +@@ -78,6 +78,10 @@ static void 
modnss_ctx_init(modnss_ctx_t + mctx->tls = PR_FALSE; + mctx->tlsrollback = PR_FALSE; + ++#ifdef SSL_ENABLE_RENEGOTIATION ++ mctx->enablerenegotiation = PR_FALSE; ++ mctx->requiresafenegotiation = PR_FALSE; ++#endif + mctx->enforce = PR_TRUE; + mctx->nickname = NULL; + #ifdef NSS_ENABLE_ECC +@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ + cfgMerge(eccnickname, NULL); + #endif + cfgMerge(enforce, PR_TRUE); ++#ifdef SSL_ENABLE_RENEGOTIATION ++ cfgMerge(enablerenegotiation, PR_FALSE); ++ cfgMerge(requiresafenegotiation, PR_FALSE); ++#endif + } + + static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, +@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm + return NULL; + } + ++#ifdef SSL_ENABLE_RENEGOTIATION ++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; ++ ++ return NULL; ++} ++#endif ++ + #ifdef NSS_ENABLE_ECC + const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, + void *dcfg, +diff -up ./nss_engine_init.c.norego ./nss_engine_init.c +--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 ++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 +@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r + nss_die(); + } + } ++#ifdef SSL_ENABLE_RENEGOTIATION ++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, ++ mctx->enablerenegotiation ? 
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER ++ ) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL renegotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, ++ mctx->requiresafenegotiation) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Unable to set SSL safe negotiation"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); ++ nss_die(); ++ } ++#endif + } + + static void nss_init_ctx_protocol(server_rec *s, + +diff -up ./nss.conf.in.norego ./nss.conf.in +--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000 ++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000 +@@ -64,6 +64,17 @@ + #NSSRandomSeed startup file:/dev/random 512 + #NSSRandomSeed startup file:/dev/urandom 512 + ++# ++# TLS Negotiation configuration under RFC 5746 ++# ++# Only renegotiate if the peer's hello bears the TLS renegotiation_info ++# extension. Default off. ++NSSRenegotiation off ++ ++# Peer must send Signaling Cipher Suite Value (SCSV) or ++# Renegotiation Info (RI) extension in ALL handshakes. 
Default: off ++NSSRequireSafeNegotiation off ++ + ## + ## SSL Virtual Host Context + ## + +diff -up ./nss_engine_log.c.norego ./nss_engine_log.c +--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 ++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 +@@ -27,7 +27,7 @@ + #define LIBSEC_ERROR_BASE (-8192) + #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) + #define LIBSSL_ERROR_BASE (-12288) +-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) ++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) + + typedef struct l_error_t { + int errorNumber; +@@ -296,7 +296,19 @@ + { 99, "Server requires ciphers more secure than those supported by client" }, + { 100, "Peer reports it experienced an internal error" }, + { 101, "Peer user canceled handshake" }, +- { 102, "Peer does not permit renegotiation of SSL security parameters" } ++ { 102, "Peer does not permit renegotiation of SSL security parameters" }, ++ { 103, "Server cache not configured" }, ++ { 104, "Unsupported extension" }, ++ { 105, "Certificate unobtainable" }, ++ { 106, "Unrecognized name" }, ++ { 107, "Bad certificate status" }, ++ { 108, "Bad certificate hash value" }, ++ { 109, "Unexpected new session ticket" }, ++ { 110, "Malformed new session ticket" }, ++ { 111, "Decompression failure" }, ++ { 112, "Renegotiation not allowed" }, ++ { 113, "Safe negotiation required but not provided by client" }, ++ { 114, "Unexpected uncompressed record" }, + }; + + void nss_die(void) diff --git a/mod_nss-overlapping_memcpy.patch b/mod_nss-overlapping_memcpy.patch new file mode 100644 index 0000000..c60e435 --- /dev/null +++ b/mod_nss-overlapping_memcpy.patch 
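Review bot: The two new `SSL_OptionSet` failure branches in nss_init_ctx_socket log their explanatory message at `APLOG_DEBUG` and then call `nss_die()`, so at the `LogLevel warn` this repository ships in nss.conf the only trace of why startup aborted is the bare NSS error code line from `nss_log_nss_error` at `APLOG_ERR`; log the message at error level too, i.e. `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to set SSL renegotiation");` and likewise for the safe-negotiation branch. The directive help text added in mod_nss.c misspells the feature: `"If Rengotiation is allowed, require safe negotiation (default off) "` should read `Renegotiation`. The off-by-default choice for both directives and the `SSL_RENEGOTIATE_REQUIRES_XTN` mapping are the conservative RFC 5746 option and appear consistent across the config init, merge and nss.conf.in hunks.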
@@ -0,0 +1,24 @@
+Bug 669118
+
+memcpy of overlapping memory is no longer allowed by glibc.
+
+This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
+
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
++++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
+@@ -123,13 +123,13 @@
+ 
+ if (buffer->length > inl) {
+ /* we have have enough to fill the caller's buffer */
+- memcpy(in, buffer->value, inl);
++ memmove(in, buffer->value, inl);
+ buffer->value += inl;
+ buffer->length -= inl;
+ }
+ else {
+ /* swallow remainder of the buffer */
+- memcpy(in, buffer->value, buffer->length);
++ memmove(in, buffer->value, buffer->length);
+ inl = buffer->length;
+ buffer->value = NULL;
+ buffer->length = 0;
diff --git a/mod_nss-pcachesignal.h b/mod_nss-pcachesignal.h
new file mode 100644
index 0000000..cb2e135
--- /dev/null
+++ b/mod_nss-pcachesignal.h
@@ -0,0 +1,21 @@
+diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
+--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
++++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
+@@ -20,6 +20,7 @@
+ #include <seccomon.h>
+ #include <pk11func.h>
+ #include <secmod.h>
++#include <signal.h>
+ #include "nss_pcache.h"
+ 
+ static char * getstr(const char * cmd, int el);
+@@ -309,6 +310,8 @@
+ exit(1);
+ }
+ 
++ signal(SIGHUP, SIG_IGN);
++ 
+ if (!strcasecmp(argv[1], "on"))
+ fipsmode = 1;
+ 
+Only in mod_nss-1.0.8: nss_pcache.c.rej
diff --git a/mod_nss-reseterror.patch b/mod_nss-reseterror.patch
new file mode 100644
index 0000000..73ac3e4
--- /dev/null
+++ b/mod_nss-reseterror.patch
@@ -0,0 +1,10 @@
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
+@@ -348,6 +348,7 @@
+ break;
+ }
+ 
++ PR_SetError(0, 0);
+ rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
+ 
+ if (rc > 0) {
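Review bot: mod_nss-pcachesignal.h is a unified diff, not a header: it carries a `.h` extension while the spec applies it as `Patch6` with `%patch6 -p1 -b .pcachesignal.h`, so any tooling that selects sources by extension will treat a patch as C code. Rename it to `mod_nss-pcachesignal.patch` and update the `Patch6:` and `%patch6` lines in mod_nss.spec to match. The `signal(SIGHUP, SIG_IGN);` it adds to nss_pcache.c carries no comment; presumably it keeps the PIN cache alive across an httpd restart (the lockpcache patch's own comment says the helper only goes away when Apache shuts down), and a line such as `/* ignore SIGHUP: the PIN cache must outlive httpd restarts and exits only when the pipe closes */` would record that intent.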
diff --git a/mod_nss-reverseproxy.patch b/mod_nss-reverseproxy.patch new file mode 100644 index 0000000..928c92f --- /dev/null +++ b/mod_nss-reverseproxy.patch 
@@ -0,0 +1,182 @@ +mod_proxy now sets the requested remote host name. Use this to compare +to the CN value of the peer certificate and reject the request if they +do not match (and we are have NSSProxyCheckPeerCN set to on). + +diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html +--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400 ++++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400 +@@ -1028,7 +1028,21 @@ + <br> + <span style="font-weight: bold;">Example</span><br> + <br> +-<code>NSSProxyNickname beta</code><br> ++<code>NSSProxyNickname beta<br> ++<br> ++</code><big><big>NSSProxyCheckPeerCN</big></big><br> ++<br> ++Compare the CN value of the peer certificate with the hostname being ++requested. If this is set to on, the default, then the request will ++fail if they do not match. If this is set to off then this comparison ++is not done. Note that this test is your only protection against a ++man-in-the-middle attack so leaving this as on is strongly recommended.<br> ++<br> ++<span style="font-weight: bold;">Example</span><br> ++<br> ++<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code> ++on<br> ++</code><br> + <h1><a name="Environment"></a>Environment Variables</h1> + Quite a few environment variables (for CGI and SSI) may be set + depending on the NSSOptions configuration. It can be expensive to set +@@ -1435,42 +1449,9 @@ + <h1><a name="FAQ"></a>Frequently Asked Questions</h1> + Q. Does mod_nss support mod_proxy?<br> + <br> +-A. In order to use the mod_nss proxy support you will need to build +-your own mod_proxy by applying a patch found in bug <a +- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>. +-The patch is needed so we can compare the hostname contained in the +-remote certificate with the hostname you meant to visit. 
This prevents +-man-in-the-middle attacks.<br> +-<br> +-You also have to change the SSL functions that mod_proxy looks to use. +-You'll need to apply this patch:<br> +-<br> +-<code>1038,1039c1038,1039<br> +-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br> +-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br> +----<br> +-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br> +-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br> +-1041,1042c1041,1042<br> +-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = +-NULL;<br> +-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable +-= NULL;<br> +----<br> +-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable = +-NULL;<br> +-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable +-= NULL;<br> +-1069,1070c1069,1070<br> +-< proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br> +-< proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br> +----<br> +-> proxy_ssl_enable = +-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br> +-> proxy_ssl_disable = +-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br> +-</code><br> ++A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy ++provides a single interface for SSL providers and mod_nss defers to ++mod_ssl ++if it is loaded. + </body> + </html> +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c +--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400 +@@ -142,6 +142,8 @@ + SSL_CMD_SRV(ProxyNickname, TAKE1, + "SSL Proxy: client certificate Nickname to be for proxy connections " + "(`nickname')") ++ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, ++ "SSL Proxy: check the peers certificate CN") + + #ifdef IGNORE + /* Deprecated directives. 
*/ +@@ -238,23 +240,30 @@ + SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket) + { + conn_rec *c = (conn_rec *)arg; ++ SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + PRErrorCode err = PR_GetError(); + SECStatus rv = SECFailure; + CERTCertificate *peerCert = SSL_PeerCertificate(socket); ++ const char *hostname_note; + + switch (err) { + case SSL_ERROR_BAD_CERT_DOMAIN: +- if (c->remote_host != NULL) { +- rv = CERT_VerifyCertName(peerCert, c->remote_host); +- if (rv != SECSuccess) { +- char *remote = CERT_GetCommonName(&peerCert->subject); ++ if (sc->proxy_ssl_check_peer_cn == TRUE) { ++ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) { ++ apr_table_unset(c->notes, "proxy-request-hostname"); ++ rv = CERT_VerifyCertName(peerCert, hostname_note); ++ if (rv != SECSuccess) { ++ char *remote = CERT_GetCommonName(&peerCert->subject); ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note); ++ PORT_Free(remote); ++ } ++ } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host); +- PORT_Free(remote); ++ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."); + } + } else { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. 
Hint: See Apache bug 36468."); ++ rv = SECSuccess; + } + break; + default: +diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h +--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400 +@@ -306,6 +306,7 @@ + int vhost_id_len; + modnss_ctx_t *server; + modnss_ctx_t *proxy; ++ BOOL proxy_ssl_check_peer_cn; + }; + + /* +@@ -410,6 +411,7 @@ + const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *); + const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg); ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); + + /* module initialization */ + int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); +diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c +--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400 ++++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400 +@@ -140,6 +140,7 @@ + sc->vhost_id_len = 0; /* set during module init */ + sc->proxy = NULL; + sc->server = NULL; ++ sc->proxy_ssl_check_peer_cn = TRUE; + + modnss_ctx_init_proxy(sc, p); + +@@ -214,6 +215,7 @@ + cfgMergeBool(fips); + cfgMergeBool(enabled); + cfgMergeBool(proxy_enabled); ++ cfgMergeBool(proxy_ssl_check_peer_cn); + + modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + +@@ -544,6 +546,15 @@ + return NULL; + } + ++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag) ++{ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE; ++ ++ return NULL; ++} ++ + const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd, + void *dcfg, + int flag) diff --git a/mod_nss-wouldblock.patch b/mod_nss-wouldblock.patch new file mode 100644 index 0000000..405b67a --- /dev/null 
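Review bot: The documentation added to docs/mod_nss.html misspells the directive in its own example, `NSSProcyCheckPeerCN`, which would give a user copying it an unknown-directive error at startup; it should be `NSSProxyCheckPeerCN`. The message carried into the new line of NSSBadCertHandler, `"SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s"`, means `remote`. With the check disabled the handler now returns `rv = SECSuccess` for `SSL_ERROR_BAD_CERT_DOMAIN`, accepting any name mismatch; that is the documented semantic, but since the HTML calls this check the only protection against a man-in-the-middle, the branch should say so in code, e.g. `/* NSSProxyCheckPeerCN off: accept a peer whose certificate does not match the requested host */`. `sc->proxy_ssl_check_peer_cn == TRUE` compares a BOOL against a constant; `if (sc->proxy_ssl_check_peer_cn)` is the idiomatic form and does not depend on the true value being exactly 1. The rest of NSSBadCertHandler, including whatever releases `peerCert`, lies outside the hunk.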
+++ b/mod_nss-wouldblock.patch
@@ -0,0 +1,12 @@
+--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
++++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
+@@ -259,7 +259,8 @@
+ */
+ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
+ || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
+- return 0;
++ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
++ return -1;
+ }
+ 
+ if (inctx->rc != APR_SUCCESS) {
diff --git a/mod_nss.spec b/mod_nss.spec
new file mode 100644
index 0000000..35ec708
--- /dev/null
+++ b/mod_nss.spec
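Review bot: The new early return reports three conditions as would-block — EAGAIN, EINTR, and `inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb)` — and the third is not obviously a non-blocking situation: a successful read that yields an empty brigade can also be end-of-stream, which the old `return 0` expressed. If treating it as would-block is intentional, the hunk should say why, e.g. `/* empty brigade on a successful read: nothing available yet, so report would-block rather than EOF and let the caller retry */`; if not, that branch should keep returning 0. The enclosing function begins before this hunk, so how a genuine EOF is reported cannot be checked here.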
@@ -0,0 +1,269 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+Name: mod_nss
+Version: 1.0.8
+Release: 16%{?dist}
+Summary: SSL/TLS module for the Apache HTTP server
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://directory.fedoraproject.org/wiki/Mod_nss
+Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
+BuildRequires: httpd-devel, apr-devel, apr-util-devel
+BuildRequires: pkgconfig
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires(post): httpd, nss-tools
+Requires: nss >= 3.12.6
+Patch1: mod_nss-conf.patch
+Patch2: mod_nss-gencert.patch
+Patch3: mod_nss-wouldblock.patch
+# Add options for tuning client negotiate in NSS
+Patch4: mod_nss-negotiate.patch
+Patch5: mod_nss-reverseproxy.patch
+Patch6: mod_nss-pcachesignal.h
+Patch7: mod_nss-reseterror.patch
+Patch8: mod_nss-lockpcache.patch
+
+%description
+The mod_nss module provides strong cryptography for the Apache Web
+server via the Secure Sockets Layer (SSL) and Transport Layer
+Security (TLS) protocols using the Network Security Services (NSS)
+security library.
+
+%prep
+%setup -q
+%patch1 -p1 -b .conf
+%patch2 -p1 -b .gencert
+%patch3 -p1 -b .wouldblock
+%patch4 -p1 -b .negotiate
+%patch5 -p1 -b .reverseproxy
+%patch6 -p1 -b .pcachesignal.h
+%patch7 -p1 -b .reseterror
+%patch8 -p1 -b .lockpcache
+
+# Touch expression parser sources to prevent regenerating it
+touch nss_expr_*.[chyl]
+
+%build
+
+CFLAGS="$RPM_OPT_FLAGS"
+APXS=%{_httpd_apxs}
+
+export CFLAGS APXS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
+NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
+
+NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
+NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
+
+NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
+
+%configure \
+ --with-nss-lib=$NSS_LIB_DIR \
+ --with-nss-inc=$NSS_INCLUDE_DIR \
+ --with-nspr-lib=$NSPR_LIB_DIR \
+ --with-nspr-inc=$NSPR_INCLUDE_DIR \
+ --with-apr-config
+
+make %{?_smp_mflags} all
+
+%install
+# The install target of the Makefile isn't used because that uses apxs
+# which tries to enable the module in the build host httpd instead of in
+# the build root.
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
+mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir}
+mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd >= 2.4.x
+mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir}
+sed -n /^LoadModule/p nss.conf > 10-nss.conf
+sed -i /^LoadModule/d nss.conf
+install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}
+%endif
+
+install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir}
+
+install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
+install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
+install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
+ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log
+
+perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+umask 077
+
+if [ "$1" -eq 1 ] ; then
+ if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
+ %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
+ echo ""
+ echo "%{name} certificate database generated."
+ echo ""
+ fi
+
+ # Make sure that the database ownership is setup properly.
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
+fi
+
+%files
+%defattr(-,root,root,-)
+%doc README LICENSE docs/mod_nss.html
+%config(noreplace) %{_httpd_confdir}/nss.conf
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/10-nss.conf
+%endif
+%{_libdir}/httpd/modules/libmodnss.so
+%dir %{_sysconfdir}/httpd/alias/
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
+%{_sysconfdir}/httpd/alias/libnssckbi.so
+%{_sbindir}/nss_pcache
+%{_sbindir}/gencert
+
+%changelog
+* Tue Apr 24 2012 Remi Collet <RPMS@FamilleCollet.com> 1.0.8-16
+- rebuild for remi repo and http 2.4
+
+* Mon Apr 23 2012 Joe Orton <jorton@redhat.com> - 1.0.8-16
+- packaging fixes/updates (#803072)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Mar 7 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-14
+- Add Requires(post) for nss-tools, gencert needs it (#652007)
+
+* Wed Mar 2 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-13
+- Lock around the pipe to nss_pcache for retrieving the token PIN
+ (#677701)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-11
+- Use memmove in place of memcpy since the buffers can overlap (#669118)
+
+* Wed Sep 29 2010 jkeating - 1.0.8-10
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-9
+- Revert mod_nss-wouldblock patch
+- Reset NSPR error before calling PR_Read(). This should fix looping
+ in #620856
+
+* Fri Sep 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-8
+- Fix hang when handling large POST under some conditions (#620856)
+
+* Tue Jun 22 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-7
+- Remove file Requires on libnssckbi.so (#601939)
+
+* Fri May 14 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-6
+- Ignore SIGHUP in nss_pcache (#591889).
+
+* Thu May 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-5
+- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
+
+* Thu Mar 18 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-4
+- Patch to add configuration options for new NSS negotiation API (#574187)
+- Add (pre) for Requires on httpd so we can be sure the user and group are
+ already available
+- Add file Requires on libnssckbi.so so symlink can't fail
+- Use _sysconfdir macro instead of /etc
+- Set minimum level of NSS to 3.12.6
+
+* Mon Jan 25 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-3
+- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Mar 2 2009 Rob Crittenden <rcritten@redhat.com> - 1.0.8-1
+- Update to 1.0.8
+- Add patch that fixes NSPR layer bug
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.0.7-10
+- fix license tag
+
+* Mon Jul 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-9
+- rebuild to bump NVR
+
+* Mon Jul 14 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-8
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-7
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
+* Wed Jul 2 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-6
+- Update the patch for FIPS to include fixes for nss_pcache, enforce
+ the security policy and properly initialize the FIPS token.
+
+* Mon Jun 30 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-5
+- Include patch to fix NSSFIPS (446851)
+
+* Mon Apr 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-4
+- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
+ and not before. This is in response to a change in the NSS softtokn code
+ and should have always been done this way. (444348)
+- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
+- The NSS database needs to be readable by apache since we need to use it
+ after the root priviledges are dropped.
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.7-3
+- Autorebuild for GCC 4.3
+
+* Thu Oct 18 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-2
+- Register functions needed by mod_proxy if mod_ssl is not loaded.
+
+* Fri Jun 1 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-1
+- Update to 1.0.7
+- Remove Requires for nss and nspr since those are handled automatically
+ by versioned libraries
+- Updated URL and Source to reference directory.fedoraproject.org
+
+* Mon Apr 9 2007 Rob Crittenden <rcritten@redhat.com> 1.0.6-2
+- Patch to properly detect the Apache model and set up NSS appropriately
+- Patch to punt if a bad password is encountered
+- Patch to fix crash when password.conf is malformatted
+- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7)
+
+* Mon Oct 23 2006 Rob Crittenden <rcritten@redhat.com> 1.0.6-1
+- Update to 1.0.6
+
+* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-4
+- Include LogLevel warn in nss.conf and use separate log files
+
+* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-3
+- Need to initialize ECC certificate and key variables
+
+* Fri Aug 04 2006 Jarod Wilson <jwilson@redhat.com> 1.0.3-2
+- Use %%ghost for db files and install.log
+
+* Tue Jun 20 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-1
+- Initial build
|
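Review bot: The `%post` scriptlet prints "%{name} certificate database generated." whatever gencert's exit status was, and because gencert's output goes to install.log a failed database creation is announced as a success; the failure would presumably only surface later when httpd cannot open the NSS database. Test the exit status and point the administrator at install.log on failure, as sketched below. Separately, the 1.0.8-9 changelog entry says "Revert mod_nss-wouldblock patch", yet `Patch3: mod_nss-wouldblock.patch` is still declared and applied by `%patch3 -p1 -b .wouldblock`; it is worth confirming that the file is meant to stay applied rather than being a leftover. The `perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:"` rewrite in %install also assumes the pkg-config paths contain no `:` or regex metacharacters, which holds for the usual /usr/lib paths but deserves a one-line comment.
```spec
if [ "$1" -eq 1 ] ; then
    if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
        if %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1 ; then
            echo ""
            echo "%{name} certificate database generated."
            echo ""
        else
            echo ""
            echo "%{name} certificate database generation failed; see %{_sysconfdir}/httpd/alias/install.log"
            echo ""
        fi
    fi
    # … unchanged: ownership fix-up with find/chgrp/chmod …
fi
```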