authorRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
committerRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
commitdf36bf3f7525e3d29d7e9ea8fb4d0cc33f1075c2 (patch)
tree5f0820f0dd869640e371ca82c42bc2c161539f0c
reorg repo
-rw-r--r--Makefile4
-rw-r--r--mod_nss-conf.patch70
-rw-r--r--mod_nss-gencert.patch26
-rw-r--r--mod_nss-lockpcache.patch240
-rw-r--r--mod_nss-negotiate.patch180
-rw-r--r--mod_nss-overlapping_memcpy.patch24
-rw-r--r--mod_nss-pcachesignal.h21
-rw-r--r--mod_nss-reseterror.patch10
-rw-r--r--mod_nss-reverseproxy.patch182
-rw-r--r--mod_nss-wouldblock.patch12
-rw-r--r--mod_nss.spec269
11 files changed, 1038 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/mod_nss-conf.patch b/mod_nss-conf.patch
new file mode 100644
index 0000000..1a3e5fa
--- /dev/null
+++ b/mod_nss-conf.patch
@@ -0,0 +1,70 @@
+--- mod_nss-1.0.6/nss.conf.in.orig 2006-10-20 11:08:42.000000000 -0400
++++ mod_nss-1.0.6/nss.conf.in 2006-10-23 15:27:22.000000000 -0400
+@@ -8,14 +8,16 @@
+ # consult the online docs. You have been warned.
+ #
+
++LoadModule nss_module modules/libmodnss.so
++
+ #
+ # When we also provide SSL we have to listen to the
+ # standard HTTP port (see above) and to the HTTPS port
+ #
+ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
++# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
+ #
+-Listen 443
++Listen 8443
+
+ ##
+ ## SSL Global Context
+@@ -40,7 +42,7 @@
+ # Pass Phrase Helper:
+ # This helper program stores the token password pins between
+ # restarts of Apache.
+-NSSPassPhraseHelper @apache_bin@/nss_pcache
++NSSPassPhraseHelper /usr/sbin/nss_pcache
+
+ # Configure the SSL Session Cache.
+ # NSSSessionCacheSize is the number of entries in the cache.
+@@ -68,17 +70,17 @@
+ ## SSL Virtual Host Context
+ ##
+
+-<VirtualHost _default_:443>
++<VirtualHost _default_:8443>
+
+ # General setup for the virtual host
+ #DocumentRoot "@apache_prefix@/htdocs"
+-#ServerName www.example.com:443
++#ServerName www.example.com:8443
+ #ServerAdmin you@example.com
+
+ # mod_nss can log to separate log files, you can choose to do that if you'd like
+ # LogLevel is not inherited from httpd.conf.
+-#ErrorLog @apache_prefix@/logs/error_log
+-#TransferLog @apache_prefix@/logs/access_log
++ErrorLog @apache_prefix@/logs/error_log
++TransferLog @apache_prefix@/logs/access_log
+ LogLevel warn
+
+ # SSL Engine Switch:
+@@ -113,7 +115,7 @@
+ # The NSS security database directory that holds the certificates and
+ # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+ # Provide the directory that these files exist.
+-NSSCertificateDatabase @apache_conf@
++NSSCertificateDatabase /etc/httpd/alias
+
+ # Database Prefix:
+ # In order to be able to store multiple NSS databases in one directory
+@@ -189,7 +191,7 @@
+ <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars
+ </Files>
+-<Directory "@apache_prefix@/cgi-bin">
++<Directory "/var/www/cgi-bin">
+ NSSOptions +StdEnvVars
+ </Directory>
+
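Review bot: The rewritten comment line `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"` now gives two different ports for the IPv6 and IPv4 examples, while the `Listen` directive and the `<VirtualHost _default_:8443>` block that the patch changes both use 8443; it should read `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"`. Uncommenting `ErrorLog @apache_prefix@/logs/error_log` and `TransferLog @apache_prefix@/logs/access_log` keeps the `@apache_prefix@` substitution, so the log paths depend on the configure prefix rather than the `/etc/httpd` and `/var/www` locations the rest of the patch hard-codes; worth confirming the build substitutes that to a directory httpd can write before the lines are enabled unconditionally.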
diff --git a/mod_nss-gencert.patch b/mod_nss-gencert.patch
new file mode 100644
index 0000000..b328032
--- /dev/null
+++ b/mod_nss-gencert.patch
@@ -0,0 +1,26 @@
+--- mod_nss-1.0/gencert.in 2006-06-20 22:43:33.000000000 -0400
++++ mod_nss-1.0/gencert.in.orig 2006-06-20 22:57:08.000000000 -0400
+@@ -82,12 +82,11 @@
+
+ DEST=$1
+
+-echo "httptest" > $DEST/pw.txt
++echo -e "\n" > $DEST/pw.txt
+
+ echo ""
+ echo "#####################################################################"
+-echo "Generating new server certificate and key database. The password"
+-echo "is httptest"
++echo "Generating new server certificate and key database."
+ echo "#####################################################################"
+ $CERTUTIL -N -d $DEST -f $DEST/pw.txt
+
+@@ -183,8 +182,4 @@
+ rm $DEST/pw.txt
+ rm $DEST/noise
+
+-echo ""
+-echo "The database password is httptest"
+-echo ""
+-
+ exit 0
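Review bot: The new `echo -e "\n" > $DEST/pw.txt` line makes the password file's first line depend on which shell runs gencert.in: under a POSIX `sh` such as dash, `echo -e` prints the literal `-e`, so certutil would initialise the database with a password other than the intended empty one. `printf '\n' > $DEST/pw.txt` gives the same empty first line in every shell. Since the resulting key database has an empty password, the permissions on `$DEST` become the only control over access to the private key, which deserves a comment next to the `echo "Generating new server certificate and key database."` line. The file header lists `gencert.in` under `---` and `gencert.in.orig` under `+++`, so the old and new sides read backwards compared with the other patches in this commit.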
diff --git a/mod_nss-lockpcache.patch b/mod_nss-lockpcache.patch
new file mode 100644
index 0000000..e14265b
--- /dev/null
+++ b/mod_nss-lockpcache.patch
@@ -0,0 +1,240 @@
+diff -u --recursive mod_nss-1.0.8/mod_nss.c mod_nss-1.0.8.lock/mod_nss.c
+--- mod_nss-1.0.8/mod_nss.c 2011-03-02 16:19:52.000000000 -0500
++++ mod_nss-1.0.8.lock/mod_nss.c 2011-03-02 16:17:48.000000000 -0500
+@@ -152,6 +152,8 @@
+ AP_INIT_RAW_ARGS("NSSLogLevel", ap_set_deprecated, NULL, OR_ALL,
+ "SSLLogLevel directive is no longer supported - use LogLevel."),
+ #endif
++ AP_INIT_TAKE1("User", set_user, NULL, RSRC_CONF,
++ "Apache user. Comes from httpd.conf."),
+
+ AP_END_CMD
+ };
+diff -u --recursive mod_nss-1.0.8/mod_nss.h mod_nss-1.0.8.lock/mod_nss.h
+--- mod_nss-1.0.8/mod_nss.h 2011-03-02 16:19:52.000000000 -0500
++++ mod_nss-1.0.8.lock/mod_nss.h 2011-03-02 16:17:48.000000000 -0500
+@@ -41,6 +41,9 @@
+ #include "apr_shm.h"
+ #include "apr_global_mutex.h"
+ #include "apr_optional.h"
++#include <sys/types.h>
++#include <sys/ipc.h>
++#include <sys/sem.h>
+
+ #define MOD_NSS_VERSION AP_SERVER_BASEREVISION
+
+@@ -244,6 +247,9 @@
+ struct {
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+ } rCtx;
++
++ int semid;
++ const char *user;
+ } SSLModConfigRec;
+
+ typedef struct SSLSrvConfigRec SSLSrvConfigRec;
+@@ -412,6 +418,7 @@
+ const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
+ const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg);
+
+ /* module initialization */
+ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+diff -u --recursive mod_nss-1.0.8/nss_engine_config.c mod_nss-1.0.8.lock/nss_engine_config.c
+--- mod_nss-1.0.8/nss_engine_config.c 2011-03-02 16:19:52.000000000 -0500
++++ mod_nss-1.0.8.lock/nss_engine_config.c 2011-03-02 16:17:48.000000000 -0500
+@@ -830,3 +830,12 @@
+
+ return NULL;
+ }
++
++const char *set_user(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ SSLModConfigRec *mc = myModConfig(cmd->server);
++
++ mc->user = arg;
++
++ return NULL;
++}
+diff -u --recursive mod_nss-1.0.8/nss_engine_init.c mod_nss-1.0.8.lock/nss_engine_init.c
+--- mod_nss-1.0.8/nss_engine_init.c 2011-03-02 16:19:49.000000000 -0500
++++ mod_nss-1.0.8.lock/nss_engine_init.c 2011-03-02 16:17:48.000000000 -0500
+@@ -312,6 +312,7 @@
+ int sslenabled = FALSE;
+ int fipsenabled = FALSE;
+ int threaded = 0;
++ struct semid_ds status;
+
+ mc->nInitCount++;
+
+@@ -412,10 +413,26 @@
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i");
+
++ /* The first pass through this function will create the semaphore that
++ * will be used to lock the pipe. The user is still root at that point
++ * so for any later calls the semaphore ops will fail with permission
++ * errors. So switch the user to the Apache user.
++ */
++ if (mc->semid) {
++ uid_t user_id;
++
++ user_id = ap_uname2id(mc->user);
++ semctl(mc->semid, 0, IPC_STAT, &status);
++ status.sem_perm.uid = user_id;
++ semctl(mc->semid,0,IPC_SET,&status);
++ }
++
+ /* Do we need to fire up our password helper? */
+ if (mc->nInitCount == 1) {
+ const char * child_argv[5];
+ apr_status_t rv;
++ struct sembuf sb;
++ char sembuf[32];
+
+ if (mc->pphrase_dialog_helper == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+@@ -423,11 +440,31 @@
+ nss_die();
+ }
+
++ mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
++ if (mc->semid == -1) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "Unable to obtain semaphore.");
++ nss_die();
++ }
++
++ /* Initialize the semaphore */
++ sb.sem_num = 0;
++ sb.sem_op = 1;
++ sb.sem_flg = 0;
++ if ((semop(mc->semid, &sb, 1)) == -1) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "Unable to initialize semaphore.");
++ nss_die();
++ }
++
++ PR_snprintf(sembuf, 32, "%d", mc->semid);
++
+ child_argv[0] = mc->pphrase_dialog_helper;
+- child_argv[1] = fipsenabled ? "on" : "off";
+- child_argv[2] = mc->pCertificateDatabase;
+- child_argv[3] = mc->pDBPrefix;
+- child_argv[4] = NULL;
++ child_argv[1] = sembuf;
++ child_argv[2] = fipsenabled ? "on" : "off";
++ child_argv[3] = mc->pCertificateDatabase;
++ child_argv[4] = mc->pDBPrefix;
++ child_argv[5] = NULL;
+
+ rv = apr_procattr_create(&mc->procattr, mc->pPool);
+
+diff -u --recursive mod_nss-1.0.8/nss_engine_pphrase.c mod_nss-1.0.8.lock/nss_engine_pphrase.c
+--- mod_nss-1.0.8/nss_engine_pphrase.c 2008-07-02 10:54:37.000000000 -0400
++++ mod_nss-1.0.8.lock/nss_engine_pphrase.c 2011-03-02 16:17:48.000000000 -0500
+@@ -279,6 +279,16 @@
+ char buf[1024];
+ apr_status_t rv;
+ apr_size_t nBytes = 1024;
++ struct sembuf sb;
++
++ /* lock the pipe */
++ sb.sem_num = 0;
++ sb.sem_op = -1;
++ sb.sem_flg = SEM_UNDO;
++ if (semop(parg->mc->semid, &sb, 1) == -1) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++ "Unable to reserve semaphore resource");
++ }
+
+ snprintf(buf, 1024, "RETR\t%s", token_name);
+ rv = apr_file_write_full(parg->mc->proc.in, buf, strlen(buf), NULL);
+@@ -293,6 +303,13 @@
+ */
+ memset(buf, 0, sizeof(buf));
+ rv = apr_file_read(parg->mc->proc.out, buf, &nBytes);
++ sb.sem_op = 1;
++ if (semop(parg->mc->semid, &sb, 1) == -1) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++ "Unable to free semaphore resource");
++ /* perror("semop free resource id"); */
++ }
++
+ if (rv != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Unable to read from pin store for slot: %s APR err: %d", PK11_GetTokenName(slot), rv);
+diff -u --recursive mod_nss-1.0.8/nss_pcache.c mod_nss-1.0.8.lock/nss_pcache.c
+--- mod_nss-1.0.8/nss_pcache.c 2011-03-02 16:19:55.000000000 -0500
++++ mod_nss-1.0.8.lock/nss_pcache.c 2011-03-02 16:19:10.000000000 -0500
+@@ -21,6 +21,9 @@
+ #include <pk11func.h>
+ #include <secmod.h>
+ #include <signal.h>
++#include <sys/types.h>
++#include <sys/ipc.h>
++#include <sys/sem.h>
+ #include "nss_pcache.h"
+
+ static char * getstr(const char * cmd, int el);
+@@ -70,6 +73,13 @@
+ unsigned char *crypt;
+ };
+
++union semun {
++ int val;
++ struct semid_ds *buf;
++ unsigned short *array;
++ struct seminfo *__buf;
++};
++
+ /*
+ * Node - for maintaining link list of tokens with cached PINs
+ */
+@@ -304,15 +314,19 @@
+ char * tokenName;
+ char * tokenpw;
+ int fipsmode = 0;
++ int semid = 0;
++ union semun semarg;
+
+- if (argc < 3 || argc > 4) {
+- fprintf(stderr, "Usage: nss_pcache <fips on/off> <directory> <prefix>\n");
++ if (argc < 4 || argc > 5) {
++ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> <prefix>\n");
+ exit(1);
+ }
+
+ signal(SIGHUP, SIG_IGN);
+
+- if (!strcasecmp(argv[1], "on"))
++ semid = strtol(argv[1], NULL, 10);
++
++ if (!strcasecmp(argv[2], "on"))
+ fipsmode = 1;
+
+ /* Initialize NSPR */
+@@ -322,7 +336,7 @@
+ PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
+
+ /* Initialize NSS and open the certificate database read-only. */
+- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
++ rv = NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
+
+ if (rv != SECSuccess) {
+ fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
+@@ -437,6 +451,11 @@
+ }
+ freeList(pinList);
+ PR_Close(in);
++ /* Remove the semaphore used for locking here. This is because this
++ * program only goes away when Apache shuts down so we don't have to
++ * worry about reloads.
++ */
++ semctl(semid, 0, IPC_RMID, semarg);
+ return 0;
+ }
+
+Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig
+Only in mod_nss-1.0.8.lock/: nss_pcache.c.rej
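Review bot: `child_argv[5] = NULL;` in the nss_engine_init.c hunk writes one past the end of `const char * child_argv[5];`, which the patch leaves at five elements while adding the semaphore id as a sixth argument; the declaration needs to become `const char * child_argv[6];`. In nss_pcache.c the new `NSS_Initialize(argv[3], argc == 4 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, ...)` call tests `argc == 4` for the cert prefix, so when a prefix is supplied (argc == 5) the cert prefix is NULL and only the key prefix gets argv[4]; both conditions should be `argc == 5 ? argv[4] : NULL`. In nss_engine_pphrase.c the lock is released with `sb.sem_op = 1` even when the earlier acquire `semop` failed, which would leave the semaphore count above one and let later callers interleave on the pipe, so the release (and probably the RETR write) should be skipped when the acquire failed. The `semctl(mc->semid, 0, IPC_STAT, &status)` / `IPC_SET` pair in nss_engine_init.c ignores both return values, so a failed IPC_STAT would copy an uninitialised `status` into the semaphore's permissions. The trailing `Only in mod_nss-1.0.8.lock/: nss_pcache.c.orig` and `.rej` lines are leftovers from diffing a tree with stale patch artefacts and can be dropped.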
diff --git a/mod_nss-negotiate.patch b/mod_nss-negotiate.patch
new file mode 100644
index 0000000..c385cfb
--- /dev/null
+++ b/mod_nss-negotiate.patch
@@ -0,0 +1,180 @@
+
+diff -up ./mod_nss.c.norego ./mod_nss.c
+--- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100
+@@ -97,6 +97,14 @@ static const command_rec nss_config_cmds
+ SSL_CMD_SRV(Nickname, TAKE1,
+ "SSL RSA Server Certificate nickname "
+ "(`Server-Cert'")
++#ifdef SSL_ENABLE_RENEGOTIATION
++ SSL_CMD_SRV(Renegotiation, FLAG,
++ "Enable SSL Renegotiation (default off) "
++ "(`on', `off')")
++ SSL_CMD_SRV(RequireSafeNegotiation, FLAG,
++ "If Rengotiation is allowed, require safe negotiation (default off) "
++ "(`on', `off')")
++#endif
+ #ifdef NSS_ENABLE_ECC
+ SSL_CMD_SRV(ECCNickname, TAKE1,
+ "SSL ECC Server Certificate nickname "
+diff -up ./mod_nss.h.norego ./mod_nss.h
+--- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100
+@@ -269,6 +269,10 @@ typedef struct {
+ int tls;
+ int tlsrollback;
+ int enforce;
++#ifdef SSL_ENABLE_RENEGOTIATION
++ int enablerenegotiation;
++ int requiresafenegotiation;
++#endif
+ const char *nickname;
+ #ifdef NSS_ENABLE_ECC
+ const char *eccnickname;
+@@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p
+ const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg);
++#ifdef SSL_ENABLE_RENEGOTIATION
++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag);
++#endif
+ #ifdef NSS_ENABLE_ECC
+ const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg);
+ #endif
+diff -up ./nss_engine_config.c.norego ./nss_engine_config.c
+--- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100
+@@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t
+ mctx->tls = PR_FALSE;
+ mctx->tlsrollback = PR_FALSE;
+
++#ifdef SSL_ENABLE_RENEGOTIATION
++ mctx->enablerenegotiation = PR_FALSE;
++ mctx->requiresafenegotiation = PR_FALSE;
++#endif
+ mctx->enforce = PR_TRUE;
+ mctx->nickname = NULL;
+ #ifdef NSS_ENABLE_ECC
+@@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_
+ cfgMerge(eccnickname, NULL);
+ #endif
+ cfgMerge(enforce, PR_TRUE);
++#ifdef SSL_ENABLE_RENEGOTIATION
++ cfgMerge(enablerenegotiation, PR_FALSE);
++ cfgMerge(requiresafenegotiation, PR_FALSE);
++#endif
+ }
+
+ static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base,
+@@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm
+ return NULL;
+ }
+
++#ifdef SSL_ENABLE_RENEGOTIATION
++const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE;
++
++ return NULL;
++}
++
++const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE;
++
++ return NULL;
++}
++#endif
++
+ #ifdef NSS_ENABLE_ECC
+ const char *nss_cmd_NSSECCNickname(cmd_parms *cmd,
+ void *dcfg,
+diff -up ./nss_engine_init.c.norego ./nss_engine_init.c
+--- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100
++++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100
+@@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r
+ nss_die();
+ }
+ }
++#ifdef SSL_ENABLE_RENEGOTIATION
++ if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION,
++ mctx->enablerenegotiation ?
++ SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER
++ ) != SECSuccess) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "Unable to set SSL renegotiation");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
++ nss_die();
++ }
++ if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION,
++ mctx->requiresafenegotiation) != SECSuccess) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "Unable to set SSL safe negotiation");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
++ nss_die();
++ }
++#endif
+ }
+
+ static void nss_init_ctx_protocol(server_rec *s,
+
+diff -up ./nss.conf.in.norego ./nss.conf.in
+--- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000
++++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000
+@@ -64,6 +64,17 @@
+ #NSSRandomSeed startup file:/dev/random 512
+ #NSSRandomSeed startup file:/dev/urandom 512
+
++#
++# TLS Negotiation configuration under RFC 5746
++#
++# Only renegotiate if the peer's hello bears the TLS renegotiation_info
++# extension. Default off.
++NSSRenegotiation off
++
++# Peer must send Signaling Cipher Suite Value (SCSV) or
++# Renegotiation Info (RI) extension in ALL handshakes. Default: off
++NSSRequireSafeNegotiation off
++
+ ##
+ ## SSL Virtual Host Context
+ ##
+
+diff -up ./nss_engine_log.c.norego ./nss_engine_log.c
+--- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000
++++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000
+@@ -27,7 +27,7 @@
+ #define LIBSEC_ERROR_BASE (-8192)
+ #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155)
+ #define LIBSSL_ERROR_BASE (-12288)
+-#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
++#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114)
+
+ typedef struct l_error_t {
+ int errorNumber;
+@@ -296,7 +296,19 @@
+ { 99, "Server requires ciphers more secure than those supported by client" },
+ { 100, "Peer reports it experienced an internal error" },
+ { 101, "Peer user canceled handshake" },
+- { 102, "Peer does not permit renegotiation of SSL security parameters" }
++ { 102, "Peer does not permit renegotiation of SSL security parameters" },
++ { 103, "Server cache not configured" },
++ { 104, "Unsupported extension" },
++ { 105, "Certificate unobtainable" },
++ { 106, "Unrecognized name" },
++ { 107, "Bad certificate status" },
++ { 108, "Bad certificate hash value" },
++ { 109, "Unexpected new session ticket" },
++ { 110, "Malformed new session ticket" },
++ { 111, "Decompression failure" },
++ { 112, "Renegotiation not allowed" },
++ { 113, "Safe negotiation required but not provided by client" },
++ { 114, "Unexpected uncompressed record" },
+ };
+
+ void nss_die(void)
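Review bot: The new directive help string `"If Rengotiation is allowed, require safe negotiation (default off) "` in the mod_nss.c hunk misspells the directive it refers to and is shown to users by httpd's directive help; it should read `"If Renegotiation is allowed, require safe negotiation (default off) "`. In the nss_engine_init.c hunk both `SSL_OptionSet` failures are logged at `APLOG_DEBUG` immediately before `nss_die()`, so with the default LogLevel the server exits without recording which option failed; `APLOG_ERR`, matching the `nss_log_nss_error` call on the following line, would make the cause visible. The enclosing `nss_init_ctx_socket` starts outside the hunk.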
diff --git a/mod_nss-overlapping_memcpy.patch b/mod_nss-overlapping_memcpy.patch
new file mode 100644
index 0000000..c60e435
--- /dev/null
+++ b/mod_nss-overlapping_memcpy.patch
@@ -0,0 +1,24 @@
+Bug 669118
+
+memcpy of overlapping memory is no longer allowed by glibc.
+
+This is mod_ssl bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45444
+
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-01-12 12:31:27.339425702 -0500
++++ mod_nss-1.0.8/nss_engine_io.c 2011-01-12 12:31:35.507405595 -0500
+@@ -123,13 +123,13 @@
+
+ if (buffer->length > inl) {
+ /* we have have enough to fill the caller's buffer */
+- memcpy(in, buffer->value, inl);
++ memmove(in, buffer->value, inl);
+ buffer->value += inl;
+ buffer->length -= inl;
+ }
+ else {
+ /* swallow remainder of the buffer */
+- memcpy(in, buffer->value, buffer->length);
++ memmove(in, buffer->value, buffer->length);
+ inl = buffer->length;
+ buffer->value = NULL;
+ buffer->length = 0;
diff --git a/mod_nss-pcachesignal.h b/mod_nss-pcachesignal.h
new file mode 100644
index 0000000..cb2e135
--- /dev/null
+++ b/mod_nss-pcachesignal.h
@@ -0,0 +1,21 @@
+diff -u --recursive mod_nss-1.0.8.orig/nss_pcache.c mod_nss-1.0.8/nss_pcache.c
+--- mod_nss-1.0.8.orig/nss_pcache.c 2008-07-02 10:54:06.000000000 -0400
++++ mod_nss-1.0.8/nss_pcache.c 2010-05-14 13:32:57.000000000 -0400
+@@ -20,6 +20,7 @@
+ #include <seccomon.h>
+ #include <pk11func.h>
+ #include <secmod.h>
++#include <signal.h>
+ #include "nss_pcache.h"
+
+ static char * getstr(const char * cmd, int el);
+@@ -309,6 +310,8 @@
+ exit(1);
+ }
+
++ signal(SIGHUP, SIG_IGN);
++
+ if (!strcasecmp(argv[1], "on"))
+ fipsmode = 1;
+
+Only in mod_nss-1.0.8: nss_pcache.c.rej
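Review bot: This file is a unified diff but is named `mod_nss-pcachesignal.h`, and mod_nss.spec applies it as `%patch6 -p1 -b .pcachesignal.h`; the `.h` suffix makes it look like a header to readers and tooling, so `mod_nss-pcachesignal.patch` with the spec's Patch6 line updated would be clearer. The trailing `Only in mod_nss-1.0.8: nss_pcache.c.rej` line is a leftover from diffing a tree with a stale .rej file and is not part of the change. The added `signal(SIGHUP, SIG_IGN);` carries no comment; something like `/* Ignore SIGHUP so the PIN cache survives an httpd reload */` would record the intent, if that is what it is for.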
diff --git a/mod_nss-reseterror.patch b/mod_nss-reseterror.patch
new file mode 100644
index 0000000..73ac3e4
--- /dev/null
+++ b/mod_nss-reseterror.patch
@@ -0,0 +1,10 @@
+--- mod_nss-1.0.8.orig/nss_engine_io.c 2010-09-23 18:12:56.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_io.c 2010-09-23 18:13:07.000000000 -0400
+@@ -348,6 +348,7 @@
+ break;
+ }
+
++ PR_SetError(0, 0);
+ rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
+
+ if (rc > 0) {
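Review bot: The added `PR_SetError(0, 0);` before `PR_Read` has no comment explaining why a stale NSPR error must be cleared at this point, so a reader has to guess that an error code from an earlier call could otherwise be mistaken for the result of this read. A one-line comment such as `/* Clear any stale NSPR error so the code consulted after PR_Read belongs to this call */` would record the intent, assuming that is the reason. The enclosing function starts and ends outside the hunk.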
diff --git a/mod_nss-reverseproxy.patch b/mod_nss-reverseproxy.patch
new file mode 100644
index 0000000..928c92f
--- /dev/null
+++ b/mod_nss-reverseproxy.patch
@@ -0,0 +1,182 @@
+mod_proxy now sets the requested remote host name. Use this to compare
+to the CN value of the peer certificate and reject the request if they
+do not match (and we are have NSSProxyCheckPeerCN set to on).
+
+diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
+--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
++++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
+@@ -1028,7 +1028,21 @@
+ <br>
+ <span style="font-weight: bold;">Example</span><br>
+ <br>
+-<code>NSSProxyNickname beta</code><br>
++<code>NSSProxyNickname beta<br>
++<br>
++</code><big><big>NSSProxyCheckPeerCN</big></big><br>
++<br>
++Compare the CN value of the peer certificate with the hostname being
++requested. If this is set to on, the default, then the request will
++fail if they do not match. If this is set to off then this comparison
++is not done. Note that this test is your only protection against a
++man-in-the-middle attack so leaving this as on is strongly recommended.<br>
++<br>
++<span style="font-weight: bold;">Example</span><br>
++<br>
++<span style="font-family: monospace;">NSSProcyCheckPeerCN</span><code>
++on<br>
++</code><br>
+ <h1><a name="Environment"></a>Environment Variables</h1>
+ Quite a few environment variables (for CGI and SSI) may be set
+ depending on the NSSOptions configuration. It can be expensive to set
+@@ -1435,42 +1449,9 @@
+ <h1><a name="FAQ"></a>Frequently Asked Questions</h1>
+ Q. Does mod_nss support mod_proxy?<br>
+ <br>
+-A. In order to use the mod_nss proxy support you will need to build
+-your own mod_proxy by applying a patch found in bug <a
+- href="http://issues.apache.org/bugzilla/show_bug.cgi?id=36468">36468</a>.
+-The patch is needed so we can compare the hostname contained in the
+-remote certificate with the hostname you meant to visit. This prevents
+-man-in-the-middle attacks.<br>
+-<br>
+-You also have to change the SSL functions that mod_proxy looks to use.
+-You'll need to apply this patch:<br>
+-<br>
+-<code>1038,1039c1038,1039<br>
+-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));<br>
+-&lt; APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));<br>
+----<br>
+-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));<br>
+-&gt; APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));<br>
+-1041,1042c1041,1042<br>
+-&lt; static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
+-NULL;<br>
+-&lt; static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
+-= NULL;<br>
+----<br>
+-&gt; static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
+-NULL;<br>
+-&gt; static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
+-= NULL;<br>
+-1069,1070c1069,1070<br>
+-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
+-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);<br>
+-&lt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
+-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);<br>
+----<br>
+-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_enable =
+-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);<br>
+-&gt;&nbsp;&nbsp;&nbsp;&nbsp; proxy_ssl_disable =
+-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);<br>
+-</code><br>
++A. Yes but you need to make sure that mod_ssl is not loaded. mod_proxy
++provides a single interface for SSL providers and mod_nss defers to
++mod_ssl
++if it is loaded.
+ </body>
+ </html>
+diff -u --recursive mod_nss-1.0.8.orig/mod_nss.c mod_nss-1.0.8/mod_nss.c
+--- mod_nss-1.0.8.orig/mod_nss.c 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/mod_nss.c 2010-05-13 11:25:42.000000000 -0400
+@@ -142,6 +142,8 @@
+ SSL_CMD_SRV(ProxyNickname, TAKE1,
+ "SSL Proxy: client certificate Nickname to be for proxy connections "
+ "(`nickname')")
++ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
++ "SSL Proxy: check the peers certificate CN")
+
+ #ifdef IGNORE
+ /* Deprecated directives. */
+@@ -238,23 +240,30 @@
+ SECStatus NSSBadCertHandler(void *arg, PRFileDesc * socket)
+ {
+ conn_rec *c = (conn_rec *)arg;
++ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ PRErrorCode err = PR_GetError();
+ SECStatus rv = SECFailure;
+ CERTCertificate *peerCert = SSL_PeerCertificate(socket);
++ const char *hostname_note;
+
+ switch (err) {
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+- if (c->remote_host != NULL) {
+- rv = CERT_VerifyCertName(peerCert, c->remote_host);
+- if (rv != SECSuccess) {
+- char *remote = CERT_GetCommonName(&peerCert->subject);
++ if (sc->proxy_ssl_check_peer_cn == TRUE) {
++ if ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL) {
++ apr_table_unset(c->notes, "proxy-request-hostname");
++ rv = CERT_VerifyCertName(peerCert, hostname_note);
++ if (rv != SECSuccess) {
++ char *remote = CERT_GetCommonName(&peerCert->subject);
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++ "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, hostname_note);
++ PORT_Free(remote);
++ }
++ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+- "SSL Proxy: Possible man-in-the-middle attack. The remove server is %s, we expected %s", remote, c->remote_host);
+- PORT_Free(remote);
++ "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.");
+ }
+ } else {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+- "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468.");
++ rv = SECSuccess;
+ }
+ break;
+ default:
+diff -u --recursive mod_nss-1.0.8.orig/mod_nss.h mod_nss-1.0.8/mod_nss.h
+--- mod_nss-1.0.8.orig/mod_nss.h 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/mod_nss.h 2010-05-13 11:25:42.000000000 -0400
+@@ -306,6 +306,7 @@
+ int vhost_id_len;
+ modnss_ctx_t *server;
+ modnss_ctx_t *proxy;
++ BOOL proxy_ssl_check_peer_cn;
+ };
+
+ /*
+@@ -410,6 +411,7 @@
+ const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
+ const char *nss_cmd_NSSProxyCipherSuite(cmd_parms *, void *, const char *);
+ const char *nss_cmd_NSSProxyNickname(cmd_parms *cmd, void *dcfg, const char *arg);
++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+
+ /* module initialization */
+ int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+diff -u --recursive mod_nss-1.0.8.orig/nss_engine_config.c mod_nss-1.0.8/nss_engine_config.c
+--- mod_nss-1.0.8.orig/nss_engine_config.c 2010-05-13 11:24:49.000000000 -0400
++++ mod_nss-1.0.8/nss_engine_config.c 2010-05-13 11:25:42.000000000 -0400
+@@ -140,6 +140,7 @@
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->proxy = NULL;
+ sc->server = NULL;
++ sc->proxy_ssl_check_peer_cn = TRUE;
+
+ modnss_ctx_init_proxy(sc, p);
+
+@@ -214,6 +215,7 @@
+ cfgMergeBool(fips);
+ cfgMergeBool(enabled);
+ cfgMergeBool(proxy_enabled);
++ cfgMergeBool(proxy_ssl_check_peer_cn);
+
+ modnss_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+
+@@ -544,6 +546,15 @@
+ return NULL;
+ }
+
++const char *nss_cmd_NSSProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
++{
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++
++ sc->proxy_ssl_check_peer_cn = flag ? TRUE : FALSE;
++
++ return NULL;
++}
++
+ const char *nss_cmd_NSSEnforceValidCerts(cmd_parms *cmd,
+ void *dcfg,
+ int flag)
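Review bot: The documentation example in docs/mod_nss.html spells the new directive `NSSProcyCheckPeerCN`, while the command table entry `SSL_CMD_SRV(ProxyCheckPeerCN, FLAG, ...)` and `nss_cmd_NSSProxyCheckPeerCN` register `NSSProxyCheckPeerCN`; a user copying the example would get an unknown-directive error, so it should read `NSSProxyCheckPeerCN on`. The new log line in `NSSBadCertHandler` also says `The remove server is %s` where `remote` is meant. With the directive off the handler now returns `SECSuccess` for `SSL_ERROR_BAD_CERT_DOMAIN`, i.e. a peer certificate whose name does not match the requested host is accepted; the HTML documents that trade-off, but a `/* name mismatch deliberately tolerated: NSSProxyCheckPeerCN off */` comment on the `rv = SECSuccess;` line would make it explicit where it happens. The setting is read via `mySrvConfig(c->base_server)`, which looks like it takes the base server's value rather than the originating vhost's — worth confirming that is intended when the directive is set per vhost.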
diff --git a/mod_nss-wouldblock.patch b/mod_nss-wouldblock.patch
new file mode 100644
index 0000000..405b67a
--- /dev/null
+++ b/mod_nss-wouldblock.patch
@@ -0,0 +1,12 @@
+--- mod_nss-1.0.3.orig/nss_engine_io.c 2006-04-07 16:17:12.000000000 -0400
++++ mod_nss-1.0.3/nss_engine_io.c 2009-02-17 22:51:44.000000000 -0500
+@@ -259,7 +259,8 @@
+ */
+ if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
+ || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
+- return 0;
++ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
++ return -1;
+ }
+
+ if (inctx->rc != APR_SUCCESS) {
diff --git a/mod_nss.spec b/mod_nss.spec
new file mode 100644
index 0000000..35ec708
--- /dev/null
+++ b/mod_nss.spec
@@ -0,0 +1,269 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+Name: mod_nss
+Version: 1.0.8
+Release: 16%{?dist}
+Summary: SSL/TLS module for the Apache HTTP server
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://directory.fedoraproject.org/wiki/Mod_nss
+Source: http://directory.fedoraproject.org/sources/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= 4.6.3, nss-devel >= 3.12.6
+BuildRequires: httpd-devel, apr-devel, apr-util-devel
+BuildRequires: pkgconfig
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires(post): httpd, nss-tools
+Requires: nss >= 3.12.6
+Patch1: mod_nss-conf.patch
+Patch2: mod_nss-gencert.patch
+Patch3: mod_nss-wouldblock.patch
+# Add options for tuning client negotiate in NSS
+Patch4: mod_nss-negotiate.patch
+Patch5: mod_nss-reverseproxy.patch
+Patch6: mod_nss-pcachesignal.h
+Patch7: mod_nss-reseterror.patch
+Patch8: mod_nss-lockpcache.patch
+
+%description
+The mod_nss module provides strong cryptography for the Apache Web
+server via the Secure Sockets Layer (SSL) and Transport Layer
+Security (TLS) protocols using the Network Security Services (NSS)
+security library.
+
+%prep
+%setup -q
+%patch1 -p1 -b .conf
+%patch2 -p1 -b .gencert
+%patch3 -p1 -b .wouldblock
+%patch4 -p1 -b .negotiate
+%patch5 -p1 -b .reverseproxy
+%patch6 -p1 -b .pcachesignal.h
+%patch7 -p1 -b .reseterror
+%patch8 -p1 -b .lockpcache
+
+# Touch expression parser sources to prevent regenerating it
+touch nss_expr_*.[chyl]
+
+%build
+
+CFLAGS="$RPM_OPT_FLAGS"
+APXS=%{_httpd_apxs}
+
+export CFLAGS APXS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
+NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
+
+NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
+NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
+
+NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
+
+%configure \
+ --with-nss-lib=$NSS_LIB_DIR \
+ --with-nss-inc=$NSS_INCLUDE_DIR \
+ --with-nspr-lib=$NSPR_LIB_DIR \
+ --with-nspr-inc=$NSPR_INCLUDE_DIR \
+ --with-apr-config
+
+make %{?_smp_mflags} all
+
+%install
+# The install target of the Makefile isn't used because that uses apxs
+# which tries to enable the module in the build host httpd instead of in
+# the build root.
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
+mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir}
+mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd >= 2.4.x
+mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir}
+sed -n /^LoadModule/p nss.conf > 10-nss.conf
+sed -i /^LoadModule/d nss.conf
+install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}
+%endif
+
+install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir}
+
+install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
+install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
+install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
+ln -s ../../../%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
+touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log
+
+perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+umask 077
+
+if [ "$1" -eq 1 ] ; then
+ if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
+ %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
+ echo ""
+ echo "%{name} certificate database generated."
+ echo ""
+ fi
+
+ # Make sure that the database ownership is setup properly.
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
+fi
+
+%files
+%defattr(-,root,root,-)
+%doc README LICENSE docs/mod_nss.html
+%config(noreplace) %{_httpd_confdir}/nss.conf
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/10-nss.conf
+%endif
+%{_libdir}/httpd/modules/libmodnss.so
+%dir %{_sysconfdir}/httpd/alias/
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
+%{_sysconfdir}/httpd/alias/libnssckbi.so
+%{_sbindir}/nss_pcache
+%{_sbindir}/gencert
+
+%changelog
+* Tue Apr 24 2012 Remi Collet <RPMS@FamilleCollet.com> 1.0.8-16
+- rebuild for remi repo and http 2.4
+
+* Mon Apr 23 2012 Joe Orton <jorton@redhat.com> - 1.0.8-16
+- packaging fixes/updates (#803072)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Mar 7 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-14
+- Add Requires(post) for nss-tools, gencert needs it (#652007)
+
+* Wed Mar 2 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-13
+- Lock around the pipe to nss_pcache for retrieving the token PIN
+ (#677701)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.0.8-11
+- Use memmove in place of memcpy since the buffers can overlap (#669118)
+
+* Wed Sep 29 2010 jkeating - 1.0.8-10
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-9
+- Revert mod_nss-wouldblock patch
+- Reset NSPR error before calling PR_Read(). This should fix looping
+ in #620856
+
+* Fri Sep 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-8
+- Fix hang when handling large POST under some conditions (#620856)
+
+* Tue Jun 22 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-7
+- Remove file Requires on libnssckbi.so (#601939)
+
+* Fri May 14 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-6
+- Ignore SIGHUP in nss_pcache (#591889).
+
+* Thu May 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-5
+- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224)
+
+* Thu Mar 18 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-4
+- Patch to add configuration options for new NSS negotiation API (#574187)
+- Add (pre) for Requires on httpd so we can be sure the user and group are
+ already available
+- Add file Requires on libnssckbi.so so symlink can't fail
+- Use _sysconfdir macro instead of /etc
+- Set minimum level of NSS to 3.12.6
+
+* Mon Jan 25 2010 Rob Crittenden <rcritten@redhat.com> - 1.0.8-3
+- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Mar 2 2009 Rob Crittenden <rcritten@redhat.com> - 1.0.8-1
+- Update to 1.0.8
+- Add patch that fixes NSPR layer bug
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.0.7-10
+- fix license tag
+
+* Mon Jul 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-9
+- rebuild to bump NVR
+
+* Mon Jul 14 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-8
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-7
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
+* Wed Jul 2 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-6
+- Update the patch for FIPS to include fixes for nss_pcache, enforce
+ the security policy and properly initialize the FIPS token.
+
+* Mon Jun 30 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-5
+- Include patch to fix NSSFIPS (446851)
+
+* Mon Apr 28 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.7-4
+- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
+ and not before. This is in response to a change in the NSS softtokn code
+ and should have always been done this way. (444348)
+- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
+- The NSS database needs to be readable by apache since we need to use it
+ after the root priviledges are dropped.
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.7-3
+- Autorebuild for GCC 4.3
+
+* Thu Oct 18 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-2
+- Register functions needed by mod_proxy if mod_ssl is not loaded.
+
+* Fri Jun 1 2007 Rob Crittenden <rcritten@redhat.com> 1.0.7-1
+- Update to 1.0.7
+- Remove Requires for nss and nspr since those are handled automatically
+ by versioned libraries
+- Updated URL and Source to reference directory.fedoraproject.org
+
+* Mon Apr 9 2007 Rob Crittenden <rcritten@redhat.com> 1.0.6-2
+- Patch to properly detect the Apache model and set up NSS appropriately
+- Patch to punt if a bad password is encountered
+- Patch to fix crash when password.conf is malformatted
+- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7)
+
+* Mon Oct 23 2006 Rob Crittenden <rcritten@redhat.com> 1.0.6-1
+- Update to 1.0.6
+
+* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-4
+- Include LogLevel warn in nss.conf and use separate log files
+
+* Fri Aug 04 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-3
+- Need to initialize ECC certificate and key variables
+
+* Fri Aug 04 2006 Jarod Wilson <jwilson@redhat.com> 1.0.3-2
+- Use %%ghost for db files and install.log
+
+* Tue Jun 20 2006 Rob Crittenden <rcritten@redhat.com> 1.0.3-1
+- Initial build
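Review bot: The `install.log` ghost entry in `%files` has no `%attr`, unlike the three `*.db` entries beside it, so its mode depends on the `umask 077` in `%post` and is not restored by `rpm --setperms`; since it captures gencert's full stdout/stderr, which may include details of the generated database and token password, make it explicit with `%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/httpd/alias/install.log`. The `chgrp apache`/`chmod g+r` loop in `%post` only runs on first install (`$1 -eq 1`), which is fine given the `%attr(0640,root,apache)` on the db files, but a short comment saying the group read is needed because httpd opens the database after dropping root (as the 1.0.7-4 changelog entry states) would make the intent clear. Finally, `%patch3` still applies `mod_nss-wouldblock.patch` although the 1.0.8-9 entry says "Revert mod_nss-wouldblock patch"; if that revert restored an earlier revision of the patch rather than dropping it, a comment on the `Patch3:` line would remove the ambiguity.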