diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b764056
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mod_nss-1.0.14.tar.gz
diff --git a/.mod_nss.metadata b/.mod_nss.metadata
new file mode 100644
index 0000000..9e97382
--- /dev/null
+++ b/.mod_nss.metadata
@@ -0,0 +1 @@
+a439ff97312a3b88dc86ad779134a0e4f5d492f5 SOURCES/mod_nss-1.0.14.tar.gz
diff --git a/SOURCES/mod_nss-brewtest.patch b/SOURCES/mod_nss-brewtest.patch
new file mode 100644
index 0000000..0764aa9
--- /dev/null
+++ b/SOURCES/mod_nss-brewtest.patch
@@ -0,0 +1,83 @@ +From 9736af2af69bd7fc924bb30a4849f55bd6d497cf Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 23 May 2016 18:34:36 -0400 +Subject: [PATCH] Disable SNI and proxy tests, AES128 cipher test + +The SNI tests rely on a tweaked /etc/hosts that points multiple +hostnames to one. + +The proxy test requires Internet access + +The python client isn't returning the re-negotiated cipher +which causes the AES128 to report a failure. Drop the test. +--- + test/suite1.tmpl | 6 ------ + test/test.py | 28 ---------------------------- + 2 files changed, 34 deletions(-) + +diff --git a/test/suite1.tmpl b/test/suite1.tmpl +index 2c09a89..291e173 100644 +--- a/test/suite1.tmpl ++++ b/test/suite1.tmpl +@@ -45,12 +45,6 @@ CoreDumpDirectory $SERVER_ROOT + NSSCipherSuite RC4-SHA + + +- +- # In openssl equivalent of AES:-ECDH:-ADH:-PSK:-DH +- # In NSS equivalent of AES:-ECDH +- NSSCipherSuite AES+RSA +- +- + + NSSCipherSuite +dhe_rsa_aes_128_sha + +diff --git a/test/test.py b/test/test.py +index 866e388..4fdb59a 100644 +--- a/test/test.py ++++ b/test/test.py +@@ -60,13 +60,6 @@ class test_suite1(Declarative): + ), + + dict( +- desc='SSL AES128-SHA cipher check', +- request=('/index.html', {}), +- expected=200, +- cipher='AES128-SHA', +- ), +- +- dict( + desc='Default protocol check', + request=('/', {}), + expected=200, +@@ -271,27 +264,6 @@ class test_suite1(Declarative): + expected=requests.exceptions.SSLError(), + ), + +- dict( +- desc='Basic reverse proxy request', +- request=('/google/', {}), +- expected=200, +- ), +- +- dict( +- desc='SNI request when SNI is disabled', +- request=('/index.html', +- {'host': 'www1.example.com', 'port': 8000} +- ), +- expected=requests.exceptions.SSLError(), +- expected_str='doesn\'t match', +- ), +- +- dict( +- desc='Reverse proxy request when SNI is disabled', +- request=('/proxy/index.html', {}), +- expected=400, +- ), +- + ] + + if ENABLE_SERVER_DHE: +-- +2.5.5 + 
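Review bot: Deleting the `desc='SSL AES128-SHA cipher check'` entry removes the only test that exercises a per-request cipher override; marking it skipped with the stated reason (the python client not reporting the negotiated cipher) would keep the intent visible and make it easy to re-enable. Since that test depends on test_request.py actually applying `self.ciphers` when it connects, it may be worth confirming the override takes effect before concluding the failure is in the client. The SNI and proxy entries are removed for environment reasons (hosts file, Internet access) and a skip-with-reason would suit them equally.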
diff --git a/SOURCES/mod_nss-certdb-permissions.patch b/SOURCES/mod_nss-certdb-permissions.patch new file mode 100644 index 0000000..806fd4c --- /dev/null +++ b/SOURCES/mod_nss-certdb-permissions.patch 
@@ -0,0 +1,89 @@ +From 7c08aa9b0aa10f4d13e7317c9a7353399188dba4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 21 Sep 2016 13:45:25 -0400 +Subject: [PATCH] Enhance checking on NSS database permissions to include + directory + +Previously I was checking the NSS database files for readability +but not the database directory itself. Since it starts as root if +the directory permissions didn't allow read by the Apache user but +the files themselves did then startup would continue but blow +up due to the inability to chdir into the directory. + +BZ #1312583 +--- + nss_engine_init.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/nss_engine_init.c b/nss_engine_init.c +index cd71989..03ac644 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -51,8 +51,7 @@ static char *version_components[] = { + NULL + }; + +-/* See if a uid or gid can read a file at a given path. Ignore world +- * read permissions. ++/* See if a uid or gid can read a file at a given path. 
+ * + * Return 0 on failure or file doesn't exist + * Return 1 on success +@@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p) + if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, + p)) == APR_SUCCESS) { + if (((uid == finfo.user) && +- ((finfo.protection & APR_FPROT_UREAD))) || ++ (finfo.protection & APR_FPROT_UREAD)) || + ((gid == finfo.group) && +- ((finfo.protection & APR_FPROT_GREAD))) ++ (finfo.protection & APR_FPROT_GREAD)) || ++ (finfo.protection & APR_FPROT_WREAD) + ) + { + return 1; + } +- return 0; + } + return 0; + } +@@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + } + ++ if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) ++ dbdir = (char *)mc->pCertificateDatabase + 4; ++ else ++ dbdir = (char *)mc->pCertificateDatabase; ++ + /* Assuming everything is ok so far, check the cert database permissions + * for the server user before Apache starts forking. We die now or + * get stuck in an endless loop not able to read the NSS database. 
+@@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + "Checking permissions for user %s: uid %d gid %d", + mc->user, pw->pw_uid, pw->pw_gid); + ++ if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, ++ "Server user %s lacks read access to NSS " ++ "database directory %s.", mc->user, dbdir); ++ nss_die(); ++ } ++ + if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) { + apr_snprintf(filepath, 1024, "%s/key4.db", + mc->pCertificateDatabase+4); +@@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + else + return; + } +- if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) +- dbdir = (char *)mc->pCertificateDatabase + 4; +- else +- dbdir = (char *)mc->pCertificateDatabase; + if (chdir(dbdir) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Unable to change directory to %s", mc->pCertificateDatabase); +-- +2.5.5 + diff --git a/SOURCES/mod_nss-clean-semaphore.patch b/SOURCES/mod_nss-clean-semaphore.patch new file mode 100644 index 0000000..0c2676a --- /dev/null +++ b/SOURCES/mod_nss-clean-semaphore.patch 
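Review bot: check_path() tests only the read bits, but the failure this patch targets is chdir() into dbdir, which depends on the directory's search (execute) bit: a directory with `r--` and no `x` still passes the new check and fails at `chdir(dbdir)`, while `--x` alone is rejected although the database files inside remain reachable by name. For the directory call, test APR_FPROT_UEXECUTE / APR_FPROT_GEXECUTE / APR_FPROT_WEXECUTE alongside the read bits, for example by giving check_path a mask parameter or adding a directory-specific variant. Separately, the new `(finfo.protection & APR_FPROT_WREAD)` branch means a world-readable key3.db/key4.db now passes silently; logging a warning when access is granted only through the world bits would surface that misconfiguration at startup. nss_init_SSLLibrary starts and ends outside the hunk.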
@@ -0,0 +1,102 @@ +From 985d17d57cfd5a36bfdecc891e9331210ea38ee4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 8 Aug 2016 10:12:01 -0400 +Subject: [PATCH] Fix semaphore leak in nss_pcache + +On shutdown Apache was sending a SIGTERM which caused the helper +to be killed rather than shutting down gracefully, resulting in +a leak of the semaphone lock in nss_pcache. + +Catch that signal and shut down gracefully instead. + +Resolves: #1364560 + +--- + nss_pcache.c | 43 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/nss_pcache.c b/nss_pcache.c +index a8b15f7..5e98adb 100644 +--- a/nss_pcache.c ++++ b/nss_pcache.c +@@ -95,6 +95,37 @@ struct Node + + /* global variables */ + Node *pinList = NULL; ++int semid = 0; ++PRFileDesc *in = NULL; ++PRFileDesc *out = NULL; ++ ++void cleanup() { ++ union semun semarg; ++ ++ freeList(pinList); ++ pinList = NULL; ++ ++ if (in) { ++ PR_Close(in); ++ in = NULL; ++ } ++ ++ if (NSS_IsInitialized()) { ++ NSS_Shutdown(); ++ } ++ ++ /* Remove the semaphore used for locking here. This is because this ++ * program only goes away when Apache shuts down so we don't have to ++ * worry about reloads. 
++ */ ++ semctl(semid, 0, IPC_RMID, semarg); ++} ++ ++void signalhandler(int signo) { ++ if (signo == SIGTERM) { ++ cleanup(); ++ } ++} + + /* + * CreatePk11PinStore +@@ -308,8 +339,6 @@ Pk11StoreGetPin(char **out, Pk11PinStore *store) + int main(int argc, char ** argv) + { + SECStatus rv; +- PRFileDesc *in; +- PRFileDesc *out; + PRPollDesc pd; + PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; + char buf[1024]; +@@ -318,7 +347,6 @@ int main(int argc, char ** argv) + char * tokenName; + char * tokenpw; + int fipsmode = 0; +- int semid = 0; + union semun semarg; + + if (argc < 4 || argc > 5) { +@@ -327,6 +355,7 @@ int main(int argc, char ** argv) + } + + signal(SIGHUP, SIG_IGN); ++ signal(SIGTERM, signalhandler); + + semid = strtol(argv[1], NULL, 10); + +@@ -459,13 +488,7 @@ int main(int argc, char ** argv) + } + } + } +- freeList(pinList); +- PR_Close(in); +- /* Remove the semaphore used for locking here. This is because this +- * program only goes away when Apache shuts down so we don't have to +- * worry about reloads. +- */ +- semctl(semid, 0, IPC_RMID, semarg); ++ cleanup(); + return 0; + } + +-- +1.8.3.1 + diff --git a/SOURCES/mod_nss-conf.patch b/SOURCES/mod_nss-conf.patch new file mode 100644 index 0000000..51fd900 --- /dev/null +++ b/SOURCES/mod_nss-conf.patch 
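Review bot: signalhandler() calls cleanup() directly, and cleanup() runs freeList(), PR_Close(), NSS_Shutdown() and semctl(), none of which is async-signal-safe; if SIGTERM arrives while main() is inside NSPR or the allocator this can deadlock or corrupt the heap. The handler also returns instead of exiting, so main() resumes its loop with `in` closed and set to NULL while `pd` still refers to the old descriptor. Have the handler only set a `volatile sig_atomic_t` flag, let the poll loop (outside the hunk) leave when the flag is set, treating PR_Poll's return on the interrupt as "check the flag" rather than as an error, and keep the single `cleanup()` call at the end of main(). `void cleanup()` should also be declared `void cleanup(void)`.
```c
static volatile sig_atomic_t got_sigterm = 0;

void signalhandler(int signo) {
    if (signo == SIGTERM) {
        got_sigterm = 1;   /* only set a flag; cleanup() is not async-signal-safe */
    }
}
/* … unchanged: cleanup(); main()'s poll loop additionally breaks when got_sigterm is set … */
```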
@@ -0,0 +1,75 @@ +From bc24e3c0a438a2b6f177227b3340b516c15292a8 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 20 Feb 2014 17:21:41 -0500 +Subject: [PATCH] Configure nss.conf.in to match Fedora filesystem layout + +--- + nss.conf.in | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/nss.conf.in b/nss.conf.in +index c941ecf..349a810 100644 +--- a/nss.conf.in ++++ b/nss.conf.in +@@ -8,14 +8,16 @@ + # consult the online docs. You have been warned. + # + ++LoadModule nss_module modules/libmodnss.so ++ + # + # When we also provide SSL we have to listen to the + # standard HTTP port (see above) and to the HTTPS port + # + # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" ++# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" + # +-Listen 443 ++Listen 8443 + + ## + ## SSL Global Context +@@ -79,17 +81,17 @@ NSSRequireSafeNegotiation off + ## SSL Virtual Host Context + ## + +- ++ + + # General setup for the virtual host + #DocumentRoot "@apache_prefix@/htdocs" +-#ServerName www.example.com:443 ++#ServerName www.example.com:8443 + #ServerAdmin you@example.com + + # mod_nss can log to separate log files, you can choose to do that if you'd like + # LogLevel is not inherited from httpd.conf. +-#ErrorLog @apache_prefix@/logs/error_log +-#TransferLog @apache_prefix@/logs/access_log ++ErrorLog @apache_prefix@/logs/error_log ++TransferLog @apache_prefix@/logs/access_log + LogLevel warn + + # SSL Engine Switch: +@@ -133,7 +135,7 @@ NSSNickname Server-Cert + # The NSS security database directory that holds the certificates and + # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. + # Provide the directory that these files exist. 
+-NSSCertificateDatabase @apache_conf@ ++NSSCertificateDatabase /etc/httpd/alias + + # Database Prefix: + # In order to be able to store multiple NSS databases in one directory +@@ -209,7 +211,7 @@ NSSCertificateDatabase @apache_conf@ + + NSSOptions +StdEnvVars + +- ++ + NSSOptions +StdEnvVars + + +-- +1.7.11.7 + diff --git a/SOURCES/mod_nss-defaultcipherlist.patch b/SOURCES/mod_nss-defaultcipherlist.patch new file mode 100644 index 0000000..85959a2 --- /dev/null +++ b/SOURCES/mod_nss-defaultcipherlist.patch 
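Review bot: The rewritten comment `"Listen [::]:8443" and "Listen 0.0.0.0:443"` mixes the new 8443 port with the old 443, so an admin following it literally would bind different ports for IPv6 and IPv4; it should read `# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"`. The `#ServerName www.example.com:8443` line was updated consistently, so only the comment is out of step.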
@@ -0,0 +1,53 @@ +From 04b6d11d7745b319fad127622f45bfb99759a8d7 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 17 May 2016 14:02:24 -0400 +Subject: [PATCH] Work around missing ndg-httpsclient breaking import of + pyopenssl + +--- + test/test_request.py | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/test/test_request.py b/test/test_request.py +index 5d2a525..254b31c 100644 +--- a/test/test_request.py ++++ b/test/test_request.py +@@ -8,8 +8,13 @@ import logging + import socket + from requests.packages.urllib3.util import get_host + from requests.packages.urllib3.util.timeout import Timeout +-from requests.packages.urllib3.contrib import pyopenssl + from requests.packages.urllib3.connectionpool import HTTPConnectionPool, HTTPSConnectionPool, VerifiedHTTPSConnection ++try: ++ from requests.packages.urllib3.contrib.pyopenssl import DEFAULT_SSL_CIPHER_LIST ++except ImportError: ++ DEFAULT_SSL_CIPHER_LIST = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:" + \ ++ "ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:" + \ ++ "!aNULL:!MD5:!DSS" + + # Don't bend over backwards for ssl support, assume it is there. 
+ import ssl +@@ -33,7 +38,7 @@ except ImportError: + # Other older python we use the urllib3 bundled copy + from urllib3.packages.ssl_match_hostname import match_hostname, CertificateError + +-SAVE_DEFAULT_SSL_CIPHER_LIST = pyopenssl.DEFAULT_SSL_CIPHER_LIST ++SAVE_DEFAULT_SSL_CIPHER_LIST = DEFAULT_SSL_CIPHER_LIST + + log = logging.getLogger(__name__) + +@@ -141,9 +146,9 @@ class MyVerifiedHTTPSConnection(VerifiedHTTPSConnection): + def connect(self): + if self.sni: + if self.ciphers: +- pyopenssl.DEFAULT_SSL_CIPHER_LIST = self.ciphers ++ DEFAULT_SSL_CIPHER_LIST = self.ciphers + else: +- pyopenssl.DEFAULT_SSL_CIPHER_LIST = SAVE_DEFAULT_SSL_CIPHER_LIST ++ DEFAULT_SSL_CIPHER_LIST = SAVE_DEFAULT_SSL_CIPHER_LIST + return super(MyVerifiedHTTPSConnection, self).connect() + + # Add certificate verification +-- +2.5.5 + diff --git a/SOURCES/mod_nss-gencert.patch b/SOURCES/mod_nss-gencert.patch new file mode 100644 index 0000000..6a8bbde --- /dev/null +++ b/SOURCES/mod_nss-gencert.patch 
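Review bot: `DEFAULT_SSL_CIPHER_LIST = self.ciphers` inside connect() now creates a method-local variable; neither the module-level name nor `pyopenssl.DEFAULT_SSL_CIPHER_LIST`, the value the urllib3 shim uses when it wraps the socket, is changed, so the cipher override the test suite relies on has become a no-op. A `global` statement would not fix it either, because the shim reads its own module global, not test_request's. Keep a reference to the pyopenssl module when the import succeeds and assign through it, falling back to a no-op only when the module is genuinely absent.
```python
try:
    from requests.packages.urllib3.contrib import pyopenssl
    DEFAULT_SSL_CIPHER_LIST = pyopenssl.DEFAULT_SSL_CIPHER_LIST
except ImportError:
    pyopenssl = None
    # … unchanged: fallback DEFAULT_SSL_CIPHER_LIST string …

# … unchanged: SAVE_DEFAULT_SSL_CIPHER_LIST, log, class header …
    def connect(self):
        # The shim reads its own module global, so that is what must be rebound.
        if self.sni and pyopenssl is not None:
            if self.ciphers:
                pyopenssl.DEFAULT_SSL_CIPHER_LIST = self.ciphers
            else:
                pyopenssl.DEFAULT_SSL_CIPHER_LIST = SAVE_DEFAULT_SSL_CIPHER_LIST
        return super(MyVerifiedHTTPSConnection, self).connect()
```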
@@ -0,0 +1,44 @@ +From 4908fdb78aaf4434e4519fe0809383dc69778823 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 17 May 2016 11:34:06 -0400 +Subject: [PATCH] Modify gencert to create a password-less database + +--- + gencert.in | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/gencert.in b/gencert.in +index 0fd1c67..659a9fc 100755 +--- a/gencert.in ++++ b/gencert.in +@@ -115,7 +115,7 @@ done + echo "TEST = $TEST" + echo "SNI = $SNI" + +-echo "httptest" > $DEST/pw.txt ++echo -e "\n" > $DEST/pw.txt + + function generate_server_sni_cert { + hostname=$1 +@@ -172,8 +172,7 @@ function generate_server_sni_cert { + + echo "" + echo "#####################################################################" +-echo "Generating new server certificate and key database. The password" +-echo "is httptest" ++echo "Generating new server certificate and key database." + echo "#####################################################################" + $CERTUTIL -N -d $DBDIR -f $DEST/pw.txt + +@@ -328,8 +327,4 @@ echo "#####################################################################" + rm $DEST/pw.txt + rm $DEST/noise + +-echo "" +-echo "The database password is httptest" +-echo "" +- + exit 0 +-- +2.5.5 + diff --git a/SOURCES/mod_nss-group-permissions.patch b/SOURCES/mod_nss-group-permissions.patch new file mode 100644 index 0000000..c4d7ef0 --- /dev/null +++ b/SOURCES/mod_nss-group-permissions.patch 
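Review bot: `echo -e "\n" > $DEST/pw.txt` writes two newline characters and depends on a bash-specific echo flag; `printf '\n' > "$DEST/pw.txt"` (or `: > "$DEST/pw.txt"` for an empty file) is portable and states the intent, an empty token password, directly — I assume certutil -f reads only the first line, which should be confirmed. With both `httptest` messages deleted the script now says nothing about the password at all, yet the private key in key*.db is from now on protected only by file permissions on the database directory; print that explicitly, e.g. `echo "The database has no password; access is controlled by the file permissions on $DBDIR"`.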
@@ -0,0 +1,127 @@ +From 302905ffe8fdcb9abdf36f16bc4420f5e1dbab01 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 23 Feb 2017 13:06:21 -0500 +Subject: [PATCH] Handle group membership when testing for file permissions + +This was a bit of a corner case but group membership wasn't +considered when trying to determine if the NSS databases are +readable. + +Resolves BZ 1395300 +--- + nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 33 insertions(+), 12 deletions(-) + +diff --git a/nss_engine_init.c b/nss_engine_init.c +index 0bb2054..14f86d8 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -29,6 +29,7 @@ + #include "cert.h" + #include + #include ++#include + + static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); + static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); +@@ -56,17 +57,33 @@ static char *version_components[] = { + * Return 0 on failure or file doesn't exist + * Return 1 on success + */ +-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p) ++static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath, ++ apr_pool_t *p) + { + apr_finfo_t finfo; +- int rv; ++ PRBool in_group = PR_FALSE; ++ struct group *gr; ++ int i = 0; ++ ++ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p)) ++ == APR_SUCCESS) { ++ if ((gr = getgrgid(finfo.group)) == NULL) { ++ return 0; ++ } + +- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, +- p)) == APR_SUCCESS) { ++ if (gid == finfo.group) { ++ in_group = PR_TRUE; ++ } else { ++ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) { ++ if (!strcasecmp(user, gr->gr_mem[i++])) { ++ in_group = PR_TRUE; ++ break; ++ } ++ } ++ } + if (((uid == finfo.user) && + (finfo.protection & APR_FPROT_UREAD)) || +- ((gid == finfo.group) && +- (finfo.protection & APR_FPROT_GREAD)) || ++ (in_group && (finfo.protection & APR_FPROT_GREAD)) || + (finfo.protection & APR_FPROT_WREAD) 
+ ) + { +@@ -176,7 +193,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + "Checking permissions for user %s: uid %d gid %d", + mc->user, pw->pw_uid, pw->pw_gid); + +- if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, dbdir, p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS " + "database directory %s.", mc->user, dbdir); +@@ -186,7 +203,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) { + apr_snprintf(filepath, 1024, "%s/key4.db", + mc->pCertificateDatabase+4); +- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, ++ p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS key " + "database %s.", mc->user, filepath); +@@ -194,7 +212,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + apr_snprintf(filepath, 1024, "%s/cert9.db", + mc->pCertificateDatabase+4); +- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, ++ p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS cert " + "database %s.", mc->user, filepath); +@@ -203,7 +222,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } else { + apr_snprintf(filepath, 1024, "%s/key3.db", + mc->pCertificateDatabase); +- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, ++ p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS key " + "database %s.", mc->user, filepath); +@@ -211,7 +231,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + 
apr_snprintf(filepath, 1024, "%s/cert8.db", + mc->pCertificateDatabase); +- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, ++ p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS cert " + "database %s.", mc->user, filepath); +@@ -219,7 +240,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + apr_snprintf(filepath, 1024, "%s/secmod.db", + mc->pCertificateDatabase); +- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { ++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS secmod " + "database %s.", mc->user, filepath); +-- +2.9.3 + diff --git a/SOURCES/mod_nss-invalid-protocol-setting.patch b/SOURCES/mod_nss-invalid-protocol-setting.patch new file mode 100644 index 0000000..4e12a53 --- /dev/null +++ b/SOURCES/mod_nss-invalid-protocol-setting.patch @@ -0,0 +1,29 @@ +From dc6afabbd94fa5b8e1da286ba387814e5df70ff1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 3 Feb 2017 08:06:14 -0500 +Subject: [PATCH] Make an invalid protocol setting fatal + +An invalid protocol setting would end up with the default +list which is a bit unexpected so kill the server and let +the admin figure out what went wrong and fix it. + +Resolves BZ 1389114 +--- + nss_engine_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/nss_engine_init.c b/nss_engine_init.c +index 03ac644..0bb2054 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -785,6 +785,7 @@ static void nss_init_ctx_protocol(server_rec *s, + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%s: Unknown protocol '%s' not supported", + protocol_marker, token); ++ nss_die(); + } + } + } +-- +2.9.3 + diff --git a/SOURCES/mod_nss-nss_pcache_man.patch b/SOURCES/mod_nss-nss_pcache_man.patch new file mode 100644 index 0000000..bf29bdc 
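Review bot: In check_path() the new `if ((gr = getgrgid(finfo.group)) == NULL) return 0;` makes an unresolvable gid fatal even when the server user owns the file or the world-read bit is set, which the original owner/world checks would have accepted; treat a missing group entry as "not a member" and let the remaining bits decide. `strcasecmp(user, gr->gr_mem[i++])` compares account names case-insensitively although Unix user names are case-sensitive, so `Apache` would match `apache`; use `strcmp`. check_path()'s closing bit test and return are outside the hunk; the callers in nss_init_SSLLibrary only gain the extra argument.
```c
        if (gid == finfo.group) {
            in_group = PR_TRUE;
        } else if ((gr = getgrgid(finfo.group)) != NULL) {
            /* An unknown gid only means "not a member"; owner and world bits still apply. */
            while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
                if (!strcmp(user, gr->gr_mem[i++])) {   /* user names are case-sensitive */
                    in_group = PR_TRUE;
                    break;
                }
            }
        }
        /* … unchanged: UREAD/GREAD/WREAD test and return … */
```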
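Review bot: The message preceding the new `nss_die()` is still logged at APLOG_WARNING although the condition is now fatal, so an admin whose LogLevel filters warnings sees the server exit with no stated cause; change it to `ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,`. Elsewhere in this file fatal init errors go through `if (mc->nInitCount == 1) nss_die(); else return;` so that a bad directive on a graceful restart does not take down a running server; whether nss_init_ctx_protocol has mc in scope is not visible here, so confirm an unconditional die is intended. The enclosing function continues outside the hunk.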
--- /dev/null
+++ b/SOURCES/mod_nss-nss_pcache_man.patch
@@ -0,0 +1,67 @@ +From e50c94c0e52659633418d590ac68001e44fb5edf Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 10 May 2017 12:32:34 -0400 +Subject: [PATCH] Update nss_pcache.8 man page to drop directory and prefix + +I missed updating this when I made the change to drop sharing the +NSS database between Apache and nss_pcache. +--- + nss_pcache.8 | 31 ++----------------------------- + 1 file changed, 2 insertions(+), 29 deletions(-) + +diff --git a/nss_pcache.8 b/nss_pcache.8 +index 1641f48..5e9743f 100644 +--- a/nss_pcache.8 ++++ b/nss_pcache.8 +@@ -14,12 +14,12 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "nss_pcache" "8" "Jul 1 2013" "Rob Crittenden" "" ++.TH "nss_pcache" "8" "May 10 2017" "Rob Crittenden" "" + .SH "NAME" + nss_pcache \- Helper program used to store token password pins + + .SH "SYNOPSIS" +-nss_pcache [prefix] ++nss_pcache + + .SH "DESCRIPTION" + A helper program used by the Apache \fBhttpd\fP mod_nss plug-in to store the NSS PKCS #11 token password pins between restarts of Apache. +@@ -55,33 +55,6 @@ tab(;); + ll,ll. + ;NSSFIPS on + .TE +-.TP +-.B +-Specifies the destination directory of the NSS databases that will be associated with this executable specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP: +-.IP +-.TS +-tab(;); +-ll,ll. +-;# Server Certificate Database: +-;# The NSS security database directory that holds the +-;# certificates and keys. The database consists +-;# of 3 files: cert8.db, key3.db and secmod.db. +-;# Provide the directory that these files exist. +-;NSSCertificateDatabase /etc/httpd/alias +-.TE +-.TP +-.B [prefix] +-Optional prefix to attach prior to the names of the NSS certificate and key databases contained in the directory referenced by the previous argument and specified by the following entry in \fB/etc/httpd/conf.d/nss.conf\fP (must be uncommented in order to be utilized): +-.IP +-.TS +-tab(;); +-ll,ll. 
+-;# Database Prefix: +-;# In order to be able to store multiple NSS databases +-;# in one directory they need unique names. This option +-;# sets the database prefix used for cert8.db and key3.db. +-;#NSSDBPrefix my-prefix- +-.TE + + .SH BUGS + Report bugs to http://bugzilla.redhat.com. +-- +2.9.3 + diff --git a/SOURCES/mod_nss-ocsp-tuning-knobs.patch b/SOURCES/mod_nss-ocsp-tuning-knobs.patch new file mode 100644 index 0000000..3635a34 --- /dev/null +++ b/SOURCES/mod_nss-ocsp-tuning-knobs.patch @@ -0,0 +1,303 @@ +From 8d6121731175f3a9a1fa1fbe3752763b0b48a67d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 31 Oct 2016 15:06:36 -0400 +Subject: [PATCH] Add OCSP cache and timeout tuning knobs + +NSS provides functions to control the timeout for connecting to +an OCSP server and for caching the results. This includes the +number of responses to cache and the duration to cache them. + +Based on a patch by Jack Magne +--- + docs/mod_nss.html | 42 ++++++++++++++++++++++++++ + mod_nss.c | 12 ++++++++ + mod_nss.h | 8 +++++ + nss_engine_config.c | 86 +++++++++++++++++++++++++++++++++++++++++++---------- + nss_engine_init.c | 47 +++++++++++++++++++++++++++++ + 5 files changed, 179 insertions(+), 16 deletions(-) + +diff --git a/docs/mod_nss.html b/docs/mod_nss.html +index 65d0bd8..655d2f2 100644 +--- a/docs/mod_nss.html ++++ b/docs/mod_nss.html +@@ -544,6 +544,48 @@ Example
+
+ NSSOCSP on
+
++NSSOCSPTimeout
++
++Configure the maximum time to wait for an OCSP response in seconds. ++There are no constraints or special meanings for this value. The default ++is 60 seconds. ++
++
++Example
++
++NSSOCSPTimeout 30
++
++NSSOCSPCacheSize
++
++Configures the maximum number of entries in the OCSP cache. A value of ++-1 will disable the cache completely. A value of 0 configures an unlimited ++number of cache entries. The default is 1000. ++
++
++Example
++
++NSSOCSPCacheSize 300
++
++NSSOCSPMinCacheEntryDuration
++
++Configure the minimum amount of time an OCSP response is cached in seconds. ++The default is 3600 seconds (1 hour). ++
++
++Example
++
++NSSOCSPMinCacheEntryDuration 30
++
++NSSOCSPMaxCacheEntryDuration
++
++Configure the maximum amount of time an OCSP response is cached in seconds ++before being updated. The default is 86400 seconds (24 hours). ++
++
++Example
++
++NSSOCSPMaxCacheEntryDuration 300
++
+ NSSCipherSuite
+

+ There are two options for configuring the available ciphers. mod_nss +diff --git a/mod_nss.c b/mod_nss.c +index 38098c8..dca5a73 100644 +--- a/mod_nss.c ++++ b/mod_nss.c +@@ -66,6 +66,18 @@ static const command_rec nss_config_cmds[] = { + SSL_CMD_SRV(OCSP, FLAG, + "OCSP (Online Certificate Status Protocol)" + "(`on', `off')") ++ SSL_CMD_SRV(OCSPTimeout, TAKE1, ++ "OCSP Timeout" ++ "(`N' - Max number of seconds to wait for an OCSP response.)") ++ SSL_CMD_SRV(OCSPCacheSize, TAKE1, ++ "OCSP Cache size" ++ "(`N' - number of entries -1 for no cache)") ++ SSL_CMD_SRV(OCSPMinCacheEntryDuration, TAKE1, ++ "OCSP Minimum time until next fetch attempt" ++ "(`N' - Time in seconds)") ++ SSL_CMD_SRV(OCSPMaxCacheEntryDuration, TAKE1, ++ "OCSP Maximum time until next fetch attempt" ++ "(`N' - Time in seconds)") + SSL_CMD_SRV(OCSPDefaultResponder, FLAG, + "Use a default OCSP Responder" + "(`on', `off')") +diff --git a/mod_nss.h b/mod_nss.h +index 226f7a8..8643e88 100644 +--- a/mod_nss.h ++++ b/mod_nss.h +@@ -325,6 +325,10 @@ struct SSLSrvConfigRec { + const char *ocsp_url; + const char *ocsp_name; + BOOL ocsp; ++ int ocsp_timeout; ++ int ocsp_cache_size; ++ int ocsp_min_cache_entry_duration; ++ int ocsp_max_cache_entry_duration; + BOOL enabled; + BOOL sni; + BOOL strict_sni_vhost_check; +@@ -398,6 +402,10 @@ const char *nss_cmd_NSSSNI(cmd_parms *, void *, int); + const char *nss_cmd_NSSStrictSNIVHostCheck(cmd_parms *, void *, int); + const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); + const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); ++const char *nss_cmd_NSSOCSPTimeout(cmd_parms *, void *, const char *arg); ++const char *nss_cmd_NSSOCSPCacheSize(cmd_parms *, void *, const char *arg); ++const char *nss_cmd_NSSOCSPMinCacheEntryDuration(cmd_parms *, void *, const char *arg); ++const char *nss_cmd_NSSOCSPMaxCacheEntryDuration(cmd_parms *, void *, const char *arg); + const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); + const char 
*nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg); + const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg); +diff --git a/nss_engine_config.c b/nss_engine_config.c +index e1fbe41..597d56d 100644 +--- a/nss_engine_config.c ++++ b/nss_engine_config.c +@@ -129,22 +129,26 @@ static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p) + { + SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc)); + +- sc->mc = NULL; +- sc->ocsp = UNSET; +- sc->ocsp_default = UNSET; +- sc->ocsp_url = NULL; +- sc->ocsp_name = NULL; +- sc->fips = UNSET; +- sc->enabled = UNSET; +- sc->sni = TRUE; +- sc->strict_sni_vhost_check = TRUE; +- sc->proxy_enabled = UNSET; +- sc->vhost_id = NULL; /* set during module init */ +- sc->vhost_id_len = 0; /* set during module init */ +- sc->proxy = NULL; +- sc->server = NULL; +- sc->proxy_ssl_check_peer_cn = TRUE; +- sc->session_tickets = FALSE; ++ sc->mc = NULL; ++ sc->ocsp = UNSET; ++ sc->ocsp_timeout = 60; ++ sc->ocsp_cache_size = 1000; ++ sc->ocsp_min_cache_entry_duration = 1*60*60L; ++ sc->ocsp_max_cache_entry_duration = 24*60*60L; ++ sc->ocsp_default = UNSET; ++ sc->ocsp_url = NULL; ++ sc->ocsp_name = NULL; ++ sc->fips = UNSET; ++ sc->enabled = UNSET; ++ sc->sni = TRUE; ++ sc->strict_sni_vhost_check = TRUE; ++ sc->proxy_enabled = UNSET; ++ sc->vhost_id = NULL; /* set during module init */ ++ sc->vhost_id_len = 0; /* set during module init */ ++ sc->proxy = NULL; ++ sc->server = NULL; ++ sc->proxy_ssl_check_peer_cn = TRUE; ++ sc->session_tickets = FALSE; + + modnss_ctx_init_proxy(sc, p); + +@@ -213,6 +217,10 @@ void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv) { + + cfgMerge(mc, NULL); + cfgMergeBool(ocsp); ++ cfgMergeInt(ocsp_timeout); ++ cfgMergeInt(ocsp_cache_size); ++ cfgMergeInt(ocsp_min_cache_entry_duration); ++ cfgMergeInt(ocsp_max_cache_entry_duration); + cfgMergeBool(ocsp_default); + cfgMerge(ocsp_url, NULL); + cfgMerge(ocsp_name, NULL); +@@ -376,6 +384,52 @@ const char 
*nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag) + return NULL; + } + ++const char *nss_cmd_NSSOCSPTimeout(cmd_parms *cmd, void *dcfg, const char *arg) ++{ ++ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->ocsp_timeout = atoi(arg); ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSOCSPCacheSize(cmd_parms *cmd, void *dcfg, const char *arg) ++{ ++ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->ocsp_cache_size = atoi(arg); ++ ++ if (sc->ocsp_cache_size < -1) { ++ return "NSSOCSPCacheSize: must be >= -1"; ++ } ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSOCSPMinCacheEntryDuration(cmd_parms *cmd, void *dcfg, ++ const char *arg) ++{ ++ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->ocsp_min_cache_entry_duration = atoi(arg); ++ ++ return NULL; ++} ++ ++const char *nss_cmd_NSSOCSPMaxCacheEntryDuration(cmd_parms *cmd, void *dcfg, ++ const char *arg) ++{ ++ ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++ ++ sc->ocsp_max_cache_entry_duration = atoi(arg); ++ ++ return NULL; ++} ++ + const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag) + { + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); +diff --git a/nss_engine_init.c b/nss_engine_init.c +index 14f86d8..2571591 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -174,6 +174,18 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + } + ++ if (ocspenabled) { ++ if (sc->ocsp_min_cache_entry_duration > sc->ocsp_max_cache_entry_duration) { ++ ap_log_error(APLOG_MARK,APLOG_ERR, 0, base_server, ++ "OCSP minimum cache duration must be less than the maximum."); ++ ++ if (mc->nInitCount == 1) ++ nss_die(); ++ else ++ return; ++ } ++ } ++ + if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) + dbdir = (char *)mc->pCertificateDatabase + 4; + else +@@ -343,10 +355,45 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) + } + + if (ocspenabled) { ++ SECStatus rv; ++ + 
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); + ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, + "OCSP is enabled."); + ++ /* Set desired OCSP Cache Settings, values already checked. */ ++ rv = CERT_OCSPCacheSettings((PRInt32)sc->ocsp_cache_size, ++ (PRUint32)sc->ocsp_min_cache_entry_duration, ++ (PRUint32)sc->ocsp_max_cache_entry_duration); ++ ++ if (rv == SECFailure) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, ++ "Unable to set the OCSP cache settings."); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); ++ if (mc->nInitCount == 1) ++ nss_die(); ++ else ++ return; ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, ++ "OCSP cache size %d, duration %d - %d seconds.", sc->ocsp_cache_size, sc->ocsp_min_cache_entry_duration, sc->ocsp_max_cache_entry_duration); ++ } ++ ++ /* Set OCSP timeout. */ ++ rv = CERT_SetOCSPTimeout((PRUint32) sc->ocsp_timeout); ++ if (rv == SECFailure) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, ++ "Unable to set the OCSP timeout. (this shouldn't happen."); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); ++ if (mc->nInitCount == 1) ++ nss_die(); ++ else ++ return; ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, ++ "OCSP timeout set to %d.", sc->ocsp_timeout); ++ } ++ + /* We ensure that ocspname and ocspurl are not NULL above. */ + if (ocspdefault) { + SECStatus sv; +-- +2.9.3 + diff --git a/SOURCES/mod_nss-pcache_nodbinit.patch b/SOURCES/mod_nss-pcache_nodbinit.patch new file mode 100644 index 0000000..0968caf --- /dev/null +++ b/SOURCES/mod_nss-pcache_nodbinit.patch 
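Review bot: The four new directive handlers in nss_engine_config.c parse with `atoi(arg)`, so `NSSOCSPTimeout abc` silently becomes 0 and a negative duration is later cast to PRUint32 in nss_init_SSLLibrary and wraps to a huge value; parse with strtol, reject trailing junk, ERANGE and out-of-range values, and return an error string as nss_cmd_NSSOCSPCacheSize already does for `< -1` (this needs errno.h and limits.h). The same applies to nss_cmd_NSSOCSPCacheSize and the two CacheEntryDuration handlers. Note also that `cfgMergeInt(ocsp_cache_size)` will treat a configured `-1` as "unset" if UNSET is defined as -1 (as in mod_ssl), so a vhost asking for "no cache" would inherit the base value instead; worth checking the macro. The min/max check logs "must be less than the maximum" while the test is `>`, so equal values are accepted; "must not exceed" matches the code.
```c
const char *nss_cmd_NSSOCSPTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    /* Reject non-numeric input, trailing characters, overflow and negatives:
     * the value is later cast to PRUint32, so a negative int would wrap. */
    if (end == arg || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX) {
        return "NSSOCSPTimeout: must be a non-negative integer number of seconds";
    }
    sc->ocsp_timeout = (int)v;

    return NULL;
}
/* … same validation for NSSOCSPCacheSize (lower bound -1) and the two CacheEntryDuration handlers … */
```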
@@ -0,0 +1,163 @@ +From 395280a1e87ce876f3a601c00a429e852bfc9f3b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 23 Nov 2016 09:53:02 -0500 +Subject: [PATCH] Don't use same NSS db in nss_pcache as mod_nss, use + NSS_NoDB_Init() + +This is to avoid doing the wrapping within an HSM. There have been +reports of disconnects which causes future mod_nss children to fail +to spawn because the PIN cannot be retrieved. + +A side-effect is that nss_pcache is only used for storage now. It used +to also verify that the PIN was correct since it had the NSS database +with the token available. + +mod_nss will be responsible for validating the PIN which it already +does. + +This move is also needed if mod_nss eventually moves to using +NSS Contexts because multiple databases may be configured at once. +--- + docs/mod_nss.html | 4 ++-- + nss_engine_init.c | 6 ++---- + nss_pcache.c | 34 ++++++---------------------------- + nss_pcache.h | 2 +- + 4 files changed, 11 insertions(+), 35 deletions(-) + +diff --git a/docs/mod_nss.html b/docs/mod_nss.html +index 655d2f2..c3ae924 100644 +--- a/docs/mod_nss.html ++++ b/docs/mod_nss.html +@@ -1811,7 +1811,7 @@ httpd.service - The Apache HTTP Server + Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec" + CGroup: name=systemd:/system/httpd.service + |_____20807 /usr/sbin/httpd -DFOREGROUND +- |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias ++ |_____20808 /usr/libexec/nss_pcache 10027086 off + |_____20809 /usr/sbin/httpd -DFOREGROUND + |_____20810 /usr/sbin/httpd -DFOREGROUND + |_____20811 /usr/sbin/httpd -DFOREGROUND +@@ -1972,7 +1972,7 @@ httpd.service - The Apache HTTP Server + Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec" + CGroup: name=systemd:/system/httpd.service + |_____21299 /usr/sbin/httpd -DFOREGROUND +- |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias ++ |_____21300 /usr/libexec/nss_pcache 10289231 on + |_____21340 /usr/sbin/httpd 
-DFOREGROUND + |_____21341 /usr/sbin/httpd -DFOREGROUND + |_____21342 /usr/sbin/httpd -DFOREGROUND +diff --git a/nss_engine_init.c b/nss_engine_init.c +index 2571591..bf90994 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -582,7 +582,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, + + /* Do we need to fire up our password helper? */ + if (mc->nInitCount == 1) { +- const char * child_argv[6]; ++ const char * child_argv[4]; + apr_status_t rv; + struct sembuf sb; + char sembuf[32]; +@@ -615,9 +615,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, + child_argv[0] = mc->pphrase_dialog_helper; + child_argv[1] = sembuf; + child_argv[2] = fipsenabled ? "on" : "off"; +- child_argv[3] = mc->pCertificateDatabase; +- child_argv[4] = mc->pDBPrefix; +- child_argv[5] = NULL; ++ child_argv[3] = NULL; + + rv = apr_procattr_create(&mc->procattr, mc->pPool); + +diff --git a/nss_pcache.c b/nss_pcache.c +index 5e98adb..d0e457b 100644 +--- a/nss_pcache.c ++++ b/nss_pcache.c +@@ -131,7 +131,7 @@ void signalhandler(int signo) { + * CreatePk11PinStore + */ + int +-CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin) ++CreatePk11PinStore(Pk11PinStore **out, const char *pin) + { + int err = PIN_SUCCESS; + Pk11PinStore *store; +@@ -146,29 +146,9 @@ CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin) + store->params = 0; + store->crypt = 0; + +- /* Use the tokenName to find a PKCS11 slot */ +- store->slot = PK11_FindSlotByName((char *)tokenName); ++ store->slot = PK11_GetInternalSlot(); + if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; } + +- /* Check the password/PIN. 
This allows access to the token */ +- { +- SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin); +- +- if (rv == SECSuccess) +- ; +- else if (rv == SECWouldBlock) +- { +- /* NSS returns a blocking error when the pin is wrong */ +- err = PIN_INCORRECTPW; +- break; +- } +- else +- { +- err = PIN_SYSTEMERROR; +- break; +- } +- } +- + /* Find the mechanism that this token can do */ + { + const mech_item *tp; +@@ -349,8 +329,8 @@ int main(int argc, char ** argv) + int fipsmode = 0; + union semun semarg; + +- if (argc < 4 || argc > 5) { +- fprintf(stderr, "Usage: nss_pcache [prefix]\n"); ++ if (argc != 3) { ++ fprintf(stderr, "Usage: nss_pcache \n"); + exit(1); + } + +@@ -368,8 +348,7 @@ int main(int argc, char ** argv) + /* Set the PKCS #11 strings for the internal token. */ + PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); + +- /* Initialize NSS and open the certificate database read-only. */ +- rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY); ++ rv = NSS_NoDB_Init(NULL); + + if (rv != SECSuccess) { + fprintf(stderr, "Unable to initialize NSS database: %d\n", rv); +@@ -436,8 +415,7 @@ int main(int argc, char ** argv) + node->next = 0; + + if (err == PIN_SUCCESS) +- err = CreatePk11PinStore(&node->store, +- tokenName, tokenpw); ++ err = CreatePk11PinStore(&node->store, tokenpw); + memset(tokenpw, 0, strlen(tokenpw)); + } + } else +diff --git a/nss_pcache.h b/nss_pcache.h +index 74cb19d..a0b8e62 100644 +--- a/nss_pcache.h ++++ b/nss_pcache.h +@@ -21,7 +21,7 @@ + + typedef struct Pk11PinStore Pk11PinStore; + +-int CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin); ++int CreatePk11PinStore(Pk11PinStore **out, const char *pin); + + int Pk11StoreGetPin(char **out, Pk11PinStore *store); + +-- +2.9.3 + 
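Review bot: After the switch to `PK11_GetInternalSlot()` in CreatePk11PinStore, the `err = PIN_NOSUCHTOKEN` on the following line no longer describes the failure: there is no named token to miss any more, only the software slot of an NSS_NoDB_Init() instance, so `err = PIN_SYSTEMERROR` (or a comment saying why the old code is deliberately kept for mod_nss's sake) would be more accurate. The commit message records that PIN checking now happens in mod_nss, but the function body does not; a comment above the slot lookup, `/* The PIN is only wrapped and stored here; it is not verified against any token (no DB is loaded), mod_nss validates it. */`, puts that contract where the next reader of this file looks, and should also note that the wrapping key now lives in the software token rather than the configured HSM. The new `Usage: nss_pcache \n` string appears to have lost its argument placeholders (the removed line still shows `[prefix]`); that may be a rendering artefact of the angle brackets, so it is worth checking in the raw file.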
diff --git a/SOURCES/mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch b/SOURCES/mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch new file mode 100644 index 0000000..f2eac44 --- /dev/null +++ b/SOURCES/mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch @@ -0,0 +1,41 @@ +From 84b4350da4e77a3cb313e531fa0c2979d74a2503 Mon Sep 17 00:00:00 2001 +From: Vitezslav Cizek +Date: Wed, 14 Sep 2016 14:50:52 -0400 +Subject: [PATCH] Remove deprecated NSSSessionCacheTimeout from default config. + +Signed-off-by: Vitezslav Cizek +--- + nss.conf.in | 2 -- + test/suite1.tmpl | 1 - + 2 files changed, 3 deletions(-) + +diff --git a/nss.conf.in b/nss.conf.in +index 9b9ffc8..09402a8 100644 +--- a/nss.conf.in ++++ b/nss.conf.in +@@ -44,10 +44,8 @@ NSSPassPhraseHelper /usr/libexec/nss_pcache + + # Configure the SSL Session Cache. + # NSSSessionCacheSize is the number of entries in the cache. +-# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). + # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). + NSSSessionCacheSize 10000 +-NSSSessionCacheTimeout 100 + NSSSession3CacheTimeout 86400 + + # +diff --git a/test/suite1.tmpl b/test/suite1.tmpl +index 2c09a89..a1bede1 100644 +--- a/test/suite1.tmpl ++++ b/test/suite1.tmpl +@@ -4,7 +4,6 @@ NSSPassPhraseDialog file:$SERVER_ROOT/conf/password.conf + NSSPassPhraseHelper $SERVER_ROOT/bin/nss_pcache + + NSSSessionCacheSize 10000 +-NSSSessionCacheTimeout 100 + NSSSession3CacheTimeout 86400 + + Listen 0.0.0.0:$SERVER_PORT +-- +2.9.5 + diff --git a/SOURCES/mod_nss-remove-r-user-from-hook-fixup.patch b/SOURCES/mod_nss-remove-r-user-from-hook-fixup.patch new file mode 100644 index 0000000..41dda9f --- /dev/null +++ b/SOURCES/mod_nss-remove-r-user-from-hook-fixup.patch 
@@ -0,0 +1,21 @@ +diff -rupN mod_nss-1.0.14.orig/nss_engine_kernel.c mod_nss-1.0.14/nss_engine_kernel.c +--- mod_nss-1.0.14.orig/nss_engine_kernel.c 2016-04-15 12:27:59.000000000 -0600 ++++ mod_nss-1.0.14/nss_engine_kernel.c 2016-06-27 13:18:09.571283114 -0600 +@@ -953,17 +953,6 @@ int nss_hook_Fixup(request_rec *r) + } + + /* +- * Set r->user if requested +- */ +- if (dc->szUserName) { +- val = nss_var_lookup(r->pool, r->server, r->connection, +- r, (char *)dc->szUserName); +- if (val && val[0]) { +- r->user = val; +- } +- } +- +- /* + * Annotate the SSI/CGI environment with standard SSL information + */ + /* the always present HTTPS (=HTTP over SSL) flag! */ diff --git a/SOURCES/mod_nss-session_cache.patch b/SOURCES/mod_nss-session_cache.patch new file mode 100644 index 0000000..e73bbc5 --- /dev/null +++ b/SOURCES/mod_nss-session_cache.patch 
@@ -0,0 +1,76 @@ +From 5709d481a3cd327c157a1f39a2e9018e0feefd75 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 7 Feb 2017 10:46:56 -0500 +Subject: [PATCH] Fix the TLS Session ID cache + +At some point that I never noticed the way I was trying to +determine whether the worker or prefork model was being used +broke such that the reverse of what I intended was happening +causing no session ID caching at all. + +My first crack at this fixed the query to be used which fixed +the prefork model but the worker model was only caching about +20% of requests. This is because it is a hybrid of +forked/threading so still needs the MP cache. + +By configuring MP for all I now get the expected level of +caching. I used the NSS tool strsclnt to confirm levels of +caching. +--- + nss_engine_init.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/nss_engine_init.c b/nss_engine_init.c +index aec845a..2ffff53 100644 +--- a/nss_engine_init.c ++++ b/nss_engine_init.c +@@ -430,7 +430,6 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, + server_rec *s; + int sslenabled = FALSE; + int fipsenabled = FALSE; +- int threaded = 0; + struct semid_ds status; + char *split_vhost_id = NULL; + char *last1; +@@ -637,11 +636,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, + "Initializing SSL Session Cache of size %d. 
SSL3/TLS timeout = %d.", mc->session_cache_size, mc->ssl3_session_cache_timeout); +- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded); +- if (!threaded) +- SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL); +- else +- SSL_ConfigServerSessionIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL); ++ SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL); + + /* Load our layer */ + nss_io_layer_init(); +@@ -1525,7 +1520,6 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server) + SSLModConfigRec *mc = myModConfig(base_server); + SSLSrvConfigRec *sc; + server_rec *s; +- int threaded = 0; + int sslenabled = FALSE; + + mc->pid = getpid(); /* only call getpid() once per-process */ +@@ -1555,13 +1549,10 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server) + return; + } + +- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded); +- if (!threaded) { +- if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, +- "SSL_InheritMPServerSIDCache failed"); +- nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL); +- } ++ if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ++ "SSL_InheritMPServerSIDCache failed"); ++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL); + } + + nss_init_SSLLibrary(base_server, mc->pPool); +-- +2.9.4 + diff --git a/SOURCES/mod_nss-test-cipherlist.patch b/SOURCES/mod_nss-test-cipherlist.patch new file mode 100644 index 0000000..2a5f76e --- /dev/null +++ b/SOURCES/mod_nss-test-cipherlist.patch 
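Review bot: The return value of `SSL_ConfigMPServerSIDCache` is still discarded in nss_init_Module, so if the shared-memory cache cannot be set up the server keeps running with no session ID cache and nothing in the error log, which is exactly the silent symptom this commit set out to fix. Check it the way the child side already checks the inherit call: `if (SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL) != SECSuccess) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "SSL_ConfigMPServerSIDCache failed"); nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); }`. The child-side block still logs the failure and continues; a one-line comment there saying that a failed inherit means this child serves without resumption would help whoever reads the log. Both nss_init_Module and nss_init_Child extend beyond the hunk.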
@@ -0,0 +1,37 @@ +From 6bf887340626e35e0497deaf246a9f034d8fe8ee Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 23 May 2016 17:21:11 -0400 +Subject: [PATCH] Add back export and low-security ciphers + +These are disabled in OpenSSL 1.02g but are still enabled in +the version in RHEL 7. +--- + test/test_cipher.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/test/test_cipher.py b/test/test_cipher.py +index 1cce9e4..8b12f26 100644 +--- a/test/test_cipher.py ++++ b/test/test_cipher.py +@@ -40,7 +40,7 @@ if ENABLE_SERVER_DHE == 0: + OPENSSL_CIPHERS_IGNORE += ':-DH' + + def assert_equal_openssl(ciphers): +- nss_ciphers = ciphers + ":-EXP:-LOW" ++ nss_ciphers = ciphers + ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE + (nss, err, rc) = run([exe, "--o", nss_ciphers]) + assert rc == 0 +@@ -270,8 +270,7 @@ class test_ciphers(object): + assert_no_NULL("DEFAULT:aRSA") + + def test_SYSTEM_DEFAULT(self): +- # I've added in !DHE here which differs from F-23 default +- assert_equal_openssl("!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!DHE") ++ assert_equal_openssl("!SSLv2:kEECDH:kRSA:kEDH:kPSK:DH:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES") + + def test_cipher_reorder(self): + # re-ordering now allowed but shouldn't blow up either +-- +2.5.5 + diff --git a/SPECS/mod_nss.spec b/SPECS/mod_nss.spec new file mode 100644 index 0000000..b41102a --- /dev/null +++ b/SPECS/mod_nss.spec 
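Review bot: In assert_equal_openssl, `nss_ciphers = ciphers` now merely aliases the parameter, and the reason the `:-EXP:-LOW` exclusion went away is stated only in the commit message, so the next rebase against upstream will likely put it back. Keep the assignment but explain it: `nss_ciphers = ciphers  # RHEL 7 OpenSSL still enables EXP/LOW, so no ':-EXP:-LOW' exclusion here`. The same applies to the test_SYSTEM_DEFAULT string, where the removed comment explained the divergence from the Fedora default and nothing replaces it; the new string's `DH` term and the dropped `!DHE` deserve one line saying they track the distro OpenSSL build.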
@@ -0,0 +1,524 @@ +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}} + +Name: mod_nss +Version: 1.0.14 +Release: 12%{?dist} +Summary: SSL/TLS module for the Apache HTTP server +Group: System Environment/Daemons +License: ASL 2.0 +URL: https://pagure.io/mod_nss/ +Source: http://releases.pagure.org/mod_nss/%{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= 4.10.8, nss-devel >= 3.19.1 +BuildRequires: httpd-devel, apr-devel, apr-util-devel +BuildRequires: pkgconfig +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +# Needed for make check +BuildRequires: openssl +BuildRequires: python-nose +BuildRequires: python-requests +BuildRequires: python-urllib3 +Requires: httpd-mmn = %{_httpd_mmn} +Requires(post): httpd, nss-tools +Requires: nss%{?_isa} >= 3.19.1 +# Although the following change reverses the desire of Bugzilla Bug #601939, it +# was provided to suppress the dangling symlink warning of Bugzilla Bug #906089 +# as exposed via 'rpmlint'. 
+Requires: %{_libdir}/libnssckbi.so + +# Change configuration to not conflict with mod_ssl +Patch1: mod_nss-conf.patch +# Generate a password-less NSS database +Patch2: mod_nss-gencert.patch +# Set DEFAULT_SSL_CIPHER_LIST manually if pyopenssl can't be imported +Patch3: mod_nss-defaultcipherlist.patch +# Match the available ciphers in RHEL OpenSSL so tests pass +Patch4: mod_nss-test-cipherlist.patch +# Disable and fix tests to work inside of brew +Patch5: mod_nss-brewtest.patch +# Remove setting 'r->user' in nss_hook_Fixup() +Patch6: mod_nss-remove-r-user-from-hook-fixup.patch +# Cleanup nss_pcache semaphore on shutdown +Patch7: mod_nss-clean-semaphore.patch +# Check certificate database directory permissions +Patch8: mod_nss-certdb-permissions.patch +# Die on invalid Protocol settings +Patch9: mod_nss-invalid-protocol-setting.patch +# Handle group membership when testing file perms +Patch10: mod_nss-group-permissions.patch +# Add OCSP cache tuning directives +Patch11: mod_nss-ocsp-tuning-knobs.patch +# Use NoDBInit in nss_pcache +Patch12: mod_nss-pcache_nodbinit.patch +# Update nss_pcache man page to drop directory and prefix +Patch13: mod_nss-nss_pcache_man.patch +# Fix TLS Session cache +Patch14: mod_nss-session_cache.patch +# Remove NSSSessionCacheTimeout from default config +Patch15: mod_nss-remove-deprecated-NSSSessionCacheTimeout.patch + +%description +The mod_nss module provides strong cryptography for the Apache Web +server via the Secure Sockets Layer (SSL) and Transport Layer +Security (TLS) protocols using the Network Security Services (NSS) +security library. 
+ +%prep +%setup -q +%patch1 -p1 -b .conf +%patch2 -p1 -b .gencert +%patch3 -p1 -b .defaultcipherlist +%patch4 -p1 -b .testcipherlist +%patch5 -p1 -b .brewtest +%patch6 -p1 -b .remove_r_user +%patch7 -p1 -b .semaphore +%patch8 -p1 -b .permissions +%patch9 -p1 -b .protocol_fatal +%patch10 -p1 -b .group_permissions +%patch11 -p1 -b .ocsp_tuning +%patch12 -p1 -b .pcache_nodbinit +%patch13 -p1 -b .pcache_man +%patch14 -p1 -b .session_cache +%patch15 -p1 -b .deprecated_sessioncachetimeout + +# Touch expression parser sources to prevent regenerating it +touch nss_expr_*.[chyl] + +%build + +CFLAGS="$RPM_OPT_FLAGS" +APXS=%{_httpd_apxs} + +export CFLAGS APXS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` +NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` + +NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` +NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` + +NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` + +autoreconf -i -f +%configure \ + --with-nss-lib=$NSS_LIB_DIR \ + --with-nss-inc=$NSS_INCLUDE_DIR \ + --with-nspr-lib=$NSPR_LIB_DIR \ + --with-nspr-inc=$NSPR_INCLUDE_DIR \ + --with-apr-config --enable-ecc + +make %{?_smp_mflags} all + +%install +# The install target of the Makefile isn't used because that uses apxs +# which tries to enable the module in the build host httpd instead of in +# the build root. 
+rm -rf $RPM_BUILD_ROOT + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf +mkdir -p $RPM_BUILD_ROOT%{_httpd_confdir} +mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules +mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_sbindir} +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8 + +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +# httpd >= 2.4.x +mkdir -p $RPM_BUILD_ROOT%{_httpd_modconfdir} +sed -n /^LoadModule/p nss.conf > 10-nss.conf +sed -i /^LoadModule/d nss.conf +install -m 644 10-nss.conf $RPM_BUILD_ROOT%{_httpd_modconfdir} +%endif + +install -m 644 gencert.8 $RPM_BUILD_ROOT%{_mandir}/man8/ +install -m 644 nss_pcache.8 $RPM_BUILD_ROOT%{_mandir}/man8/ + +install -m 644 nss.conf $RPM_BUILD_ROOT%{_httpd_confdir} + +install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/ +install -m 755 nss_pcache $RPM_BUILD_ROOT%{_libexecdir}/ +# Provide a compatibility link to prevent disruption of customized deployments. +# +# NOTE: This link may be deprecated in a future release of 'mod_nss'. +# +ln -s %{_libexecdir}/nss_pcache $RPM_BUILD_ROOT%{_sbindir}/nss_pcache +install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ +ln -s %{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/ +touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db +touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db +touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db +touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/install.log + +perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert + +%check +make check + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +umask 077 + +if [ "$1" -eq 1 ] ; then + if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then + %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1 + echo "" + echo "%{name} certificate database generated." + echo "" + fi + + # Make sure that the database ownership is setup properly. 
+ /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \; + /bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; +fi + +%files +%defattr(-,root,root,-) +%doc README LICENSE docs/mod_nss.html +%{_mandir}/man8/* +%config(noreplace) %{_httpd_confdir}/nss.conf +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +%config(noreplace) %{_httpd_modconfdir}/10-nss.conf +%endif +%{_libdir}/httpd/modules/libmodnss.so +%dir %{_sysconfdir}/httpd/alias/ +%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db +%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db +%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db +%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log +%{_sysconfdir}/httpd/alias/libnssckbi.so +%{_libexecdir}/nss_pcache +%{_sbindir}/nss_pcache +%{_sbindir}/gencert + +%changelog +* Fri Nov 3 2017 Rob Crittenden - 1.0.14-12 +- Correct URL and Source entries to point to pagure.io (#1502362) +- Remove deprecated NSSSessionCacheTimeout from default config (#1257662) + +* Wed Jul 19 2017 Rob Crittenden - 1.0.14-11 +- TLS session cache was not working (#1461580) + +* Wed May 10 2017 Rob Crittenden - 1.0.14-10 +- Apply the nss_pcache man page patch (#1382102) + +* Wed May 10 2017 Rob Crittenden - 1.0.14-9 +- Update nss_pcache.8 to drop directory and prefix options (#1382102) + +- Don't share mod_nss NSS database with nss_pcache (#1382102) +* Thu Feb 23 2017 Rob Crittenden - 1.0.14-8 +- Fail start start when there are invalid Protocols defined (#1389114) +- Handle group membership when testing NSS database filesystem + permissions (#1395300) +- Add OCSP cache tuning directives (#1392582) +- Don't share mod_nss NSS database with nss_pcache (#1382102) + +* Wed Sep 21 2016 Rob Crittenden - 1.0.14-7 +- Add the permission patch to the repository (#1312583) + +* Wed Sep 21 2016 Rob Crittenden - 1.0.14-6 
+- Check the NSS certificate database directory for read permissions + by the Apache user. (#1312583) + +* Wed Aug 10 2016 Rob Crittenden - 1.0.14-5 +- Update clean semaphore patch to not free the pinList twice. + (#1364560) + +* Tue Aug 9 2016 Rob Crittenden - 1.0.14-4 +- Update clean semaphore patch to not close pipe twice and to + shutdown NSS database (#1364560) + +* Mon Aug 8 2016 Rob Crittenden - 1.0.14-3 +- Clean up semaphore in nss_pcache on shutdown (#1364560) + +* Tue Jun 28 2016 Matthew Harmsen - 1.0.14-2 +- mod_nss sets r->user in fixup even if it was long ago changed + by other module (#1347298) + +* Mon May 23 2016 Rob Crittenden - 1.0.14-1 +- Rebase to 1.0.14 (#1299063) +- Add support for Server Name Indication (SNI) (#1053327) +- Use upstream method to not execute live tests as root (#1256887) +- Always call SSL_ShutdownServerSessionIDCache() in ModuleKill + (#1263301, #1296685) +- Don't require NSSProxyNickname (#1280287) +- Make link to libnssckbi.so an absolute link (#1288471) +- Fail for colons in credentials with FakeBasicAuth (#1295970) +- Don't ignore NSSProtocol when NSSFIPS is enabled (#1312491) +- Check filesystem permissions on NSS database at startup (#1312583) +- OpenSSL ciphers stopped parsing at +, CVE-2016-3099 (#1323913) +- Patch to match available ciphers so tests pass (#1299063) +- Patch to fix tests in brew (#1299063) + +* Tue Sep 22 2015 Rob Crittenden - 1.0.11-6 +- Add the supported NSS SHA384 ciphers (#1253570) +- Add kECDH, AECDH, ECDSA and aECDSA macros (#1253570) +- Bump the NSS BR and Requires so the new ciphers are available +- Bump the NSPR Requires to match NSS + +* Mon Sep 21 2015 Rob Crittenden - 1.0.11-5 +- Don't enable NULL ciphers in DEFAULT macro (#1253570) +- Add OpenSSL cipher macro EECDH (#1160745) +- Disable the live server testing in make check because it + may run as root and fail horribly (#1160745) + +* Thu Aug 27 2015 Rob Crittenden - 1.0.11-4 +- Handle permanently disabled ciphers in call to 
SSL_CipherPrefSet + (#1160745) + +* Mon Aug 17 2015 Rob Crittenden - 1.0.11-3 +- Fix logical and support in cipher strings CVE-2015-3277 + (#1253570) +- Add missing BuildRequires and small patch to use requests.urllib3 + to fix make check (#1253570) + +* Wed Jul 29 2015 Matthew Harmsen - 1.0.11-2 +- Resolves: rhbz #1066236 +- Bugzilla Bug #1066236 - mod_nss: documentation formatting fixes + +* Thu Jun 11 2015 Rob Crittenden - 1.0.11-1 +- Resolves: rhbz #1160745 - Rebase mod_nss to 1.0.11 + +* Mon Jan 5 2015 Matthew Harmsen - 1.0.8-33 +- Resolves: rhbz #1169871 +- Bugzilla Bug #1169871 - Default configuration enables SSL3 + +* Fri Jan 24 2014 Daniel Mach - 1.0.8-32 +- Mass rebuild 2014-01-24 + +* Mon Jan 13 2014 Matthew Harmsen - 1.0.8-31 +- Resolves: rhbz #1029360 +- Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires +- corrected typo on date + +* Mon Jan 13 2014 Matthew Harmsen - 1.0.8-30 +- Resolves: rhbz #1029360 +- Bugzilla Bug #1029360 - ambiguous/invalid ENVR in httpd-mmn Provides/Requires + +* Fri Dec 27 2013 Daniel Mach - 1.0.8-29 +- Mass rebuild 2013-12-27 + +* Wed Nov 27 2013 Matthew Harmsen - 1.0.8-28 +- Resolves: rhbz #1030276 +- [mod_nss-usecases.patch] +- Bugzilla Bug #1030276 - mod_nss not working in FIPS mode + +* Fri Nov 15 2013 Rob Crittenden - 1.0.8-27 +- Resolves: CVE-2013-4566 +- Bugzilla Bug #1024536 - mod_nss: incorrect handling of NSSVerifyClient in + directory context [rhel-7.0] (rcritten) +- Bugzilla Bug #1030845 - mod_nss: do not use %%configure in %%changelog + (mharmsen) + +* Tue Nov 12 2013 Joe Orton - 1.0.8-26 +- [mod_nss-SSLEngine-off.patch] +- Bugzilla Bug #1029042 - Implicit SSLEngine for 443 port breaks mod_nss + configuration (jorton) +- [mod_nss-unused-filter_ctx.patch] +- Bugzilla Bug #1029665 - Remove unused variable 'filter_ctx' (mharmsen) + +* Fri Nov 1 2013 Tomas Hoger - 1.0.8-25 +- Bugzilla Bug #1025317 - mod_nss: documentation formatting fixes [rhel-7] + +* Thu Oct 24 2013 Matthew Harmsen - 
1.0.8-24 +- Add '--enable-ecc' option to %%configure line under %%build section of + this spec file (mharmsen) +- Bumped version build/runtime requirements for NSPR and NSS (mharmsen) +- [mod_nss-PK11_ListCerts_2.patch] +- Bugzilla Bug #1022295 - PK11_ListCerts called to retrieve all user + certificates for every server (rcritten) +- [mod_nss-array_overrun.patch] +- Bugzilla Bug #1022298 - overrunning array when executing nss_pcache + (rcritten) +- [mod_nss-clientauth.patch] +- Bugzilla Bug #1022921 - mod_nss: FakeBasicAuth authentication bypass + [rhel-7.0] (rcritten) +- [mod_nss-no_shutdown_if_not_init_2.patch] +- Bugzilla Bug #1022303 - File descriptor leak after "service httpd reload" + or httpd doesn't reload (rrelyea) +- [mod_nss-proxyvariables.patch] +- Bugzilla Bug #1022309 - mod_nss insists on Required value NSSCipherSuite + not set. (mharmsen) +- [mod_nss-tlsv1_1.patch] +- Bugzilla Bug #1022310 - current nss support TLS 1.1 so mod_nss should pick + it up (mharmsen) +- [mod_nss-sslmultiproxy_2.patch] +- Fixes Bugzilla Bug #1021458 - [RFE] Support ability to share mod_proxy with + other SSL providers (jorton, mharmsen, nkinder, & rcritten) + +* Tue Jul 30 2013 Joe Orton - 1.0.8-23 +- add dependency on httpd-mmn + +* Wed Jul 3 2013 Matthew Harmsen - 1.0.8-22 +- Moved 'nss_pcache' from %%sbindir to %%libexecdir + (provided compatibility link) + +* Tue Jul 2 2013 Matthew Harmsen - 1.0.8-21.1 +- Add the following explanation to the 'Dangling symlinks' textbox in rpmdiff: + Symlink 'etc/httpd/alias/libnssckbi.so' is deliberate. + This test does not belong in rpmdiff. This test belongs in TPS. + Since the symlink points to a file in another package, e.g. a + dependency or a system file, rpmdiff cannot detect this. Remember, + rpmdiff does not install or even know about package dependencies. + That's TPS's job. 
+- Add the following explanation to the 'Brewtap results' textbox in rpmdiff: + The '/etc/httpd/conf.d/nss.conf' file does not require a man page + because its parameters are sufficiently documented within the + configuration file itself. + The '/etc/httpd/conf.modules.d/10-nss.conf' file does not require + a man page because the file merely contains the line + 'LoadModule nss_module modules/libmodnss.so' to support httpd + loading of Dynamic Shared Objects ('/etc/httpd/conf/httpd.conf'). + +* Tue Jun 25 2013 Matthew Harmsen - 1.0.8-21 +- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff + testing +- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache +- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss +- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec +- Bugzilla Bug #948601 - Man page scan results for mod_nss + +* Thu Feb 14 2013 Fedora Release Engineering - 1.0.8-20.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering - 1.0.8-19.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 18 2012 Joe Orton - 1.0.8-18.1 +- fix build for RHEL7 + +* Fri Jun 15 2012 Rob Crittenden - 1.0.8-18 +- Actually apply the patch to use memmove in place of memcpy since the + buffers can overlap (#669118) + +* Tue Jun 12 2012 Nathan Kinder - 1.0.8-17 +- Port mod_nss to work with httpd 2.4 + +* Mon Apr 23 2012 Joe Orton - 1.0.8-16 +- packaging fixes/updates (#803072) + +* Fri Jan 13 2012 Fedora Release Engineering - 1.0.8-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Mar 7 2011 Rob Crittenden - 1.0.8-14 +- Add Requires(post) for nss-tools, gencert needs it (#652007) + +* Wed Mar 2 2011 Rob Crittenden - 1.0.8-13 +- Lock around the pipe to nss_pcache for retrieving the token PIN + (#677701) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.0.8-12 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Rob Crittenden - 1.0.8-11 +- Use memmove in place of memcpy since the buffers can overlap (#669118) + +* Wed Sep 29 2010 jkeating - 1.0.8-10 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Rob Crittenden - 1.0.8-9 +- Revert mod_nss-wouldblock patch +- Reset NSPR error before calling PR_Read(). This should fix looping + in #620856 + +* Fri Sep 17 2010 Rob Crittenden - 1.0.8-8 +- Fix hang when handling large POST under some conditions (#620856) + +* Tue Jun 22 2010 Rob Crittenden - 1.0.8-7 +- Remove file Requires on libnssckbi.so (#601939) + +* Fri May 14 2010 Rob Crittenden - 1.0.8-6 +- Ignore SIGHUP in nss_pcache (#591889). + +* Thu May 13 2010 Rob Crittenden - 1.0.8-5 +- Use remote hostname set by mod_proxy to compare to CN in peer cert (#591224) + +* Thu Mar 18 2010 Rob Crittenden - 1.0.8-4 +- Patch to add configuration options for new NSS negotiation API (#574187) +- Add (pre) for Requires on httpd so we can be sure the user and group are + already available +- Add file Requires on libnssckbi.so so symlink can't fail +- Use _sysconfdir macro instead of /etc +- Set minimum level of NSS to 3.12.6 + +* Mon Jan 25 2010 Rob Crittenden - 1.0.8-3 +- The location of libnssckbi moved from /lib[64] to /usr/lib[64] (556744) + +* Sat Jul 25 2009 Fedora Release Engineering - 1.0.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Mar 2 2009 Rob Crittenden - 1.0.8-1 +- Update to 1.0.8 +- Add patch that fixes NSPR layer bug + +* Wed Feb 25 2009 Fedora Release Engineering - 1.0.7-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Aug 11 2008 Tom "spot" Callaway - 1.0.7-10 +- fix license tag + +* Mon Jul 28 2008 Rob Crittenden - 1.0.7-9 +- rebuild to bump NVR + +* Mon Jul 14 2008 Rob Crittenden - 1.0.7-8 +- Don't force module de-init during the configuration stage (453508) + +* Thu Jul 10 2008 Rob Crittenden - 1.0.7-7 +- Don't inherit the MP 
cache in multi-threaded mode (454701) +- Don't initialize NSS in each child if SSL isn't configured + +* Wed Jul 2 2008 Rob Crittenden - 1.0.7-6 +- Update the patch for FIPS to include fixes for nss_pcache, enforce + the security policy and properly initialize the FIPS token. + +* Mon Jun 30 2008 Rob Crittenden - 1.0.7-5 +- Include patch to fix NSSFIPS (446851) + +* Mon Apr 28 2008 Rob Crittenden - 1.0.7-4 +- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child + and not before. This is in response to a change in the NSS softtokn code + and should have always been done this way. (444348) +- The location of libnssckbi moved from /usr/lib[64] to /lib[64] +- The NSS database needs to be readable by apache since we need to use it + after the root priviledges are dropped. + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0.7-3 +- Autorebuild for GCC 4.3 + +* Thu Oct 18 2007 Rob Crittenden 1.0.7-2 +- Register functions needed by mod_proxy if mod_ssl is not loaded. + +* Fri Jun 1 2007 Rob Crittenden 1.0.7-1 +- Update to 1.0.7 +- Remove Requires for nss and nspr since those are handled automatically + by versioned libraries +- Updated URL and Source to reference directory.fedoraproject.org + +* Mon Apr 9 2007 Rob Crittenden 1.0.6-2 +- Patch to properly detect the Apache model and set up NSS appropriately +- Patch to punt if a bad password is encountered +- Patch to fix crash when password.conf is malformatted +- Don't enable ECC support as NSS doesn't have it enabled (3.11.4-0.7) + +* Mon Oct 23 2006 Rob Crittenden 1.0.6-1 +- Update to 1.0.6 + +* Fri Aug 04 2006 Rob Crittenden 1.0.3-4 +- Include LogLevel warn in nss.conf and use separate log files + +* Fri Aug 04 2006 Rob Crittenden 1.0.3-3 +- Need to initialize ECC certificate and key variables + +* Fri Aug 04 2006 Jarod Wilson 1.0.3-2 +- Use %%ghost for db files and install.log + +* Tue Jun 20 2006 Rob Crittenden 1.0.3-1 +- Initial build
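Review bot: The %changelog is mis-ordered at the 1.0.14-9 entry: the line `- Don't share mod_nss NSS database with nss_pcache (#1382102)` sits after that entry's closing blank line and directly above the `* Thu Feb 23 2017 ... 1.0.14-8` header with no blank line between them, and the same line already appears inside the 1.0.14-8 entry, so the stray copy should go and the blank line before the header be restored. The 1.0.14-8 entry also reads `Fail start start when there are invalid Protocols defined`, presumably `Fail to start when`. Neither breaks the build, but rpmlint and anyone reading the history will trip over them.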