rpms/mod_nss/F-9 mod_nss-nofork.patch, 1.1, 1.2 mod_nss.spec, 1.9, 1.10
Robert Crittenden (rcritten)
fedora-extras-commits at redhat.com
Mon Apr 28 15:19:39 UTC 2008
Author: rcritten
Update of /cvs/extras/rpms/mod_nss/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4665
Modified Files:
mod_nss-nofork.patch mod_nss.spec
Log Message:
- New fork patch that more gracefully handles errors
- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
- The NSS database needs to be readable by apache since we need to use it
after the root privileges are dropped.
mod_nss-nofork.patch:
Index: mod_nss-nofork.patch
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss-nofork.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_nss-nofork.patch 28 Apr 2008 13:30:28 -0000 1.1
+++ mod_nss-nofork.patch 28 Apr 2008 15:19:02 -0000 1.2
@@ -17,11 +17,11 @@
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
/* Apache API hooks */
-Only in mod_nss-1.0.7-nofork: newdiff
+Only in mod_nss-1.0.7-nofork/: newdiff
diff -u --recursive mod_nss-1.0.7/nss_engine_init.c mod_nss-1.0.7-nofork/nss_engine_init.c
--- mod_nss-1.0.7/nss_engine_init.c 2007-05-31 17:36:03.000000000 -0400
-+++ mod_nss-1.0.7-nofork/nss_engine_init.c 2008-04-28 00:29:37.000000000 -0400
-@@ -135,101 +135,59 @@
++++ mod_nss-1.0.7-nofork/nss_engine_init.c 2008-04-28 10:26:11.000000000 -0400
+@@ -135,112 +135,85 @@
* Initialize SSL library
*
*/
@@ -104,7 +104,10 @@
+ if ((ocspurl == NULL) || (ocspname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "When NSSOCSPDefaultResponder is enabled both a default URL (NSSOCSPDefaultUrl) and certificate nickname (NSSOCSPDefaultName) are required.");
-+ nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
+ }
}
- /* Set a 30-second read/write timeout */
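Review bot: The new `if (mc->nInitCount == 1) nss_die(); else return;` sequence in this hunk is written without braces and is then copied verbatim into every error branch of the hunks at L57, L81, L115, L129, L142, L162 and L175; one definition would keep the second-round semantics in a single place, e.g. `#define NSS_DIE_OR_RETURN(mc) do { if ((mc)->nInitCount == 1) { nss_die(); } else { return; } } while (0)`. The `else return;` also changes what an error means on later init rounds from fatal to logged-and-abandoned, which deserves a comment at the first occurrence such as `/* Fatal only in the first (config-check) round; in a forked child we log and return so the server keeps running */`. The enclosing function begins and ends outside this hunk.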
@@ -133,13 +136,21 @@
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Unable to determine current working directory");
- nss_die();
+- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
if (chdir(mc->pCertificateDatabase) != 0) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Unable to change directory to %s", mc->pCertificateDatabase);
- nss_die();
+- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
/* Initialize NSS and open the certificate database read-only. */
rv = NSS_Initialize(mc->pCertificateDatabase, mc->pDBPrefix, mc->pDBPrefix, "secmod.db", NSS_INIT_READONLY);
@@ -147,22 +158,31 @@
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Unable to change directory to %s", cwd);
- nss_die();
+- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
-@@ -237,9 +195,9 @@
+
/* Assuming everything is ok so far, check the cert database password(s). */
if (rv != SECSuccess) {
NSS_Shutdown();
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "NSS initialization failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+- nss_die();
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
-@@ -250,39 +208,38 @@
+ if (fipsenabled) {
+@@ -250,39 +223,47 @@
if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
!PK11_IsFIPS()) {
@@ -171,8 +191,12 @@
"Unable to enable FIPS mode on certificate database %s.", mc->pCertificateDatabase);
NSS_Shutdown();
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+- nss_die();
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
PR_smprintf_free(internal_name);
} /* FIPS is already enabled, nothing to do */
@@ -185,8 +209,12 @@
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"NSS initialization failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration");
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+- nss_die();
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
@@ -195,8 +223,12 @@
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"NSS set domestic policy failed on certificate database %s.", mc->pCertificateDatabase);
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+- nss_die();
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
if (ocspenabled) {
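Review bot: When `NSS_SetDomesticPolicy()` fails on a later init round, the new `return` leaves NSS initialized, so the `NSS_IsInitialized()` guard added to nss_init_Module (hunk at L244) still configures every server and the child keeps serving with whatever cipher policy NSS was left with; the same applies to the OCSP default-responder failures in the hunks at L162 and L175, where the child proceeds with revocation checking not set up as configured. The `NSS_Initialize` and FIPS branches earlier in the function call `NSS_Shutdown()` before bailing out, and doing the same here, `NSS_Shutdown(); if (mc->nInitCount == 1) nss_die(); else return;`, would make the guard reflect the failure, assuming nothing holds NSS references yet at this point. A one-line comment on that guard in nss_init_Module noting that it only observes failures which shut NSS down would help the next reader. The enclosing function begins and ends outside this hunk.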
@@ -211,7 +243,7 @@
if (ocspdefault) {
SECStatus sv;
-@@ -290,21 +247,28 @@
+@@ -290,21 +271,34 @@
ocspurl, ocspname);
if (sv == SECFailure) {
@@ -219,8 +251,12 @@
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Unable to set OCSP default responder nickname %s.", ocspname);
- nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+- nss_die();
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
sv = CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
@@ -229,8 +265,12 @@
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Unable to enable the OCSP default responder, %s (this shouldn't happen).", ocspname);
- nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+- nss_die();
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server);
- nss_die();
++ if (mc->nInitCount == 1)
++ nss_die();
++ else
++ return;
}
}
}
@@ -244,7 +284,7 @@
}
int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
-@@ -316,20 +280,12 @@
+@@ -316,20 +310,12 @@
server_rec *s;
int sslenabled = FALSE;
int fipsenabled = FALSE;
@@ -268,7 +308,7 @@
/*
* Any init round fixes the global config
*/
-@@ -384,6 +340,10 @@
+@@ -384,6 +370,10 @@
sc->ocsp = FALSE;
}
@@ -279,7 +319,7 @@
/* If any servers have SSL, we want sslenabled set so we
* can initialize the database. fipsenabled is similar. If
* any of the servers have it set, they all will need to use
-@@ -398,69 +358,112 @@
+@@ -398,69 +388,112 @@
sc->proxy_enabled = FALSE;
}
@@ -435,7 +475,7 @@
/*
* Announce mod_nss and SSL library in HTTP Server field
-@@ -802,9 +805,9 @@
+@@ -802,9 +835,9 @@
}
static void nss_init_server_check(server_rec *s,
@@ -448,7 +488,7 @@
{
#ifdef NSS_ENABLE_ECC
if (mctx->servercert != NULL || mctx->eccservercert != NULL) {
-@@ -1007,8 +1010,6 @@
+@@ -1007,8 +1040,6 @@
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
@@ -457,7 +497,7 @@
nss_init_ctx(s, p, ptemp, sc->proxy);
nss_init_server_certs(s, p, ptemp, sc->proxy);
-@@ -1019,8 +1020,6 @@
+@@ -1019,8 +1050,6 @@
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
@@ -466,7 +506,7 @@
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
-@@ -1049,20 +1048,60 @@
+@@ -1049,20 +1078,60 @@
}
}
@@ -491,7 +531,7 @@
+ /* Configure all virtual servers */
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
-+ if (sc->server->servercert == NULL)
++ if (sc->server->servercert == NULL && NSS_IsInitialized())
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ }
+
@@ -530,7 +570,7 @@
/*
* Free the non-pool allocated structures
* in the per-server configurations
-@@ -1112,13 +1151,7 @@
+@@ -1112,13 +1181,7 @@
nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
}
Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss.spec,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- mod_nss.spec 28 Apr 2008 13:30:28 -0000 1.9
+++ mod_nss.spec 28 Apr 2008 15:19:02 -0000 1.10
@@ -1,6 +1,6 @@
Name: mod_nss
Version: 1.0.7
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: Apache Software License
@@ -70,7 +70,7 @@
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
-ln -s ../../..%{_libdir}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+ln -s ../../../%{_lib}/libnssckbi.so $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db
@@ -91,6 +91,10 @@
echo "%{name} certificate database generated."
echo ""
fi
+
+ # Make sure that the database ownership is setup properly.
+ /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
+ /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
%files
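Review bot: `chmod g+r` on the two find lines only adds group read and leaves any world-readable bits an existing key3.db or cert8.db may already carry, so the final mode of the key database is not pinned by this scriptlet; `chmod 0640` (or `g+r,o-rwx`) would match the `%attr(0640,root,apache)` declared for the same files in the %files hunk below. Since those entries are `%ghost`, rpm does not create them at install time and, as far as I recall, uses the `%attr` only for verification, which makes this scriptlet the place that actually sets ownership and mode. The `-user root` filter also means a database already reassigned to another owner is left untouched, which is probably intended but worth a comment, e.g. `# key3.db holds the server private keys: group apache needs read access after the privilege drop, nobody else should`.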
@@ -99,15 +103,21 @@
%config(noreplace) %{_sysconfdir}/httpd/conf.d/nss.conf
%{_libdir}/httpd/modules/libmodnss.so
%dir %{_sysconfdir}/httpd/alias/
-%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
-%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
-%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
+%ghost %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
%ghost %config(noreplace) %{_sysconfdir}/httpd/alias/install.log
%{_sysconfdir}/httpd/alias/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%changelog
+* Mon Apr 28 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-5
+- New fork patch that more gracefully handles errors
+- The location of libnssckbi moved from /usr/lib[64] to /lib[64]
+- The NSS database needs to be readable by apache since we need to use it
+ after the root priviledges are dropped.
+
* Sun Apr 28 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-4
- Apply patch so that mod_nss calls NSS_Init() after Apache forks a child
and not before. This is in response to a change in the NSS softtokn code