rpms/mod_nss/devel mod_nss-inherit.patch, NONE, 1.1 mod_nss-kill.patch, NONE, 1.1 mod_nss.spec, 1.11, 1.12
Robert Crittenden (rcritten)
fedora-extras-commits at redhat.com
Wed Jul 16 18:03:52 UTC 2008
Author: rcritten
Update of /cvs/extras/rpms/mod_nss/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4081
Modified Files:
mod_nss.spec
Added Files:
mod_nss-inherit.patch mod_nss-kill.patch
Log Message:
1.0.7-8
- Don't force module de-init during the configuration stage (453508)
1.0.7-7
- Don't inherit the MP cache in multi-threaded mode (454701)
- Don't initialize NSS in each child if SSL isn't configured
Resolves: #453508, #454701
mod_nss-inherit.patch:
--- NEW FILE mod_nss-inherit.patch ---
--- mod_nss-1.0.7-orig/nss_engine_init.c 16 May 2008 15:16:02 -0000 1.32
+++ mod_nss-1.0.7/nss_engine_init.c 9 Jul 2008 22:22:46 -0000
@@ -1079,23 +1079,54 @@
}
}
void nss_init_Child(apr_pool_t *p, server_rec *base_server)
{
SSLModConfigRec *mc = myModConfig(base_server);
SSLSrvConfigRec *sc;
server_rec *s;
+ int threaded = 0;
+ int sslenabled = FALSE;
mc->pid = getpid(); /* only call getpid() once per-process */
- if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL_InheritMPServerSIDCache failed");
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ /*
+ * First, see if ssl is enabled at all
+ */
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+ /* If any servers have SSL, we want sslenabled set so we
+ * can perform further initialization
+ */
+
+ if (sc->enabled == UNSET) {
+ sc->enabled = FALSE;
+ }
+
+ if (sc->proxy_enabled == UNSET) {
+ sc->proxy_enabled = FALSE;
+ }
+
+ if ((sc->enabled == TRUE) || (sc->proxy_enabled == TRUE)) {
+ sslenabled = TRUE;
+ }
+ }
+
+ if (sslenabled == FALSE) { /* we are not an SSL/TLS server */
+ return;
+ }
+
+ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+ if (!threaded) {
+ if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "SSL_InheritMPServerSIDCache failed");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ }
}
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
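Review bot: The new `ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded)` call ignores its return status and asks for a thread count rather than whether the MPM is threaded. The choice to call `SSL_InheritMPServerSIDCache` therefore rests on a value that stays 0 both for a non-threaded MPM and for a failed query; whether every non-threaded MPM reports 0 for this query is not visible here. Consider `if (ap_mpm_query(AP_MPMQ_IS_THREADED, &threaded) != APR_SUCCESS) threaded = 0;`, with a comment above it saying why the multi-process session ID cache must not be inherited in threaded mode. A failed inherit is still only logged and child initialisation carries on; if that is deliberate, a one-line comment such as `/* non-fatal: child continues without the inherited session cache */` would record it. nss_init_Child continues past the end of this hunk.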
mod_nss-kill.patch:
--- NEW FILE mod_nss-kill.patch ---
--- mod_nss-1.0.7.orig/nss_engine_init.c 14 Jul 2008 20:25:53 -0000 1.33
+++ mod_nss-1.0.7/nss_engine_init.c 14 Jul 2008 20:28:13 -0000
+++ nss_engine_init.c 14 Jul 2008 20:35:34 -0000
@@ -315,6 +315,13 @@
mc->nInitCount++;
+ /*
+ * Let us cleanup on restarts and exists
+ */
+ apr_pool_cleanup_register(p, base_server,
+ nss_init_ModuleKill,
+ apr_pool_cleanup_null);
+
mc->ptemp = ptemp;
/*
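Review bot: The comment on the new `apr_pool_cleanup_register` call reads "exists" where "exits" is meant, and it does not say when the callback actually fires. Since the cleanup is tied to pool `p`, it presumably runs every time that pool is cleared, including after the first configuration pass, which appears to be why the later hunk tests `mc->nInitCount`. A comment along the lines of `/* Run nss_init_ModuleKill whenever p is cleared (restart or exit); no cleanup in exec'd children */` would make that lifetime explicit. The enclosing function starts and ends outside this hunk.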
@@ -491,9 +498,6 @@
*/
nss_init_ConfigureServer(s, p, ptemp, sc);
}
-
- nss_init_ChildKill(base_server);
- nss_init_ModuleKill(base_server);
}
/*
@@ -1144,12 +1148,16 @@
apr_status_t nss_init_ModuleKill(void *data)
{
server_rec *base_server = (server_rec *)data;
+ SSLModConfigRec *mc = myModConfig(base_server);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Shutting down SSL Session ID Cache");
SSL_ShutdownServerSessionIDCache();
+ if (mc->nInitCount == 1)
+ nss_init_ChildKill(base_server);
+
/* NSS_Shutdown() gets called in nss_init_ChildKill */
return APR_SUCCESS;
}
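Review bot: The retained comment `/* NSS_Shutdown() gets called in nss_init_ChildKill */` no longer describes every path, because the added `if (mc->nInitCount == 1)` makes that call conditional and nothing explains why only the first init pass qualifies. On later passes this function shuts down the session ID cache and returns without reaching `nss_init_ChildKill`; presumably a separate child cleanup covers NSS shutdown there, but that is not visible in this patch and is worth confirming, since it decides whether NSS state is released. Suggest bracing the `if` and replacing the comment with something like `/* First (config-check) pass only: no child cleanup is registered yet, so tear NSS down here; NSS_Shutdown() is called in nss_init_ChildKill */`.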
Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/devel/mod_nss.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- mod_nss.spec 2 Jul 2008 15:25:41 -0000 1.11
+++ mod_nss.spec 16 Jul 2008 18:02:54 -0000 1.12
@@ -1,6 +1,8 @@
+%define _default_patch_fuzz 2
+
Name: mod_nss
Version: 1.0.7
-Release: 6%{?dist}
+Release: 8%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: Apache Software License
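Review bot: `%define _default_patch_fuzz 2` at the top of the spec relaxes context matching for every `%patch` in the package, not just the two added here. A patch whose context no longer matches can then apply at a shifted location without failing the build. For a TLS module that is worth avoiding: regenerate the offending patch against the already-patched tree and drop the define. If it has to stay, add a comment naming the patch that needs it, for example `# mod_nss-kill.patch needs fuzz; rebase and remove`. Which patch requires the fuzz is not stated on this page.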
@@ -16,6 +18,8 @@
Patch3: mod_nss-proxy.patch
Patch4: mod_nss-nofork.patch
Patch5: mod_nss-fips.patch
+Patch6: mod_nss-inherit.patch
+Patch7: mod_nss-kill.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
@@ -30,6 +34,8 @@
%patch3 -p1 -b .proxy
%patch4 -p1 -b .nofork
%patch5 -p1 -b .fips
+%patch6 -p1 -b .inherit
+%patch7 -p1 -b .kill
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@@ -114,6 +120,13 @@
%{_sbindir}/gencert
%changelog
+* Mon Jul 14 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-8
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-7
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
* Wed Jul 2 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-6
- Update the patch for FIPS to include fixes for nss_pcache, enforce
the security policy and properly initialize the FIPS token.