[Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
Alexander Bokovoy
abokovoy at redhat.com
Tue Nov 26 11:34:14 UTC 2013
On Tue, 26 Nov 2013, Jan Cholasta wrote:
>Hi,
>
>the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4021>.
>
>Honza
>
>--
>Jan Cholasta
>>From f880aa215ad268a156e5367e9ee8a915c1e07e35 Mon Sep 17 00:00:00 2001
>From: Jan Cholasta <jcholast at redhat.com>
>Date: Tue, 26 Nov 2013 08:53:34 +0000
>Subject: [PATCH] Remove mod_ssl port workaround.
>
>https://fedorahosted.org/freeipa/ticket/4021
>---
> freeipa.spec.in | 8 ++++++--
> install/tools/ipa-upgradeconfig | 2 +-
> ipaserver/install/httpinstance.py | 17 ++++++++---------
> 3 files changed, 15 insertions(+), 12 deletions(-)
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index ebc2f15..2a738dd 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -114,14 +114,14 @@ Requires: krb5-server >= 1.10
> Requires: krb5-pkinit-openssl
> Requires: cyrus-sasl-gssapi%{?_isa}
> Requires: ntp
>-Requires: httpd
>+Requires: httpd >= 2.4.6-6
> Requires: mod_wsgi
> %if 0%{?fedora} >= 18
> Requires: mod_auth_kerb >= 5.4-16
> %else
> Requires: mod_auth_kerb >= 5.4-8
> %endif
>-Requires: mod_nss >= 1.0.8-24
>+Requires: mod_nss >= 1.0.8-26
> Requires: python-ldap
> Requires: python-krbV
> Requires: acl
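Review bot: the new minimums on the `Requires: httpd` and `Requires: mod_nss` lines are unconditional, while the mod_auth_kerb requirement directly below is gated on `%{?fedora}`, and nothing in the commit message or the spec says which packaged fix each minimum corresponds to. The comment added in httpinstance.py attributes the fix to mod_nss's default configuration, so the reason for `httpd >= 2.4.6-6` should be stated, and it is worth confirming both builds are available on every platform this spec targets, or making the bumps conditional in the same way.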
>@@ -839,6 +839,10 @@ fi
> %endif # ONLY_CLIENT
>
> %changelog
>+* Tue Nov 26 2013 Jan Cholasta <jcholast at redhat.com> - 3.3.90-6
>+- Set minimum version of httpd to 2.4.6-6
>+- Set minimum version of mod_nss to 1.0.8-26
>+
> * Tue Nov 12 2013 Tomas Babej<tbabej at redhat.com> - 3.3.90-5
> - Add Fedora 19 platform files
>
>diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
>index 41c5126..10526f2 100644
>--- a/install/tools/ipa-upgradeconfig
>+++ b/install/tools/ipa-upgradeconfig
>@@ -1047,7 +1047,7 @@ def main():
> http.remove_httpd_ccache()
> http.configure_selinux_for_httpd()
> http.configure_httpd_ccache()
>- http.change_mod_nss_port_to_http()
>+ http.change_mod_nss_port_from_http()
>
> ds = dsinstance.DsInstance()
> ds.configure_dirsrv_ccache()
>diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
>index 689e657..e61a0c6 100644
>--- a/ipaserver/install/httpinstance.py
>+++ b/ipaserver/install/httpinstance.py
>@@ -253,25 +253,24 @@ class HTTPInstance(service.Service):
> http_fd.close()
> os.chmod(target_fname, 0644)
>
>- def change_mod_nss_port_to_http(self):
>+ def change_mod_nss_port_from_http(self):
> # mod_ssl enforces SSLEngine on for vhost on 443 even though
> # the listener is mod_nss. This then crashes the httpd as mod_nss
> # listened port obviously does not match mod_ssl requirements.
> #
>- # Change port to http to workaround the mod_ssl check, the SSL is
>- # enforced in the vhost later, so it is benign.
>+ # The workaround for this was to change port to http. It is no longer
>+ # necessary, as mod_nss now ships with default configuration which
>+ # sets SSLEngine off when mod_ssl is installed.
> #
>- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
>- # is fixed.
>- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
>- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
>- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
>+ # Remove the workaround.
>+ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
>+ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
>+ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
>
> def __set_mod_nss_port(self):
> self.fstore.backup_file(NSS_CONF)
> if installutils.update_file(NSS_CONF, '8443', '443') != 0:
> print "Updating port in %s failed." % NSS_CONF
>- self.change_mod_nss_port_to_http()
>
> def __set_mod_nss_nickname(self, nickname):
> installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
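Review bot: in change_mod_nss_port_from_http, the revert writes a fixed `Listen 443` whenever the `listen_port_updated` flag is set, without checking what nss.conf currently contains, so a Listen value edited after the workaround was applied gets overwritten. Rewriting only when the current value is `443 http` would avoid that. This path also modifies NSS_CONF without the `self.fstore.backup_file(NSS_CONF)` call that `__set_mod_nss_port` makes first. The flag is set to False rather than dropped, which leaves a stale `listen_port_updated` key in the upgrade state. The first three comment lines still describe the mod_ssl crash in the present tense although the text below says the workaround is no longer needed. The name `change_mod_nss_port_from_http` does not make clear that the method undoes an earlier workaround, so a short docstring saying so would help.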
ACK.
P.S. When do we start removing changelog entries from the spec.in in
git master? :)
--
/ Alexander Bokovoy