[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] branch master updated (419b507 -> 1e38cf7)
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:21 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a change to branch master
in repository libapache2-mod-nss.
from 419b507 releasing package libapache2-mod-nss version 1.0.8-4
new f6ecd9d Initial import of mod_nss
new aabd41a By default, don't start with an expired cert. Add option SSLEnforceValid Cert on/off to allow one to start with a bad cert.
new e5a4f20 The path to the cert database was hardcoded, use the value passed in by Apache.
new 2143559 Add support for apr-config. Print out some nice notes alerting the user to verify that mod_ssl is disabled. Tell the user about gencert so they can generate their own self-signed certificate.
new e001ab8 Remove check for Define SSL Comment out a few entries that the average user won't need Do some general cleanups and fixups
new 49fe778 First crack at migrating an existing ssl.conf to nss.conf.
new 0eba132 Enable more ciphers than just fips_3des_sha.
new 32a0cc4 Terminate echo'd strings
new 77042d5 When doing SSLVerifyCert require then we need to always require the certificate to match what OpenSSL does.
new d4ead13 Add support for the SSL_CLIENT_CERT_CHAIN_ environment variable. SSL_CLIENT_I_DN_ was incorrectly parsing the client certificate subject instead of the issuer subject. Print out PEM files the same way as OpenSSL
new b2aee92 Generate gencert so we can set the NSS and NSPR directories and make things easier for the user. Also try really, really hard to get the FQDN so we can create a host-specific self-signed certificate.
new 102486d Changed function and configuration names so mod_nss can peacefully co-exist with mod_ssl.
new 348a79c Remove message about co-existing with mod_ssl, that works ok now. Also fix nasty typo.
new 62d308e Initialize enforcement of valid certificates to true.
new d99ab1c Fix formatting and variable name in error message.
new 505e42a Basic documentation on the mod_nss module.
new ffb5fab Reflect new Directive naming convention
new 765a354 Zero length file for now so autoconf will shut up.
new e882f30 Add NSS database prefix support
new 398e33b Earlier versions of Apache 2.0 (such as on RHEL 3) don't support AP_BUCKET_IS_EOC. Define around it.
new 08d5d7d Fix lunasa problem. The key we generate must work for both encryption and decryption. By default generate key only returns encryption keys.
new c656f45 Add in support for older versions of NSS that don't have the function PK11_TokenKeyGenWithFlags(). Older versions of NSS will only work with software certificates when using nss_pcache. The workaround is to store the token passwords in a file instead.
new 3103cc0 Don't assume that apr-config is in the PATH. Let the user specify which one to run, just like with apxs.
new feb631f Clarify things a bit, change directive name to match new naming scheme.
new b4164d9 Add libsoftokn3.so for nss_pcache.
new 64342aa Add more information related to gencert Tell users where to find more documentation
new f1d0c79 Added Database Management section. Added links to NSS and NSPR
new d3a1b4f Changed 2 function names from SSL -> NSS I had missed in earlier cleanup
new 70d2235 Properly clean up the SSL environment so NSS can be shut down gracefully.
new bb9b72e Also clean up the SSL Session ID Cache when shutting down. If we are using the forked model, use the MP version of the Session ID cache. Don't call PR_Cleanup(), this could cause problems.
new 203bed3 More correct detection of NSS version when determining whether we should expect PK11_TokenKeyGenWithFlags(). It hasn't been included as of NSS 3.10.0.
new 8625526 Add a FIPS configuration option. This enables the FIPS internal database module, configures for SSLv3 and TLSv1 and enables the 2 FIPS ciphers (and disables all the others).
new c1a0fd4 Add OCSP support
new a160145 Add information about how to use built-in CA's via libnssckbi.so
new 800a72a Add short example of how to use certutil to generate a certificate request suitable for submission to a 3rd party CA such as Verisign.
new 4283b33 Improve FIPS configuration: - The NSS ciphers are enumerated to find those that are FIPS approved - This list of approved ciphers is compared to the NSSCipherSuite entry and those enabled, approved ciphers are configured. This way you aren't forced to use all of the FIPS ciphers (in case you don't want a 56-bit cipher enabled). - Only TLSv1 should be enabled.
new 609e2db Update to reflect changes to the NSSFIPS directive
new 3e58b2e Make SSL2 an optional protocol, disabled by default.
new 3db52e3 Adding files required by the Apache 2.0 License
new 250b8ca Add missing copyright block
new 4bd0341 separate with options for include and lib directories - use nspr and nss instead of mozilla-nspr and -nss
new cd6deed force checkin of autoconf files
new bbde2f3 Add proxy support to mod_nss. Most of the changes are related to adding new configuration directives. For the others we need to initialize an NSS socket differently whether we will be acting as a client or a server.
new 98c66d1 Remove a debug msg that was left in on accident.
new 252fddb Add support for seeding the NSS Random Number Generator. This adds a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed directive.
new 90314a1 Close the proxy model socket so NSS can be shutdown gracefully. Also correct an error where the PKCS#11 slot isn't closed unless the certificate key is obtained. This also affected NSS_Shutdown().
new 5f55572 Add in check to be sure that the same server isn't initialized with SSL more than once. This avoids a crash during shutdown where the same certificates and keys will try to be released multiple times. This is based on ssl_init_server_check() from mod_ssl.
new 50fe6b1 added mod_nss.spec and makerpm.sh
new 683960d had to recreate these on rhel3 because I nuked them on rhel4
new 1a9c5d3 removed empty flavor from spec
new d4cb1bb Fix command-line argument miscounting caused by the addition of the FIPS flag. The result was that the database prefix was always missed.
new 6286793 Changes to allow the mod_nss to work in Apache 2.2.0. Based on a patch from Oden Eriksson.
new 0f8282d This file was copied directly from the Apache distribution. Remove the extra per-module stuff that doesn't apply.
new 7d1b05a [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
new 55c7696 [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
new deb5f50 Make configure automatically find the correct versions of apr-config and apxs
new b5291c8 [179394] HP-UX IPF/PA-RISC support updated hppa*64* with hppa2.* in aclocal.m4 to support 64 bit PA_RISC. CAUTION: this file could be automatically updated by "aclocal" command using libtool.m4, which contains the expression: "hppa*64*". But 64 bit PA_RISC generates, this string "build_cpu='hppa2.0w'", which does not match "hppa*64*". So, if aclocal.m4 is updated, hppa*64* needs to be replaced.
new 05b6031 Checking in automatically generated aclocal.m4 and derived files. aclocal-1.6; automake-1.6; autoconf
new 50ad8c9 upgraded config.guess and config.sub to 2004-09-07 (same as mod_admserv)
new b9131c4 Add support for Elliptical Curve Cryptography (ECC). This is disabled by default. To enable it, pass --enable-ecc to configure.
new 8ae9591 force checkin of autoconf files
new 7eed0dc 188300
new 77378f6 196070
new c6435b2 Drop dependency on ksh and use bash instead.
new 330ebd5 Remove some invalid comments
new 073a857 196070
new 7a16cfd mod_proxy support has been around for a while. We want SNI support as soon as NSS allows it.
new 12d492f 197681
new 7a9b1da 200855
new 7896430 200855
new f1040b4 200610
new f2f7282 Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958
new ecf3a7e Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700
new a2c5668 Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965
new f85e30e Merge in http://svn.apache.org/viewvc?view=rev&revision=354394
new 09e5676 Initialize the NSS cache before NSS_Init is called. A race condition was being triggered during the first module unload when calling NSS_Shutdown because the cache wasn't finished setting itself up in MP mode.
new 555efa7 204138
new bb0f6ca Add information about ECC including required versions of NSPR and NSS and the available ciphers.
new 16f50b3 208848
new 4d3a405 211139
new 803d86b 211612
new 9a894d9 212426
new ff38e91 213081
new c6f1107 222173
new dd8e415 226747
new 61cadf2 229660
new 68b364f Resolves: 241936
new 0cd05b4 Populate the changelog.
new bc1e4b1 The wrong variable was being used to report that NSSPassPhraseHelper wasn't found.
new e2baea5 Only NSSPassPhraseHelper needs to be required.
new 4aa4a80 The error message was wrong if NSSPassPhraseHelper pointed to a non-existent file. Don't require a password file AND NSSPassPhraseHelper. Only the helper is required.
new 0c14c8a If mod_ssl isn't loaded then register the hooks to mod_proxy so we can do at least secure proxy in front of an unsecure host.
new 7793b9e Resolves BZ 248722
new f0cbeb2 NSS has been modified to not allow a fork after an NSS_Init() in the soft token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec.
new 7060463 Make FIPS mode work. This fixes 2 problems:
new 80f966c No need to link with softokn3
new 3b2e9ed Fix parsing error where a token with no password would end up with a trailing tab in its value causing NSS to not find it.
new 9576f57 Don't allow blank passwords if FIPS is enabled. This is not allowed by the NSS FIPS 140-2 security policy.
new 503b4df Don't inherit the MP cache when running in threaded mode Don't initialize the database if the SSL is disabled in the configuration
new d26e83a Restore moduleKill function so that NSS remains initialized during the entire configuration state. Other modules were relying on mod_nss leaving NSS initialized.
new e19d59b Bring up-to-date to mod_nss 1.0.8
new 14d6276 Fix bug in disabling mod_ssl when installing mod_nss with 'make install'
new 2870f90 Return -1 on a read failure and set the appropriate NSPR error message.
new 118abee Fix another place we should set PR_WOULD_BLOCK_ERROR during a read.
new 6344040 Add controls for managing SSL renegotiation
new 78df57b Add TLS renegotiation options to the configuration file
new 00dd8c4 Update list of error messages
new 04119e7 Compare CN value of remote host with requested host in reverse proxy. Add configuration option to disable this, defaulting to on.
new 08cfa88 Ignore SIGHUP in nss_pcache (#591889).
new 52b20c7 2010-05-14 Rob Crittenden <rcritten at redhat.com> * Ignore SIGHUP in nss_pcache (#591889). Contributed by Joshua Roys <roysjosh at gmail.com>
new cb69869 Fix endless read loop in some situations when handling POST data (#620856)
new d3da91e Only call PK11_ListCerts once and pass it when configuring each virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
new 883452c Bring up to date.
new cb1d3ff Revert PR_WOULD_BLOCK change and reset the NSPR error value before calling PR_Read().
new 4aba0ec Bug 669118
new 3c0f6bd * Don't use memcpy as it may operate on overlapping memory (#669118) Patch ported from mod_ssl by Stephen Gallagher <sgallagh at redhat.com>
new 1a10bf6 Add man page for gencert
new f656ffc Add a semaphore lock around retrieving token PINs from the nss_pcache pipe. Rarely requests to the pipe were getting overridden causing that child to not enable SSL.
new a6c3370 Always copy in client certificate and fix FakeBasicAuth
new 78fe734 No need to shut things down if NSS isn't initialized.
new a2bada0 Fix static array overrun when generating arg list for nss_pcache
new b8bc6fe Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache.
new 97a6da1 Moved 'nss_pcache' and provided compatibility link.
new 399685f Only clear the SSL Session Cache when shutting the server down.
new 25e23d6 Add support for TLS v1.1, protocol ranges.
new 680e899 Documentation formatting fixes
new 14ce3fc Fix usage string in nss_pcache to include semid
new 2a8b281 Clarify the error messages to distinguish between server and proxy
new e339e2f Install nss_pcache.8 man page
new 8eff5df Document sample mod_nss use cases, including FIPS.
new 6ea9bd8 Work with mod_proxy when mod_ssl is also loaded.
new 04a38bc Move nss_pcache to /usr/libexec
new 84672b9 Fix argument handling in nss_pcache
new ff76371 Fix incorrect handling of NSSVerifyClient in directory context
new d80edeb Update Changelog and AUTHORS
new 9e9b886 Remove a bunch of auto-generated files
new 3413bbd Rename configure.in to configure.ac
new ed17d95 Apache 2.4 compatibility changes
new b50b13b Remove an unused variable
new c2ac0d1 Finally added a .gitignore
new 07c2729 Add some basic functional tests.
new 80ba95f Merge remote-tracking branch 'origin/upstream' into master-n
new 7777f25 update paths
new 9c939f3 control: Use canonical vcs urls.
new bdbd987 compat: Bump to 9.
new 4ab8f77 Merge branch 'master' into master-n
new c2de77c debian/nss.conf: Removed, use the patched upstream conf instead.
new 82eb270 bump the version
new 436f3c3 control, rules: Use dh and dh-autoreconf.
new a7ea280 install: Install nss_pcache in /usr/lib/libapache2-mod-nss instead of /usr/sbin.
new b4e755f update patches, remove upstreamed ones
new cf35769 gencert: Create sqlite-based db's.
new afe9343 rules: Disable tests, too many fedoraisms.
new 088d3e0 install manpages, symlink to nss_pcache
new ea0207a rules: Add a symlink to libnssckbi.so to the nssdb.
new 1e38cf7 postinst, postrm: Create the nssdb on postinst, clear on postrm.
The 156 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
.gitignore | 31 +
AUTHORS | 10 +
ChangeLog | 110 +
INSTALL | 328 +-
Makefile.am | 31 +-
Makefile.in | 600 -
README | 22 +-
TODO | 5 +-
aclocal.m4 | 6683 -------
config.guess | 1447 --
config.m4 | 51 -
config.sub | 1555 --
configure | 21483 ----------------------
configure.in => configure.ac | 0
debian/changelog | 22 +
debian/compat | 2 +-
debian/control | 10 +-
debian/libapache2-mod-nss.dirs | 2 +-
debian/libapache2-mod-nss.install | 4 +-
debian/libapache2-mod-nss.links | 1 +
debian/libapache2-mod-nss.manpages | 2 +
debian/libapache2-mod-nss.postinst | 18 +
debian/libapache2-mod-nss.postrm | 14 +
debian/nss.conf | 203 -
debian/patches/fix_build | 14 -
debian/patches/mod_nss-clientauth.patch | 50 -
debian/patches/mod_nss-conf.patch | 77 +-
debian/patches/mod_nss-gencert.patch | 67 +-
debian/patches/mod_nss-httpd24.patch | 135 -
debian/patches/mod_nss-lockpcache.patch | 240 -
debian/patches/mod_nss-negotiate.patch | 184 -
debian/patches/mod_nss-nssverifyclient.patch | 12 -
debian/patches/mod_nss-overlapping_memcpy.patch | 24 -
debian/patches/mod_nss-pcachesignal.patch | 21 -
debian/patches/mod_nss-reseterror.patch | 10 -
debian/patches/mod_nss-reverseproxy.patch | 182 -
debian/patches/mod_nss-wouldblock.patch | 12 -
debian/patches/series | 11 -
debian/rules | 104 +-
depcomp | 529 -
docs/mod_nss.html | 657 +-
gencert.8 | 59 +
gencert.in | 24 +-
install-sh | 251 -
ltmain.sh | 6870 -------
migrate.pl | 3 +-
missing | 336 -
mkinstalldirs | 40 -
mod_nss.c | 71 +-
mod_nss.h | 39 +-
nss.conf.in | 24 +-
nss_engine_config.c | 48 +
nss_engine_init.c | 393 +-
nss_engine_io.c | 28 +-
nss_engine_kernel.c | 15 +-
nss_engine_log.c | 20 +-
nss_engine_pphrase.c | 17 +
nss_engine_vars.c | 42 +-
nss_pcache.8 | 95 +
nss_pcache.c | 30 +-
test/createinstance.sh | 59 +
test/httpd.conf.tmpl | 999 +
test/setup.sh | 55 +
test/suite1.tmpl | 65 +
test/test.py | 138 +
test/test_config.py | 186 +
test/test_request.py | 190 +
test/test_util.py | 52 +
68 files changed, 3616 insertions(+), 41496 deletions(-)
create mode 100644 .gitignore
delete mode 100644 Makefile.in
delete mode 100644 aclocal.m4
delete mode 100755 config.guess
delete mode 100644 config.m4
delete mode 100755 config.sub
delete mode 100755 configure
rename configure.in => configure.ac (100%)
create mode 100644 debian/libapache2-mod-nss.links
create mode 100644 debian/libapache2-mod-nss.manpages
create mode 100644 debian/libapache2-mod-nss.postinst
create mode 100644 debian/libapache2-mod-nss.postrm
delete mode 100644 debian/nss.conf
delete mode 100644 debian/patches/fix_build
delete mode 100644 debian/patches/mod_nss-clientauth.patch
delete mode 100644 debian/patches/mod_nss-httpd24.patch
delete mode 100644 debian/patches/mod_nss-lockpcache.patch
delete mode 100644 debian/patches/mod_nss-negotiate.patch
delete mode 100644 debian/patches/mod_nss-nssverifyclient.patch
delete mode 100644 debian/patches/mod_nss-overlapping_memcpy.patch
delete mode 100644 debian/patches/mod_nss-pcachesignal.patch
delete mode 100644 debian/patches/mod_nss-reseterror.patch
delete mode 100644 debian/patches/mod_nss-reverseproxy.patch
delete mode 100644 debian/patches/mod_nss-wouldblock.patch
delete mode 100755 depcomp
create mode 100644 gencert.8
delete mode 100755 install-sh
delete mode 100644 ltmain.sh
delete mode 100755 missing
delete mode 100755 mkinstalldirs
create mode 100644 nss_pcache.8
create mode 100755 test/createinstance.sh
create mode 100644 test/httpd.conf.tmpl
create mode 100755 test/setup.sh
create mode 100644 test/suite1.tmpl
create mode 100644 test/test.py
create mode 100644 test/test_config.py
create mode 100644 test/test_request.py
create mode 100644 test/test_util.py
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git