[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] branch upstream updated (5b6aaed -> 07c2729)

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:57:16 UTC 2014

This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a change to branch upstream
in repository libapache2-mod-nss.

     omits  5b6aaed   Imported Upstream version 1.0.8
      adds  f6ecd9d   Initial import of mod_nss
      adds  aabd41a   By default, don't start with an expired cert. Add option SSLEnforceValid Cert on/off to allow one to start with a bad cert.
      adds  e5a4f20   The path to the cert database was hardcoded, use the value passed in by Apache.
      adds  2143559   Add support for apr-config. Print out some nice notes alerting the user to verify that mod_ssl is disabled. Tell the user about gencert so they can generate their own self-signed certificate.
      adds  e001ab8   Remove check for Define SSL Comment out a few entries that the average user won't need Do some general cleanups and fixups
      adds  49fe778   First crack at migrating an existing ssl.conf to nss.conf.
      adds  0eba132   Enable more ciphers than just fips_3des_sha.
      adds  32a0cc4   Terminate echo'd strings
      adds  77042d5   When doing SSLVerifyCert require then we need to always require the certificate to match what OpenSSL does.
      adds  d4ead13   Add support for the SSL_CLIENT_CERT_CHAIN_ environment variable. SSL_CLIENT_I_DN_ was incorrectly parsing the client certificate subject instead of the issuer subject. Print out PEM files the same way as OpenSSL
      adds  b2aee92   Generate gencert so we can set the NSS and NSPR directories and make things easier for the user. Also try really, really hard to get the FQDN so we can create a host-specific self-signed certificate.
      adds  102486d   Changed function and configuration names so mod_nss can peacefully co-exist with mod_ssl.
      adds  348a79c   Remove message about co-existing with mod_ssl, that works ok now. Also fix nasty typo.
      adds  62d308e   Initialize enforcement of valid certificates to true.
      adds  d99ab1c   Fix formatting and variable name in error message.
      adds  505e42a   Basic documentation on the mod_nss module.
      adds  ffb5fab   Reflect new Directive naming convention
      adds  765a354   Zero length file for now so autoconf will shut up.
      adds  e882f30   Add NSS database prefix support
      adds  398e33b   Earlier versions of Apache 2.0 (such as on RHEL 3) don't support AP_BUCKET_IS_EOC. Define around it.
      adds  08d5d7d   Fix lunasa problem. The key we generate must work for both encryption and decryption. By default generate key only returns encryption keys.
      adds  c656f45   Add in support for older versions of NSS that don't have the function PK11_TokenKeyGenWithFlags(). Older versions of NSS will only work with software certificates when using nss_pcache. The workaround is to store the token passwords in a file instead.
      adds  3103cc0   Don't assume that apr-config is in the PATH. Let the user specify which one to run, just like with apxs.
      adds  feb631f   Clarify things a bit, change directive name to match new naming scheme.
      adds  b4164d9   Add libsoftokn3.so for nss_pcache.
      adds  64342aa   Add more information related to gencert Tell users where to find more documentation
      adds  f1d0c79   Added Database Management section. Added links to NSS and NSPR
      adds  d3a1b4f   Changed 2 function names from SSL -> NSS I had missed in earlier cleanup
      adds  70d2235   Properly clean up the SSL environment so NSS can be shut down gracefully.
      adds  bb9b72e   Also clean up the SSL Session ID Cache when shutting down. If we are using the forked model, use the MP version of the Session ID cache. Don't call PR_Cleanup(), this could cause problems.
      adds  203bed3   More correct detection of NSS version when determining whether we should expect PK11_TokenKeyGenWithFlags(). It hasn't been included as of NSS 3.10.0.
      adds  8625526   Add a FIPS configuration option. This enables the FIPS internal database module, configures for SSLv3 and TLSv1 and enables the 2 FIPS ciphers (and disables all the others).
      adds  c1a0fd4   Add OCSP support
      adds  a160145   Add information about how to use built-in CA's via libnssckbi.so
      adds  800a72a   Add short example of how to use certutil to generate a certificate request suitable for submission to a 3rd party CA such as Verisign.
      adds  4283b33   Improve FIPS configuration:   - The NSS ciphers are enumerated to find those that are FIPS approved   - This list of approved ciphers is compared to the NSSCipherSuite entry     and those enabled, approved ciphers are configured. This way you aren't     forced to use all of the FIPS ciphers (in case you don't want a     56-bit cipher enabled).   - Only TLSv1 should be enabled.
      adds  609e2db   Update to reflect changes to the NSSFIPS directive
      adds  3e58b2e   Make SSL2 an optional protocol, disabled by default.
      adds  3db52e3   Adding files required by the Apache 2.0 License
      adds  250b8ca   Add missing copyright block
      adds  4bd0341   separate with options for include and lib directories - use nspr and nss instead of mozilla-nspr and -nss
      adds  cd6deed   force checkin of autoconf files
      adds  bbde2f3   Add proxy support to mod_nss. Most of the changes are related to adding new configuration directives. For the others we need to initialize an NSS socket differently whether we will be acting as a client or a server.
      adds  98c66d1   Remove a debug msg that was left in on accident.
      adds  252fddb   Add support for seeding the NSS Random Number Generator. This adds a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed directive.
      adds  90314a1   Close the proxy model socket so NSS can be shutdown gracefully. Also correct an error where the PKCS#11 slot isn't closed unless the certificate key is obtained. This also affected NSS_Shutdown().
      adds  5f55572   Add in check to be sure that the same server isn't initialized with SSL more than once. This avoids a crash during shutdown where the same certificates and keys will try to be released multiple times. This is based on ssl_init_server_check() from mod_ssl.
      adds  50fe6b1   added mod_nss.spec and makerpm.sh
      adds  683960d   had to recreate these on rhel3 because I nuked them on rhel4
      adds  1a9c5d3   removed empty flavor from spec
      adds  d4cb1bb   Fix command-line argument miscounting caused by the addition of the FIPS flag. The result was that the database prefix was always missed.
      adds  6286793   Changes to allow the mod_nss to work in Apache 2.2.0. Based on a patch from Oden Eriksson.
      adds  0f8282d   This file was copied directly from the Apache distribution. Remove the extra per-module stuff that doesn't apply.
      adds  7d1b05a   [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
      adds  55c7696   [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
      adds  deb5f50   Make configure automatically find the correct versions of apr-config and apxs
      adds  b5291c8   [179394] HP-UX IPF/PA-RISC support updated hppa*64* with hppa2.* in aclocal.m4 to support 64 bit PA_RISC. CAUTION: this file could be automatically updated by "aclocal" command using libtool.m4, which contains the expression: "hppa*64*".    But 64 bit PA_RISC generates, this string "build_cpu='hppa2.0w'", which does not match "hppa*64*". So, if aclocal.m4 is updated, hppa*64* needs to be replaced.
      adds  05b6031   Checking in automatically generated aclocal.m4 and derived files. aclocal-1.6; automake-1.6; autoconf
      adds  50ad8c9   upgraded config.guess and config.sub to 2004-09-07 (same as mod_admserv)
      adds  b9131c4   Add support for Elliptical Curve Cryptography (ECC). This is disabled by default. To enable it, pass --enable-ecc to configure.
      adds  8ae9591   force checkin of autoconf files
      adds  7eed0dc   188300
      adds  77378f6   196070
      adds  c6435b2   Drop dependency on ksh and use bash instead.
      adds  330ebd5   Remove some invalid comments
      adds  073a857   196070
      adds  7a16cfd   mod_proxy support has been around for a while. We want SNI support as soon as NSS allows it.
      adds  12d492f   197681
      adds  7a9b1da   200855
      adds  7896430   200855
      adds  f1040b4   200610
      adds  f2f7282   Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958
      adds  ecf3a7e   Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700
      adds  a2c5668   Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965
      adds  f85e30e   Merge in http://svn.apache.org/viewvc?view=rev&revision=354394
      adds  09e5676   Initialize the NSS cache before NSS_Init is called. A race condition was being triggered during the first module unload when calling NSS_Shutdown because the cache wasn't finished setting itself up in MP mode.
      adds  555efa7   204138
      adds  bb0f6ca   Add information about ECC including required versions of NSPR and NSS and the available ciphers.
      adds  16f50b3   208848
      adds  4d3a405   211139
      adds  803d86b   211612
      adds  9a894d9   212426
      adds  ff38e91   213081
      adds  c6f1107   222173
      adds  dd8e415   226747
      adds  61cadf2   229660
      adds  68b364f   Resolves: 241936
      adds  0cd05b4   Populate the changelog.
      adds  bc1e4b1   The wrong variable was being used to report that NSSPassPhraseHelper wasn't found.
      adds  e2baea5   Only NSSPassPhraseHelper needs to be required.
      adds  4aa4a80   The error message was wrong if NSSPassPhraseHelper pointed to a non-existent file. Don't require a password file AND NSSPassPhraseHelper. Only the helper is required.
      adds  0c14c8a   If mod_ssl isn't loaded then register the hooks to mod_proxy so we can do at least secure proxy in front of an unsecure host.
      adds  7793b9e   Resolves BZ 248722
      adds  f0cbeb2   NSS has been modified to not allow a fork after an NSS_Init() in the soft token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec.
      adds  7060463   Make FIPS mode work. This fixes 2 problems:
      adds  80f966c   No need to link with softokn3
      adds  3b2e9ed   Fix parsing error where a token with no password would end up with a trailing tab in its value causing NSS to not find it.
      adds  9576f57   Don't allow blank passwords if FIPS is enabled. This is not allowed by the NSS FIPS 140-2 security policy.
      adds  503b4df   Don't inherit the MP cache when running in threaded mode Don't initialize the database if the SSL is disabled in the configuration
      adds  d26e83a   Restore moduleKill function so that NSS remains initialized during the entire configuration state. Other modules were relying on mod_nss leaving NSS initialized.
      adds  e19d59b   Bring up-to-date to mod_nss 1.0.8
      adds  14d6276   Fix bug in disabling mod_ssl when installing mod_nss with 'make install'
      adds  2870f90   Return -1 on a read failure and set the appropriate NSPR error message.
      adds  118abee   Fix another place we should set PR_WOULD_BLOCK_ERROR during a read.
      adds  6344040   Add controls for managing SSL renegotiation
      adds  78df57b   Add TLS renegotiation options to the configuration file
      adds  00dd8c4   Update list of error messages
      adds  04119e7   Compare CN value of remote host with requested host in reverse proxy. Add configuration option to disable this, defaulting to on.
      adds  08cfa88   Ignore SIGHUP in nss_pcache (#591889).
      adds  52b20c7   2010-05-14  Rob Crittenden <rcritten at redhat.com>     * Ignore SIGHUP in nss_pcache (#591889).       Contributed by Joshua Roys <roysjosh at gmail.com>
      adds  cb69869   Fix endless read loop in some situations when handling POST data (#620856)
      adds  d3da91e   Only call PK11_ListCerts once and pass it when configuring each virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
      adds  883452c   Bring up to date.
      adds  cb1d3ff   Revert PR_WOULD_BLOCK change and reset the NSPR error value before calling PR_Read().
      adds  4aba0ec   Bug 669118
      adds  3c0f6bd   * Don't use memcpy as it may operate on overlapping memory (#669118)   Patch ported from mod_ssl by Stephen Gallagher <sgallagh at redhat.com>
      adds  1a10bf6   Add man page for gencert
      adds  f656ffc   Add a semaphore lock around retrieving token PINs from the nss_pcache pipe. Rarely requests to the pipe were getting overridden causing that child to not enable SSL.
      adds  a6c3370   Always copy in client certificate and fix FakeBasicAuth
      adds  78fe734   No need to shut things down if NSS isn't initialized.
      adds  a2bada0   Fix static array overrun when generating arg list for nss_pcache
      adds  b8bc6fe   Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache.
      adds  97a6da1   Moved 'nss_pcache' and provided compatibility link.
      adds  399685f   Only clear the SSL Session Cache when shutting the server down.
      adds  25e23d6   Add support for TLS v1.1, protocol ranges.
      adds  680e899   Documentation formatting fixes
      adds  14ce3fc   Fix usage string in nss_pcache to include semid
      adds  2a8b281   Clarify the error messages to distinguish between server and proxy
      adds  e339e2f   Install nss_pcache.8 man page
      adds  8eff5df   Document sample mod_nss use cases, including FIPS.
      adds  6ea9bd8   Work with mod_proxy when mod_ssl is also loaded.
      adds  04a38bc   Move nss_pcache to /usr/libexec
      adds  84672b9   Fix argument handling in nss_pcache
      adds  ff76371   Fix incorrect handling of NSSVerifyClient in directory context
      adds  d80edeb   Update Changelog and AUTHORS
      adds  9e9b886   Remove a bunch of auto-generated files
      adds  3413bbd   Rename configure.in to configure.ac
      adds  ed17d95   Apache 2.4 compatibility changes
      adds  b50b13b   Remove an unused variable
      adds  c2ac0d1   Finally added a .gitignore
      adds  07c2729   Add some basic functional tests.

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (5b6aaed)
            \
             N -- N -- N   refs/heads/upstream (07c2729)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omits" are not gone; other references still
refer to them.  Any revisions marked "discards" are gone forever.

No new revisions were added by this update.

Summary of changes:
 .gitignore                   |    31 +
 AUTHORS                      |    10 +
 ChangeLog                    |   110 +
 INSTALL                      |   328 +-
 Makefile.am                  |    31 +-
 Makefile.in                  |   600 --
 README                       |    22 +-
 TODO                         |     5 +-
 aclocal.m4                   |  6683 -------------
 config.guess                 |  1447 ---
 config.m4                    |    51 -
 config.sub                   |  1555 ---
 configure                    | 21483 -----------------------------------------
 configure.in => configure.ac |     0
 depcomp                      |   529 -
 docs/mod_nss.html            |   657 +-
 gencert.8                    |    59 +
 gencert.in                   |    24 +-
 install-sh                   |   251 -
 ltmain.sh                    |  6870 -------------
 migrate.pl                   |     3 +-
 missing                      |   336 -
 mkinstalldirs                |    40 -
 mod_nss.c                    |    71 +-
 mod_nss.h                    |    39 +-
 nss.conf.in                  |    24 +-
 nss_engine_config.c          |    48 +
 nss_engine_init.c            |   393 +-
 nss_engine_io.c              |    28 +-
 nss_engine_kernel.c          |    15 +-
 nss_engine_log.c             |    20 +-
 nss_engine_pphrase.c         |    17 +
 nss_engine_vars.c            |    42 +-
 nss_pcache.8                 |    95 +
 nss_pcache.c                 |    30 +-
 test/createinstance.sh       |    59 +
 test/httpd.conf.tmpl         |   999 ++
 test/setup.sh                |    55 +
 test/suite1.tmpl             |    65 +
 test/test.py                 |   138 +
 test/test_config.py          |   186 +
 test/test_request.py         |   190 +
 test/test_util.py            |    52 +
 43 files changed, 3428 insertions(+), 40263 deletions(-)
 create mode 100644 .gitignore
 delete mode 100644 Makefile.in
 delete mode 100644 aclocal.m4
 delete mode 100755 config.guess
 delete mode 100644 config.m4
 delete mode 100755 config.sub
 delete mode 100755 configure
 rename configure.in => configure.ac (100%)
 delete mode 100755 depcomp
 create mode 100644 gencert.8
 delete mode 100755 install-sh
 delete mode 100644 ltmain.sh
 delete mode 100755 missing
 delete mode 100755 mkinstalldirs
 create mode 100644 nss_pcache.8
 create mode 100755 test/createinstance.sh
 create mode 100644 test/httpd.conf.tmpl
 create mode 100755 test/setup.sh
 create mode 100644 test/suite1.tmpl
 create mode 100644 test/test.py
 create mode 100644 test/test_config.py
 create mode 100644 test/test_request.py
 create mode 100644 test/test_util.py

Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
