[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] branch upstream updated (5b6aaed -> 07c2729)
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:57:16 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a change to branch upstream
in repository libapache2-mod-nss.
omits 5b6aaed Imported Upstream version 1.0.8
adds f6ecd9d Initial import of mod_nss
adds aabd41a By default, don't start with an expired cert. Add option SSLEnforceValid Cert on/off to allow one to start with a bad cert.
adds e5a4f20 The path to the cert database was hardcoded, use the value passed in by Apache.
adds 2143559 Add support for apr-config. Print out some nice notes alerting the user to verify that mod_ssl is disabled. Tell the user about gencert so they can generate their own self-signed certificate.
adds e001ab8 Remove check for Define SSL Comment out a few entries that the average user won't need Do some general cleanups and fixups
adds 49fe778 First crack at migrating an existing ssl.conf to nss.conf.
adds 0eba132 Enable more ciphers than just fips_3des_sha.
adds 32a0cc4 Terminate echo'd strings
adds 77042d5 When doing SSLVerifyCert require then we need to always require the certificate to match what OpenSSL does.
adds d4ead13 Add support for the SSL_CLIENT_CERT_CHAIN_ environment variable. SSL_CLIENT_I_DN_ was incorrectly parsing the client certificate subject instead of the issuer subject. Print out PEM files the same way as OpenSSL
adds b2aee92 Generate gencert so we can set the NSS and NSPR directories and make things easier for the user. Also try really, really hard to get the FQDN so we can create a host-specific self-signed certificate.
adds 102486d Changed function and configuration names so mod_nss can peacefully co-exist with mod_ssl.
adds 348a79c Remove message about co-existing with mod_ssl, that works ok now. Also fix nasty typo.
adds 62d308e Initialize enforcement of valid certificates to true.
adds d99ab1c Fix formatting and variable name in error message.
adds 505e42a Basic documentation on the mod_nss module.
adds ffb5fab Reflect new Directive naming convention
adds 765a354 Zero length file for now so autoconf will shut up.
adds e882f30 Add NSS database prefix support
adds 398e33b Earlier versions of Apache 2.0 (such as on RHEL 3) don't support AP_BUCKET_IS_EOC. Define around it.
adds 08d5d7d Fix lunasa problem. The key we generate must work for both encryption and decryption. By default generate key only returns encryption keys.
adds c656f45 Add in support for older versions of NSS that don't have the function PK11_TokenKeyGenWithFlags(). Older versions of NSS will only work with software certificates when using nss_pcache. The workaround is to store the token passwords in a file instead.
adds 3103cc0 Don't assume that apr-config is in the PATH. Let the user specify which one to run, just like with apxs.
adds feb631f Clarify things a bit, change directive name to match new naming scheme.
adds b4164d9 Add libsoftokn3.so for nss_pcache.
adds 64342aa Add more information related to gencert Tell user's where to find more documentation
adds f1d0c79 Added Database Management section. Added links to NSS and NSPR
adds d3a1b4f Changed 2 function names from SSL -> NSS I had missed in earlier cleanup
adds 70d2235 Properly clean up the SSL environment so NSS can be shut down gracefully.
adds bb9b72e Also clean up the SSL Session ID Cache when shutting down. If we are using the forked model, use the MP version of the Session ID cache. Don't call PR_Cleanup(), this could cause problems.
adds 203bed3 More correct detection of NSS version when determining whether we should expect PK11_TokenKeyGenWithFlags(). It hasn't been included as of NSS 3.10.0.
adds 8625526 Add a FIPS configuration option. This enables the FIPS internal database module, configures for SSLv3 and TLSv1 and enables the 2 FIPS ciphers (and disables all the others).
adds c1a0fd4 Add OCSP support
adds a160145 Add information about how to use built-in CA's via libnssckbi.so
adds 800a72a Add short example of how to use certutil to generate a certificate request suitable for submission to a 3rd party CA such as Verisign.
adds 4283b33 Improve FIPS configuration: - The NSS ciphers are enumerated to find those that are FIPS approved - This list of approved ciphers is compared to the NSSCipherSuite entry and those enabled, approved ciphers are configured. This way you aren't forced to use all of the FIPS ciphers (in case you don't want a 56-bit cipher enabled). - Only TLSv1 should be enabled.
adds 609e2db Update to reflect changes to the NSSFIPS directive
adds 3e58b2e Make SSL2 an optional protocol, disabled by default.
adds 3db52e3 Adding files required by the Apache 2.0 License
adds 250b8ca Add missing copyright block
adds 4bd0341 separate with options for include and lib directories - use nspr and nss instead of mozilla-nspr and -nss
adds cd6deed force checkin of autoconf files
adds bbde2f3 Add proxy support to mod_nss. Most of the changes are related to adding new configuration directives. For the others we need to initialize an NSS socket differently whether we will be acting as a client or a server.
adds 98c66d1 Remove a debug msg that was left in on accident.
adds 252fddb Add support for seeding the NSS Random Number Generator. This adds a new directive, NSSRandomSeed based on the mod_ssl SSLRandomSeed directive.
adds 90314a1 Close the proxy model socket so NSS can be shutdown gracefully. Also correct an error where the PKCS#11 slot isn't closed unless a the certificate key is obtained. This also affected NSS_Shutdown().
adds 5f55572 Add in check to be sure that the same server isn't initialized with SSL more than once. This avoids a crash during shutdown where the same certificates and keys will try to be released multiple times. This is based on ssl_init_server_check() from mod_ssl.
adds 50fe6b1 added mod_nss.spec and makerpm.sh
adds 683960d had to recreate these on rhel3 because I nuked them on rhel4
adds 1a9c5d3 removed empty flavor from spec
adds d4cb1bb Fix command-line argument miscounting caused by the addition of the FIPS flag. The result was that the database prefix was always missed.
adds 6286793 Changes to allow the mod_nss to work in Apache 2.2.0. Based on a patch from Oden Eriksson.
adds 0f8282d This file was copied directly from the Apache distribution. Remove the extra per-module stuff that doesn't apply.
adds 7d1b05a [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
adds 55c7696 [179394] HP-UX IPF support autoconf 2.59/libtool 1.5
adds deb5f50 Make configure automatically find the correct versions of apr-config and apxs
adds b5291c8 [179394] HP-UX IPF/PA-RISC support updated hppa*64* with hppa2.* in aclocal.m4 to support 64 bit PA_RISC. CAUTION: this file could be automatically updated by "aclocal" command using libtool.m4, which contains the expression: "hppa*64*". But 64 bit PA_RISC generates, this string "build_cpu='hppa2.0w'", which does not match "hppa*64*". So, if aclocal.m4 is updated, hppa*64* needs to be replaced.
adds 05b6031 Checking in automatically generated aclocal.m4 and derived files. aclocal-1.6; automake-1.6; autoconf
adds 50ad8c9 upgraded config.guess and config.sub to 2004-09-07 (same as mod_admserv)
adds b9131c4 Add support for Elliptical Curve Cryptography (ECC). This is disabled by default. To enable it, pass --enable-ecc to configure.
adds 8ae9591 force checkin of autoconf files
adds 7eed0dc 188300
adds 77378f6 196070
adds c6435b2 Drop dependency on ksh and use bash instead.
adds 330ebd5 Remove some invalid comments
adds 073a857 196070
adds 7a16cfd mod_proxy support has been around for a while. We want SNI support as soon as NSS allows it.
adds 12d492f 197681
adds 7a9b1da 200855
adds 7896430 200855
adds f1040b4 200610
adds f2f7282 Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958
adds ecf3a7e Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700
adds a2c5668 Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965
adds f85e30e Merge in http://svn.apache.org/viewvc?view=rev&revision=354394
adds 09e5676 Initialize the NSS cache before NSS_Init is called. A race condition was being triggered during the first module unload when calling NSS_Shutdown because the cache wasn't finished setting itself up in MP mode.
adds 555efa7 204138
adds bb0f6ca Add information about ECC including required versions of NSPR and NSS and the available ciphers.
adds 16f50b3 208848
adds 4d3a405 211139
adds 803d86b 211612
adds 9a894d9 212426
adds ff38e91 213081
adds c6f1107 222173
adds dd8e415 226747
adds 61cadf2 229660
adds 68b364f Resolves: 241936
adds 0cd05b4 Populate the changelog.
adds bc1e4b1 The wrong variable was being used to report that NSSPassPhraseHelper wasn't found.
adds e2baea5 Only NSSPassPhraseHelper needs to be required.
adds 4aa4a80 The error message was wrong if NSSPassPhraseHelper pointed to a non-existant file. Don't require a password file AND NSSPassPhraseHelper. Only the helper is required.
adds 0c14c8a If mod_ssl isn't loaded then register the hooks to mod_proxy so we can do at least secure proxy in front of an unsecure host.
adds 7793b9e Resolves BZ 248722
adds f0cbeb2 NSS has been modified to not allow a fork after an NSS_Init() in the soft token. It apparently always did this for hardware tokens as it is part of the PKCS#11 spec.
adds 7060463 Make FIPS mode work. This fixes 2 problems:
adds 80f966c No need to link with softokn3
adds 3b2e9ed Fix parsing error where a token with no password would end up with a trailing tab in its value causing NSS to not find it.
adds 9576f57 Don't allow blank passwords if FIPS is enabled. This is not allowed by the NSS FIPS 140-2 security policy.
adds 503b4df Don't inherit the MP cache when running in threaded mode Don't initialize the database if the SSL is disabled in the configuration
adds d26e83a Restore moduleKill function so that NSS remains initialized during the entire configuration state. Other modules were relying on mod_nss leaving NSS initialized.
adds e19d59b Bring up-to-date to mod_nss 1.0.8
adds 14d6276 Fix bug in disabling mod_ssl when installing mod_nss with 'make install'
adds 2870f90 Return -1 on a read failure and set the appropriate NSPR error message.
adds 118abee Fix another place we should set PR_WOULD_BLOCK_ERROR during a read.
adds 6344040 Add controls for managing SSL renegotiation
adds 78df57b Add TLS renegotiation options to the configuration file
adds 00dd8c4 Update list of error messages
adds 04119e7 Compare CN value of remote host with requested host in reverse proxy. Add configuration option to disable this, defaulting to on.
adds 08cfa88 Ignore SIGHUP in nss_pcache (#591889).
adds 52b20c7 2010-05-14 Rob Crittenden <rcritten at redhat.com> * Ignore SIGHUP in nss_pcache (#591889). Contributed by Joshua Roys <roysjosh at gmail.com>
adds cb69869 Fix endless read loop in some situations when handling POST data (#620856)
adds d3da91e Only call PK11_ListCerts once and pass it when configuring each virtual server. This saves considerable time when there are a lot of certificates and/or virtual servers.
adds 883452c Bring up to date.
adds cb1d3ff Revert PR_WOULD_BLOCK change and reset the NSPR error value before callling PR_Read().
adds 4aba0ec Bug 669118
adds 3c0f6bd * Don't use memcpy as it may operate on overlapping memory (#669118) Patch ported from mod_ssl by Stephen Gallagher <sgallagh at redhat.com>
adds 1a10bf6 Add man page for gencert
adds f656ffc Add a semaphore lock around retrieving token PINs from the nss_pcache pipe. Rarely requests to the pipe were getting overridden causing that child to not enable SSL.
adds a6c3370 Always copy in client certificate and fix FakeBasicAuth
adds 78fe734 No need to shut things down if NSS isn't initialized.
adds a2bada0 Fix static array overrun when generating arg list for nss_pcache
adds b8bc6fe Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache.
adds 97a6da1 Moved 'nss_pcache' and provided compatibility link.
adds 399685f Only clear the SSL Session Cache when shutting the server down.
adds 25e23d6 Add support for TLS v1.1, protocol ranges.
adds 680e899 Documentation formatting fixes
adds 14ce3fc Fix usage string in nss_pcache to include semid
adds 2a8b281 Clarify the error messages to distinguish between server and proxy
adds e339e2f Install nss_pcache.8 man page
adds 8eff5df Document sample mod_nss use cases, including FIPS.
adds 6ea9bd8 Work with mod_proxy when mod_ssl is also loaded.
adds 04a38bc Move nss_pcache to /usr/libexec
adds 84672b9 Fix argument handling in nss_pcache
adds ff76371 Fix incorrect handling of NSSVerifyClient in directory context
adds d80edeb Update Changelog and AUTHORS
adds 9e9b886 Remove a bunch of auto-generated files
adds 3413bbd Rename configure.in to configure.ac
adds ed17d95 Apache 2.4 compatibility changes
adds b50b13b Remove an unused variable
adds c2ac0d1 Finally added a .gitignore
adds 07c2729 Add some basic functional tests.
This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version. This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:
* -- * -- B -- O -- O -- O (5b6aaed)
\
N -- N -- N refs/heads/upstream (07c2729)
You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.
Any revisions marked "omits" are not gone; other references still
refer to them. Any revisions marked "discards" are gone forever.
No new revisions were added by this update.
Summary of changes:
.gitignore | 31 +
AUTHORS | 10 +
ChangeLog | 110 +
INSTALL | 328 +-
Makefile.am | 31 +-
Makefile.in | 600 --
README | 22 +-
TODO | 5 +-
aclocal.m4 | 6683 -------------
config.guess | 1447 ---
config.m4 | 51 -
config.sub | 1555 ---
configure | 21483 -----------------------------------------
configure.in => configure.ac | 0
depcomp | 529 -
docs/mod_nss.html | 657 +-
gencert.8 | 59 +
gencert.in | 24 +-
install-sh | 251 -
ltmain.sh | 6870 -------------
migrate.pl | 3 +-
missing | 336 -
mkinstalldirs | 40 -
mod_nss.c | 71 +-
mod_nss.h | 39 +-
nss.conf.in | 24 +-
nss_engine_config.c | 48 +
nss_engine_init.c | 393 +-
nss_engine_io.c | 28 +-
nss_engine_kernel.c | 15 +-
nss_engine_log.c | 20 +-
nss_engine_pphrase.c | 17 +
nss_engine_vars.c | 42 +-
nss_pcache.8 | 95 +
nss_pcache.c | 30 +-
test/createinstance.sh | 59 +
test/httpd.conf.tmpl | 999 ++
test/setup.sh | 55 +
test/suite1.tmpl | 65 +
test/test.py | 138 +
test/test_config.py | 186 +
test/test_request.py | 190 +
test/test_util.py | 52 +
43 files changed, 3428 insertions(+), 40263 deletions(-)
create mode 100644 .gitignore
delete mode 100644 Makefile.in
delete mode 100644 aclocal.m4
delete mode 100755 config.guess
delete mode 100644 config.m4
delete mode 100755 config.sub
delete mode 100755 configure
rename configure.in => configure.ac (100%)
delete mode 100755 depcomp
create mode 100644 gencert.8
delete mode 100755 install-sh
delete mode 100644 ltmain.sh
delete mode 100755 missing
delete mode 100755 mkinstalldirs
create mode 100644 nss_pcache.8
create mode 100755 test/createinstance.sh
create mode 100644 test/httpd.conf.tmpl
create mode 100755 test/setup.sh
create mode 100644 test/suite1.tmpl
create mode 100644 test/test.py
create mode 100644 test/test_config.py
create mode 100644 test/test_request.py
create mode 100644 test/test_util.py
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list