rpms/mod_nss/F-8 mod_nss-inherit.patch, NONE, 1.1 mod_nss.spec, 1.11, 1.12

Robert Crittenden (rcritten) fedora-extras-commits at redhat.com
Fri Jul 11 12:44:18 UTC 2008


Author: rcritten

Update of /cvs/extras/rpms/mod_nss/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22255

Modified Files:
	mod_nss.spec 
Added Files:
	mod_nss-inherit.patch 
Log Message:
- Don't inherit the MP cache in multi-threaded mode
- Don't initialize NSS in each child if SSL isn't configured

Resolves: #454701


mod_nss-inherit.patch:

--- NEW FILE mod_nss-inherit.patch ---
--- mod_nss-1.0.7-orig/nss_engine_init.c	16 May 2008 15:16:02 -0000	1.32
+++ mod_nss-1.0.7/nss_engine_init.c	9 Jul 2008 22:22:46 -0000
@@ -1079,23 +1079,54 @@
     }
 }
 
 void nss_init_Child(apr_pool_t *p, server_rec *base_server)
 {
     SSLModConfigRec *mc = myModConfig(base_server);
     SSLSrvConfigRec *sc;
     server_rec *s;
+    int threaded = 0;
+    int sslenabled = FALSE;
 
     mc->pid = getpid(); /* only call getpid() once per-process */
 
-    if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-             "SSL_InheritMPServerSIDCache failed");
-        nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+    /*
+     *  First, see if ssl is enabled at all
+     */
+    for (s = base_server; s; s = s->next) {
+        sc = mySrvConfig(s);
+        /* If any servers have SSL, we want sslenabled set so we
+         * can perform further initialization
+         */
+
+        if (sc->enabled == UNSET) {
+            sc->enabled = FALSE;
+        }
+
+        if (sc->proxy_enabled == UNSET) {
+            sc->proxy_enabled = FALSE;
+        }
+
+        if ((sc->enabled == TRUE) || (sc->proxy_enabled == TRUE)) {
+            sslenabled = TRUE;
+        }
+    }
+
+    if (sslenabled == FALSE) { /* we are not an SSL/TLS server */
+        return;
+    }
+
+    ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+    if (!threaded) {
+        if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                         "SSL_InheritMPServerSIDCache failed");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+        }
     }
 
     nss_init_SSLLibrary(base_server);
 
     /* Configure all virtual servers */
     for (s = base_server; s; s = s->next) {
         sc = mySrvConfig(s);
         if (sc->server->servercert == NULL && NSS_IsInitialized())
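Review bot: The `ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded)` call ignores its return status and uses a thread count as a boolean, so the `if (!threaded)` guard is correct only if the running MPM reports 0 for that query when it is not threaded. If the query fails, `threaded` keeps its initial 0 and the child takes the `SSL_InheritMPServerSIDCache` path that this patch is meant to avoid under a threaded MPM. Querying `AP_MPMQ_IS_THREADED` states the intent directly, and a failed query looks safer treated as threaded: `if (ap_mpm_query(AP_MPMQ_IS_THREADED, &threaded) != APR_SUCCESS) threaded = 1;`. A short comment above the guard saying why the session-ID cache is not inherited when threaded would help, since the code gives no reason. The new early `return` also skips everything after it, and nss_init_Child continues past the end of the hunk, so it is worth confirming that nothing further down is needed by children with no SSL-enabled server.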



Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- mod_nss.spec	2 Jul 2008 14:44:53 -0000	1.11
+++ mod_nss.spec	11 Jul 2008 12:43:22 -0000	1.12
@@ -1,6 +1,6 @@
 Name: mod_nss
 Version: 1.0.7
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: Apache Software License
@@ -16,6 +16,7 @@
 Patch3: mod_nss-proxy.patch
 Patch4: mod_nss-nofork.patch
 Patch5: mod_nss-fips.patch
+Patch6: mod_nss-inherit.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -30,6 +31,7 @@
 %patch3 -p1 -b .proxy
 %patch4 -p1 -b .nofork
 %patch5 -p1 -b .fips
+%patch6 -p1 -b .inherit
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -114,6 +116,10 @@
 %{_sbindir}/gencert
 
 %changelog
+* Thu Jul 10 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-7
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
 * Wed Jul  2 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-6
 - Update the patch for FIPS to include fixes for nss_pcache, enforce
   the security policy and properly initialize the FIPS token.



