rpms/mod_nss/F-9 mod_nss-inherit.patch, NONE, 1.1 mod_nss-kill.patch, NONE, 1.1 mod_nss.spec, 1.12, 1.13

Robert Crittenden (rcritten) fedora-extras-commits at redhat.com
Wed Jul 16 15:55:48 UTC 2008


Author: rcritten

Update of /cvs/extras/rpms/mod_nss/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2789

Modified Files:
	mod_nss.spec 
Added Files:
	mod_nss-inherit.patch mod_nss-kill.patch 
Log Message:
1.0.7-9
- Don't force module de-init during the configuration stage (453508)

1.0.7-8
- Don't inherit the MP cache in multi-threaded mode (454701)
- Don't initialize NSS in each child if SSL isn't configured

Resolves: #453508, #454701


mod_nss-inherit.patch:

--- NEW FILE mod_nss-inherit.patch ---
--- mod_nss-1.0.7-orig/nss_engine_init.c	16 May 2008 15:16:02 -0000	1.32
+++ mod_nss-1.0.7/nss_engine_init.c	9 Jul 2008 22:22:46 -0000
@@ -1079,23 +1079,54 @@
     }
 }
 
 void nss_init_Child(apr_pool_t *p, server_rec *base_server)
 {
     SSLModConfigRec *mc = myModConfig(base_server);
     SSLSrvConfigRec *sc;
     server_rec *s;
+    int threaded = 0;
+    int sslenabled = FALSE;
 
     mc->pid = getpid(); /* only call getpid() once per-process */
 
-    if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
-             "SSL_InheritMPServerSIDCache failed");
-        nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+    /*
+     *  First, see if ssl is enabled at all
+     */
+    for (s = base_server; s; s = s->next) {
+        sc = mySrvConfig(s);
+        /* If any servers have SSL, we want sslenabled set so we
+         * can perform further initialization
+         */
+
+        if (sc->enabled == UNSET) {
+            sc->enabled = FALSE;
+        }
+
+        if (sc->proxy_enabled == UNSET) {
+            sc->proxy_enabled = FALSE;
+        }
+
+        if ((sc->enabled == TRUE) || (sc->proxy_enabled == TRUE)) {
+            sslenabled = TRUE;
+        }
+    }
+
+    if (sslenabled == FALSE) { /* we are not an SSL/TLS server */
+        return;
+    }
+
+    ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+    if (!threaded) {
+        if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+                         "SSL_InheritMPServerSIDCache failed");
+            nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+        }
     }
 
     nss_init_SSLLibrary(base_server);
 
     /* Configure all virtual servers */
     for (s = base_server; s; s = s->next) {
         sc = mySrvConfig(s);
         if (sc->server->servercert == NULL && NSS_IsInitialized())
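Review bot: The status returned by `ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded)` is discarded, so if the query fails `threaded` keeps its initial 0 and the child still calls SSL_InheritMPServerSIDCache(), the call this change is meant to skip under a threaded MPM. Checking the result, e.g. `if (ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded) != APR_SUCCESS)`, then logging and choosing the fallback deliberately would make the failure case explicit. The test also assumes a non-threaded MPM reports 0 for the maximum thread count; `AP_MPMQ_IS_THREADED` asks that question directly and may be the safer query, though that should be confirmed against the MPMs this package ships with. The first loop also writes `sc->enabled` and `sc->proxy_enabled`, which the comment `First, see if ssl is enabled at all` does not mention. The body of nss_init_Child continues past the end of the hunk, so what the early return on `sslenabled == FALSE` skips cannot be judged from here.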


mod_nss-kill.patch:

--- NEW FILE mod_nss-kill.patch ---
--- mod_nss-1.0.7.orig/nss_engine_init.c   14 Jul 2008 20:25:53 -0000      1.33
+++ mod_nss-1.0.7/nss_engine_init.c   14 Jul 2008 20:28:13 -0000
+++ nss_engine_init.c   14 Jul 2008 20:35:34 -0000
@@ -315,6 +315,13 @@
 
     mc->nInitCount++;
 
+    /* 
+     * Let us cleanup on restarts and exists
+     */
+    apr_pool_cleanup_register(p, base_server,
+                              nss_init_ModuleKill,
+                              apr_pool_cleanup_null);
+
     mc->ptemp = ptemp;
  
     /*
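Review bot: The cleanup is registered unconditionally on every pass through this function, but the handler it names (nss_init_ModuleKill, third hunk of this patch) calls SSL_ShutdownServerSessionIDCache() without checking that a cache was ever configured. The rest of the function lies outside the hunk, so it is unverified whether a later path can return before the session cache is set up; if one can, the cleanup would tear down state that was never initialized. Registering the cleanup after the cache is configured, or guarding the handler, would avoid that. The added comment has a typo and could name what triggers it: `/* Clean up when pool p is destroyed (restarts and exits) */`.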
@@ -491,9 +498,6 @@
              */
             nss_init_ConfigureServer(s, p, ptemp, sc);
         }
-
-        nss_init_ChildKill(base_server);
-        nss_init_ModuleKill(base_server);
     }
 
     /*
@@ -1144,12 +1148,16 @@
 apr_status_t nss_init_ModuleKill(void *data)
 {
     server_rec *base_server = (server_rec *)data;
+    SSLModConfigRec *mc = myModConfig(base_server);
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
         "Shutting down SSL Session ID Cache");
 
     SSL_ShutdownServerSessionIDCache();
 
+    if (mc->nInitCount == 1)
+        nss_init_ChildKill(base_server);
+
     /* NSS_Shutdown() gets called in nss_init_ChildKill */
     return APR_SUCCESS;
 }
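Review bot: The condition `mc->nInitCount == 1` decides whether NSS is shut down from this cleanup, yet nothing in the function says why only the first initialization pass qualifies; a short comment above the `if` stating that reasoning would stop a later maintainer from "simplifying" it. The trailing comment `NSS_Shutdown() gets called in nss_init_ChildKill` now reads as unconditional and should say that it happens here only on that first pass. The status of nss_init_ChildKill() is also dropped, so this handler reports APR_SUCCESS even if the shutdown failed; given the file's bracing elsewhere I would write `if (mc->nInitCount == 1) { rv = nss_init_ChildKill(base_server); }` and return `rv`, assuming nss_init_ChildKill returns an apr_status_t, which is not visible here.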


Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- mod_nss.spec	2 Jul 2008 14:27:28 -0000	1.12
+++ mod_nss.spec	16 Jul 2008 15:54:56 -0000	1.13
@@ -1,6 +1,6 @@
 Name: mod_nss
 Version: 1.0.7
-Release: 7%{?dist}
+Release: 9%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: Apache Software License
@@ -16,6 +16,8 @@
 Patch3: mod_nss-proxy.patch
 Patch4: mod_nss-nofork.patch
 Patch5: mod_nss-fips.patch
+Patch6: mod_nss-inherit.patch
+Patch7: mod_nss-kill.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
@@ -30,6 +32,8 @@
 %patch3 -p1 -b .proxy
 %patch4 -p1 -b .nofork
 %patch5 -p1 -b .fips
+%patch6 -p1 -b .inherit
+%patch7 -p1 -b .kill
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -114,6 +118,13 @@
 %{_sbindir}/gencert
 
 %changelog
+* Mon Jul 14 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-9
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-8
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
 * Wed Jul  2 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-7
 - Update the patch for FIPS to include fixes for nss_pcache, enforce
   the security policy and properly initialize the FIPS token.



