rpms/mod_nss/F-9 mod_nss-inherit.patch, NONE, 1.1 mod_nss-kill.patch, NONE, 1.1 mod_nss.spec, 1.12, 1.13
Robert Crittenden (rcritten)
fedora-extras-commits at redhat.com
Wed Jul 16 15:55:48 UTC 2008
Author: rcritten
Update of /cvs/extras/rpms/mod_nss/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2789
Modified Files:
mod_nss.spec
Added Files:
mod_nss-inherit.patch mod_nss-kill.patch
Log Message:
1.0.7-9
- Don't force module de-init during the configuration stage (453508)
1.0.7-8
- Don't inherit the MP cache in multi-threaded mode (454701)
- Don't initialize NSS in each child if SSL isn't configured
Resolves: #453508, #454701
mod_nss-inherit.patch:
--- NEW FILE mod_nss-inherit.patch ---
--- mod_nss-1.0.7-orig/nss_engine_init.c 16 May 2008 15:16:02 -0000 1.32
+++ mod_nss-1.0.7/nss_engine_init.c 9 Jul 2008 22:22:46 -0000
@@ -1079,23 +1079,54 @@
}
}
void nss_init_Child(apr_pool_t *p, server_rec *base_server)
{
SSLModConfigRec *mc = myModConfig(base_server);
SSLSrvConfigRec *sc;
server_rec *s;
+ int threaded = 0;
+ int sslenabled = FALSE;
mc->pid = getpid(); /* only call getpid() once per-process */
- if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "SSL_InheritMPServerSIDCache failed");
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ /*
+ * First, see if ssl is enabled at all
+ */
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+ /* If any servers have SSL, we want sslenabled set so we
+ * can perform further initialization
+ */
+
+ if (sc->enabled == UNSET) {
+ sc->enabled = FALSE;
+ }
+
+ if (sc->proxy_enabled == UNSET) {
+ sc->proxy_enabled = FALSE;
+ }
+
+ if ((sc->enabled == TRUE) || (sc->proxy_enabled == TRUE)) {
+ sslenabled = TRUE;
+ }
+ }
+
+ if (sslenabled == FALSE) { /* we are not an SSL/TLS server */
+ return;
+ }
+
+ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+ if (!threaded) {
+ if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "SSL_InheritMPServerSIDCache failed");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ }
}
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
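Review bot: The result of `ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded)` is ignored, so a failed query leaves `threaded` at its initial 0 and the child takes the `!threaded` branch and calls `SSL_InheritMPServerSIDCache(NULL)`, the call this patch intends to skip under a threaded MPM. Check the status and choose the branch explicitly, for example `if (ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded) != APR_SUCCESS) threaded = 1;`. `AP_MPMQ_IS_THREADED` would state the intent more directly than a thread count, whose value under a non-threaded MPM should be confirmed for each supported httpd version. The new loop also rewrites `sc->enabled` and `sc->proxy_enabled` from `UNSET` to `FALSE`, a side effect the "see if ssl is enabled at all" comment does not mention. nss_init_Child continues past the end of this hunk.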
mod_nss-kill.patch:
--- NEW FILE mod_nss-kill.patch ---
--- mod_nss-1.0.7.orig/nss_engine_init.c 14 Jul 2008 20:25:53 -0000 1.33
+++ mod_nss-1.0.7/nss_engine_init.c 14 Jul 2008 20:28:13 -0000
+++ nss_engine_init.c 14 Jul 2008 20:35:34 -0000
@@ -315,6 +315,13 @@
mc->nInitCount++;
+ /*
+ * Let us cleanup on restarts and exists
+ */
+ apr_pool_cleanup_register(p, base_server,
+ nss_init_ModuleKill,
+ apr_pool_cleanup_null);
+
mc->ptemp = ptemp;
/*
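Review bot: The added comment does not say when the cleanup runs, and "exists" should read "exits". Because the registration sits right after `mc->nInitCount++`, it appears to be made on every init pass, including the configuration-check pass, which is what the `nInitCount` test added to nss_init_ModuleKill later in this patch relies on; this is inferred, since the enclosing function starts and ends outside the hunk. Suggested wording: `/* Run nss_init_ModuleKill whenever p is destroyed, i.e. on restart and exit; it checks nInitCount itself. */`.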
@@ -491,9 +498,6 @@
*/
nss_init_ConfigureServer(s, p, ptemp, sc);
}
-
- nss_init_ChildKill(base_server);
- nss_init_ModuleKill(base_server);
}
/*
@@ -1144,12 +1148,16 @@
apr_status_t nss_init_ModuleKill(void *data)
{
server_rec *base_server = (server_rec *)data;
+ SSLModConfigRec *mc = myModConfig(base_server);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Shutting down SSL Session ID Cache");
SSL_ShutdownServerSessionIDCache();
+ if (mc->nInitCount == 1)
+ nss_init_ChildKill(base_server);
+
/* NSS_Shutdown() gets called in nss_init_ChildKill */
return APR_SUCCESS;
}
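Review bot: The retained comment `/* NSS_Shutdown() gets called in nss_init_ChildKill */` is now only true when `mc->nInitCount == 1`, while `SSL_ShutdownServerSessionIDCache()` still runs on every invocation, and nothing explains the literal 1. A comment above the test would help, for example `/* First pass is the config check: shut NSS down here, later passes rely on the child cleanup */`, with the wording confirmed against where nss_init_ChildKill is otherwise registered, which this page does not show. The status returned by `SSL_ShutdownServerSessionIDCache()` is dropped; logging a non-`SECSuccess` result with `nss_log_nss_error` would match the handling in nss_init_Child. The single-statement `if` should also be braced.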
Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- mod_nss.spec 2 Jul 2008 14:27:28 -0000 1.12
+++ mod_nss.spec 16 Jul 2008 15:54:56 -0000 1.13
@@ -1,6 +1,6 @@
Name: mod_nss
Version: 1.0.7
-Release: 7%{?dist}
+Release: 9%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: Apache Software License
@@ -16,6 +16,8 @@
Patch3: mod_nss-proxy.patch
Patch4: mod_nss-nofork.patch
Patch5: mod_nss-fips.patch
+Patch6: mod_nss-inherit.patch
+Patch7: mod_nss-kill.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
@@ -30,6 +32,8 @@
%patch3 -p1 -b .proxy
%patch4 -p1 -b .nofork
%patch5 -p1 -b .fips
+%patch6 -p1 -b .inherit
+%patch7 -p1 -b .kill
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
@@ -114,6 +118,13 @@
%{_sbindir}/gencert
%changelog
+* Mon Jul 14 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-9
+- Don't force module de-init during the configuration stage (453508)
+
+* Thu Jul 10 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-8
+- Don't inherit the MP cache in multi-threaded mode (454701)
+- Don't initialize NSS in each child if SSL isn't configured
+
* Wed Jul 2 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-7
- Update the patch for FIPS to include fixes for nss_pcache, enforce
the security policy and properly initialize the FIPS token.