[freeipa/f21] Lower python-nss Requires for CentOS builds
Martin Kosek
mkosek at fedoraproject.org
Tue Nov 25 16:18:37 UTC 2014
commit 0ea0f8003fed301e6f7b97a335ac2dfaede2174a
Author: Martin Kosek <mkosek at redhat.com>
Date: Tue Nov 25 17:16:42 2014 +0100
Lower python-nss Requires for CentOS builds
Newer python-nss is not available in CentOS and is not easily rebuildable.
Remove the requirement on it from CentOS rebuilds of this package.
...NSS-protocol-range-API-to-set-available-T.patch | 143 ++++++++++++++++++++
freeipa.spec | 8 +
2 files changed, 151 insertions(+), 0 deletions(-)
---
diff --git a/0001-Revert-Use-NSS-protocol-range-API-to-set-available-T.patch b/0001-Revert-Use-NSS-protocol-range-API-to-set-available-T.patch
new file mode 100644
index 0000000..bad4e2d
--- /dev/null
+++ b/0001-Revert-Use-NSS-protocol-range-API-to-set-available-T.patch
@@ -0,0 +1,143 @@
+From a0daea7c5137947a7783f37f3c369a0fd17244c3 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Tue, 25 Nov 2014 17:12:09 +0100
+Subject: [PATCH] Revert "Use NSS protocol range API to set available TLS
+ protocols"
+
+The new python-nss is not avialable in CentOS 7.0 at the moment.
+
+This reverts commit 8ef191448f0511b9c1749f47615437d649db0777.
+---
+ freeipa.spec.in | 2 +-
+ ipalib/constants.py | 4 ----
+ ipalib/rpc.py | 5 +----
+ ipapython/dogtag.py | 4 +---
+ ipapython/nsslib.py | 17 ++---------------
+ 5 files changed, 5 insertions(+), 27 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 95ec6210a157fd158d81d97efbd46f3d35facbc6..a417ab56f843b202787c6112553f8c16f2c1dde0 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -284,7 +284,7 @@ Requires: gnupg
+ Requires: iproute
+ Requires: keyutils
+ Requires: pyOpenSSL
+-Requires: python-nss >= 0.16
++Requires: python-nss >= 0.15
+ Requires: python-lxml
+ Requires: python-netaddr
+ Requires: libipa_hbac-python
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index 111bafe5ed0c3d2df58a1b6839feedc58a14fcc4..1eed7ca6ad0e5920318dadc68ed36fff6cf889f2 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -122,10 +122,6 @@
+
+ ('rpc_protocol', 'jsonrpc'),
+
+- # Define an inclusive range of SSL/TLS version support
+- ('tls_version_min', 'tls1.0'),
+- ('tls_version_max', 'tls1.2'),
+-
+ # Time to wait for a service to start, in seconds
+ ('startup_timeout', 300),
+
+diff --git a/ipalib/rpc.py b/ipalib/rpc.py
+index 806f6bb9adf004660c9cb285cf31b09a988afa93..5934f0c26e4b7c0a44adbab978c1f9b319d72e9f 100644
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -68,7 +68,6 @@
+ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
+ from ipapython.dn import DN
+ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
+-from ipalib import api
+
+ COOKIE_NAME = 'ipa_session'
+ KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+@@ -489,9 +488,7 @@ def make_connection(self, host):
+ if sys.version_info < (2, 7):
+ conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
+ else:
+- conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
+- tls_version_min=api.env.tls_version_min,
+- tls_version_max=api.env.tls_version_max)
++ conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+ self.dbdir=dbdir
+
+ conn.connect()
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index 0e0aacca798377517244075ed6b07dff63e87358..14824b99431e85dd73613befd72e500d370cfe2c 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -234,9 +234,7 @@ def https_request(host, port, url, secdir, password, nickname, **kw):
+ """
+
+ def connection_factory(host, port):
+- conn = nsslib.NSSConnection(host, port, dbdir=secdir,
+- tls_version_min=api.env.tls_version_min,
+- tls_version_max=api.env.tls_version_max)
++ conn = nsslib.NSSConnection(host, port, dbdir=secdir)
+ conn.set_debuglevel(0)
+ conn.connect()
+ conn.sock.set_client_auth_data_callback(
+diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
+index 57fa3ff4fa5a044577f21fe43c2c0b0596c2e4f8..93b0c56fcff4fc69841a6823aae8f694c1f76ff0 100644
+--- a/ipapython/nsslib.py
++++ b/ipapython/nsslib.py
+@@ -171,8 +171,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
+ default_port = httplib.HTTPSConnection.default_port
+
+ def __init__(self, host, port=None, strict=None,
+- dbdir=None, family=socket.AF_UNSPEC, no_init=False,
+- tls_version_min='tls1.1', tls_version_max='tls1.2'):
++ dbdir=None, family=socket.AF_UNSPEC, no_init=False):
+ """
+ :param host: the server to connect to
+ :param port: the port to use (default is set in HTTPConnection)
+@@ -181,8 +180,6 @@ def __init__(self, host, port=None, strict=None,
+ :param no_init: do not initialize the NSS database. This requires
+ that the database has already been initialized or
+ the request will fail.
+- :param tls_min_version: mininum version of SSL/TLS supported
+- :param tls_max_version: maximum version of SSL/TLS supported.
+ """
+ httplib.HTTPConnection.__init__(self, host, port, strict)
+ NSSAddressFamilyFallback.__init__(self, family)
+@@ -202,8 +199,6 @@ def __init__(self, host, port=None, strict=None,
+ nss.nss_init(dbdir)
+ ssl.set_domestic_policy()
+ nss.set_password_callback(self.password_callback)
+- self.tls_version_min = str(tls_version_min)
+- self.tls_version_max = str(tls_version_max)
+
+ def _create_socket(self):
+ # TODO: remove the try block once python-nss is guaranteed to contain
+@@ -223,11 +218,6 @@ def _create_socket(self):
+ self.sock = ssl.SSLSocket(family=self.family)
+ self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
+ self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
+- try:
+- self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
+- except NSPRError, e:
+- root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
+- raise
+ self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+ self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
+ # Provide a callback which notifies us when the SSL handshake is complete
+@@ -246,11 +236,8 @@ def handshake_callback(self, sock):
+ """
+ Verify callback. If we get here then the certificate is ok.
+ """
+- channel = sock.get_ssl_channel_info()
+- suite = ssl.get_cipher_suite_info(channel.cipher_suite)
+ root_logger.debug("handshake complete, peer = %s", sock.get_peer_name())
+- root_logger.debug('Protocol: %s' % channel.protocol_version_str.upper())
+- root_logger.debug('Cipher: %s' % suite.cipher_suite_name)
++ pass
+
+ def connect(self):
+ self.connect_socket(self.host, self.port)
+--
+1.9.3
+
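Review bot: Dropping the `set_ssl_version_range` call in `_create_socket` (ipapython/nsslib.py) leaves RHEL/CentOS builds with no explicit protocol floor, so the negotiable SSL/TLS versions fall back to whatever the installed NSS enables by default, and nothing in the embedded patch documents or compensates for that. Rather than a full revert, consider keeping the `tls_version_min`/`tls_version_max` arguments and guarding only the call, e.g. `if hasattr(self.sock, 'set_ssl_version_range'): self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)`, with a warning logged otherwise; this assumes the older binding simply lacks the method. The floor would then return as soon as a newer python-nss is installed. The `handshake_callback` change also removes the debug lines that recorded the negotiated protocol and cipher, so a weaker negotiation would no longer show up in debug logs, and the `pass` added after the remaining `root_logger.debug` call is redundant. `__init__` and `_create_socket` continue outside the quoted hunks.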
diff --git a/freeipa.spec b/freeipa.spec
index 554f7b5..e0db6de 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -34,6 +34,10 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+%if 0%{?rhel}
+Patch0001: 0001-Revert-Use-NSS-protocol-range-API-to-set-available-T.patch
+%endif
+
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.3.5
BuildRequires: svrcore-devel
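Review bot: `Patch0001` is declared here, but none of the 8 lines this commit adds to freeipa.spec is a `%patch` application, so unless `%prep` (outside these hunks) already applies every declared patch, the revert never reaches the source tree. In that case RHEL/CentOS builds would ship code that still calls `set_ssl_version_range` while the second hunk lowers the dependency to `python-nss >= 0.15`. It is worth confirming that `%prep` applies the patch under the same `%if 0%{?rhel}` guard.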
@@ -287,7 +291,11 @@ Requires: gnupg
Requires: iproute
Requires: keyutils
Requires: pyOpenSSL
+%if 0%{?rhel}
+Requires: python-nss >= 0.15
+%else
Requires: python-nss >= 0.16
+%endif
Requires: python-lxml
Requires: python-netaddr
Requires: libipa_hbac-python
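Review bot: The lowered `python-nss >= 0.15` branch carries no comment saying that it belongs together with `Patch0001`, or that the pair trades away the explicit TLS version range on RHEL/CentOS builds. A line such as `# python-nss 0.16 is not in CentOS 7.0; TLS range API reverted by Patch0001 - drop both once it is available` above the `%if 0%{?rhel}` would keep the two conditionals from drifting apart and make the weaker configuration visible to whoever maintains the spec next.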