ipa/0009-Remove-mod_ssl-port-workaround.patch

From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 26 Nov 2013 08:53:34 +0000
Subject: [PATCH 9/9] Remove mod_ssl port workaround.

https://fedorahosted.org/freeipa/ticket/4021
---
 freeipa.spec.in                   |  8 ++++++--
 install/tools/ipa-upgradeconfig   |  2 +-
 ipaserver/install/httpinstance.py | 17 ++++++++---------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
 %if 0%{?fedora} >= 18
 Requires: mod_auth_kerb >= 5.4-16
 %else
 Requires: mod_auth_kerb >= 5.4-8
 %endif
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
@@ -861,6 +861,10 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Tue Nov 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.3.90-6
+- Set minimum version of httpd to 2.4.6-6
+- Set minimum version of mod_nss to 1.0.8-26
+
 * Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
 - Add Fedora 19 platform files
 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1052,7 +1052,7 @@ def main():
     http = httpinstance.HTTPInstance(fstore)
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
-    http.change_mod_nss_port_to_http()
+    http.change_mod_nss_port_from_http()
 
     ds = dsinstance.DsInstance()
     ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -237,25 +237,24 @@ def __configure_http(self):
         http_fd.close()
         os.chmod(target_fname, 0644)
 
-    def change_mod_nss_port_to_http(self):
+    def change_mod_nss_port_from_http(self):
         # mod_ssl enforces SSLEngine on for vhost on 443 even though
         # the listener is mod_nss. This then crashes the httpd as mod_nss
         # listened port obviously does not match mod_ssl requirements.
         #
-        # Change port to http to workaround the mod_ssl check, the SSL is
-        # enforced in the vhost later, so it is benign.
+        # The workaround for this was to change port to http. It is no longer
+        # necessary, as mod_nss now ships with default configuration which
+        # sets SSLEngine off when mod_ssl is installed.
         #
-        # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
-        # is fixed.
-        if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
-            installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
-            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
+        # Remove the workaround.
+        if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+            installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
 
     def __set_mod_nss_port(self):
         self.fstore.backup_file(NSS_CONF)
         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating port in %s failed." % NSS_CONF
-        self.change_mod_nss_port_to_http()
 
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
-- 
1.8.5.3