URL: https://github.com/freeipa/freeipa/pull/847
Author: pvomacka
 Title: #847: Turn off OCSP check
Action: synchronized

From 13766049634b86692a7faa7321de6498479c3873 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 1 Jun 2017 09:56:16 +0200
Subject: [PATCH] Turn off OCSP check

The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

To turn it back on, use the `ipa advise` command with the appropriate recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
---
 install/restart_scripts/restart_httpd | 15 +-----------
 ipaserver/install/httpinstance.py     | 43 +++++++++++++++++++----------------
 ipaserver/install/server/upgrade.py   | 25 +++-----------------
 3 files changed, 28 insertions(+), 55 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index cd7f12024e..d168481290 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,24 +21,11 @@
 
 import syslog
 import traceback
-from ipalib import api
 from ipaplatform import services
-from ipaplatform.paths import paths
-from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
-from ipaserver.install import certs, installutils
+from ipaserver.install import certs
 
 
 def _main():
-
-    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-    api.finalize()
-
-    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
-    nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
-
-    # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
     try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 555c82213c..e081103bc1 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -34,8 +34,7 @@
 from ipalib.install import certmonger
 from ipapython import ipaldap
 from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
-                              EXTERNAL_CA_TRUST_FLAGS,
-                              TRUSTED_PEER_TRUST_FLAGS)
+                              EXTERNAL_CA_TRUST_FLAGS)
 from ipaserver.install import replication
 from ipaserver.install import service
 from ipaserver.install import certs
@@ -67,6 +66,10 @@
 ]
 NSS_CIPHER_REVISION = '20160129'
 
+OCSP_DIRECTIVE = 'NSSOCSP'
+
+NSS_OCSP_ENABLED = 'nss_ocsp_enabled'
+
 
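Review bot: `NSS_OCSP_ENABLED` sits next to `OCSP_DIRECTIVE` and reads like a second nss.conf directive, but it is only the sysupgrade state key that `disable_mod_nss_ocsp` sets to `False` after its first run; one comment on each constant would keep a later reader from grepping nss.conf for it. Suggested: `# nss.conf directive that controls OCSP checking in mod_nss` above `OCSP_DIRECTIVE` and `# sysupgrade state key; set (to False) once disable_mod_nss_ocsp has run` above `NSS_OCSP_ENABLED`.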
 def httpd_443_configured():
     """
@@ -156,7 +159,7 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
-        self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
+        self.step("disabling mod_nss OCSP", self.disable_mod_nss_ocsp)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,7 +266,12 @@ def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
-    def enable_mod_nss_ocsp(self):
+    def disable_mod_nss_ocsp(self):
+        if sysupgrade.get_upgrade_state('httpd', NSS_OCSP_ENABLED) is None:
+            self.__disable_mod_nss_ocsp()
+            sysupgrade.set_upgrade_state('httpd', NSS_OCSP_ENABLED, False)
+
+    def __disable_mod_nss_ocsp(self):
         aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
 
         aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
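Review bot: The run-once guard in `disable_mod_nss_ocsp` stores its state under section `'httpd'`, while the other httpd-related upgrade state touched by this patch uses `'http'` (`fix_trust_flags` in upgrade.py); unless a separate section is intended, `sysupgrade.get_upgrade_state('http', NSS_OCSP_ENABLED)` keeps the keys together. The guard is also the only thing that stops a deliberate re-enable from being undone on every upgrade, presumably on purpose, yet nothing says so; a docstring such as `"""Comment out NSSOCSP once; later runs leave the admin's setting alone."""` would make that contract explicit. Note that the stored value is always `False`, so the key records "this step ran", not the current state of the directive. `__disable_mod_nss_ocsp` continues in the next hunk.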
@@ -271,22 +279,21 @@ def enable_mod_nss_ocsp(self):
         aug.load()
 
         path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+        ocsp_path = '{}/directive[.="{}"]'.format(path, OCSP_DIRECTIVE)
+        ocsp_arg = '{}/arg'.format(ocsp_path)
+        ocsp_comment = '{}/#comment[.="{}"]'.format(path, OCSP_DIRECTIVE)
 
-        ocsp_comment = aug.get(
-                        '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
-        ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+        ocsp_dir = aug.get(ocsp_path)
 
-        if ocsp_dir is None and ocsp_comment is not None:
-            # Directive is missing, comment is present
-            aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
-                    'NSSOCSP')
-            aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
-        elif ocsp_dir is None:
-            # Directive is missing and comment is missing
-            aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+        # there is NSSOCSP directive in nss.conf file, comment it
+        # otherwise just do nothing
+        if ocsp_dir is not None:
+            ocsp_state = aug.get(ocsp_arg)
+            aug.remove(ocsp_arg)
+            aug.rename(ocsp_path, '#comment')
+            aug.set(ocsp_comment, '{} {}'.format(OCSP_DIRECTIVE, ocsp_state))
+            aug.save()
 
-        aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
-        aug.save()
 
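Review bot: The comment above `if ocsp_dir is not None` says what is done but not what is given up: with `NSSOCSP` commented out, mod_nss performs no OCSP revocation check on peer certificates, so a revoked client certificate presented for certificate-based login is, as far as httpd is concerned, still valid. A comment stating that, and that re-enabling is expected to go through `ipa advise` (per the commit message), would stop a later reader from treating the directive as dead config, e.g. `# Commenting out NSSOCSP disables OCSP revocation checking of peer certs in mod_nss; re-enable via the ipa advise recipe (pagure #6982).` One edge to confirm: if the directive is present without an argument, `aug.get(ocsp_arg)` presumably returns None and the written comment becomes the literal `NSSOCSP None`; emitting just `OCSP_DIRECTIVE` when `ocsp_state` is None would keep the commented line valid to uncomment. `__disable_mod_nss_ocsp` starts in the previous hunk.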
     def set_mod_nss_cipher_suite(self):
         ciphers = ','.join(NSS_CIPHER_SUITE)
@@ -405,8 +412,6 @@ def __setup_ssl(self):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
-            db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
         else:
             if not self.promote:
                 ca_args = [
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e2abefc21..118dd3203d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1399,24 +1399,6 @@ def fix_trust_flags():
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
-def fix_server_cert_trust_flags():
-    root_logger.info(
-        '[Fixing server certificate trust flags in %s]' %
-        paths.HTTPD_ALIAS_DIR)
-
-    if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'):
-        root_logger.info("Trust flags already processed")
-        return
-
-    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
-    sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
-                                             "NSSNickname")
-    # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
-
-    sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
-
-
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')
 
@@ -1429,9 +1411,9 @@ def update_mod_nss_protocol(http):
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
 
-def enable_mod_nss_ocsp(http):
+def disable_mod_nss_ocsp(http):
     root_logger.info('[Updating mod_nss enabling OCSP]')
-    http.enable_mod_nss_ocsp()
+    http.disable_mod_nss_ocsp()
 
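Review bot: The log line in `disable_mod_nss_ocsp` still reads `'[Updating mod_nss enabling OCSP]'`, which now states the opposite of what the function does and will mislead anyone reading upgrade logs after this change; use `root_logger.info('[Updating mod_nss: disabling OCSP]')`.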
 
 def update_mod_nss_cipher_suite(http):
@@ -1731,9 +1713,8 @@ def upgrade_configuration():
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
-    enable_mod_nss_ocsp(http)
+    disable_mod_nss_ocsp(http)
     fix_trust_flags()
-    fix_server_cert_trust_flags()
     update_http_keytab(http)
     http.configure_gssproxy()
     http.start()
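Review bot: Dropping the `fix_server_cert_trust_flags()` call removes the code that set the trusted-peer flag on the httpd server certificate, but it adds no step to revert that flag on servers where an earlier upgrade already applied it, so upgraded and freshly installed servers presumably end up with different trust flags in the httpd NSS database. If that flag was only ever needed for the OCSP check being turned off here, a one-time upgrade step that resets the server cert's trust flags (or a comment explaining why the stale flag is harmless) would close the gap. `upgrade_configuration` starts and ends outside this hunk.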