URL: https://github.com/freeipa/freeipa/pull/1561
Author: tiran
 Title: #1561: Use system-wide crypto-policies on Fedora
Action: opened

PR body:
"""
HTTPS connections from the IPA framework now use the system-wide
crypto-policies on Fedora.

The 'DEFAULT' crypto policy also includes unnecessary ciphers for
PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

From a0cb7bffa895ddf379e330a76a7268ba98eed833 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 9 Feb 2018 11:50:32 +0100
Subject: [PATCH] Use system-wide crypto-policies on Fedora

HTTPS connections from the IPA framework now use the system-wide
crypto-policies on Fedora.

The 'DEFAULT' crypto policy also includes unnecessary ciphers for
PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipalib/constants.py             | 4 +---
 ipalib/util.py                  | 9 +++++----
 ipaplatform/base/constants.py   | 3 +++
 ipaplatform/fedora/constants.py | 5 +++++
 4 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 9ae6e0aaae..e161d65adf 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -304,9 +304,7 @@
     "tls1.2"
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
-# high ciphers without RC4, MD5, TripleDES, pre-shared key
-# and secure remote password
-TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
+
 
 # Use cache path
 USER_CACHE_PATH = (
diff --git a/ipalib/util.py b/ipalib/util.py
index 96fcb33eaa..b29c2d06e7 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -56,9 +56,10 @@
 from ipalib import errors, messages
 from ipalib.constants import (
     DOMAIN_LEVEL_0,
-    TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
+    TLS_VERSIONS, TLS_VERSION_MINIMAL
 )
 from ipalib.text import _
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN, RDN
@@ -330,9 +331,9 @@ def create_https_connection(
         ssl.OP_SINGLE_ECDH_USE
     )
 
-    # high ciphers without RC4, MD5, TripleDES, pre-shared key
-    # and secure remote password
-    ctx.set_ciphers(TLS_HIGH_CIPHERS)
+    # high ciphers without RC4, MD5, TripleDES, pre-shared key and secure
+    # remote password. Uses system crypto policies on some platforms.
+    ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)
 
     # pylint: enable=no-member
     # set up the correct TLS version flags for the SSL context
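Review bot: The rewritten comment above `ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)` still promises "high ciphers without RC4, MD5, ...", but on platforms that substitute `PROFILE=SYSTEM` the exclusions of RC4 and MD5 are no longer spelled out in the string and depend on whichever system policy the administrator selected. I would make the comment state the contract actually enforced here: `# Cipher list is platform-defined; on Fedora it defers to the system-wide crypto policy, so the effective exclusions depend on the selected policy.` Note also that `set_ciphers()` raises `ssl.SSLError` when the string matches no cipher (for example on an OpenSSL without `PROFILE=` support), so a clearer error or a fallback to the base string may be worth considering. `create_https_connection` starts before and continues after this hunk.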
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index ca4a12ec01..3a522537f0 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -42,6 +42,9 @@ class BaseConstantsNamespace(object):
     # WSGI module override, only used on Fedora
     MOD_WSGI_PYTHON2 = None
     MOD_WSGI_PYTHON3 = None
+    # high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
+    # remote password, and DSA cert authentication.
+    TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
 
 
 constants = BaseConstantsNamespace()
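Review bot: The base `TLS_HIGH_CIPHERS` gains `!aDSS` here, which changes the cipher list on every platform using the base namespace, while the PR description describes the change as Fedora-only. The exclusion itself looks safe given the stated non-use of DSA certificates, but it should be mentioned in the commit message so downstream platform maintainers are not surprised, e.g. `Also exclude DSA-authenticated suites (!aDSS) from the base cipher string on all platforms.` The enclosing `BaseConstantsNamespace` class begins outside this hunk.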
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index 79e7bd9a5e..f4b4d915b7 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -16,5 +16,10 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
     MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
     MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
 
+    # System-wide crypto policy, but without TripleDES, pre-shared key,
+    # secure remote password, and DSA cert authentication.
+    # see https://fedoraproject.org/wiki/Changes/CryptoPolicy
+    TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
+
 
 constants = FedoraConstantsNamespace()
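Review bot: The Fedora `TLS_HIGH_CIPHERS` drops the explicit `!aNULL:!eNULL:!MD5:!RC4` guards the old string carried and relies on the system policy to keep them out, so if a host is switched to a permissive policy such as LEGACY the framework may negotiate suites the previous hard-coded list refused. Keeping those exclusions as defence in depth costs nothing and still honours the policy for everything else: `TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"`. I would also note in the comment that `TLS_VERSION_MINIMAL` is still fixed to `tls1.0` elsewhere and is not governed by the policy, if that is indeed the intent.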