Success with these additional changes:

[root@ipa-server-3 python2.7]# diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
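Review bot: switching NSSRenegotiation to on at line 74 re-enables renegotiation for the whole mod_nss instance, not only for the /ca Locations that switch from no client auth to client auth; add a comment next to the directive saying why it is needed, otherwise a later hardening pass will flip it back off and the -12176 failure from the earlier mail returns.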


[root@ipa-server-3 python2.7]# diff -u ./site-packages/ipapython/nsslib.py.orig ./site-packages/ipapython/nsslib.py --- ./site-packages/ipapython/nsslib.py.orig 2011-08-16 17:19:53.000000000 -0400 +++ ./site-packages/ipapython/nsslib.py 2011-08-16 17:35:17.000000000 -0400
@@ -213,7 +213,10 @@
         self.sock = ssl.SSLSocket(family=self.family)
         self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
         self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+    #ssl.define  SSL_REQUIRE_SAFE_NEGOTIATION   21
+    self.sock.set_ssl_option(21, False)
+        #ssl.h define SSL_ENABLE_RENEGOTIATION       20
+    self.sock.set_ssl_option(20, 2)
# Provide a callback which notifies us when the SSL handshake is complete
         self.sock.set_handshake_callback(self.handshake_callback)
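Review bot: the four added lines are indented four spaces while the surrounding method body (the "self.sock = ssl.SSLSocket(family=self.family)" context line) uses eight, so as written they dedent out of the method and the module will not import; reindent them to match. Replace the bare option numbers with names as well: use ssl.SSL_REQUIRE_SAFE_NEGOTIATION and ssl.SSL_ENABLE_RENEGOTIATION if this python-nss build exports them, otherwise module-level constants named from the ssl.h comments already in the hunk, and give the mode value 2 its NSS name (SSL_RENEGOTIATE_REQUIRES_XTN, renegotiate only with a peer that sent the renegotiation_info extension). A comment should also say why SSL_REQUIRE_SAFE_NEGOTIATION is being set to False, since that drops the initial-handshake check against peers that lack the extension.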

On 08/15/2011 10:50 PM, Adam Young wrote:
Just to keep the lists informed:

We found a couple more things out after that last posting:

The suburl /ca/ee/ca/ works fine, so mod_proxy_ajp does work in some cases.

Calling the CA from IPA does not work as we get the error:

[Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418): Re-negotation request failed: returned error -12176

You can see this by making the changes to logging:

 diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf
95c95,96
< LogLevel warn
---
> #LogLevel warn
> LogLevel debug
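Review bot: LogLevel debug at lines 95-96 is a diagnostic setting that makes nss_engine logging very verbose; once the renegotiation failure is diagnosed, restore the commented-out "#LogLevel warn" line and drop the debug line rather than leaving both in the shipped nss.conf.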

On 08/15/2011 10:10 PM, Adam Young wrote:
On 08/15/2011 12:00 PM, Ade Lee wrote:
Adam,

As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA.  The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.

What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives.  Some of these (agent pages) will
require client authentication, and some will not.

I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed.  Attempts to
pass the relevant environment parameters to NSS failed to alter this
result.  I'll continue to work with Rob on this.

However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
renegotiation protocol.

My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into FIPS issues, I was hoping you could
continue the testing.  Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration.

Here is what you need to do:

1. Install ipa with dogtag
2. Stop the CA (service pki-cad stop pki-ca)
service ipa stop
3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)

[root@f15server ~]# diff /etc/pki-ca/server.xml.orig /etc/pki-ca/server.xml
216a217
> <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
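Review bot: the new AJP/1.3 Connector on port 8009 has no address attribute, so Tomcat binds it on every interface; since only the local Apache proxies to it, and AJP carries the client-authentication attributes Apache derived, add address="127.0.0.1" to the Connector so the port is not reachable from other hosts.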

4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism.  You will see stanzas like the
following for ee, agent and admin ports.  Make sure that active is set
to false for all.

<filter>
<filter-name>AgentRequestFilter</filter-name>
<filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
<init-param>
<param-name>https_port</param-name>
<param-value>9203</param-value>
</init-param>
<init-param>
<param-name>active</param-name>
<param-value>false</param-value>
</init-param>
</filter>
[root@f15server WEB-INF]# git diff web.xml.orig web.xml
diff --git a/web.xml.orig b/web.xml
index 7f757bd..affa315 100644
--- a/web.xml.orig
+++ b/web.xml
@@ -12,7 +12,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>
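Review bot: with active set to false at line 15 the AgentRequestFilter no longer enforces its https_port check, so the only thing requiring a client certificate for agent pages is the Location block in dogtag.conf; that file is attached rather than shown, so please include its agent Location in the mail so reviewers can confirm the client-authentication requirement actually moved there before the filter is disabled.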

@@ -25,7 +25,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>

@@ -42,7 +42,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>

@@ -55,7 +55,7 @@
</init-param>
<init-param>
<param-name>active</param-name>
- <param-value>true</param-value>
+ <param-value>false</param-value>
</init-param>
</filter>

5. Place the attached dogtag.conf file into /etc/httpd/conf.d/
mv ~/dogtag.conf /etc/httpd/conf.d/


6. restart the ca. (service pki-cad start pki-ca)
 service ipa start


We are now ready to do some testing.

1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig /usr/lib/python2.7/site-packages/ipalib/constants.py
140c140
<     ('ca_agent_port', 9443),
---
>     ('ca_agent_port', 443),
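Review bot: changing ca_agent_port to 443 only makes sense once dogtag.conf is installed in front of the CA; the "cannot connect to 'https://...:443/ca/agent/ca/displayBySerial'" error later in this mail shows the plugin does reach the new port, so keep the change but note the dependency on step 5 alongside it, since with plain IPA on 443 the agent URL has nothing to answer it.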

2. Do your IPA cert tests and confirm that it works ok.
service ipa restart


....

cannot connect to 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': ''

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
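An added example, not code from this thread, FreeIPA or python-nss: it parses a constructed TLS ServerHello to tell whether the peer sent the RFC 5746 renegotiation_info extension (the "safe renegotiation" the thread relies on) and models what the option 21 = False and option 20 = 2 settings in the nsslib.py change mean for the initial handshake and for a later renegotiation. The option numbers come from the ssl.h comments quoted in the thread; the SSL_RENEGOTIATE_* names are NSS's own header constants, and the ServerHello bytes are constructed, not captured from any server.

```python
import struct
# Options 20/21 are the ssl.h numbers quoted in the thread; modes are NSS's SSL_RENEGOTIATE_* values.
SSL_ENABLE_RENEGOTIATION, SSL_REQUIRE_SAFE_NEGOTIATION = 20, 21
SSL_RENEGOTIATE_NEVER, SSL_RENEGOTIATE_UNRESTRICTED = 0, 1
SSL_RENEGOTIATE_REQUIRES_XTN, SSL_RENEGOTIATE_TRANSITIONAL = 2, 3
RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type

def server_hello_has_renegotiation_info(record):
    """Parse one TLS record holding a ServerHello; True if renegotiation_info is present."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rlen != len(record) - 5 or record[5] != 0x02:
        raise ValueError("not a single complete record holding a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]  # handshake body
    pos = 2 + 32                 # server_version + random
    pos += 1 + body[pos]         # session_id (length-prefixed)
    pos += 2 + 1                 # cipher_suite + compression_method
    if pos >= len(body):
        return False             # ServerHello without any extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == RENEGOTIATION_INFO:
            return True
        pos += 4 + elen
    return False

def initial_handshake_allowed(require_safe, peer_has_xtn):
    """Option 21: when True, an initial handshake to a peer lacking the extension fails."""
    return peer_has_xtn or not require_safe

def renegotiation_allowed(mode, peer_has_xtn, is_server):
    """Option 20: NSS's policy for a later renegotiation request on the socket."""
    policy = {
        SSL_RENEGOTIATE_NEVER: False,
        SSL_RENEGOTIATE_UNRESTRICTED: True,
        SSL_RENEGOTIATE_REQUIRES_XTN: peer_has_xtn,  # the value 2 set in the thread
        SSL_RENEGOTIATE_TRANSITIONAL: peer_has_xtn or not is_server,  # servers strict only
    }
    return policy[mode]

def build_server_hello(with_xtn):
    """Constructed TLS 1.0 ServerHello (sample bytes, not captured from a real server)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_xtn:                 # empty renegotiated_connection, as on an initial handshake
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

With mode 2 the IPA side can renegotiate against Apache only if the mod_nss ServerHello carried the extension, which is why the nss.conf change in the same mail has to accompany the nsslib.py change.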