Adam Young wrote:
Here's a segment from my patch.  All it should be doing is switching
NSSRenegotiation from off to on, but it doesn't have any effect. Am I
missing something conceptually here?

+++ b/ipaserver/install/
@@ -160,6 +160,9 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)

+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on')
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/
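Review bot: The new `__enable_mod_nss_renegotiate` method runs straight into `def __set_mod_nss_passwordfile(self):` with no blank line between them, unlike the separation after `__set_mod_nss_nickname`; add one. The method also has no comment or docstring saying why `NSSRenegotiation` has to be `on`. Because this turns on TLS renegotiation for the whole server, a line stating which feature depends on it would help a later reader judge whether the setting can be narrowed or dropped.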

@@ -189,6 +192,7 @@ class HTTPInstance(service.Service):
db.track_server_cert(nickname, self.principal, db.passwd_fname)

+ self.__enable_mod_nss_renegotiate()
if self.self_signed_ca:
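Review bot: The call `self.__enable_mod_nss_renegotiate()` is placed directly after `db.track_server_cert(...)`, so the directive is only written when this certificate-handling path runs, which matches the "doesn't have any effect" symptom described above. Unlike the certificate tracking around it, the setting does not depend on any certificate state. Register it as its own step in `create_instance()`, as the reply below suggests, so that it is applied on every install.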
diff --git a/ipaserver/plugins/ b/ipaserver/plugins/
index d1234a0..23d06ab 100644

This is only called when a user provides their own PKCS#12 files (and replica installations).

We don't set the nickname on most installations because we assume a vanilla server, therefore the nickname is already set to Server-Cert (probably not the best assumption these days).

You'll want to set this in a step in create_instance() instead.


Freeipa-devel mailing list