On 09/11/2014 04:04 PM, Martin Kosek wrote:
On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
On 09/11/2014 01:37 PM, Martin Kosek wrote:
Hi team,

It seems we have a pretty serious bug in our FreeIPA 4.0.2 release, breaking
upgrade from older releases:

https://fedorahosted.org/freeipa/ticket/4529

We also have a packaging fix requested by the Fedora Server roles group:

https://fedorahosted.org/freeipa/ticket/4430

It seems just these 2 bugs are enough for a quick FreeIPA 4.0.3 release...
Makes sense? Any other tickets or patches we would like to get in?
Looks like it's just those two. I'll start releasing shortly.
I'd like to get a fix in for the missing ciphers in the new NSS. I can
have a patch on the list shortly.

Nathaniel
Isn't this related to
https://fedorahosted.org/freeipa/ticket/4395
? I think we do not work with the newest DS which fixed the default ciphers.
yes

Don't we need to set our SSL ciphers setting to

https://fedorahosted.org/389/ticket/47838#comment:29
yes
The attached patch tries this, but at the moment I failed to build and also to upgrade to F21.


? If yes, I think this is definitely a 4.0.3 candidate.

Martin

From 40d4318cfc9dc53073316af8b1edff5a68b3fe6b Mon Sep 17 00:00:00 2001
From: lkrispen <lkris...@redhat.com>
Date: Thu, 11 Sep 2014 14:06:34 +0200
Subject: [PATCH] ticket 4395 - change ciphers enabled by default

---
 install/updates/20-sslciphers.update | 6 ++++++
 install/updates/Makefile.am          | 1 +
 ipaserver/install/dsinstance.py      | 7 ++-----
 3 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 0000000..ce88dae
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+only:allowWeakCiphers: off
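Review bot: the attribute name written here, `only:allowWeakCiphers: off`, does not match the one the same patch writes from dsinstance.py (`allowWeakCipher`); the two spellings must agree, otherwise one of the code paths sets an attribute the server does not recognise and weak suites stay enabled on that path. Also, the comment line `# provided by NSS which ar not weak will be enabled` has a typo (`ar` should be `are`).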
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1d912a7..026cde0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =				\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cc1d327..0518dd0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -664,11 +664,8 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
         mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
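Review bot: `"+all"` together with `("allowWeakCipher", "off")` only yields a strong cipher set on a 389-ds that implements the fix referenced earlier in the thread (389 ticket 47838); the patch adds no minimum 389-ds version requirement and the commit message does not mention the dependency, so on an older directory server this MOD_REPLACE may be rejected for an unknown attribute or leave weak suites enabled. Suggest recording the required 389-ds version in the packaging requirements and the commit message, and reconciling the spelling with the update file, which uses `allowWeakCiphers`.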
-- 
1.9.3
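As an added illustration of what this patch changes (not code from the thread, FreeIPA or 389-ds), the small audit below parses a constructed LDIF copy of the `cn=encryption,cn=config` entry and flags explicitly enabled weak suites in the old default list, and checks that `+all` is paired with `allowWeakCipher: off`; the weakness markers are this example's own classification of the NSS cipher names.

```python
"""Audit the 389-ds cn=encryption,cn=config entry for weak cipher settings.
Added example for the freeipa-devel thread; not FreeIPA or 389-ds code."""

# Constructed LDIF: the pre-patch FreeIPA default list from dsinstance.py,
# written as one LDAP attribute value (no Python line continuations).
OLD_CONFIG = """dn: cn=encryption,cn=config
nsSSLClientAuth: allowed
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
"""

# Constructed LDIF: the post-patch configuration.
NEW_CONFIG = """dn: cn=encryption,cn=config
nsSSL3Ciphers: +all
allowWeakCipher: off
"""

# Name fragments this example treats as weak: null encryption, 40-bit and
# export-grade keys, RC4, RC2, single DES, MD5 MAC, and the Fortezza suites.
WEAK_MARKERS = ("null", "_40_", "export", "rc4", "rc2", "_des_", "fortezza", "md5")


def parse_entry(ldif):
    """Return {attribute: value} for one LDIF entry (single-line values only)."""
    attrs = {}
    for line in ldif.splitlines():
        if line.startswith(("#", "dn:")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def weak_ciphers(cipher_spec):
    """Return the enabled ('+name') tokens of nsSSL3Ciphers that look weak."""
    weak = []
    for token in cipher_spec.split(","):
        token = token.strip().lower()
        if token.startswith("+") and token != "+all":
            name = token[1:]
            if any(marker in name for marker in WEAK_MARKERS):
                weak.append(name)
    return weak


def audit(ldif):
    """Return a list of findings; an empty list means the entry looks sound."""
    attrs = parse_entry(ldif)
    spec = attrs.get("nsSSL3Ciphers", "")
    findings = ["weak cipher enabled: " + name for name in weak_ciphers(spec)]
    # '+all' is only safe when the server also refuses its weak suites.
    if spec == "+all" and attrs.get("allowWeakCipher", "on").lower() != "off":
        findings.append("nsSSL3Ciphers is +all but allowWeakCipher is not off")
    return findings
```

Running `audit(OLD_CONFIG)` lists ten explicitly enabled weak suites, while `audit(NEW_CONFIG)` returns no findings.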

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel