On Fri, 2014-09-12 at 13:17 +0200, Martin Kosek wrote:
> On 09/12/2014 10:25 AM, Martin Kosek wrote:
> > On 09/12/2014 10:13 AM, Ludwig Krispenz wrote:
> >>
> >> On 09/12/2014 09:37 AM, Martin Kosek wrote:
> >>> On 09/12/2014 03:21 AM, Nathaniel McCallum wrote:
> >>>> On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> >>>>> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> >>>>>> On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >>>>>>> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>>>>>>
> >>>>>>>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>>>>>>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >>>>>>> ...
> >>>>>>>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >>>>>>>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >>>>>>>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
> >>>>>>>>>> known issues in the F21 389-ds-base build that would prevent upstream
> >>>>>>>>>> FreeIPA 4.0.x from being based on it?
> >>>>>>>>>>
> >>>>>>>>>> If yes, we may need to include the patch in Fedora 21 downstream only
> >>>>>>>>>> after all...
> >>>>>>>>>
> >>>>>>>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>>>>>>>> couldn't include the patch even there.
> >>>>>>>>> There better be no such issues.
> >>>>>>>> What do you mean by "no such issues"? I don't think that 389/F21 will
> >>>>>>>> be the first bug-free software. At the moment Thierry is investigating a
> >>>>>>>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>>>>>>>
> >>>>>>>
> >>>>>>> any known issues in the F21 389-ds-base build that would prevent
> >>>>>>> upstream FreeIPA 4.0.x from being based on it
> >>>>>>
> >>>>>> Yes. 389 will not start if weak ciphers are specified. Currently,
> >>>>>> FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> >>>>>> work at all because the DS will never start.
> >>>>>>
> >>>>>> We need this patch merged: https://fedorahosted.org/389/ticket/47838
> >>>>
> >>>> Done: thanks everyone on the DS side!
> >>>>
> >>>>>> Then, we need an F21 build of 389-ds-base.
> >>>>
> >>>> Done: thanks nhosoi!
> >>>>
> >>>>>> Then we need to merge Ludwig's IPA patch from this thread with a
> >>>>>> versioned dependency on the new 389-ds-base build.
> >>>>
> >>>> New patch attached which includes a versioned dep on the new DS.
> >>>
> >>> ipa-server-install still fails for me, even when I use
> >>> 389-ds-base-1.3.3.2-1.fc20.x86_64:
> >>>
> >>> # ipa-server-install
> >>> ...
> >>>   [12/13]: restarting httpd
> >>>   [13/13]: configuring httpd to start on boot
> >>> Done configuring the web interface (httpd).
> >>> Applying LDAP updates
> >>> Unexpected error - see /var/log/ipaserver-install.log for details:
> >>> ObjectclassViolation: attribute "allowweakciphers" not allowed
> >>>
> >>>
> >>> I think you simply used a wrong config name - it has an extra "s" at the
> >>> end. It is defined as
> >> that typo was already in my first draft of the patch, sorry
> >>>
> >>> allowWeakCipher in "cn=encryption,cn=config". allowWeakCipher: [on | off]
> >>>
> >>>
> >>> Also, do we really need to set it to "off" in the updates? AFAIU, it is
> >>> off by default in our config, and with the current setting users could
> >>> not set it to "on" (for whatever reason) without the value being
> >>> overwritten with every run of FreeIPA upgrade.
> >> Could there be an upgrade from an install not yet using that param? Should
> >> "only:allowWeakCipher" be replaced by "addifnew"?
> >
> > You can try "default:allowWeakCipher: off" - it would set the attribute to
> > off if it was not there before.
> >
> > Given you are probably working on an updated version, I would also
> > recommend following
> >
> > http://www.freeipa.org/page/Contribute/Patch_Format#Patch_format_2
> >
> > as I saw a couple of nitpicks with your patch:
> > - ticket number in patch description and not in its body
> > - bad "From" field - I would rather expect it to be "Ludwig Krispenz
> > <lkris...@redhat.com>" than "lkrispen <lkris...@redhat.com>"
> >
> > Thanks,
> > Martin
> 
> Hello, any update on this front? Are you or Nathaniel updating the patch?

Attached.
From d4d24366c6392a1cd0c3d7c8513e20d0f9520766 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 12 Sep 2014 10:02:00 -0400
Subject: [PATCH] Update 389 SSL cipher config

We allow 389 to choose its own ciphers, but we default to
disabling weak ciphers. This offloads the choice to the
proper place so that we don't have to manage it in FreeIPA
anymore.

Thanks to Ludwig Krispenz <lkris...@redhat.com> for the
first version of this patch.

https://fedorahosted.org/freeipa/ticket/4395
---
 freeipa.spec.in                      | 6 +++---
 install/updates/20-sslciphers.update | 6 ++++++
 install/updates/Makefile.am          | 1 +
 ipaserver/install/dsinstance.py      | 7 ++-----
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b672ecb03bdd73c1a911a6a982ccd894bebcbce4..685b345fedb9d157c8deedc66f8712da32c5963b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.2.16
+BuildRequires:  389-ds-base-devel >= 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
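Review bot: the same 389-ds-base minimum version is now hard-coded in three places in this spec (BuildRequires here, Requires and Requires(pre) in the hunks below), and this file already uses a macro for exactly this purpose (`BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}` two lines down). Define a similar macro for the 389-ds-base floor so the next bump that is required for a DS-side fix like ticket 47838 touches one line instead of three.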
@@ -87,7 +87,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.20
+Requires: 389-ds-base >= 1.3.3.2
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
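Review bot: 1.3.3.2 is the build the thread reports testing against (389-ds-base-1.3.3.2-1.fc20 in the ipa-server-install run above), but the commit message does not say it is the first release carrying the allowWeakCipher change from https://fedorahosted.org/389/ticket/47838; please state that in the message, and confirm the build is in the FreeIPA Copr referenced earlier, since otherwise F20 users of the Copr cannot satisfy `Requires: 389-ds-base >= 1.3.3.2` at all.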
@@ -124,7 +124,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.2.20
+Requires(pre): 389-ds-base >= 1.3.3.2
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 0000000000000000000000000000000000000000..eef95f1907b397a277dc96046d5bb91a92aaf304
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+default:allowWeakCipher: off
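Review bot: "which ar not weak" in the comment should read "which are not weak", and the comment should explain why the two directives deliberately differ, since a later reader will be tempted to make them consistent. `only:nsSSL3Ciphers: +all` overwrites whatever the entry holds on every upgrade, which is needed to replace the explicit cipher list earlier dsinstance.py versions wrote, whereas `default:allowWeakCipher: off` only fills the attribute in when it is absent, so an administrator who set it to on on purpose is not silently reverted each run, which is the concern raised in the thread.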
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1d912a7d29552000d082aca58d345924ab84e11c..026cde0498dc15bda10605dd427881d71c4bfa25 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =				\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cc1d32709f552a7c6366edbb8b9c03ec28ac6e3a..0518dd0e0f20255f4e42911af6f1f95fc25f554e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -664,11 +664,8 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
         mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
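Review bot: the new `(ldap.MOD_REPLACE, "allowWeakCipher", "off")` assumes the attribute is in the DS schema; on an older 389-ds-base the modify fails at install time with ObjectclassViolation, exactly the error shown earlier in the thread for the misspelled name, and the only guard is the spec's version floor. Add a comment here naming the minimum DS version and ticket 47838 so the coupling is visible in the code. Also note that MOD_REPLACE unconditionally forces off at install time while the update file uses `default:`; that is consistent only because a freshly created instance has no value yet, which is worth a one-line comment too.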
-- 
2.1.0
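Added example, not FreeIPA's code and not anything posted in this thread: the only:/default:/addifnew behaviour Ludwig and Martin discuss, modelled in Python over an in-memory cn=encryption,cn=config entry, together with the attribute-name check behind the ObjectclassViolation seen above and a heuristic audit of the old nsSSL3Ciphers list the patch removes. Directive semantics follow the thread's own description; ENCRYPTION_SCHEMA, the WEAK_PATTERN heuristic and the sample entries are this example's assumptions, not 389-ds's schema or its weak-cipher classification.

```python
"""Added example, not FreeIPA's or 389-ds's own code: a minimal model of the
LDAP update-file directives debated in the thread, applied to an in-memory
cn=encryption,cn=config entry, plus a heuristic audit of an nsSSL3Ciphers
value. Directive semantics follow the thread's description (assumption);
the weak-cipher patterns are this example's own, not 389-ds's list."""
import re

# Constructed sample input: the update file from the patch.
SSLCIPHERS_UPDATE = """\
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: +all
default:allowWeakCipher: off
"""

# Constructed sample input: the pre-patch cipher list from dsinstance.py.
OLD_CIPHERS = ("-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,"
               "+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,"
               "+fortezza,+fortezza_rc4_128_sha,+fortezza_null,"
               "+tls_rsa_export1024_with_rc4_56_sha,"
               "+tls_rsa_export1024_with_des_cbc_sha")

# Assumed subset of the 389-ds schema for cn=encryption (lower-cased names).
ENCRYPTION_SCHEMA = {"nsssl3ciphers", "allowweakcipher", "nssslclientauth"}


def parse_update(text):
    """Parse update-file text into (dn, [(directive, attr, value), ...])."""
    dn, ops = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        directive, rest = line.split(":", 1)
        attr, value = rest.split(":", 1)
        ops.append((directive.strip().lower(), attr.strip(), value.strip()))
    return dn, ops


def unknown_attrs(ops, schema):
    """Attribute names the schema would reject (the ObjectclassViolation case)."""
    return [attr for _, attr, _ in ops if attr.lower() not in schema]


def apply_update(entry, ops):
    """Apply directives to {attr_lower: [values]} and return the entry.
    Only the directives mentioned in the thread are modelled."""
    for directive, attr, value in ops:
        key = attr.lower()
        current = entry.get(key, [])
        if directive == "only":
            entry[key] = [value]          # overwrites on every upgrade run
        elif directive in ("default", "addifnew"):
            if not current:               # set only when the attribute is absent
                entry[key] = [value]
        elif directive == "add":
            if value not in current:
                entry[key] = current + [value]
        elif directive == "remove":
            entry[key] = [v for v in current if v != value]
        else:
            raise ValueError("unsupported directive: %s" % directive)
    return entry


# Heuristic (assumption): export-grade, 40-bit, null, RC2 and single-DES suites.
WEAK_PATTERN = re.compile(r"_40_|export|null|_rc2_|(?<!3)des_", re.I)


def parse_cipher_list(value):
    """Parse '+name,-name,...' into {name: enabled}."""
    result = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            result[token.lstrip("+-")] = not token.startswith("-")
    return result


def enabled_weak_ciphers(value):
    """Names explicitly enabled by the list that match the weak heuristic."""
    return sorted(name for name, on in parse_cipher_list(value).items()
                  if on and name != "all" and WEAK_PATTERN.search(name))


def upgrade_scenarios():
    """Two upgrade cases from the thread: an admin who set allowWeakCipher on,
    and an older install that never had the attribute."""
    dn, ops = parse_update(SSLCIPHERS_UPDATE)
    customised = apply_update({"nsssl3ciphers": [OLD_CIPHERS],
                               "allowweakcipher": ["on"]}, ops)
    legacy = apply_update({"nsssl3ciphers": [OLD_CIPHERS]}, ops)
    return dn, customised, legacy


if __name__ == "__main__":
    print("weak suites enabled by old list:", enabled_weak_ciphers(OLD_CIPHERS))
    print(upgrade_scenarios())
```

Running it lists the seven suites the old explicit list enabled that the heuristic flags (the 40-bit RC2/RC4, single-DES, export-1024 and fortezza_null entries; rsa_null_md5 was already disabled with "-"), and shows that after the update the cipher list is replaced by +all on every run while an administrator's allowWeakCipher: on survives and a legacy entry without the attribute gets off. The unknown_attrs check is the cheap pre-flight that would have caught the "allowweakciphers" typo before the modify reached the server.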

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel