On Thu, 12 Jan 2017, Christian Heimes wrote:
> On 2016-12-19 15:07, John Dennis wrote:
>> I'm not a big fan of NSS, it has its issues. As the author of the
>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>> has its own issues too. If you remove NSS you're also removing the
>> option to support smart cards, HSMs etc. Perhaps before removing
>> functionality it would be good to assess what the requirements are.
>
> When Standa started to work on the PR, I raised similar concerns
> regarding the feature set of OpenSSL. I asked him to write a design spec
> to address some of the concerns.
>
> HSM and smart card authentication are of no concern. Standa's PR
> replaces FreeIPA's internal HTTPS connection with an OpenSSL-based
> implementation. It's used to communicate from an IPA client to an IPA
> server or from an IPA server to Dogtag. We don't support client cert
> auth for client to server. Smart card authentication is performed based
> on pkinit and Kerberos. Currently just IPA server to Dogtag uses client
> cert authentication. That part will be replaced with GSSAPI eventually.

We are adding client cert authentication in 4.5. This is a pretty big part
of the release, actually, as we are getting external authentication and
privilege separation support. See Simo's PR#314 which is very close to
being merged.

We don't plan yet to use this for IPA client itself, but nothing prevents
clients other than web browsers from utilizing client cert auth to establish
TLS session authentication. In fact, this is something which most likely
will be used for external entities anyway.

> I'm more concerned that we lose the ability to check revocation state
> of certificates. Python's ssl module has no support for OCSP. OpenSSL's
> and Python's CRL capabilities are sub-par compared to NSS. The ssl
> module can load CRLs but it has no means to retrieve or update a CRL
> from a remote server.
>
> For Fedora 26 we will have to deal with similar concerns for libldap.
> Fedora has switched from NSS to OpenSSL as TLS backend.
>
> Christian
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


--
/ Alexander Bokovoy
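The revocation point Christian raises above is easy to see in practice. The following is an added example, not code from this thread or from FreeIPA: it builds a throwaway CA, a "localhost" server certificate and a CRL that revokes it (all constructed in memory with the third-party `cryptography` package, which is assumed to be installed), then runs two loopback TLS handshakes with only the standard-library `ssl` module. Without a CRL the client accepts the certificate; with the CRL loaded via `load_verify_locations` and `VERIFY_CRL_CHECK_LEAF` set, OpenSSL rejects it as revoked. The CRL is still just a local file: fetching it from a distribution point, watching its nextUpdate and reloading it is left entirely to the application, which is exactly the gap described in the message.

```python
"""Loopback demo of CRL-based revocation checking with Python's ssl module.
Constructed test PKI; not FreeIPA code.  Assumes 'cryptography' is installed."""
import datetime
import socket
import ssl
import tempfile
import threading
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _pem(obj):
    return obj.public_bytes(serialization.Encoding.PEM)


def _key_pem(key):
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def make_pki():
    """Constructed CA, 'localhost' server cert, and a CRL revoking that cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    day = datetime.timedelta(days=1)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - day).not_valid_after(now + day)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    srv_key = ec.generate_private_key(ec.SECP256R1())
    srv_cert = (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost")]))
                .issuer_name(ca_name)
                .public_key(srv_key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now - day).not_valid_after(now + day)
                .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]),
                               critical=False)
                .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(srv_cert.serial_number)
               .revocation_date(now - datetime.timedelta(minutes=1))
               .build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_name)
           .last_update(now - day).next_update(now + day)
           .add_revoked_certificate(revoked)
           .sign(ca_key, hashes.SHA256()))
    return _pem(ca_cert), _pem(srv_cert), _key_pem(srv_key), _pem(crl)


def client_context(ca_path, crl_path=None):
    """Verifying client context; with a CRL path, the leaf is checked against it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=ca_path)
    if crl_path is not None:
        ctx.load_verify_locations(cafile=crl_path)  # a PEM CRL loads the same way
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # now a CRL is *required*
    return ctx


def handshake(client_ctx, server_ctx):
    """One loopback TLS handshake; returns 'accepted' or 'rejected: <reason>'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:
            pass  # client aborted the handshake (e.g. after rejecting our cert)
        finally:
            listener.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.recv(16)
                return "accepted"
    except ssl.SSLCertVerificationError as e:
        return "rejected: " + e.verify_message  # e.g. 'certificate revoked'
    finally:
        t.join(5)


def run_demo():
    ca, cert, key, crl = make_pki()
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in ("ca", ca), ("cert", cert), ("key", key), ("crl", crl):
            p = Path(d, name + ".pem")
            p.write_bytes(data)
            paths[name] = str(p)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(paths["cert"], paths["key"])
        return {"without_crl": handshake(client_context(paths["ca"]), sctx),
                "with_crl": handshake(client_context(paths["ca"], paths["crl"]), sctx)}


if __name__ == "__main__":
    print(run_demo())
```

Note that once `VERIFY_CRL_CHECK_LEAF` is set, OpenSSL fails the handshake if no current CRL for the issuer is loaded at all, so a deployment that enables it must also keep the CRL file fresh; the stdlib offers nothing for that step.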
