URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

From dcd894bf135d37ed647a244f415b7a55cbe10412 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That checks, using OCSP, whether the certificate used for login has
been revoked.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in                       |  1 +
 install/restart_scripts/restart_httpd | 13 ++++++++++++-
 ipaserver/install/httpinstance.py     | 18 ++++++++++++++++++
 ipaserver/install/server/upgrade.py   | 12 +++++++++++-
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..f10544c 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,22 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+    api.finalize()
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+    db.trust_root_cert(nickname, "P,,")
+
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
     try:
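Review bot: `nickname` returned by `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` is handed to `db.trust_root_cert` with no None check, so a nss.conf without an NSSNickname directive fails somewhere inside CertDB instead of with a clear syslog message; the same unguarded lookup appears as `sc_nickname` in `fix_trust_flags` in upgrade.py. A guard such as `if nickname is None: raise RuntimeError('NSSNickname not found in %s' % paths.HTTPD_NSS_CONF)` placed before the trust call makes the failure mode explicit. The reason for stamping the server certificate with `"P,,"` is also undocumented here and at the two other new call sites (`__setup_ssl` in httpinstance.py and `fix_trust_flags`); explicit peer trust makes NSS accept that certificate without chain validation, which presumably is what lets mod_nss come up with NSSOCSP on before its own CA responder is reachable, and that deserves a one-line comment like `# trusted-peer flag ("P,,") so NSSOCSP does not block httpd start on its own server cert -- TODO confirm`. `_main` continues past the hunk.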
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..2844d19 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+        self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+    def enable_mod_nss_ocsp(self):
+        aug = augeas.Augeas()
+        ocsp_path = os.path.join('/files',
+                                 paths.HTTPD_NSS_CONF[1:],
+                                 'VirtualHost')
+        ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'))
+
+        if ocsp is None:
+            aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP')
+
+        aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on')
+        aug.save()
+
     def set_mod_nss_cipher_suite(self):
         ciphers = ','.join(NSS_CIPHER_SUITE)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
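Review bot: The `augeas.Augeas()` handle created at the top of `enable_mod_nss_ocsp` is never closed, and with default flags it auto-loads every lens against the whole filesystem even though only nss.conf is edited; restricting the Httpd lens to `paths.HTTPD_NSS_CONF` and closing the handle in a `finally` keeps the change scoped and cheap. If nss.conf contains more than one `VirtualHost`, the `directive[...]` lookup under `ocsp_path` matches several nodes and `aug.get` fails rather than selecting the mod_nss host, which is worth confirming against the shipped template. The method also has no docstring; `"""Ensure NSSOCSP is set to on in the mod_nss VirtualHost of nss.conf."""` would do.
```python
    def enable_mod_nss_ocsp(self):
        """Ensure NSSOCSP is set to on in the mod_nss VirtualHost of nss.conf."""
        aug = augeas.Augeas(flags=augeas.Augeas.NO_MODL_AUTOLOAD)
        try:
            # parse only nss.conf with the Httpd lens, not every lens on the host
            aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
            aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
            aug.load()
            # … unchanged: ocsp_path lookup and NSSOCSP get/set …
            aug.save()
        finally:
            aug.close()
```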
@@ -369,6 +384,7 @@ def __setup_ssl(self):
                           create=True)
         self.disable_system_trust()
         self.create_password_conf()
+
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
@@ -393,6 +409,8 @@ def __setup_ssl(self):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
+            db.trust_root_cert(nickname, "P,,")
+
         else:
             if not self.promote:
                 ca_args = [
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 927acb0..732f6b5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1375,6 +1375,11 @@ def remove_ds_ra_cert(subject_base):
 def fix_trust_flags():
     root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
+                                             "NSSNickname")
+    db.trust_root_cert(sc_nickname, "P,,")
+
     if sysupgrade.get_upgrade_state('http', 'fix_trust_flags'):
         root_logger.info("Trust flags already processed")
         return
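Review bot: The new `certs.CertDB(...)` and `db.trust_root_cert(sc_nickname, "P,,")` calls sit before the `sysupgrade.get_upgrade_state('http', 'fix_trust_flags')` early return and before the later "CA is not enabled" return, so unlike the rest of the function they execute on every upgrade, CA-less installs included. If re-applying the flag each time is intended, a comment such as `# always re-applied: the server cert must stay a trusted peer for NSSOCSP, independent of the fix_trust_flags state` would make that explicit; otherwise the calls belong after the state check. `fix_trust_flags` continues past the hunk.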
@@ -1383,7 +1388,6 @@ def fix_trust_flags():
         root_logger.info("CA is not enabled")
         return
 
-    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
@@ -1404,6 +1408,11 @@ def update_mod_nss_protocol(http):
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
 
+def enable_mod_nss_ocsp(http):
+    root_logger.info('[Updating mod_nss enabling OCSP]')
+    http.enable_mod_nss_ocsp()
+
+
 def update_mod_nss_cipher_suite(http):
     root_logger.info('[Updating mod_nss cipher suite]')
 
@@ -1660,6 +1669,7 @@ def upgrade_configuration():
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
+    enable_mod_nss_ocsp(http)
     fix_trust_flags()
     update_http_keytab(http)
     http.configure_gssproxy()
-- 