Re: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite

2016-03-09 Thread Martin Basti



On 09.03.2016 10:04, Fraser Tweedale wrote:
> On Wed, Mar 09, 2016 at 09:53:35AM +0100, Martin Basti wrote:
> > On 09.03.2016 04:47, Fraser Tweedale wrote:
> > > On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> > > > https://fedorahosted.org/freeipa/ticket/5684
> > > >
> > > > patch attached
> > > I think the comment in install/updates/20-sslciphers.update should
> > > be updated.  Apart from that, ACK.
> > >
> > > Cheers,
> > > Fraser
> > Thanks,
> >
> > updated patch attached.
> >
> > Martin^2
> ACK

Pushed to:
master: dd86f83c96961390f756e35496447d6aeae64df6
ipa-4-3: 3c4a8c89320e734d11ca2d5adadbbd6485c04722

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite

2016-03-09 Thread Fraser Tweedale
On Wed, Mar 09, 2016 at 09:53:35AM +0100, Martin Basti wrote:
> 
> 
> On 09.03.2016 04:47, Fraser Tweedale wrote:
> >On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> >>https://fedorahosted.org/freeipa/ticket/5684
> >>
> >>patch attached
> >I think the comment in install/updates/20-sslciphers.update should
> >be updated.  Apart from that, ACK.
> >
> >Cheers,
> >Fraser
> Thanks,
> 
> updated patch attached.
> 
> Martin^2
>
ACK



Re: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite

2016-03-09 Thread Martin Basti



On 09.03.2016 04:47, Fraser Tweedale wrote:
> On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> > https://fedorahosted.org/freeipa/ticket/5684
> >
> > patch attached
> I think the comment in install/updates/20-sslciphers.update should
> be updated.  Apart from that, ACK.
>
> Cheers,
> Fraser

Thanks,

updated patch attached.

Martin^2

From a8073284ccf37beff8f5767866ae9d8eb2c235d6 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 3 Mar 2016 17:39:34 +0100
Subject: [PATCH] Configure 389ds with "default" cipher suite

nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS

https://fedorahosted.org/freeipa/ticket/5684
---
 install/updates/20-sslciphers.update | 6 +++---
 ipaserver/install/dsinstance.py  | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
index b0c952f498bc89568029f1d01eaded4db1371c76..978a44ba40f34265e0534c461822c06135a3a2bd 100644
--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -1,6 +1,6 @@
 # change configured ciphers
-# the result of this update will be that all ciphers
-# provided by NSS which ar not weak will be enabled
+# the result of this update will be that default ciphers
+# provided by DS which are not weak will be enabled
 dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
 addifnew:allowWeakCipher: off
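Review bot: `addifnew:allowWeakCipher: off` on the last line of this hunk only writes the attribute when it is absent, so an upgraded server that already has allowWeakCipher set to on keeps that value, and the updated comment's statement that only ciphers "which are not weak will be enabled" would not hold there. If the intent is to enforce the setting on upgrade, consider `only:allowWeakCipher: off`, matching the `only:` used for nsSSL3Ciphers on the line above; otherwise reword the comment to say the weak-cipher setting is left as previously configured.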
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c54b01da7687d5812790518a2b8e00256001e5e..741dda91f3ceb6b4aff3419790f746d69adf5e16 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -777,7 +777,7 @@ class DsInstance(service.Service):
 conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
 mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-   (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+   (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
 conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
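Review bot: the value "default" on the changed line is a keyword rather than a cipher name, and nothing at this call site says so; a one-line comment above the `mod` list stating that it selects the directory server's own default cipher set would help the next reader. The commit message also names the attribute as nsSSLCiphers while this line sets nsSSL3Ciphers, so the message should be made to match the code.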
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
 conn.do_external_bind('root')
 
 mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-   (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+   (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
 conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
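Review bot: the three-entry `mod` list and the `conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)` call here are identical to the ones in the @@ -777 hunk, so the cipher value now has to be kept in sync in two places in dsinstance.py plus 20-sslciphers.update. Consider moving the list into one helper or module-level constant used by both code paths, so they cannot drift apart the next time the cipher setting changes.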
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite

2016-03-08 Thread Fraser Tweedale
On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5684
> 
> patch attached

I think the comment in install/updates/20-sslciphers.update should
be updated.  Apart from that, ACK.

Cheers,
Fraser
