[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: edited Changed field: body Original value: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [x] remove NSSConnection from client modules - [x] remove NSSConnection from server modules where it's used to connect to the certificate server - [x] remove the nsslib library completely - [x] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: edited Changed field: body Original value: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [x] remove NSSConnection from client modules - [x] remove NSSConnection from server modules where it's used to connect to the certificate server - [x] remove the nsslib library completely - [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: edited Changed field: body Original value: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [x] remove NSSConnection from client modules - [x] remove NSSConnection from server modules where it's used to connect to the certificate server - [x] remove the nsslib library completely - [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] separate ra-agent.pem into certificate and private-key files, have private-key file encrypted - [ ] once ^- is done, track the new files in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: edited Changed field: body Original value: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [x] remove NSSConnection from client modules - [x] remove NSSConnection from server modules where it's used to connect to the certificate server - [x] remove the nsslib library completely - [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: edited Changed field: body Original value: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code