URL: https://github.com/freeipa/freeipa/pull/1906 Author: stlaz Title: #1906: mod_ssl: add SSLVerifyDepth for external CA installs Action: opened
PR body: """ mod_ssl's limiting of client cert verification depth was causing the replica installs to fail when master had been installed with external CA since the SSLCACertificateFile was pointing to a file with more than one certificate. This is caused by the default SSLVerifyDepth value of 1. We set it to 5 as that should be just about enough even for possible sub-CAs. https://pagure.io/freeipa/issue/7530 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1906/head:pr1906 git checkout pr1906
From ba7302ce817a32c6dacad531d31553e04c5ad07f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 4 May 2018 12:16:33 +0200
Subject: [PATCH] mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing the replica installs to fail when master had been installed with external CA since the SSLCACertificateFile was pointing to a file with more than one certificate. This is caused by the default SSLVerifyDepth value of 1. We set it to 5 as that should be just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530
---
 ipalib/constants.py | 2 ++
 ipaserver/install/httpinstance.py | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index e161d65adf..af4b2bb81a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -319,3 +319,5 @@
 )
 
 SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
+# certificate verification depth of Apache's mod_ssl (SSLVerifyDepth)
+MOD_SSL_VERIFY_DEPTH = 5
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index dbbb4000ff..14e678f88d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -43,7 +43,7 @@
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api, x509
-from ipalib.constants import IPAAPI_USER
+from ipalib.constants import IPAAPI_USER, MOD_SSL_VERIFY_DEPTH
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -412,6 +412,11 @@ def configure_mod_ssl_certs(self):
         installutils.set_directive(paths.HTTPD_SSL_CONF,
                                    'SSLCACertificateFile',
                                    paths.IPA_CA_CRT, False)
+        # set SSLVerifyDepth for external CA installations
+        installutils.set_directive(paths.HTTPD_SSL_CONF,
+                                   'SSLVerifyDepth',
+                                   MOD_SSL_VERIFY_DEPTH,
+                                   quotes=False)
 
     def __publish_ca_cert(self):
         ca_subject = self.cert.issuer
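Review bot: The comment `# set SSLVerifyDepth for external CA installations` on the new lines in configure_mod_ssl_certs is misleading, because the directive is written unconditionally on every install, not only when an external CA is in use; suggest `# mod_ssl defaults SSLVerifyDepth to 1, which rejects client chains with more than one issuer (external CA, possibly with sub-CAs); raise the bound for all installs`. The new call passes the quoting flag as the keyword `quotes=False` while the SSLCACertificateFile call just above passes it positionally as `False`; use one form for both so the two directives read alike. The value handed to set_directive is the int 5, which is presumably fine if set_directive stringifies its value, but worth confirming against its signature. The start of configure_mod_ssl_certs is outside the hunk, and nothing here covers already-installed servers whose ssl.conf keeps the default depth; if an upgrade step for mod_ssl directives exists elsewhere, it should presumably set SSLVerifyDepth as well.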