URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA
HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18
HonzaCholasta commented:
"""
OK. Let's fix it later.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-283290295
stlaz commented:
"""
@HonzaCholasta I saw this issue as well, once you hit it on a VM no `pkispawn`
will run correctly. I am not sure if it's caused by this PR, my guess is it
shouldn't be as `pkispawn` was
HonzaCholasta commented:
"""
`ipa-replica-install --setup-ca` still fails with the same error though.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-283289474
HonzaCholasta commented:
"""
CA-less to CA-ful conversion still fails:
```
2017-03-01T09:14:40Z DEBUG Starting external process
2017-03-01T09:14:40Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpgj_Ue4
```
stlaz commented:
"""
This should now be fixed. In my endless naivety I had thought passing no
password to `export_pkcs12()` would actually mean no password will be set.
"""
HonzaCholasta commented:
"""
Upgrade from 4.4.3 asks for a PKCS#12 file password and then fails:
```
Cleanup : freeipa-server-common-4.4.3-1.fc25.noarch
```
stlaz commented:
"""
Fixed another issue with CA-less to CA-full upgrade.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-283057864
stlaz commented:
"""
The issues should hopefully be fixed
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-283028836
HonzaCholasta commented:
"""
`ipa-replica-install` with `--setup-ca` fails with:
```
2017-02-28T07:38:41Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
```
HonzaCholasta commented:
"""
CA-less to CA-full `ipa-ca-install` fails with:
```
2017-02-28T07:24:47Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 892,
in run_script
```
HonzaCholasta commented:
"""
Upgrade from 4.3 fails with:
```
2017-02-28T07:07:18Z DEBUG Starting external process
2017-02-28T07:07:18Z DEBUG args=/usr/bin/pk12util -d /etc/httpd/alias -o (6,
```
stlaz commented:
"""
NSS DB creation removed from server install, did not realize it does not matter
anymore.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-282703536
stlaz commented:
"""
All the raised issues should've been addressed in the latest PR. Except for the
NSS DB creation, please answer the question in
`ipaserver/install/server/install.py`
"""
stlaz commented:
"""
The issues from the previous build should be resolved now, can be reviewed,
hopefully the build passes.
"""
stlaz commented:
"""
Hopefully all issues were addressed + `radb` removed. If the Travis check
passes then this is ready for review again.
"""
stlaz commented:
"""
Some more fixes for Travis to check.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-281950085
stlaz commented:
"""
First set of fixes to comments arrived, throwing it to Travis.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-281710491
HonzaCholasta commented:
"""
Besides what I wrote in inline comments, we need to get rid of
`/var/lib/ipa/radb` now that it's unused.
"""
stlaz commented:
"""
Rebased on current master.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-281281981
stlaz commented:
"""
In the last update I renamed the proposed config option `ca_certfile` to
`cacert_store` and made it a requirement for it to be an absolute path. This was
done with possible future changes to it
stlaz commented:
"""
In the latest patchset, the "ipaCert" is removed from the "/etc/httpd/alias/"
NSSDB and all the machinery around the certificate is moved accordingly.
I am addressing support of old SSL
rcritten commented:
"""
SSLv2 should not be supported, period.
Not that it would work anyway because most SSL libs have completely removed
this support, but it is just a terrible idea to even try and allow
stlaz commented:
"""
@rcritten `tls_version_min/max` could have been set to "ssl2" just as well as
"ssl3" but perhaps it's for the best to remove them. I will try to do the
certmonger part and will remove
tiran commented:
"""
Let's not make @stlaz jump through more bike-shedding hoops. How about we let
him finish this PR, and then address TLS versions, ciphers and other
simplifications in another PR?
"""
tiran commented:
"""
@rcritten I wonder if we need to support any version except TLS 1.2 at all. Are
there any versions of FreeIPA stack that do not have TLS 1.2 support?
"""
rcritten commented:
"""
Wait, you added support for SSLv2? Please remove it, it isn't needed even for
backwards compatibility and would not be considered a regression.
"""
stlaz commented:
"""
@rcritten I spoke to the NSS people who assured me it's the intended behavior.
But thanks for the reminder, I will open a Bugzilla for that as well, I was
considering it before
stlaz commented:
"""
I created the design for this effort:
http://www.freeipa.org/page/V4/Replace_NSS_with_OpenSSL
"""
stlaz commented:
"""
In the last update I added SSLv2 support in IPAHTTPSConnection for backward
compatibility (https://goo.gl/images/gqh2D9).
I also removed the Fedora crypto policies ciphers as we are not
tiran commented:
"""
```
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options = (ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
               ssl.OP_SINGLE_ECDH_USE | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
# try:   (the rest of the snippet is cut off in this archive)
```
rcritten commented:
"""
Did you open a bug against NSS or python-nss regarding the PIN requirement?
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/367#issuecomment-270382386
stlaz commented:
"""
You're right, I should probably write some design. The current implementation
does not check CRL or OCSP, so we're "fine" with this change. There is a plan
on doing CRL check in
tiran commented:
"""
* Ticket 5695 is about ```FreeIPA on FIPS enabled systems```. Moving from NSS
to OpenSSL is a big change and should be tracked by its own ticket.
* Are customers fine with the fact that
tiran commented:
"""
* Ticket 5695 looks wrong, it's about ```FreeIPA on FIPS enabled systems```.
* Are customers fine with the fact that FreeIPA clients will no longer verify
CRLs? OpenSSL does not