Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
On 24.11.2014 at 15:59, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 21.11.2014 at 16:09, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 20.11.2014 at 23:26, Rob Crittenden wrote:
>>>>> Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>>>
>>>>> I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the right direction.
>>>>>
>>>>> Added a couple more lines of debug output to include the negotiated protocol and cipher.
>>>>>
>>>>> rob
>>>>
>>>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>>>
>>> Attached.
>>>
>>>> 2) Could you split the option into two options, say tls_version_min and tls_version_max? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.
>>>
>>> Sure. I waffled back and forth before deciding on a single value. Separate values are probably less error-prone.
>>>
>>>> 3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have unsafe minimal version configured on the client.
>>>
>>> I see what you're saying but I think it could end up being just spam that users get used to. That and given that I'd probably want to set it up to require tls1.1 as a minimum but we can't do that because dogtag only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.
>>
>> You are probably right about the spam. Never mind then.
>>
>>>> Functionally the patch is OK.
>>>
>>> rob
>>
>> Thanks for the patch, ACK.
>> Fixed option names in commit message and pushed to:
>> master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
>> ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777
>>
>> BTW before we can close the ticket, we are going to need a couple more fixes:
>>
>> 1) Bump required versions of 389-ds-base, pki-core and openldap, once the necessary fixes are available.
>
> Right, to be sure that POODLE is fully addressed.

I will post a patch once we have all of them.

>> 2) Configure mod_nss to also support TLS 1.2. It should be done on both server install and upgrade. This requires a new version of mod_nss.
>
> mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.
>
> mod_nss is also very tolerant of bad/unknown protocols. It won't blow up on unknown protocols. So if the given mod_nss doesn't support TLSv1.2 it will simply report an error about an unknown protocol and configure the server for 1.0/1.1 if configured as:
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

The attached patch 379 fixes this.

> rob

-- 
Jan Cholasta

From 815247c1aa4a923b2aa6fb12bd221ebd83083af2 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 25 Nov 2014 08:12:53 + Subject: [PATCH] Add TLS 1.2 to the protocol list in mod_nss config https://fedorahosted.org/freeipa/ticket/4653 --- install/tools/ipa-upgradeconfig | 13 + ipaserver/install/httpinstance.py | 7 --- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ffb51a9..815fe04 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig
@@ -1287,6 +1287,18 @@ def fix_trust_flags(): sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True) +def update_mod_nss_protocol(http): +root_logger.info('[Updating mod_nss protocol versions]') + +if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'): +root_logger.info(Protocol versions already updated) +return + +http.set_mod_nss_protocol() + +sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) + + def main(): Get some basics about the system. If getting those basics fail then @@ -1388,6 +1400,7 @@ def main(): http.change_mod_nss_port_from_http() http.stop() +update_mod_nss_protocol(http) fix_trust_flags() http.start() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 14efa5b..f9e0200 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -115,7 +115,8 @@ class HTTPInstance(service.Service): self.step(setting mod_nss port to 443, self.__set_mod_nss_port) -self.step(setting mod_nss protocol list to TLSv1.0 and TLSv1.1, self.__set_mod_nss_protocol) +self.step(setting mod_nss protocol list to TLSv1.0 - TLSv1.2, + self.set_mod_nss_protocol) self.step(setting mod_nss password file, self.__set_mod_nss_passwordfile) self.step(enabling mod_nss renegotiate, self.enable_mod_nss_renegotiate)
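Review bot: in the ipa-upgradeconfig hunk, update_mod_nss_protocol() records its state as sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) while the neighbouring fix_trust_flags() keys its flag under 'http'; keeping one section name for the HTTP instance makes the state file easier to read and lets later mod_nss steps find their siblings. The guard itself is correct: the flag is only written after http.set_mod_nss_protocol() returns, so a failed rewrite of nss.conf is retried on the next upgrade run, and the call sits between http.stop() and http.start() so the new NSSProtocol list is picked up on restart.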
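Review bot: in the httpinstance.py hunk, the install step now references self.set_mod_nss_protocol instead of the name-mangled self.__set_mod_nss_protocol, i.e. the method is being made public so the upgrader can call it; this hunk shows only the caller, so confirm the def is renamed in the same commit and that no other reference to __set_mod_nss_protocol remains, otherwise install fails with AttributeError at this step. Also consider making the step text name the exact value written to nss.conf (TLSv1.0,TLSv1.1,TLSv1.2 per the thread) rather than "TLSv1.0 - TLSv1.2", so the install log and the config agree on what was set.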
Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
On 11/25/2014 09:35 AM, Jan Cholasta wrote:
> On 24.11.2014 at 15:59, Rob Crittenden wrote:
> ...
>>> 2) Configure mod_nss to also support TLS 1.2. It should be done on both server install and upgrade. This requires a new version of mod_nss.
>>
>> mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.
>>
>> mod_nss is also very tolerant of bad/unknown protocols. It won't blow up on unknown protocols. So if the given mod_nss doesn't support TLSv1.2 it will simply report an error about an unknown protocol and configure the server for 1.0/1.1 if configured as:
>>
>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> The attached patch 379 fixes this.

Works for me, ACK!

Pushed to:
master: bef1d18878118aea379659bb10d78c1e955b0b63
ipa-4-1: dc443cc4503822cb35c3693e5e525425573140f2

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
On 21.11.2014 at 16:09, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> On 20.11.2014 at 23:26, Rob Crittenden wrote:
>>> Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>
>>> I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the right direction.
>>>
>>> Added a couple more lines of debug output to include the negotiated protocol and cipher.
>>>
>>> rob
>>
>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>
> Attached.
>
>> 2) Could you split the option into two options, say tls_version_min and tls_version_max? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.
>
> Sure. I waffled back and forth before deciding on a single value. Separate values are probably less error-prone.
>
>> 3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have unsafe minimal version configured on the client.
>
> I see what you're saying but I think it could end up being just spam that users get used to. That and given that I'd probably want to set it up to require tls1.1 as a minimum but we can't do that because dogtag only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.

You are probably right about the spam. Never mind then.

>> Functionally the patch is OK.
>
> rob

Thanks for the patch, ACK.
Fixed option names in commit message and pushed to:
master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777

BTW before we can close the ticket, we are going to need a couple more fixes:

1) Bump required versions of 389-ds-base, pki-core and openldap, once the necessary fixes are available.

2) Configure mod_nss to also support TLS 1.2. It should be done on both server install and upgrade. This requires a new version of mod_nss.

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
Jan Cholasta wrote:
> On 21.11.2014 at 16:09, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 20.11.2014 at 23:26, Rob Crittenden wrote:
>>>> Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>>
>>>> I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the right direction.
>>>>
>>>> Added a couple more lines of debug output to include the negotiated protocol and cipher.
>>>>
>>>> rob
>>>
>>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>>
>> Attached.
>>
>>> 2) Could you split the option into two options, say tls_version_min and tls_version_max? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.
>>
>> Sure. I waffled back and forth before deciding on a single value. Separate values are probably less error-prone.
>>
>>> 3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have unsafe minimal version configured on the client.
>>
>> I see what you're saying but I think it could end up being just spam that users get used to. That and given that I'd probably want to set it up to require tls1.1 as a minimum but we can't do that because dogtag only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.
>
> You are probably right about the spam. Never mind then.
>
>>> Functionally the patch is OK.
>>
>> rob
>
> Thanks for the patch, ACK.
> Fixed option names in commit message and pushed to:
> master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
> ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777
>
> BTW before we can close the ticket, we are going to need a couple more fixes:
>
> 1) Bump required versions of 389-ds-base, pki-core and openldap, once the necessary fixes are available.

Right, to be sure that POODLE is fully addressed.

> 2) Configure mod_nss to also support TLS 1.2. It should be done on both server install and upgrade. This requires a new version of mod_nss.

mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.

mod_nss is also very tolerant of bad/unknown protocols. It won't blow up on unknown protocols. So if the given mod_nss doesn't support TLSv1.2 it will simply report an error about an unknown protocol and configure the server for 1.0/1.1 if configured as:

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

rob
Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
Hi,

On 20.11.2014 at 23:26, Rob Crittenden wrote:
> Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>
> I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the right direction.
>
> Added a couple more lines of debug output to include the negotiated protocol and cipher.
>
> rob

1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)

2) Could you split the option into two options, say tls_version_min and tls_version_max? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.

3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have unsafe minimal version configured on the client.

Functionally the patch is OK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
Jan Cholasta wrote:
> Hi,
>
> On 20.11.2014 at 23:26, Rob Crittenden wrote:
>> Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>
>> I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the right direction.
>>
>> Added a couple more lines of debug output to include the negotiated protocol and cipher.
>>
>> rob
>
> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)

Attached.

> 2) Could you split the option into two options, say tls_version_min and tls_version_max? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.

Sure. I waffled back and forth before deciding on a single value. Separate values are probably less error-prone.

> 3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have unsafe minimal version configured on the client.

I see what you're saying but I think it could end up being just spam that users get used to. That and given that I'd probably want to set it up to require tls1.1 as a minimum but we can't do that because dogtag only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.

> Functionally the patch is OK.

rob

From 3cdf7b21d3472d0710bee26a8fcabbc159739554 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com Date: Thu, 30 Oct 2014 11:52:14 -0400 Subject: [PATCH] Use NSS protocol range API to set available TLS protocols Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. If only a single value is provided then it represents both the min and max. This is overridable per client by setting tls_protocol_range. https://fedorahosted.org/freeipa/ticket/4653 --- freeipa.spec.in | 2 +- ipalib/constants.py | 4 ipalib/rpc.py | 5 - ipapython/dogtag.py | 4 +++- ipapython/nsslib.py | 17 +++-- 5 files changed, 27 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a417ab56f843b202787c6112553f8c16f2c1dde0..95ec6210a157fd158d81d97efbd46f3d35facbc6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -284,7 +284,7 @@ Requires: gnupg Requires: iproute Requires: keyutils Requires: pyOpenSSL -Requires: python-nss = 0.15 +Requires: python-nss = 0.16 Requires: python-lxml Requires: python-netaddr Requires: libipa_hbac-python diff --git a/ipalib/constants.py b/ipalib/constants.py index 1eed7ca6ad0e5920318dadc68ed36fff6cf889f2..111bafe5ed0c3d2df58a1b6839feedc58a14fcc4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,10 @@ DEFAULT_CONFIG = ( ('rpc_protocol', 'jsonrpc'), +# Define an inclusive range of SSL/TLS version support +('tls_version_min', 'tls1.0'), +('tls_version_max', 'tls1.2'), + # Time to wait for a service to start, in seconds ('startup_timeout', 300), diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..806f6bb9adf004660c9cb285cf31b09a988afa93 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -68,6 +68,7 @@ from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE from ipapython.dn import DN from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES +from ipalib import api COOKIE_NAME = 'ipa_session' KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME @@ -488,7 +489,9 @@ class SSLTransport(LanguageAwareTransport): if sys.version_info (2, 7): conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) else: -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init) +conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) self.dbdir=dbdir conn.connect() diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 14824b99431e85dd73613befd72e500d370cfe2c..0e0aacca798377517244075ed6b07dff63e87358 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -234,7 +234,9 @@ def https_request(host, port, url, secdir, password, nickname, **kw): def connection_factory(host, port): -conn = nsslib.NSSConnection(host, port, dbdir=secdir) +conn = nsslib.NSSConnection(host, port,
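Review bot: in the ipalib/constants.py hunk, the comment above the two new defaults says "inclusive range of SSL/TLS version support" but does not list the accepted values, and DEFAULT_CONFIG is what an admin copies into default.conf when overriding; since the commit message already documents them, add them to the comment, e.g. `# Accepted values: ssl3, tls1.0, tls1.1, tls1.2 (min must not exceed max)`. The default minimum of tls1.0 is the right floor given that dogtag only speaks TLS 1.0 today, and it keeps SSLv3 disabled unless explicitly configured, which is the POODLE mitigation this ticket is about.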
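Review bot: in the ipalib/rpc.py hunk, the new tls_version_min/tls_version_max keyword arguments are passed only to the NSSConnection(...) call in the else branch; the NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) call in the other branch of the sys.version_info test is untouched, so clients that take that path keep the library's default range instead of api.env's, and a lowered or raised tls_version_min in default.conf silently has no effect there. Pass the same two arguments to NSSHTTPS (and accept them in its constructor) so both code paths honour the configuration. Also, the module-level `from ipalib import api` in ipalib/rpc.py is worth a check for a circular import, since ipalib/__init__ is where api is created; if it bites, read api.env inside the method instead.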
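Jan's review items 2 and 3 (a separate min/max pair, and a warning when an unsafe minimum is no longer needed) and the commit message's description of the range (ssl3 through tls1.2, a single value meaning min == max) as an added example, not FreeIPA's or python-nss's code; the function names and the logger name are hypothetical, and the code validates the configured strings before they would be handed to the NSS range setter rather than leaving bad input for NSS to reject.

```python
import logging

# Ordered oldest to newest; these are the names the commit message documents
# for tls_version_min / tls_version_max.
TLS_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

# SSLv3 is what POODLE attacks, so anything below tls1.0 is treated as unsafe.
SAFE_MINIMUM = "tls1.0"

log = logging.getLogger("tls_range_example")  # hypothetical logger name


class TLSRangeError(ValueError):
    """Raised for an unknown version name or an inverted range."""


def _rank(name):
    """Map a version name to its position in TLS_VERSIONS (case-insensitive)."""
    key = name.strip().lower()
    if key not in TLS_VERSIONS:
        raise TLSRangeError("unknown TLS version %r, allowed: %s"
                            % (name, ", ".join(TLS_VERSIONS)))
    return TLS_VERSIONS.index(key)


def resolve_tls_range(tls_version_min, tls_version_max=None):
    """Return the canonical (min, max) pair for the configured values.

    A missing max means "same as min", mirroring the single-value form the
    commit message describes; min newer than max is rejected up front.
    """
    if tls_version_max is None:
        tls_version_max = tls_version_min
    lo, hi = _rank(tls_version_min), _rank(tls_version_max)
    if lo > hi:
        raise TLSRangeError("tls_version_min %s is newer than tls_version_max %s"
                            % (TLS_VERSIONS[lo], TLS_VERSIONS[hi]))
    return TLS_VERSIONS[lo], TLS_VERSIONS[hi]


def unsafe_minimum_warning(configured_min, negotiated):
    """Return a warning text (or None) for the case raised in review: the
    client still permits an unsafe minimum although the server negotiated a
    safe version, so the minimum can now be raised again."""
    if _rank(configured_min) < _rank(SAFE_MINIMUM) <= _rank(negotiated):
        msg = ("tls_version_min=%s permits an unsafe protocol but the server "
               "negotiated %s; consider raising tls_version_min to %s"
               % (configured_min, negotiated, SAFE_MINIMUM))
        log.warning(msg)
        return msg
    return None
```

Calling resolve_tls_range() once at client start-up gives the user the pointed error message the thread wanted, and the warning helper only fires when the server has actually moved on, which limits the log spam Rob objected to.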