Adam Young wrote:
Here's a segment from my patch. All it should be doing is switching
NSSRenegotiation from off to on, but it doesn't have any effect. Am I
missing something conceptually here?


+++ b/ipaserver/install/httpinstance.py
@@ -160,6 +160,9 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)

+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on')
+
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/
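Review bot: the new __enable_mod_nss_renegotiate() has no docstring or comment saying why NSSRenegotiation is being switched to 'on'. Because this changes a TLS setting in NSS_CONF, add a short comment naming what needs renegotiation, so the value is not later read as accidental or silently reverted.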

@@ -189,6 +192,7 @@ class HTTPInstance(service.Service):
db.track_server_cert(nickname, self.principal, db.passwd_fname)

self.__set_mod_nss_nickname(nickname)
+ self.__enable_mod_nss_renegotiate()
else:
if self.self_signed_ca:
db.create_from_cacert(ca_db.cacert_fname)
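Review bot: the call to self.__enable_mod_nss_renegotiate() sits directly after self.__set_mod_nss_nickname(nickname), inside the branch that ends at the else:, so it runs only on that path and the else: path (the self_signed_ca case) never touches NSSRenegotiation. If the directive is meant to be set on every install, move the call out of this if/else so both paths reach it.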
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0..23d06ab 100644

This is only called when a user provides their own PKCS#12 files (and replica installations).

We don't set the nickname on most installations because we assume a vanilla server; therefore the nickname is already set to Server-Cert (probably not the best assumption these days).

You'll want to set this in a step in create_instance() instead.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
