On Thu, 2014-09-11 at 16:48 +0200, Petr Viktorin wrote:
> On 09/11/2014 04:43 PM, Nathaniel McCallum wrote:
> > On Thu, 2014-09-11 at 16:39 +0200, Petr Viktorin wrote:
> >> On 09/11/2014 04:38 PM, Ludwig Krispenz wrote:
> >>>
> >>> On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> >>>> On 09/11/2014 04:26 PM, Martin Kosek wrote:
> >> ...
> >>>>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
> >>>>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
> >>>>> so that F20 users can upgrade to the newest FreeIPA. Are there any
> >>>>> known issues in the F21 389-ds-base build that would prevent upstream
> >>>>> FreeIPA 4.0.x from being based on it?
> >>>>>
> >>>>> If yes, we may need to include the patch in Fedora 21 downstream only
> >>>>> after all..
> >>>>
> >>>> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> >>>> couldn't include the patch even there.
> >>>> There better be no such issues.
> >>> What do you mean by "no such issues"? I don't think that 389/F21 will
> >>> be the first bug-free software. At the moment Thierry is investigating a
> >>> crash in dna-plugin and Noriko a memory leak, which could be in F21 -
> >>>
> >>
> >> any known issues in the F21 389-ds-base build that would prevent
> >> upstream FreeIPA 4.0.x from being based on it
> >
> > Yes. 389 will not start if weak ciphers are specified. Currently,
> > FreeIPA specifies weak ciphers. This means that FreeIPA in F21 doesn't
> > work at all because the DS will never start.
> >
> > We need this patch merged: https://fedorahosted.org/389/ticket/47838

Done: thanks everyone on the DS side!

> > Then, we need an F21 build of 389-ds-base.

Done: thanks nhosoi!

> > Then we need to merge Ludwig's IPA patch from this thread with a
> > versioned dependency on the new 389-ds-base build.

New patch attached which includes a versioned dep on the new DS.

> > Then we release 4.0.3.
> 
> That's what I understood, but thanks for confirming.
> 
> We need to move fast; FreeIPA is an F21 Alpha blocker.
> 
> 
> >> Plugin crashes or memory leaks are bad, but we can release with them.
> >
> > +1. The real problem is that without the above fixes, IPA doesn't work
> > at all.
> >
> > Nathaniel

From e172f638e9aa12ccb3cecedf80433bcdac9f54cb Mon Sep 17 00:00:00 2001
From: lkrispen <lkris...@redhat.com>
Date: Thu, 11 Sep 2014 14:06:34 +0200
Subject: [PATCH] ticket 4395 - change ciphers enabled by default

---
 freeipa.spec.in                      | 6 +++---
 install/updates/20-sslciphers.update | 6 ++++++
 install/updates/Makefile.am          | 1 +
 ipaserver/install/dsinstance.py      | 7 ++-----
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 install/updates/20-sslciphers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b672ecb03bdd73c1a911a6a982ccd894bebcbce4..685b345fedb9d157c8deedc66f8712da32c5963b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.2.16
+BuildRequires:  389-ds-base-devel >= 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -87,7 +87,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.20
+Requires: 389-ds-base >= 1.3.3.2
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -124,7 +124,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.2.20
+Requires(pre): 389-ds-base >= 1.3.3.2
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
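Review bot: the three bumps to 389-ds-base 1.3.3.2 (BuildRequires on -devel, Requires, Requires(pre)) are consistent with one another, but nothing in the hunk records why the floor is exactly 1.3.3.2; a one-line spec comment next to `Requires: 389-ds-base >= 1.3.3.2` naming the dependency on the allowWeakCipher handling from ticket 47838 (the fix this thread waited for) would spare the next reader a trip back to the mailing list. It is also worth confirming that 1.3.3.2 is the F21 build that actually carries that fix: a floor that predates it lets the package install and then leaves the directory server unable to start, which is precisely the failure the patch is meant to rule out.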
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 0000000000000000000000000000000000000000..ce88dae8fbe5f8976a06dca34c6a98b8ab76caaa
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+only:allowWeakCiphers: off
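Review bot: the attribute name on the last line, `allowWeakCiphers`, does not match `allowWeakCipher` as written in the dsinstance.py hunk of this same patch; only one of the two spellings can be the attribute the directory server reads, so the other file is setting a value nothing consumes, and upgraded servers and fresh installs would end up with different effective cipher policies. Align both files on the name accepted by the 389-ds-base build the spec now requires, and check the result on an upgraded instance, since this update file is the only thing that changes existing installations. Minor: "which ar not weak" in the comment should read "which are not weak".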
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1d912a7d29552000d082aca58d345924ab84e11c..026cde0498dc15bda10605dd427881d71c4bfa25 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =				\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cc1d32709f552a7c6366edbb8b9c03ec28ac6e3a..0518dd0e0f20255f4e42911af6f1f95fc25f554e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -664,11 +664,8 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
         mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
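Review bot: `allowWeakCipher` here and `allowWeakCiphers` in 20-sslciphers.update need to be reconciled to a single name (see the note on that hunk). Beyond the name, this hunk replaces an explicit cipher list that included export-grade, 40-bit RC2/RC4 and fortezza suites with `+all` gated by `allowWeakCipher: off`, so the effective cipher set is now whatever the installed 389-ds-base classifies as non-weak rather than a list FreeIPA controls; a short comment above the `mod` list stating that intent, and that the server refuses to start when weak ciphers are enabled, would make the change self-explanatory when read without this thread.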
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
