URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: opened

PR body:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust
module from being loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From 8d6021f84698f1234866ebdad87b1704610c3e59 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: don't load system trust module in
 /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust
module from being loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
---
 ipaserver/install/httpinstance.py   |  5 +++++
 ipaserver/install/server/upgrade.py | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..cec684a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -354,6 +354,11 @@ def __setup_ssl(self):
                           subject_base=self.subject_base, user="root",
                           group=constants.HTTPD_GROUP,
                           truncate=(not self.promote))
+
+        libnssckbi_so = os.path.join(paths.HTTPD_ALIAS_DIR, 'libnssckbi.so')
+        if os.path.exists(libnssckbi_so):
+            ipautil.backup_file(libnssckbi_so)
+
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
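Review bot: the `if os.path.exists(libnssckbi_so):` guard follows the symlink, so a dangling /etc/httpd/alias/libnssckbi.so (target package removed or moved) makes `exists()` return False and the symlink stays in place, which means NSS still tries to load the module and the trust-store bypass this patch is meant to close is only partially closed. Use `os.path.lexists(libnssckbi_so)` here so the rename happens whenever the link itself is present. A one-line comment stating why the module is renamed (IPA keeps its own trust store and the system module must not shadow it) would also help the next reader, since `backup_file` does not make the intent obvious.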
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..9f780c6 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,26 @@ def enable_anonymous_principal(krb):
         pass
 
 
+def disable_httpd_system_trust():
+    libnssckbi_so = os.path.join(paths.HTTPD_ALIAS_DIR, 'libnssckbi.so')
+    if not os.path.exists(libnssckbi_so):
+        return
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+
+    ca_certs = []
+    for nickname, trust_flags in db.list_certs():
+        if 'u' not in trust_flags:
+            cert = db.get_cert_from_db(nickname, pem=False)
+            if cert:
+                ca_certs.append((cert, nickname, trust_flags))
+
+    ipautil.backup_file(libnssckbi_so)
+
+    for cert, nickname, trust_flags in ca_certs:
+        db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
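Review bot: `disable_httpd_system_trust()` has no docstring or comment explaining why the CA certificates are read out before the module is disabled and written back afterwards; a reader of the upgrade code cannot tell from the function itself that trust information visible through the system trust module would otherwise be lost from /etc/httpd/alias once the module is gone. Add a short docstring covering that, and the same `os.path.exists` versus `os.path.lexists` point applies to the early return at the top of the function, since a dangling symlink would skip the whole upgrade step. Consider also logging (at info level) that the module was disabled and how many certificates were re-added, so an upgrade that changed httpd's trust configuration leaves a trace in the upgrade log.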
@@ -1630,6 +1650,7 @@ def upgrade_configuration():
         http.enable_kdcproxy()
 
     http.stop()
+    disable_httpd_system_trust()
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
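Review bot: placing `disable_httpd_system_trust()` directly after `http.stop()` is the right order, since the NSS database must not be modified while httpd has it open; it would be worth a brief comment at the call site saying so, because the other `update_mod_nss_*` calls that follow do not share that constraint and a later reshuffle could move this call above the stop.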
-- 