URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf

Turn on the NSSOCSP directive during install/replica install/upgrade.
That check verifies via OCSP whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in                       |  1 +
 install/restart_scripts/restart_httpd | 14 +++++++++++++-
 ipaserver/install/httpinstance.py     | 19 +++++++++++++++++++
 ipaserver/install/server/upgrade.py   | 24 ++++++++++++++++++++++++
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+    api.finalize()
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+    # Add trust flag which set certificate trusted for SSL connections.
+    db.trust_root_cert(nickname, "P,,")
+
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
     try:
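Review bot: The api.bootstrap()/CertDB/trust_root_cert() sequence added at the top of `_main` runs before the existing `try:` on the last line of the hunk, so an exception from any of those calls (for example when `get_directive` returns None because NSSNickname is absent from nss.conf) aborts the restart script without the syslog/traceback handling that try block presumably provides; moving the new lines inside it, or wrapping them the same way, keeps certmonger's restart failures visible in the log. As far as I can tell `trust_root_cert()` replaces the certificate's whole trust string rather than adding a flag, so the comment `# Add trust flag which set certificate trusted for SSL connections.` is misleading; `# Set the trust string to 'P,,' (trusted peer) so httpd accepts its own cert at startup without an OCSP lookup.` states what actually happens. `_main` continues outside the hunk.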
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..90f918b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+        self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+    def enable_mod_nss_ocsp(self):
+        aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+        aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
+        aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+        aug.load()
+
+        path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+        aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP')
+        aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+        aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+        aug.save()
+
     def set_mod_nss_cipher_suite(self):
         ciphers = ','.join(NSS_CIPHER_SUITE)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
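Review bot: `enable_mod_nss_ocsp` has no docstring, and what the augeas paths do (load nss.conf through the Httpd lens, turn a commented-out `NSSOCSP` line into a directive, force its argument to `on`) is not obvious from reading them; a docstring such as `"""Enable the NSSOCSP directive in nss.conf via augeas, converting a commented-out NSSOCSP line into a live directive."""` would help, and the lookup itself is reworked in the second patch below. The augeas handle is never released; calling `aug.close()` after `aug.save()` (or a try/finally around the body) frees the in-memory tree. When `aug.save()` fails, the cause is recorded only under `/augeas//error`, so logging `aug.match('/augeas//error')` before letting the exception propagate would make an install or upgrade failure diagnosable.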
@@ -369,6 +385,7 @@ def __setup_ssl(self):
                           create=True)
         self.disable_system_trust()
         self.create_password_conf()
+
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
@@ -393,6 +410,8 @@ def __setup_ssl(self):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
+            db.trust_root_cert(nickname, "P,,")
+
         else:
             if not self.promote:
                 ca_args = [
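Review bot: The `db.trust_root_cert(nickname, "P,,")` line carries no comment, while the same call in restart_httpd and upgrade.py in this patch does; since the `P` flag makes NSS accept this exact certificate as a trusted peer — which is what lets httpd start before the OCSP responder is reachable, and presumably also exempts the server's own cert from revocation checking in this DB — the rationale belongs next to the call, e.g. `# 'P,,': trust this cert as a peer so mod_nss can start with NSSOCSP on without first reaching the OCSP responder (https://pagure.io/freeipa/issue/6370)`. `db` and the enclosing `__setup_ssl` are defined outside the hunk.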
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 927acb0..3aef012 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1392,6 +1392,23 @@ def fix_trust_flags():
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
+def fix_server_cert_trust_flags():
+    root_logger.info(
+        '[Fixing server certificate trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
+
+    if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'):
+        root_logger.info("Trust flags already processed")
+        return
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
+                                             "NSSNickname")
+    # Add trust flag which set certificate trusted for SSL connections.
+    db.trust_root_cert(sc_nickname, "P,,")
+
+    sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
+
+
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')
 
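Review bot: `fix_server_cert_trust_flags` repeats the lookup-and-trust sequence that restart_httpd gains in this same patch (CertDB on HTTPD_ALIAS_DIR, `get_directive(..., "NSSNickname")`, `trust_root_cert(..., "P,,")`), so a single helper called from both places would keep the trust string and the nickname lookup in one spot. The first log call formats its message with `%` before handing it to the logger; the logging API prefers lazy arguments, `root_logger.info('[Fixing server certificate trust flags in %s]', paths.HTTPD_ALIAS_DIR)`. If `get_directive` returns None because NSSNickname is missing, the failure surfaces from inside `trust_root_cert`; an explicit check and a clear message before that call would make the upgrade log easier to act on.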
@@ -1404,6 +1421,11 @@ def update_mod_nss_protocol(http):
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
 
+def enable_mod_nss_ocsp(http):
+    root_logger.info('[Updating mod_nss enabling OCSP]')
+    http.enable_mod_nss_ocsp()
+
+
 def update_mod_nss_cipher_suite(http):
     root_logger.info('[Updating mod_nss cipher suite]')
 
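Review bot: `enable_mod_nss_ocsp` in upgrade.py does not record a sysupgrade state the way its neighbours `update_mod_nss_protocol` and `fix_server_cert_trust_flags` do, so `http.enable_mod_nss_ocsp()` re-runs on every upgrade and, because the instance method unconditionally sets the directive's arg to `on`, silently re-enables OCSP on a server where an administrator deliberately set `NSSOCSP off`. Guarding the call with `if sysupgrade.get_upgrade_state('nss.conf', 'ocsp_enabled'): return` and recording `sysupgrade.set_upgrade_state('nss.conf', 'ocsp_enabled', True)` afterwards gives it the one-time semantics the other steps use.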
@@ -1660,7 +1682,9 @@ def upgrade_configuration():
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
+    enable_mod_nss_ocsp(http)
     fix_trust_flags()
+    fix_server_cert_trust_flags()
     update_http_keytab(http)
     http.configure_gssproxy()
     http.start()

From 70b24358759afa6d74a343634523a55d12fc6ae6 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Fri, 28 Apr 2017 12:41:38 +0200
Subject: [PATCH 2/2] A

---
 ipaserver/install/httpinstance.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 90f918b..f291580 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,7 +29,7 @@
 import locale
 
 import six
-import augeas
+from augeas import Augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -266,7 +266,7 @@ def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
     def enable_mod_nss_ocsp(self):
-        aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+        aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
 
         aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
         aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
@@ -274,8 +274,19 @@ def enable_mod_nss_ocsp(self):
 
         path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
 
-        aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP')
-        aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+        ocsp_comment = aug.get(
+                        '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+        ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+        if ocsp_dir is None and ocsp_comment is not None:
+            # Directive is missing, comment is present
+            aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+                    'NSSOCSP')
+            aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+        elif ocsp_dir is None:
+            # Directive is missing and comment is missing
+            aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
         aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
         aug.save()
 
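Review bot: `aug.get()` on the regexp-match path expects a single node, and as far as I recall python-augeas raises ValueError when the path matches more than one, so an nss.conf with two comment lines beginning with `NSSOCSP ` (a descriptive comment plus the commented-out directive) would abort the installer or upgrade; `aug.match()` returns the list of matching paths and lets the code pick the commented-out directive and skip or report the rest. The `NSSOCSP .*` pattern is matched against the whole comment value, so any explanatory comment starting with that word is rewritten into a directive by the set/rename pair; a tighter pattern such as `NSSOCSP (on|off)` limits the conversion to the commented-out directive itself. The same lookup also appears in the first patch's version of this method above.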
-- 