authorRob Crittenden <rcritten@redhat.com>2010-01-27 15:31:51 -0500
committerRob Crittenden <rcritten@redhat.com>2010-01-27 17:01:26 -0500
commitb7cda86697cfb8ffc25ab5d3c051f181e145648d (patch)
treeeef50ba7005fab34ed00471ec6004b09d7beae75
parentc092f3780df4417e5cf3512a1afedd109183628d (diff)
Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
-rw-r--r--ipaserver/install/cainstance.py12
-rw-r--r--ipaserver/install/certs.py8
-rw-r--r--ipaserver/plugins/dogtag.py4
3 files changed, 18 insertions, 6 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 47183bb22..d2c2c70e5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -518,6 +518,18 @@ class CAInstance(service.Service):
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+ # Update the servlet mapping to so we use the agent interface rather
+ # than the end-user interface. The agent interface always requires
+ # client auth which lets us work work around the NSS change which
+ # disallows renegotation (CVE-2009-3555)
+ #
+ # The spaces here, while ugly, are required because update_file()
+ # escapes the incoming string.
+ installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
+ ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
+ ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
+)
+
logging.debug("restarting ca instance")
try:
self.restart()
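Review bot: The outcome of the added `installutils.update_file(...)` call is discarded, so if the `<url-pattern>` string is not present in web.xml (a different Dogtag layout, or an install re-run after the file was already rewritten) the instance is restarted with the end-user mapping still in place, and the agent-port requests this commit introduces in certs.py and dogtag.py will then fail far from the cause. If update_file signals failure through its return value (I cannot see its definition here), check it and abort the CA configuration with a clear message; otherwise re-read the file after the call and verify the agent pattern is present before `logging.debug("restarting ca instance")`. The new comment also has a duplicated word and a typo: `# client auth which lets us work around the NSS change which` and `# disallows renegotiation (CVE-2009-3555)`. The enclosing method of CAInstance starts and ends outside the hunk.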
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6e7eb82d1..4fb794c82 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -570,11 +570,11 @@ class CertDB(object):
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
- conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+ conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
conn.set_debuglevel(0)
- conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+ conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
res = conn.getresponse()
data = res.read()
conn.close()
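Review bot: The new `api.env.ca_agent_port` reference assumes `api` is imported in certs.py, which the old code did not need since it used the literal 9444; the hunk does not show the import, so confirm it is in scope or the call raises NameError at the first certificate request. The same change is made identically in the second hunk of this file (starting at the `@@ -664,11 +664,11 @@` header), so the connection setup, client-auth callback and `/ca/agent/ca/profileSubmitSSLClient` path are now duplicated in two methods; a small private helper such as `_agent_connection(self, password)` returning the prepared NSSConnection, with the path kept in one module-level constant, would keep the two call sites from drifting the next time the endpoint changes. Both enclosing methods of CertDB start and end outside their hunks.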
@@ -664,11 +664,11 @@ class CertDB(object):
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
- conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+ conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
conn.set_debuglevel(0)
- conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+ conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
res = conn.getresponse()
data = res.read()
conn.close()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 9b799d45d..b64636300 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1509,8 +1509,8 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/ee/ca/profileSubmit',
- self.env.ca_ee_port,
+ self._sslget('/ca/agent/ca/profileSubmitSSLClient',
+ self.env.ca_agent_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,
cert_request=csr,