authorLudwig Krispenz <lkrispen@redhat.com>2014-09-12 12:43:31 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-12 16:42:09 +0200
commitab196220fdd886fc2b1998eeee0f8e9a4b384845 (patch)
tree6a66fdaa676cd87d9322e7a4f3f38f215cd19653
parent854bc42913f663dce1f2e0fbb44a670a2812d87c (diff)
Update SSL ciphers configured in 389-ds-base
Use configuration parameters to enable the ciphers provided by NSS that are not considered weak. This requires 389-ds version 1.3.3.2 or later. https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
-rw-r--r--freeipa.spec.in6
-rw-r--r--install/updates/20-sslciphers.update6
-rw-r--r--install/updates/Makefile.am1
-rw-r--r--ipaserver/install/dsinstance.py7
4 files changed, 12 insertions, 8 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b672ecb..685b345 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.2.16
+BuildRequires: 389-ds-base-devel >= 1.3.3.2
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
@@ -87,7 +87,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.20
+Requires: 389-ds-base >= 1.3.3.2
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
@@ -124,7 +124,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.2.20
+Requires(pre): 389-ds-base >= 1.3.3.2
Requires: fontawesome-fonts
Requires: open-sans-fonts
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 0000000..b0c952f
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+addifnew:allowWeakCipher: off
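Review bot: The comment `# provided by NSS which ar not weak will be enabled` has a typo and overstates what the update guarantees: `addifnew:allowWeakCipher: off` leaves an already-present `allowWeakCipher` value untouched, so on a server where it was set to `on`, `only:nsSSL3Ciphers: +all` also enables the weak ciphers. Either use `only:allowWeakCipher: off` to match the unconditional `MOD_REPLACE` the installer performs in dsinstance.py, or reword the comment to state the actual effect, e.g. `# all ciphers provided by NSS are enabled; weak ciphers stay disabled unless allowWeakCipher was already set to on`. It is also worth stating in the comment that `only:` discards any locally customised nsSSL3Ciphers list, since an administrator who had narrowed the cipher set will silently get the full NSS set back.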
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1d912a7..026cde0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA = \
20-indices.update \
20-nss_ldap.update \
20-replication.update \
+ 20-sslciphers.update \
20-syncrepl.update \
20-user_private_groups.update \
20-winsync_index.update \
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cc1d327..0518dd0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -664,11 +664,8 @@ class DsInstance(service.Service):
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
- (ldap.MOD_REPLACE, "nsSSL3Ciphers",
- "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+ (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
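Review bot: The new `(ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all")` is only safe in combination with the `allowWeakCipher` entry on the next line, and nothing in the code records that pairing or the 389-ds 1.3.3.2 requirement that the spec bump introduces; a comment such as `# "+all" enables every cipher NSS offers; allowWeakCipher=off (389-ds >= 1.3.3.2) filters out the weak ones` would keep the two from being separated later. The effective cipher set now tracks the installed NSS/389-ds build rather than a fixed list, which is presumably intended but deserves a note for whoever audits the TLS configuration. This hunk forces `allowWeakCipher` with `MOD_REPLACE` while the companion `20-sslciphers.update` uses `addifnew`, so fresh installs and upgraded servers can end up with different values. The enclosing method of `DsInstance` starts and ends outside the hunk.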