authorRob Crittenden <rcritten@redhat.com>2014-10-30 11:52:14 -0400
committerJan Cholasta <jcholast@redhat.com>2014-11-24 13:09:44 +0000
commit5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c (patch)
tree1a87eeb179772b5be2db9b32474099ac8164bac8 /ipalib
parentaa9ecb253a60d9d15cd41c5c38695fe64058669a (diff)
Use NSS protocol range API to set available TLS protocols
Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. This is overridable per client by setting tls_version_min and/or tls_version_max. https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/constants.py4
-rw-r--r--ipalib/rpc.py5
2 files changed, 8 insertions, 1 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 325414b64..df31a2088 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -122,6 +122,10 @@ DEFAULT_CONFIG = (
('rpc_protocol', 'jsonrpc'),
+ # Define an inclusive range of SSL/TLS version support
+ ('tls_version_min', 'tls1.0'),
+ ('tls_version_max', 'tls1.2'),
+
# Time to wait for a service to start, in seconds
('startup_timeout', 300),
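Review bot: The comment on the two new defaults names neither the accepted values nor the consequence of lowering the floor, so a reader of constants.py has to go to the commit message to learn that `tls_version_min` accepts `ssl3` as well as `tls1.0`, `tls1.1` and `tls1.2`, and that setting it below the default widens what every client connection will negotiate. Since this tuple is the place operators look when overriding `api.env`, the comment should carry that: `# Inclusive range of SSL/TLS versions a client may negotiate. Allowed values: ssl3, tls1.0, tls1.1, tls1.2. Lowering tls_version_min below tls1.0 weakens every client connection.` Whether a value outside that set is rejected or passed through unchecked is not visible in this diff; if the check lives in NSSConnection, a sentence pointing there would help.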
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 001b7f1ca..ab5b2f630 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -69,6 +69,7 @@ from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT
KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
from ipapython.dn import DN
from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
+from ipalib import api
COOKIE_NAME = 'ipa_session'
KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
@@ -492,7 +493,9 @@ class SSLTransport(LanguageAwareTransport):
if sys.version_info < (2, 7):
conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
else:
- conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+ conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
+ tls_version_min=api.env.tls_version_min,
+ tls_version_max=api.env.tls_version_max)
self.dbdir=dbdir
conn.connect()
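Review bot: The configured range is applied only on the `NSSConnection` branch; the `NSSHTTPS` call on the Python &lt; 2.7 branch (`conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)`) still gets no `tls_version_min`/`tls_version_max`, so on that interpreter the `api.env` settings have no effect and the protocol floor is whatever NSSHTTPS chooses. If NSSHTTPS accepts the same keywords (not visible here) they should be passed on both branches; if it does not, the asymmetry deserves a comment such as `# NSSHTTPS (python < 2.7) ignores tls_version_min/max; only NSSConnection honours the configured range`. The strings are also handed straight from `api.env` to the connection, and this hunk does not show whether a mistyped value is rejected rather than silently widening or ignoring the range — a small test that passes an invalid `tls_version_min` would pin that down. The enclosing method of `SSLTransport` starts outside the hunk.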