author | Rob Crittenden <rcritten@redhat.com> | 2014-10-30 11:52:14 -0400 |
committer | Jan Cholasta <jcholast@redhat.com> | 2014-11-24 13:09:44 +0000 |
commit | 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c (patch) | |
tree | 1a87eeb179772b5be2db9b32474099ac8164bac8 /ipalib | |
parent | aa9ecb253a60d9d15cd41c5c38695fe64058669a (diff) | |
Use NSS protocol range API to set available TLS protocols
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/constants.py | 4 | ||||
-rw-r--r-- | ipalib/rpc.py | 5 |
2 files changed, 8 insertions, 1 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 325414b64..df31a2088 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -122,6 +122,10 @@ DEFAULT_CONFIG = (
     ('rpc_protocol', 'jsonrpc'),
+    # Define an inclusive range of SSL/TLS version support
+    ('tls_version_min', 'tls1.0'),
+    ('tls_version_max', 'tls1.2'),
+
     # Time to wait for a service to start, in seconds
     ('startup_timeout', 300),
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 001b7f1ca..ab5b2f630 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -69,6 +69,7 @@ from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT
     KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
+from ipalib import api
 COOKIE_NAME = 'ipa_session'
 KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
@@ -492,7 +493,9 @@ class SSLTransport(LanguageAwareTransport):
         if sys.version_info < (2, 7):
             conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
         else:
-            conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+            conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
+                                 tls_version_min=api.env.tls_version_min,
+                                 tls_version_max=api.env.tls_version_max)
         self.dbdir=dbdir
         conn.connect() |
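Review bot: The new comment above `tls_version_min`/`tls_version_max` in DEFAULT_CONFIG states that the pair is an inclusive range but not which values a deployment may put there; the commit message lists ssl3, tls1.0, tls1.1 and tls1.2, and that list is what an administrator editing the config needs at this spot, so extend it to `# Inclusive range of SSL/TLS versions to offer. Accepted values: ssl3, tls1.0, tls1.1, tls1.2; the defaults leave ssl3 out of the range.` It is also worth stating where a value outside that set, or a min above the max, is rejected; from this hunk alone it is not visible whether NSSConnection validates the pair or surfaces an opaque NSS error. The DEFAULT_CONFIG tuple begins and ends outside the hunk.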
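Review bot: Only the `NSSConnection` branch of SSLTransport receives `tls_version_min`/`tls_version_max`; the `sys.version_info < (2, 7)` branch still constructs `NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)`, so on Python 2.6 the configured range is silently not applied and the client negotiates whatever NSS offers by default. If `NSSHTTPS` accepts the same keyword arguments, pass them in that branch as well, `conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init, tls_version_min=api.env.tls_version_min, tls_version_max=api.env.tls_version_max)`; if it does not, a comment on that line saying the range is not enforced under 2.6 would at least make the gap visible. Separately, the preceding hunk imports the global `api` object into this transport module solely to read those two env values; if the transport is constructed from code that already holds an api instance, reading the settings from that instance would avoid the module-level coupling (not verifiable from the hunk). The method enclosing this change begins and ends outside the hunk.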