summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--freeipa.spec.in3
-rw-r--r--install/conf/Makefile.am1
-rw-r--r--install/conf/ipa-pki-proxy.conf25
-rwxr-xr-xinstall/tools/ipa-ca-install4
-rw-r--r--ipalib/constants.py10
-rw-r--r--ipapython/dogtag.py2
-rw-r--r--ipapython/nsslib.py15
-rw-r--r--ipaserver/install/cainstance.py13
-rw-r--r--ipaserver/install/certs.py4
-rw-r--r--ipaserver/install/httpinstance.py5
-rw-r--r--ipaserver/plugins/dogtag.py2
11 files changed, 74 insertions, 10 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 760100c..a691a40 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -303,6 +303,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
# So we can own our Apache configuration
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
%endif
@@ -451,8 +452,10 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/ipa-pki-proxy.conf
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad61..5ee3edd 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa.conf \
+ ipa-pki-proxy.conf \
ipa-rewrite.conf \
$(NULL)
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
new file mode 100644
index 0000000..275f326
--- /dev/null
+++ b/install/conf/ipa-pki-proxy.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 7bbba4b..05a05dc 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -36,6 +36,7 @@ from ipapython import version
from ipalib import api, util
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
+from ipapython import ipautil
CACERT="/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR=None
@@ -144,6 +145,9 @@ def main():
cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
cs.add_cert_to_service()
+ # We need to restart apache as we drop a new config file in there
+ ipautil.service_restart('httpd', '', True)
+
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e073..51cf566 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
# CA plugin:
('ca_host', FQDN), # Set in Env._finalize_core()
- ('ca_port', 9180),
- ('ca_agent_port', 9443),
- ('ca_ee_port', 9444),
+ ('ca_port', 80),
+ ('ca_agent_port', 443),
+ ('ca_ee_port', 443),
+ ('ca_install_port', 9180),
+ ('ca_agent_install_port', 9443),
+ ('ca_ee_install_port', 9444),
+
# Special CLI:
('prompt_all', False),
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e..02f9819 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
if ca_host is None:
ca_host = api.env.ca_host
chain = None
- conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+ conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d21..c4d8cdc 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
self._create_socket()
def _create_socket(self):
+
+ #TODO remove the try block once python-nss is guaranteed to
+ #contain these values
+ try :
+ ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602
+ ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602
+ ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+ except :
+ ssl_enable_renegotiation = 20
+ ssl_require_safe_negotiation = 21
+ ssl_renegotiate_requires_xtn = 2
+
# Create the socket here so we can do things like let the caller
# override the NSS callbacks
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+ self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+ self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e..d86b392 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ from ipaserver.install import certs
from ipaserver.install.installutils import ReplicaConfig
from ipalib import util
+HTTPD_CONFD = "/etc/httpd/conf.d/"
DEFAULT_DSPORT=7389
PKI_USER = "pkiuser"
@@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
+
# We need to reset the template because the CA uses the regular boot
# information
INF_TEMPLATE = """
@@ -537,6 +539,7 @@ class CAInstance(service.Service):
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("Configure HTTP to proxy connections", self.__http_proxy)
self.start_creation("Configuring certificate server", 210)
@@ -557,6 +560,7 @@ class CAInstance(service.Service):
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
+ '-enable_proxy'
]
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
@@ -658,7 +662,7 @@ class CAInstance(service.Service):
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
- args.append(str(ADMIN_SECURE_PORT))
+ args.append("443")
args.append("-sd_admin_name")
args.append("admin")
args.append("-sd_admin_password")
@@ -666,7 +670,7 @@ class CAInstance(service.Service):
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
- args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
+ args.append("https://%s:%d" % (self.master_host, 443))
else:
args.append("-clone")
args.append("false")
@@ -1077,6 +1081,11 @@ class CAInstance(service.Service):
fd.close()
os.chmod(location, 0444)
+ def __http_proxy(self):
+ shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
+ HTTPD_CONFD + "ipa-pki-proxy.conf")
+
+
def install_replica_ca(config, postinstall=False):
"""
Install a CA on a replica.
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f14efe3..d3df168 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -633,7 +633,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
@@ -715,7 +715,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa..04d1ed4 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+ self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0..23d06ab 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
self.env.ca_ee_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,